Master s STI GDWP. Authors: Mark Baggett, mark.baggett@morris.com Jim Horwath, jim.horwath@rcn.com. Submitted: June 6, 2010

Transcription

1 Design Phase One of an iphone Rollout Master s STI GDWP Authors: Mark Baggett, mark.baggett@morris.com Jim Horwath, jim.horwath@rcn.com Submitted: June 6, 2010

2 Table of Contents Table of Contents... 2 Executive Summary... 3 Business Advantages of iphone Deployment... 4 Biggest Risks of iphone Usage... 6 Risks Associated with All Mobile Devices... 6 Risks in Current Infrastructure... 8 Mitigation Strategies for Risk... 8 Mitigation Options... 9 Third Party Products Purchase Offerings No Additional Charge Offerings Conclusions Appendix Exchange Settings References... 15

3 Executive Summary GIAC Fortune cookie would like to initiate the deployment of iphones to the workforce. GIAC Fortune Cookie has an existing BlackBerry and Microsoft Exchange infrastructure in place today and would like to maintain the same level of risk during the deployment of iphones. This document explores the business advantages inherent to the use of iphones along with the risk introduced by the device. The team will attempt to reproduce the controls in place today in our BlackBerry environment using the software available at no additional cost from Apple and Microsoft. Then, after exhausting the controls available with the free products, we will analyze the residual risk and existing BlackBerry controls that are not available with these tools. Finally, we examine commercial software offerings that are available to help close gaps not addressed using free products for integration and deployment of iphones into the existing environment. There are several advantages to deploying iphones in our organization. First, we want our customers to perceive us as a forward thinking innovative leader in the Fortune Cookie market. The adoption of technologies such as the iphone helps to mold that customer perception. Second, the world is becoming increasingly mobile. Our customers and employees are moving towards mobile smartphone technology. By embracing this technology, and addressing the risks associated with the use of the technology, we empower our business with the ability to respond to the demands of the mobile market. Last, by providing our employees with devices that bring together business data with the internet and location based services we empower them to make faster better business decisions to drive revenue. There are significant advantages to deploying this technology, but it is not without risk. There are several threats posed by the use of mobile devices in the work place. Those threats include the loss of devices containing sensitive data, mobile malware, and the use of unauthorized devices accessing company data. Until now, we have successfully mitigated those risks with controls implemented by our BlackBerry server. The controls in place today on our BlackBerry BES server include data encryption, password protection, the ability to remotely wipe a device, restrictions on the use of unauthorized software, and the ability to authenticate a remote device. Authenticating the remote device is important because it ensures that we avoid storing sensitive data on non-company devices. Our goal is to maintain the BlackBerry controls in an iphone environment, or otherwise mitigate the risk in order to maintain our current risk posture. While reviewing our current risk posture, the team made a startling discovery. The ActiveSync technology used by the iphone may be active and exposing the company to the risk of rouge mobile devices storing sensitive data. We are taking immediate action to identify the extent of the exposure. An action plan is in place to mitigate the threat. Without a clear understanding of any control

4 gaps that exist between the BlackBerry and the proposed iphone infrastructure, recommendations, planning and budget for a deployment are not possible. The team compared the current BlackBerry BES infrastructure with an iphone infrastructure built with tools from Microsoft and Apple. Unfortunately, the management tools available from Apple and Microsoft left significant gaps in our controls. However, we believe combining third party commercial tools with Microsoft and Apple tools should address all of the risk associated with the iphone. This would align the controls in place for the iphone with the current BlackBerry controls. Although a thorough evaluation of third party products was not possible in a 24- hour period, the team did develop a short list of products that will likely meet the needs of the organization. The products evaluated include ianywhere by Sybase, Smartphone Suite by GuardianEdge (soon to be Symantec) and Enterprise Mobile Manager by Trust Digital (soon to be McAfee). The team recommends a complete evaluation and vetting of the products to determine which products meet our needs. Once the team chooses a product, we recommend the company initiate user education and training, prior to any product deployment. In summary, the iphone is a powerful and flexible technology that will empower our workforce. Adapting available technology today to address the risk associate with this technology will give GIAC a strategic advantage over our competitors, who are not embracing the mobile market. Using third party products, we should be able to fully address the risk associated with the use of this technology and continue to drive GIAC Fortune Cookies as the market leader and innovator. Business Advantages of iphone Deployment The adoption of any technology in an enterprise is a business decision based on risk and value. Introducing the iphone to the enterprise will have several benefits for GIAC s employees, customers, and business partners. The initial analysis is: Use of modern technology portrays the company in a positive manner as being innovative and forward thinking. The convergence of Internet, location-aware services, and business information in a single device empowers the mobile workforce to crush the competition. For example, a sales person can easily identify all potential customers with a given radius of their current location.

5 Potential customer location map By identifying and mitigating risks now, this allows the organization to respond to an increasingly mobile world. The success of the iphone in the consumer market created a wellconnected workforce that is comfortable with iphone technology. Modifying our technology to support this growing market will allow us to create a more intelligent and focused workforce. The iphone is the market innovator and rapidly gaining market share in the mobile device market. According to IDC s Worldwide Quarterly Mobile Phone tracker, the iphone s market share grew faster than all other mobile devices. iphone market share for Q1, erry.html

6 In the summer 2009, Philippe Winthop of Strategy Analytics, did a study named Directory of Business Mobility Solutions. This study of 100 enterprises showed organizations using iphones were more responsive to market information, had faster responses to enterprise information, and better response to outside organizations than organizations using noniphone mobile devices. 2 Please note the success of the iphone has lead to a very competitive smartphone market. Many of the manufacturers of competing smartphones are now offering devices with an iphone like browsing experience. The advantages of the iphone over these competing devices will diminish over time. There are some indications that smartphones based upon Google s Android may overtake the iphone in the market place. 3 Once we develop the risk mitigation strategies for the iphone, GIAC Fortune Cookie s will be better prepared to address the risk in other mobile devices. Biggest Risks of iphone Usage Note: The risks discussed below are valid as of June The smartphone industry is evolving at a rapid pace; information provided below may not be valid in the future. The value of any company is its intellectual property. Intellectual property comes in many forms: customer contacts, contract bids, salary information, product information, marketing strategies, etc. Employees demand freedom and access to critical resources whenever they travel. Technology is spoiling users with the ability to access business critical data everywhere. However, this flexibility brings with it a responsibility to be very careful not to place a firm in additional risk by exposing intellectual property. Risks Associated with All Mobile Devices All mobile devices share a common set of risks and exposures. The chart below highlights the three major categories of risk that affect all mobile devices. 2 ngtitles&mid=b4771c6f22f34e4ca3fffda61e0ea2c5&tier=4&id=33cd8f28dc99448aafa803a DE2B2F1A0 3

7 Table with common mobile device risks and mitigations We mitigate all the risks above by implementing the following security configurations and technologies on our Blackberry BES server. 4 We utilize end-to-end encryption of s and credentials as they travel across the wireless networks. This prevents the exposure of confidential communications and internal credentials as they pass across untrusted open networks. Implementation of device encryption protecting data stored on devices while at rest. An unauthorized person in possession of the device cannot access the data without the password. Idle time password protection. If any GIAC-owned BlackBerry device is unsecured for more than five minutes, the device will lock itself requiring a password for access. GIAC uses device configuration policies to enforce minimum-security requirements. GIAC requires password protection for handheld devices and prevents password guessing by an individual who finds or steals the device. If an intruder incorrectly guesses a password ten times, the device initiates a disk wipe of all data. GIAC has the ability to activate a KILL function allowing the administrator to wipe data from lost or stolen devices. By applying policies, GIAC can minimize the exposure to malware by restricting the use of unauthorized software on mobile devices. GIAC displays an ownership statement on the locked screen of a BlackBerry, with a contact number to recover lost or stolen devices. With various Smartphone management tools available from the Apple, Microsoft and other iphone, the Security Operations Team is only able to implement some of these controls on the iphone. However, without the use of addition software there are still some residual risks. We will discuss these risks later in the mitigation section. Some of these risks may even apply to the current infrastructure. 4

8 Risks in Current Infrastructure Responding to the request for adding iphone support provided the Security Operations Team with the opportunity to understand iphone technology and doing so reviewed possible risks in our current infrastructure. The following diagram illustrates how proposed iphones would access company and Fortune Cookie Application. Unauthorized mobile device GIAC DMZ Internet GIAC Fortune Cookie Application GIAC Fortune Cookie Employees Authorized mobile devices External Firewall External Outlook Web Server Internal Firewall Exchange Servers Near Term Storage Mobile infrastructure June 2010 An iphone connects to GIAC s Internet-facing Outlook Web Access servers. Microsoft Exchange 2003 and later supports ActiveSync allowing mobile devices to store company . During analysis of threats associated with integration of a new technology like the iphone, the team uncovered default settings in our Microsoft Exchange ActiveSync environment that are adding additional risk and exposure to company data. By default, deployments of Microsoft Exchange has Microsoft Active Sync enabled for all users and devices, allowing any smart devices such as the iphone, Android and Microsoft Mobile Smartphones to download and store company . This default setting allows users to synchronize without any policies in place. The Security Operations Team recommends immediate remediation and details of this configuration are available in the Appendix. A change management ticket request (REQLO127001) is open for the remediation. The team will notify the Incident Response Team concerning any existing devices already containing company data. Mitigation Strategies for Risk We mitigate the vast majority of risks associated with mobile devices with controls in place on our BlackBerry server. To maintain our existing level of security, the Security Operations team first attempted to duplicate the Blackberry controls on the iphone. The initial approach was to maintain those controls by using Apple s

9 iphone Configuration Utility (Apple ICU) to implement the Center for Internet Security s iphone configuration Benchmark. The team reviewed the CIS standards and industry best practices for iphone deployments. The team created an iphone policy to enforce the best practices outlined in the CIS benchmark. The team created this template only to prove the feasibility of using Apple s ICU to implement all of the controls available to us today on the Blackberry BES. The team did not vet the policy build for acceptability in our enterprise. The team explored other tools such as Microsoft Exchanges Mobile Device manager, and third party security products in order to mitigate residual risk left unchanged by the use of Apple s ICU and the CIS Benchmark. Mitigation Options The Center for Internet Security (CIS) has a document recommending the best practices for iphone configuration. The document recommends establishing a minimum baseline enforceable through system controls such as: Requiring all iphones to be running the latest revision of firmware, as of the writing of this document the latest revision is The disabling of all VPN, Wireless, Bluetooth, and Location-based services when the iphone is not in use. CIS recommends implementing best practices by using the iphone Configuration Utility (ICU). The business and Security Operations should develop its own configuration standard based on CIS Benchmark adopting it to meet business needs. Once the business and Security Operations agrees on a workable configuration, this configuration will become the company Gold configuration standard. Corporate policy will require all devices will adhere to the Golden configuration. The use of Apple s ICU and the CIS Benchmark mitigated many of the risks associated with weak passwords and poor configuration on the iphone. In the diagram below there is a policy named CIS Recommendations. All of the suggested settings of the CIS Benchmark are set in the General and Passcode sections of the policy, highlighted below.

10 Screenshot of Apple s ICU However, it left notable gaps when compared to the controls on the BlackBerry. Specifically: GIAC cannot encrypt the phone without using additional software. Not having data encrypted introduces additional risk to the firm and the iphone user. The native wipe function available on the iphone does not remove the data; it only renders the iphone unusable. A user can retrieve data off the phone after an iphone wipe. It is not possible to add custom banners displaying contact information in the event the iphone is lost and the finder wants to return it. This is only possible with additional software. After a gap analysis of this configuration against the CIS Benchmark, the team determined there are several critical security settings not configurable in Apple s ICU tool. Section 1 of the CIS guide contains several of the non-configurable settings. Additional risks addressed on the BlackBerry server, but missing in the CIS Benchmark include the ability to wipe the device remotely. Tools such as Microsoft Exchange Mobile Device Management (MDM) can help reduce the risk and exposure. MDM only partially addresses one of these residual risks. It provides the ability to remotely wipe a device. However, the wipe only places the device in recovery mode, and since the device lacks effective encryption, the data remains at risk. iphone supports disk encryption; however, this encryption has proven to be an ineffective control. 5 Using MDM to wipe a device renders the device temporarily unusable. Administrators can use the MDM to remotely disable the device. 5

11 Screenshot of remote disk wipe capability 6 ICU and MDM do not address all the risks. The devices still lack encryption and a true wipe capability. Additionally, we cannot prevent the installation of unapproved software. This can lead to malware and vulnerabilities on our smartphones. There are additional tools available from third party software vendors that will increase the security posture of GIAC iphones. These tools should provide the full suite of controls available on the BlackBerry. These commercial tools will need vetting through the corporate process weighing the benefits and deficiencies of each offering. Adding one or more of the tools below should allow GIAC to align an iphone deployment with the current BlackBerry deployment. The following graphic depicts a list of critical BlackBerry controls currently in use, and the tools to implement said controls on the iphone. 6

12 Security controls matrix If the third party tools deliver the functionality they market, the iphone does not increase the risk of exposing sensitive data. The team recommends GIAC begin an evaluation of third party offerings to mitigate risk prior to iphone adoption. Third Party Products Knowing that we will have to use a third party tool to help address the risks, the team reviewed the marketing materials for several products and services. The team did not find any mobile service providers that offered equivalent controls. The team did find several software offerings that claimed to address all the required controls. The team compiled a short list of companies meeting the product requirements. This is not an exhaustive list. Purchase Offerings ianywhere Mobile Office for iphone by Sybase. This software combines fully integrated wireless and PIM data with on-device security and business process mobilization. 7 Trust Digital EMM manages the entire lifecycle of the iphone with tools and facilities. McAfee announced their intent to purchase Trusted Digital May 25 of this year. 8 GuardianEdge Smartphone Suite. Symantec announce their intent to purchase GuardianEdge in April of this year WP.pdf

13 No Additional Charge Offerings Apple iphone Configuration Utility available at: Exchange Management Console: 76e9c677e802&displaylang=en Conclusions After evaluating the risk mitigated by the management tools provided at no cost by Microsoft and Apple, we believe the firm will be unable to maintain the current level of security provided by our BlackBerry environment. If senior leadership wants to maintain the current level of security without accepting additional risk, GIAC Fortune Cookies must evaluate third party products to secure the iphone. While a complete evaluation of products is impossible in a 24-hour period, the security team identified several products that claim to address most of the risks introduced by the iphone. The security team recommends an evaluation of products to determine whether they deliver the services advertised, and selection of the product that best meets our needs. Finally, Security Operations will collaborate with senior leadership to initiate a security education program for employees before issuing smartphone devices and on an on-going basis.

14 Appendix Exchange Settings GIAC can control the ability to synchronize a mobile device by the msexchomaadminwirelessenable attribute on each users account. By default, this value is not set (it is NULL). A null value allows the user to synchronize any mobile device that supports active sync with their account. To prevent users from synchronizing their this value much be changed to 7. Here is an explanation of the msexchomaadminwirelessenable attribute: 1 (bit 0) = 1 to disable Server Activesync, 0 to enable it 2 (bit 1) = 1 to disable Outlook Mobile Access, 0 to enable it 4 (bit 2) = 1 to disable Always Up-To-Date (AUTD), 0 to enable it = 7 = All ActiveSync Features disabled In addition to setting, this value on existing accounts actions need to be taken to ensure that new accounts created also have their value changed to 7.

15 References "Massive IPhone Security Issue Could Endanger Enterprise Adoption." ReadWriteWeb - Web Apps, Web Technology Trends, Social Networking and Social Media. 31 May Web. 06 June < Cassavoy, Liane. "How Much Does an IPhone Cost - The Price of the IPhone 3G." Cell Phones -- News, Reviews, and More about the Latest Cell Phones and Smartphones. Web. 06 June < "Mobile Messaging with Exchange Server 2007 Part 2: Managing Mobile Devices." Microsoft Exchange Server Resource Site: Articles & Tutorials. Web. 06 June < 2007/mobility-client-access/mobility-client-access/mobile-messaging-exchangeserver-2007-part2.html>. Oliver, Sam. "AppleInsider IPhone Market Share Grows to 16% at Expense of BlackBerry." AppleInsider Apple Insider News and Analysis. 07 May Web. 06 June < 16_at_expense_of_blackberry.html>. Nunziata, Susan. "4 Real Benefits Of IPhone In The Enterprise In This Issue Mobile Enterprise Magazine." 4 Real Benefits of IPhone in the Enterprise. Web. 06 June < Publishing&mod=PublishingTitles&mid=B4771C6F22F34E4CA3FFFDA61E0E A2C5&tier=4&id=33CD8F28DC99448AAFA803ADE2B2F1A0>. TinyComb, "Google s Android To Take Over The IPhone By 2012 â TinyComb." TinyComb â Hand Picked Tech News. Web. 06 June < 2012/>. "IPhone 3GS Encryption useless?" Security and the Net. Web. 06 June < "Mobile Smartphone Security Software and Protection from GuardianEdge." Enterprise Data Encryption and Endpoint Data Protection Software for Hard Drives,

16 Removable Storage and Smartphones GuardianEdge. Web. 06 June <