Information Security Office

advertisement
Palm Pilots / PDAs / Cell
Phones/ Wireless Security
Information Security Office
Don’t Compromise
Your PDA!
What information
on the device can
be compromised
Everything! –
Contacts/clients;
meetings; patient
data; legal and
financial information
Information Security Office
Confidentiality
Solutions
Passwords – good
first line defense
User ID/Power –
passwords
– Alphanumeric
– Non
alphanumeric
– 8 Character
– Problems – data
not encrypted
Security specific
software
Information Security Office
Some Common Sense
The lonely PDA…not for
long
Left on a desk
Left on an airplane
Dropped from a pocket or
bag
Stolen!
The PDA and all its
contents immediately are
released to another
individual unless protected
SECURITY IS
PARAMOUNT!
Information Security Office
Are You Protected?
Policies
Infrastructure/Network
Encryption software
Awareness
Information Security Office
Mobile and Wireless Security Issues
• Handhelds, being small, portable devices, are easily
lost or stolen. About 250K PDAs were lost in US
airports during 2002.(Gartner report)
• Handhelds are frequently used in hostile environments
like hotspots, customer sites, business partner offices,
and industry conferences.
• Attackers are drawn to locations where business
travelers gather, because targets are more plentiful
and it is easier to go unnoticed.
Information Security Office
• Security features limited - Handheld
devices have simpler user interfaces and
less CPU, storage, memory, and network
bandwidth than desktops or laptops.
• Inherently harder to manage.
– Not continuously connected
• More difficult to enforce security policies and
monitor security events.
• Handhelds often ship with security
features disabled by default.
Information Security Office
Threats
• Handhelds are also potentially vulnerable to viruses,
worms, trojans, and spyware.
• Most are Win32 viruses that can be spread from
unprotected handhelds to desktops through
synchronization, email, or file shares.
– Self-replicating worms like Bugbear, Klez, and Spida
flood email and file servers, delete registry keys, kill
processes, disable software, and carry trojans.
– Trojans can log keystrokes, launch denial of service
(DoS) zombies, or let attackers assume remote
control of infected hosts.
– Spyware in cookies and programs like Kazaa are not
overtly malicious, but leak potentially sensitive
information about your computing behavior.
Information Security Office
Threats
• Mobile phones that can download games, ring tones,
and other software have opened a new avenue for
hackers to exploit.
• Compact flash and PCMCIA cards supported by
handhelds can store 5 GB or more. These removable
cards (and their contents) are easily “borrowed” or
stolen.
• According to CERIAS, networked handhelds are less
resistant to common TCP denial of service attacks
because their limited resources are easily exhausted.
Information Security Office
Practical Security Strategies
for Pocket PCs
• Set power-on passwords. According to Gartner, the
biggest risk associated with Pocket PCs is that no
power-on password is required by default.
• Use mobile firewall to block unauthorized handheld
network activity
– Defends against port scans, unauthorized requests,
unwanted peer-to-peer connections, denial of
service floods, and other network-borne attacks.
Information Security Office
Practical Security Strategies for
Pocket PCs
• Encrypt sensitive values, database records, key
files and folders, or entire compact flash cards..
• Protect traffic sent and received by handhelds.
Consider encrypted, authenticated VPN tunnels to
ensure the privacy and integrity of communication
between handhelds and connected networks.
• If credentials must be saved on a handheld,
encrypt them.
• Detect and eradicate viruses.
• Backup handheld data regularly. Frequent
backups can reduce loss of data and downtime
when a Pocket PC is lost, stolen, wiped clean, or
damaged beyond repair.
Information Security Office
How Data Is Stored
• Digitally as tiny magnetized regions, called
bits
• Hard drives store this on a platter, like a CD
• Data can be extracted from ANY
electronic/digital source (floppy, cd, dvd, zip
disks, removable media, hard drives, flash
memory, thumb drive, usb drives, printer
memory, blackberry, pda, XBOX, tivo, etc.)
• Once data is written, it remains until disk is
wiped or overwritten by other information
Information Security Office
25 August 2003 - Used Blackberry
Contained Proprietary Information
A man who bought a BlackBerry on eBay for $15.50 found that
the wireless device contained a database of over 1,000 names,
e-mail addresses and phone numbers of Morgan Stanley
executives, as well as more than 200 internal Morgan Stanley
e-mails.
The seller is a former VP of mergers and acquisitions who had left
the company. He said he had removed the battery months before
selling the BlackBerry and assumed the data had been erased.
Information Security Office
Controls
• Information that is placed on device
• Security configuration including
software used to protect the information
• Does the device synchronize with
others - Admin rights?
• Modes of operation
– Wireless
– Infrared
Information Security Office
Controls
• No upload/download via infrared or wireless while
connected to desktop networked PC
• Use infrared only for authorized data transfers
• PDA”S not to be left unattended while attached to
a computer
• PDA’s secured with password protection while
not in use
• User takes responsible steps to prevent loss or
theft of device
• Regularly sync device so that appropriate
security files (virus signature) are updated
Information Security Office
Awareness
• Physical security of device
• A strong password (eight characters, mixture of
numbers, letters and special characters)
• Information to be stored on device
• Procedure to follow if device is lost or stolen
• Firewall
• Record, in the event PDA is lost or stolen:
– Serial number
– Make and model
Information Security Office
Wireless Security
WIRELESS DATA CONNECTIVITY GUIDELINE
http://www.telcom.arizona.edu/WLAN-Guide.html
Information Security Office
Information Security Office
What Is This Phenomenon of Drive-by
Hacking?
• Hacker taps into a network using a wireless device.
• Got its name because a hacker can literally construct
a device, that will allow them to park in front of a
building and gain access to a network while sitting in
the car.
• Relative ease of uncovering this vulnerability and
gaining access to a company's unsecured network
can be likened to installing a wireless LAN jack in
your parking lot (access to everyone).
Information Security Office
What Does It Mean to Do "War Driving"?
• Need a device capable of receiving an 802.11b
signal (the wireless standard)
• A device capable of locating itself on a map
• Software that will log data from the second when a
network is detected by the first.
• You then move these devices from place to place,
letting them do their job.
• Over time, you build up a database comprised of the
network name, signal strength, location, and
ip/namespace in use. You may even log packet
samples and probe the access point for data
available via SNMP.
Information Security Office
Is This a New Security Vulnerability?
• The security community has known about this
vulnerability for a couple of years, but only recently
has it become more widely known and popular.
• Freeware programs can be downloaded that
automate finding and cracking wireless networks;
combining this with the rapidly increasing use of
802.11 due to low cost components hitting the market
makes it a big issue today.
Information Security Office
Why Is It Easy to Get Into a Wireless
Network?
• The most common wireless local area network is built
based on a standard known as 802.11.
• The security function of this technology has been
demonstrated to be inadequate when challenged by
simple hacking attempts.
• In addition, products sold with this technology are
often delivered with security functionality disabled.
Information Security Office
Does the WEP Encryption Option Built
Into 802.11 Make Me Secure?
• Not really. The 802.11 standards include a security
component called Wired Equivalent Privacy, or WEP,
and a second standard called Shared Key
Authentication.
• WEP defines how clients and access points identify
each other and communicate securely using secret
keys and encryption algorithms.
• Although the algorithms used are well understood and
not considered weak, the way in which they are used,
in particular the way keys are managed, has resulted
in a number of easily exploitable weaknesses.
• On top of this, it is estimated that approximately only
30% of 802.11 networks use WEP encryption or have
turned on the option to enable WEP encryption-this is
based on anecdotal evidence of war driving
experiences that people have posted on the Internet.
Information Security Office
Will Banning Wireless Devices From Our
Network Make Us More Secure?
• Wireless access points are now so affordable that people are
using them for convenience everywhere.
• For example, someone may have a wireless device connected
to their home computer, and that computer may also be dialed
into the university network.
• This introduces a rogue access point to the corporate network
that was not part of the original architecture and is likely
unknown to network administrators.
• Another scenario may be that an individual or department may
set up a wireless network inside the university firewall—again
establishing rogue access points that you do not know about.
Information Security Office
What Can I Do to Make Our Network
More Secure?
• You need to layer more security on top of any
wireless 802.11 system.
• By having security conscious mindset and following a
few policy guidelines, a wireless network can be
secure.
• By implementing a sound security policy and
following with thorough enforcement of that policy, we
are better equipped to face the security challenges
that wireless technology presents.
•
Information Security Office
Possible Solutions Include
• Using a VPN (virtual private network).
– VPNs are used with digital IDs to achieve strong user
identification.
– VPN also provides the added benefit of establishing an
encrypted tunnel from a client machine right through to the
server.
• The use of encryption as an added security measure can be
considered.
– Requires user knowledge and use of an assigned key that must
be changed periodically by central IT staff.
– Users must be notified of each key change.
– Nothing prevents a user from sharing the encryption key with an
outsider.
– Research indicates wireless encryption methods are easily
broken.
• Regardless of security measures, data transmitted via a
wireless network can be intercepted. Users are advised to
avoid the transmission of sensitive data across this network.
Information Security Office
Wireless Security Data Connectivity
Guideline
• Describes how wireless technologies are to be:
– implemented
– administered,
– and supported at the University of Arizona campus.
• Supplements the guidelines in the CCIT
Computer and Network Usage Policy
– by adding specific content addressing wireless data
connectivity
– the resolution of interference issues that might arise
during use of specific frequencies.
• Desire for campus constituencies to:
– deploy wireless technologies with a central
administrative
– encourage all constituents to deploy such systems with
an acceptable level of service quality and security.
Information Security Office
Scope of Service
Guideline defines the roles of the
campus units and Telecommunications
for deploying and administering the
wireless infrastructure for the campus.
Information Security Office
Network Reliability
• Function both of the level of user congestion (traffic loads)
and service availability (interference and coverage).
• Guideline establishes a method for resolving conflicts that
may arise from the use of the wireless spectrum.
• Approaches the shared use of the wireless radio frequencies
in the same way that it manages the shared use of the wired
network.
• CCIT will respond to reports of specific devices that are
suspected of causing interference and disrupting the campus
network.
• Where interference between the campus network and other
devices cannot be resolved, Telecommunications reserves
the right to restrict the use of all wireless devices in
university-owned buildings and all outdoor spaces.
Information Security Office
Security
• The maintenance of the security and
integrity of the campus network requires
adequate means of ensuring that only
authorized users are able to use the
network.
• Wireless devices utilizing the campus
wired infrastructure must meet certain
standards to insure only authorized and
authenticated users connect to the
campus network and that institutional data
used by campus users and systems not be
exposed to unauthorized viewers.
Information Security Office
Campus Units Responsibilities
• Responsible for adhering to Wireless Communications
Guidelines.
• Responsible for managing access points within departmental
space and assuring proper network security is implemented.
• Responsible for registering wireless access point hardware,
software & deployments with Telecommunications.
• Responsible for informing wireless users of security and
privacy guidelines & procedures related to the use of wireless
communications.
• Responsible for monitoring performance and security of all
wireless networks within departmental control as required to
prevent unauthorized access to the campus network.
Information Security Office
Draft Wireless Security Standards
Due to the lack of privacy of network
communication over existing wireless network
technology, all wireless traffic is presumed to be
insecure and susceptible to unauthorized
examination.
• Authentication
• Security Awareness
• Monitoring and Reporting
Information Security Office
Authentication
Access to wireless network connectivity should be limited to
authenticated users and authorized wireless client devices.
Authentication may be performed based on the following
requirements:
All authorized wireless network users will be required to be
authenticated and operate through the campus VPN.
All authorized wireless network users must register the MAC
address of the wireless network interface card (NIC) to the
local or campus Dynamic Host Configuration Protocol (DHCP)
service.
Wireless NICs and user accounts are not to be shared. (See
Network Usage policy)
Users are prohibited from using wireless network technology
to access critical and essential applications without the
wireless network connections being appropriately encrypted.
Information Security Office
Security Awareness
All wireless network managers should be aware of the
following issues:
•Authentication for wireless network access protection
of passwords
•Authorized use of wireless network technology
wireless interference issues
•Privacy limitations of wireless technology
•Report wireless network service problems
•Respond to a suspected privacy violation
•Revoke DHCP registration due to termination of
affiliation with University.
Information Security Office
Monitoring and Reporting
The use of wireless network technology is to be monitored on a
regular basis for security and performance.
Authentication, authorization and usage and wireless network
performance reports are to be made on an individual basis
·
Any unusual wireless network event that may reflect unauthorized
use of wireless network services will be immediately reported by
the wireless system administrator to the campus Security Incident
Response Team (SIRT) for review and, if appropriate,
investigation.
Information Security Office
The key to security awareness is
embedded in the word security………….
SEC-
-Y
If not you, who? If not now, when?
Information Security Office
Resources at the University of Arizona
Kerio Firewall
https://sitelicense.arizona.edu/kerio/kerio.shtml
Sophos Anti Virus
https://sitelicense.arizona.edu/sophos/sophos.html
VPN client software
https://sitelicense.arizona.edu/vpn/vpn.shtml
Policies, Procedures and Guidelines
http://w3.arizona.edu/~policy/
Security Awareness
http://security.arizona.edu/awareness.html
Information Security Office
University Information Security
Office
Bob Lancaster
University
Information Security Officer
Co-Director – CCIT, Telecommunications
Lancaster@arizona.edu
621-4482
Security Incident Response Team (SIRT)
sirt@arizona.edu
626-0100
Kelley Bogart
Information
Security Office Analyst
Bogartk@u.arizona.edu
626-8232
Information Security Office
Download