
Feature

posted 8 Nov 2006 in Volume 3 Issue 4

Mobile information

Securing mobile devices

With increased mobility comes increased information risk. What counter-measures can organisations take to protect the information held on personal digital assistants?

By Paul Orlowski

Personal digital assistants (PDAs) can be very effective information-processing tools, but along with the increases in productivity and new ways of working that they facilitate come some interesting security challenges.

These need to be assessed and managed so that organisations can continue their day-to-day business under an acceptable corporate risk regime. This workshop discusses those challenges, provides a brief review of system and PDA context, presents three main classes of threat and suggests high-level countermeasures that can be used to manage the risks.

Context

Many terms are used when considering the security model associated with PDAs. It is necessary to understand the scope of these terms to really appreciate the potential security impact of the use of PDAs.

The most important term to scope is ‘PDA’ itself. Contemporary mobile devices have processing power and connection capabilities to match and exceed traditional fixed devices in a form factor that is much more compact. At the time of writing this paper, there are only three real PDA platforms to consider – PocketPC, Palm and Blackberry.

Mobile telephones tend to have less general-purpose operating systems, so they are not really suitable for applications in the same context as the core PDA platforms. However, mobile telephones do have Java environments in which applications may run and still pose a security risk to connected infrastructure.

Therefore, from a security perspective, there is little distinction between PDAs, mobile telephones, palm-top computers and other forms of ‘mobile IT processing facilities’, in the parlance of the British Standards Institution’s BS7799 security standard. The security analysis contained in this workshop is therefore appropriate to all of these devices.

Furthermore, this workshop will consider the connection of a PDA to a corporate network with the use of either a permanent or sporadic data connection. To that end, this paper assumes an acceptable baseline level of security has been achieved on the fixed side of the house and that this has been replicated to some extent on the mobile device.

For example, a nominal strength of mechanism may be claimed for identification and authentication (ID&A) controls across the complete system. This assumption has been made so that the focus of this white paper can indeed be the mobile PDA.

Finally, the workshop will only consider the nature of the countermeasure to be evaluated for any given threat. It is left to the reader to make a judgement relating to the absolute value of the data to be protected and, therefore, the assurance or strength of the barrier to be implemented.

The threats

The threat model I use considers the confidentiality, integrity and availability – the ‘CIA’ – of sensitive data being sent to or from the PDA, processed on the PDA by an application, or being stored (intentionally or unintentionally) on the PDA. The threat model also considers how the PDA changes the security model of the fixed IT system to which it is connecting.

The generic threats applicable to PDA usage fall into three classes.

Environmental threats

These are threats to the sensitive data arising from the way the PDA interacts with its environment. For instance, the confidentiality of the data may be subverted due to an architectural change required to the fixed IT network to support PDA working. Of all three generic threats, this is the most complex to decompose, as this is the one with the greatest degrees of freedom or uncertainty.

Computer security (COMPUSEC) threats

These are threats to the sensitive data (and applications) while processing occurs on the PDA – the confidentiality and integrity of the data may be subverted, for example, when the PDA is stolen, as an attacker may be able to access unprotected areas of permanent storage on the device.

Communications security (COMSEC) threats

These are threats to the sensitive data in transit between the corporate network and the PDA itself – the confidentiality of the data may be subverted by an attacker while the data is traversing an untrusted third-party network.

Environmental threats

This is the threat area with the greatest degree of uncertainty. Therefore, this is the area that requires the greatest scrutiny.

The degrees of freedom include (but are not limited to) the functionality of the hardware and the physical environments in which the PDA is used. The threat arises due to the very nature of the PDA and the way it is being used. A brief list of issues arising from these diverse threats will be presented in order to seed thought.

Threats arising due to the richness of interfaces furnished on current PDAs

The threat is amplified by the fact that the interfaces tend to be controlled by software and therefore are very difficult to turn off with any meaningful degree of assurance. These additional communications capabilities represent additional vectors through which data may be compromised.

An example of a high-assurance countermeasure against the threat arising from the presence of an infra-red (IrDA) interface is quite simply to stick a strip of black electrician’s insulating tape over the infra-red transceiver window.

Similarly, mobile devices with Bluetooth short-range communications capabilities built-in should have this function switched off as standard.

Threats arising from the use of unauthorised PDAs in corporate environments

A modern PDA can be readily configured as a covert wireless local area network (WLAN) sniffer/encryption cracker.

This enables it to pick up data being transmitted locally, posing a threat to nearby corporate wireless networks. It is therefore necessary to control PDAs in the vicinity of vulnerable corporate IT networks as much as possible.

Threats arising from the use of the PDA in busy environments in which we are able to exercise little or no security control

An example of this is ‘shoulder surfing’ on a train, the simple act of someone reading the screen and key-strokes over the shoulder of the user. This type of threat can be mitigated with good security operating procedures, supported by user training. In addition, specific physical countermeasures can be used, such as polarising viewing film on the screen, so that the acceptance angle of the screen is very small and lies very close to the perpendicular of the plane of the screen.

Some PDA hardware vendors have fixed-gateway products as part of their enterprise solutions, which are intended to manage the communication between the enterprise environment and the ‘fleet’ of PDAs in the field. The use of these products introduces the possibility of additional vulnerabilities, which will need to be countered if the risk is to be managed.

Giving bona fide users the ability to access the enterprise network with PDAs may also make it easier for hackers to do likewise. This may affect the threat profile of the fixed network. The simple connection of a PDA to a fixed computer via the universal serial bus (USB) for the purposes of synchronisation also introduces additional threat vectors.

COMPUSEC threats

If the assertion is made that the baseline security of the PDA is no worse than an ‘isotropic’ fixed equivalent (that is to say, good identification/authentication, a robust system-accounting policy and so on), the additional PDA threats that arise can be attributed to the large amounts of sensitive data being stored and/or the use of sensitive applications.

The use of these applications and data takes place in a security context of heightened threat compared to a fixed device context – most commonly, desktop PCs in an office wired to the corporate network. A straightforward example is the use of a PDA on a busy train: there is an increased risk of theft of the complete device compared to the fixed context in which there is a much greater degree of physical protection from potential threats.

These arguments enable us to postulate that we need to look after the data and applications on the PDA, using countermeasures such as password-controlled access to device processing and also password-controlled access to device data. The nature of the countermeasure may need to be subtly different depending on the technology being used but, in general, will rely on some form of encryption as well to protect the data on the device, unless valid access credentials are presented.

Therefore, the arguments presented in the COMSEC section below apply – that is, the strength and therefore assurance of the implementation can only be derived after an objective assessment of all of the aspects of the cryptographic implementation.

COMSEC threats

The general countermeasure to COMSEC threats is the use of cryptography, sometimes supported by additional transmission security (TRANSEC) measures, such as transmission padding, to make sure that every ‘block’ of data transmitted is of a fixed size. This ensures that the encrypted data transmitted does not provide clues to its contents simply by an attacker being able to see the variable size of blocks.
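The fixed-size transmission padding described above, as an added example that is not from the original article: each message is placed in a block of constant size before encryption, with a length prefix so the receiver can strip the random fill. The block size and the sample messages are constructed for the demonstration.

```python
import os
import struct

# Constructed example parameters: a real deployment sizes the block to the
# link's MTU and the longest message it must carry.
BLOCK_SIZE = 256
LEN_FIELD = struct.calcsize(">H")  # 2-byte big-endian length prefix


def pad_fixed(msg: bytes, size: int = BLOCK_SIZE) -> bytes:
    """Encode msg into exactly `size` bytes: length prefix, payload, random fill.

    Random fill rather than zeros means the padding itself carries no pattern
    should the cipher in use ever leak plaintext structure.
    """
    capacity = size - LEN_FIELD
    if len(msg) > capacity:
        raise ValueError(f"message of {len(msg)} bytes exceeds block capacity {capacity}")
    fill = os.urandom(capacity - len(msg))
    return struct.pack(">H", len(msg)) + msg + fill


def unpad_fixed(block: bytes, size: int = BLOCK_SIZE) -> bytes:
    """Recover the payload; reject anything that is not a well-formed block."""
    if len(block) != size:
        raise ValueError("block has wrong length")
    (n,) = struct.unpack(">H", block[:LEN_FIELD])
    if n > size - LEN_FIELD:
        raise ValueError("length prefix exceeds block capacity")
    return block[LEN_FIELD:LEN_FIELD + n]


def wire_lengths(messages, pad: bool) -> list[int]:
    """Sizes an eavesdropper sees on the wire, assuming a cipher whose output
    length tracks its input (true of stream ciphers and, to within a few bytes,
    of TLS records and IPsec ESP packets)."""
    return [len(pad_fixed(m)) if pad else len(m) for m in messages]


# Constructed sample traffic: replies whose lengths alone reveal which one
# was sent, even though every byte of content is encrypted.
SAMPLE_MESSAGES = [b"yes", b"no", b"Meet at 09:30 in room 4B; bring the tender documents."]

if __name__ == "__main__":
    print("unpadded:", wire_lengths(SAMPLE_MESSAGES, pad=False))
    print("padded:  ", wire_lengths(SAMPLE_MESSAGES, pad=True))
```

Messages longer than one block must be fragmented into several blocks (and idle periods filled with dummy blocks) for the same protection to hold.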

It is worth noting that while some vendors relate the efficacy of cryptography to specific aspects, such as algorithm and key length, there are many other facets of cryptography that can affect its security (see figure one).

Therefore, in order to gain objective assurance of the cryptography in use, the complete implementation should be considered with a rigour that is commensurate with the value of the data that is being protected.

Depending on the assurance required of the barrier, PDAs with industry-standard operating systems using Transport Layer Security (TLS), or its forerunner, Secure Socket Layer (SSL) and IP Security (IPsec), are options. However, care should be taken in the configuration of these mechanisms.

In all cases, the design of the COMSEC system should be considered in light of the key security claims of functionality. These claims should then be evaluated in some meaningful way in order to gain an appropriate level of security assurance.

For higher assurance requirements, TLS/SSL/IPsec-based solutions may not be appropriate. Instead, the system designer may need to look at a FIPS 140-evaluated cryptography product or alternative formal cryptographic evaluation schemes. FIPS 140 is one of the US Federal Information Processing Standards covering encryption.

Identifying countermeasures

Countermeasures for environmental threats

It is difficult to propose specific countermeasures for this genre of threat, as the deployed architectures will be specific to the individual business requirements of the enterprise.

However, a number of high-level principles can be asserted which will help in making the risk of operating PDAs more manageable:

1. Do not allow unauthorised PDAs into sensitive environments;

2. Be sure that the remote entities accessing fixed infrastructure are who or what they declare themselves to be. This is an authentication issue. Designers should ensure that an authentication mechanism of some strength is used to filter out unauthorised remote access requests;

3. For the functions and facilities which are present with the PDA hardware, make sure that unused functions and facilities, such as Bluetooth connectivity, for example, are turned off. If possible, turn the features off in hardware as opposed to software, as this provides higher assurance;

4. Test vendors’ security claims by subjecting the end-to-end architectures to security testing in a controlled, benign environment.

Countermeasures for COMSEC threats

The main countermeasure to COMSEC threats is the use of appropriate strength cryptography. This will protect both the confidentiality and the integrity of the information in transit.

Countermeasures for COMPUSEC threats

The main COMPUSEC countermeasure is the use of an appropriate grade of cryptography to protect the sensitive data while on the device. The effectiveness of this countermeasure is greatly dependent on the implementation of the PDA itself, in particular the assertion that only known executables may run. Many operating system vendors are working to provide trusted-execution functionality as part of a standard feature set – usually, this is based on digital signatures of applications.

The value of data

These countermeasures in themselves may constitute any one or a combination of technical, physical, procedural or personnel approaches. The strength of each countermeasure must be commensurate with the value of the data being processed, of course.

This valuation of data must consider its confidentiality, integrity and availability, particularly in light of the impact of a security breach. Furthermore, the security designer should consider the value for money expected from the countermeasure in question. In other words, what real security benefit (assurance) does a specific barrier yield per unit cost?

Of all three genres of threat vector discussed in this paper, the threats arising from the PDA environment are the most difficult to quantify and therefore counter.

However, countermeasures to bear in mind which can provide massive value for money in return for security effort are:

* Penetration testing – attempts to subvert the end-to-end security for the purpose of improvement. This should be done as part of a frequently recurring exercise, so that new, evolving threats may be addressed, as well as technology refresh priorities;

* Top-down system security decomposition – considering the security aspects in the context of a published security framework, which should ensure that all aspects of security are addressed.

These countermeasures when deployed as part of a holistic security framework should make the risks associated with corporate use of mobile PDAs more manageable.

The user/owner of the data must perform the ultimate valuation of their own data, but with use of the countermeasures discussed, mobile messaging and processing of sensitive data on PDAs is addressed in a secure and satisfactory fashion.

Paul Orlowski is an experienced technical consultant and INFOSEC engineer. He is currently part of consultancy VEGA’s technical security group, specialising in assurance of technical security countermeasures and system accreditation, predominantly in the market areas of defence and government. He can be contacted at security@vega.co.uk.


Security concerns threaten enterprise rollout of mobile technology

Security concerns are the biggest obstacle to the widespread adoption of wireless and remote computing in businesses worldwide today, according to a 2006 global survey conducted by the Economist Intelligence Unit and sponsored by IT security specialist Symantec. More than 60 per cent of companies are holding back on mobile deployment, citing security concerns, the survey found.

Close to 47 per cent of respondents cite cost and complexity as a major obstacle to deployment. And almost one in five businesses has already experienced financial loss due to attacks via mobile data platforms.

The Economist Intelligence Unit’s research highlighted serious weaknesses in firms’ present security arrangements for mobile devices. While 82 per cent of businesses worldwide indicate that they see the damage from virus attacks as the same or greater on a mobile network than on a fixed network, only 26 per cent have actually assessed security risks of smart phones, compared with 81 per cent of enterprises conducting security assessments for laptops.

Despite the proliferation of mobile device use in the enterprise, only nine per cent of companies have incorporated a comprehensive security architecture designed to include mobile device access. Of the rest, ten per cent of companies have no measures for addressing mobile security, 39 per cent are granting mobile devices access to corporate networks on an ad hoc basis and another 39 per cent are integrating mobile devices into their existing fixed-network security architecture.

“It’s prudent to gain experience in mobile deployments and security before a serious attack makes it mandatory and time critical,” says Paul Miller, director of mobile and wireless solutions at Symantec.

Copyright ©1994-2005 Ark Group Ltd All rights reserved. No part of this site or the publications described herein
may be reproduced in any form without the permission of Ark Conferences Ltd, Registered in England, No. 2931372.