Protecting the Physical Interface

Protecting physical access to the device is an instrumental part of your system's security. Restricting access to something that is mobile rather than stationary is tricky. To minimize the potential damage caused by unauthorized physical access, attention should be paid to the code governing the user interface and to all data stored on the device. By designing protection mechanisms into the device, you can prepare for worst-case scenarios of unauthorized and malicious physical access.

Protecting Access to the User Interface

We will not cover this vulnerability in great detail because it is being addressed by the manufacturers. They are making strides to mitigate this risk by providing protective cases, flip-up covers, and impervious membranes, by locking the keyboard/keypad, and by ruggedizing cases.

Protecting Personal Data on the PDA

We will examine the protection of personal data by looking at the various roles identified, similar to the approach we took in identifying the vulnerabilities. We also restate the vulnerability so that you do not have to refer to Chapter 6, "Cryptography." This approach need not be taken with every vulnerability, but it helps ensure completeness.

Malicious Device Support Personnel

Personal data stored on the device can be vulnerable to malicious device support personnel when the device is taken in for upgrades, maintenance, or repair. These support personnel may have access to manufacturer bypass and diagnostic codes, equipment, or utilities that allow them access to personal data stored on the device.

Poor or inexperienced device support personnel may inadvertently leave the device in a security bypass or diagnostic mode, leaving personal data vulnerable.

- Have all maintenance and support activities performed by maintenance teams with rotating members, rather than by individuals. This limits the opportunity for support personnel with malicious intent to exploit their privileged access. By rotating team members, alliances that encourage malicious activity are less likely to form.

- An alternative to teams would be video monitoring of work areas. Security or managerial personnel monitor support activities to ensure the device's integrity.

- Institute a checklist and an oversight procedure for processing devices that are in for support, to ensure that all security bypass or diagnostic modes have been properly reset to operational settings. This prevents poor or inexperienced personnel from inadvertently leaving the device vulnerable.

- Make the personal data inaccessible even if someone does have privileged access. This can be accomplished by storing all personal data on the device in encrypted form. As long as the encryption is cryptographically sound, it will be extremely difficult for someone to obtain useful personal information from the device.

- Following on the preceding track of making the personal data inaccessible, store all personal data on a removable device such as a SmartCard. The SmartCard provides authentication before allowing access to the personal data. Also, the SmartCard can directly communicate the personal information (such as a credit card number) with the application requiring the information.

- Price the device so that obtaining a new one is more cost-effective than repairing the old unit.

Malicious App Developer

Malicious application developers can create viruses or Trojan Horse utilities or programs that provide access to personal data on the PDA.

Poor or inexperienced application developers may not take appropriate security measures regarding their particular application (such as not clearing buffers and overwriting data elements), leaving personal data stored on the device vulnerable.

- Institute a certification program, enforced by the OS, allowing only digitally signed code from authorized certifiers to be loaded on the device. This would require that the software be examined by the device manufacturer or an independent third party to validate that the software is secure and reliable and functions as advertised. This certification would also digitally sign the code to ensure the code's (and certificate's) authenticity and integrity.

- Implement a trusted OS on the device that establishes virtual environments for programs. The program believes that it has complete and direct access to the device's resources, but the OS continually monitors and processes the requests on the program's behalf. In this way, should the program attempt to do something untoward, the OS can simply return an error or otherwise keep the activity from occurring.

- Have the device perform a hardware resident integrity check of the device and the OS to ensure that the device's integrity is intact before initializing the system. (This is a result of the preceding protection and can be implied from the term trusted OS, but we specifically choose to list this separately because it has other uses.)
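An added example, not code from the book, of the loader side of the certification program described in the first item above: the OS holds the public keys of the certifiers it trusts and loads a package only if its signature verifies under one of them. Ed25519 is the assumed signature scheme, and the certifier names, keys and package bytes are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Certifier is an authorized certifier whose public key the OS trusts. On a real
// device the trusted set would sit in read-only storage; here it is built in memory.
type Certifier struct {
	Name string
	Pub  ed25519.PublicKey
}

// SignedCode is an application package as it arrives on the device.
type SignedCode struct {
	Name      string
	Code      []byte
	Certifier string // certifier that claims to have examined and signed it
	Sig       []byte // Ed25519 signature over packageDigest(Name, Code)
}

var (
	ErrUnknownCertifier = errors.New("certifier is not in the trusted set")
	ErrBadSignature     = errors.New("signature does not verify over this package")
)

// packageDigest binds the package name to its code so that a signature issued
// for one package cannot be transplanted onto another.
func packageDigest(name string, code []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator between name and code
	h.Write(code)
	return h.Sum(nil)
}

// Certify is the certifier's step: having examined the code, it signs the digest.
func Certify(priv ed25519.PrivateKey, name string, code []byte) []byte {
	return ed25519.Sign(priv, packageDigest(name, code))
}

// Loader is the OS-enforced policy: code loads only with a valid signature from a trusted certifier.
type Loader struct {
	trusted map[string]ed25519.PublicKey
}

func NewLoader(certs []Certifier) *Loader {
	l := &Loader{trusted: make(map[string]ed25519.PublicKey)}
	for _, c := range certs {
		l.trusted[c.Name] = c.Pub
	}
	return l
}

// Authorize returns nil only when the package may be loaded.
func (l *Loader) Authorize(p SignedCode) error {
	pub, ok := l.trusted[p.Certifier]
	if !ok {
		return ErrUnknownCertifier
	}
	if !ed25519.Verify(pub, packageDigest(p.Name, p.Code), p.Sig) {
		return ErrBadSignature
	}
	return nil
}

// Scenario builds one trusted certifier and one outsider, then asks the loader
// about four packages. Keys and code bytes are constructed for the example.
func Scenario() map[string]error {
	certPub, certPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, outsiderPriv, _ := ed25519.GenerateKey(rand.Reader)
	loader := NewLoader([]Certifier{{Name: "DeviceMaker-Cert", Pub: certPub}})
	code := []byte("original application image")
	good := SignedCode{Name: "contacts", Code: code, Certifier: "DeviceMaker-Cert",
		Sig: Certify(certPriv, "contacts", code)}
	tampered := good // modified after certification, signature left as-is
	tampered.Code = []byte("original application image + unreviewed patch")
	impersonator := good // claims the trusted certifier but signed with another key
	impersonator.Sig = Certify(outsiderPriv, "contacts", code)
	unknown := good // signed by a certifier the device does not trust
	unknown.Certifier, unknown.Sig = "Outsider-Cert", impersonator.Sig
	return map[string]error{
		"certified":    loader.Authorize(good),
		"tampered":     loader.Authorize(tampered),
		"impersonator": loader.Authorize(impersonator),
		"unknown":      loader.Authorize(unknown),
	}
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-13s -> %v\n", name, err)
	}
}
```

Binding the package name into the signed digest is what stops a signature issued for one certified package from being attached to a renamed or substituted one.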

Malicious App Support Personnel

Malicious application support personnel may coerce the user via social engineering to provide access, or information necessary for access, to personal data under the auspices of assisting with an application issue. Alternatively, malicious app support personnel may enable debug or other diagnostic switches within the software that disable security mechanisms present in the device or software.

Poor or inexperienced app support personnel may inadvertently leave debug or diagnostic switches enabled following a support activity, leaving the personal data vulnerable.

Logically enough, the protections applicable to this role are a combination of those for the malicious device support personnel and the malicious app developer.

- Have all maintenance and support activities performed by maintenance teams with rotating members, rather than by individuals. This limits the opportunity for support personnel with malicious intent to exploit their privileged access.

- Institute a checklist and an oversight procedure for processing devices that are in for support, to ensure that all security bypass or diagnostic modes have been properly reset to operational settings.

- Store all personal data on the device in encrypted form. As long as the encryption is cryptographically sound, it will be extremely difficult for someone to obtain useful personal information from the device.

- Store all personal data on a removable device, such as a SmartCard. The SmartCard provides authentication before allowing access to the personal data.

- Institute a certification program, enforced by the OS, allowing only digitally signed code from authorized certifiers to be loaded on the device. This would require that the software be examined by the device manufacturer or an independent third party to validate that the software is secure and reliable and functions as advertised. This certification would also digitally sign the code to ensure the code's (and certificate's) authenticity and integrity.

- Implement a trusted OS on the device that establishes virtual environments for programs. The program believes that it has complete and direct access to the device's resources, but the OS continually monitors and processes the requests on the program's behalf. In this way, should the program attempt to do something untoward, the OS can simply return an error or otherwise keep the activity from occurring.

- Have the device perform a hardware resident integrity check of the device and the OS to ensure that the device's integrity is intact before initializing the system.

Malicious User

Personal data is vulnerable to a malicious user who has gained access to the device. Recall that malicious user is a catchall term encompassing a variety of activities. Although this simple statement is adequate for describing the vulnerability, the complexity of the role may become important when generating mitigations and protections or performing the security-functionality trade-offs, and it should not be forgotten. For example, a malicious user may pose as a member of one of the legitimate functional roles and become the functional equivalent of one of the malicious roles listed above.

Because the malicious user may pose as a member of one of the legitimate functional roles and thereby become the functional equivalent of one of the malicious roles listed above, each of the preceding protections applies here as well. Therefore, we list only protections not previously covered under the other roles:

- Shield the device from physical and nonphysical technical attacks against memory, data emanation, power analysis, and the like. Most of these issues are beyond the scope of this book, so suffice it to say that if these types of issues are of concern in your particular application or architecture, you have to become involved with the manufacturer to determine the susceptibility of a given component or device to such attacks.

- Make the device hardware tamper-proof by not allowing the case to be opened without destroying or clearing the memory.

- Have the device perform a hardware resident integrity check of the device and the OS to ensure that the device's integrity is intact before initializing the system.

Protecting Corporate or Third-Party Information

From a vulnerability perspective, no distinction exists between corporate or third-party information and personal data. There may be some distinction when it comes to the security-functionality trade-offs.

The protections likewise make no distinction between corporate or third-party information and personal data.

Protecting Personal Data Being Sent by the Wireless Device

The target here is the same personal data discussed in the preceding section, but now as it is in transit. You will notice that all the preceding roles are present, plus a few others that arise from the increased exposure of the data during transport.

Malicious Wireless Service Provider (WSP)

Recall the office complex case study example in Chapter 9, "Identify Targets and Roles," in which a company provides gratis access to a client, only to monitor the client's activities.

- Encrypt the data to be transmitted so that only the desired recipient can decrypt it.

Malicious Device Support Personnel

Personal data transmitted by the device may be made vulnerable by malicious device support personnel when the device is taken in for upgrades, maintenance, or repair. These support personnel may have access to manufacturer bypass and diagnostic codes, equipment, or utilities that allow them to intentionally bypass security features, leaving personal data transmitted by the device vulnerable.

Poor or inexperienced device support personnel may inadvertently leave the device in a security bypass or diagnostic mode, making personal data vulnerable during transit.

- Have all maintenance and support activities performed by maintenance teams with rotating members, rather than by individuals. This limits the opportunity for support personnel with malicious intent to exploit their privileged access.

- Institute a checklist and an oversight procedure for processing devices that are in for support, to ensure that all security bypass or diagnostic modes have been properly reset to operational settings.

- Encrypt the data to be transmitted so that only the desired recipient can decrypt it.

- Have the device perform a hardware resident integrity check of the device and the OS to ensure that the device's integrity is intact before initializing the system. This ensures that critical procedures such as the encryption applications have not been disabled or tampered with.

- Price the device so that obtaining a new one is more cost-effective than repairing the old unit.

Malicious WSP OMS Personnel

Personal data transmitted by the device is vulnerable to malicious WSP OMS personnel who have access to the WSP transceiver and wireless network equipment.

- Have all maintenance and support activities performed by maintenance teams with rotating members, rather than by individuals. This limits the opportunity for support personnel with malicious intent to exploit their privileged access.

- Encrypt the data to be transmitted so that only the desired recipient can decrypt it.

Malicious App Developer

Malicious application developers may create viruses or Trojan Horse utilities or programs that cause the transmitted data to be vulnerable. An example would be an encryption utility containing nonunique or known keys. To the user, the data appears encrypted, but it is readily accessible to unauthorized individuals who know the key. Alternatively, an e-mail utility may send a blind copy of every message sent or received by the device to a predefined address.

Poor or inexperienced application developers may not take appropriate security measures regarding their particular application, leaving personal data vulnerable during transit.

- Institute a certification program, enforced by the OS, allowing only digitally signed code from authorized certifiers to be loaded on the device. This requires that the software be examined by the device manufacturer or an independent third party to validate that the software is secure and reliable and functions as advertised. This certification would also digitally sign the code to ensure the code's (and certificate's) authenticity and integrity.

- Implement a trusted OS on the device that establishes virtual environments for programs. The program believes that it has complete and direct access to the device's resources, but the OS continually monitors and processes the requests on the program's behalf. In this way, should the program attempt to do something untoward, the OS can simply return an error or otherwise keep the activity from occurring.

- Have the device perform a hardware resident integrity check of the device, OS, and critical software to ensure that the device's integrity is intact before initializing the system.

- Store all personal data on the device in encrypted form.

- Store all personal data on a removable device such as a SmartCard. The SmartCard provides authentication before allowing access to the personal data. Have the SmartCard perform the communication activity itself so that the device is merely a conduit.

- Encrypt the data to be transmitted so that only the desired recipient can decrypt it.

Malicious App Support Personnel

Malicious application support personnel may coerce the user via social engineering to provide access, or information necessary for access, to personal data under the auspices of assisting with an application issue. Alternatively, malicious app support personnel may enable debug or other diagnostic switches within the software that disable security mechanisms present in the device or software.

Poor or inexperienced app support personnel may inadvertently leave debug or diagnostic switches enabled at the conclusion of a support activity, leaving the personal data vulnerable during transit.

- Have all maintenance and support activities performed by maintenance teams with rotating members, rather than by individuals. This limits the opportunity for support personnel with malicious intent to exploit their privileged access.

- Institute a checklist and an oversight procedure for processing devices that are in for support, to ensure that all security bypass or diagnostic modes have been properly reset to operational settings.

- Store all personal data on the device in encrypted form.

- Store all personal data on a removable device such as a SmartCard. The SmartCard provides authentication before allowing access to the personal data. Have the SmartCard perform the communication activity itself so that the device is merely a conduit.

- Institute a certification program, enforced by the OS, allowing only digitally signed code from authorized certifiers to be loaded on the device. This would require that the software be examined by the device manufacturer or an independent third party to validate that the software is secure and reliable and functions as advertised. This certification would also digitally sign the code to ensure the code's (and certificate's) authenticity and integrity.

- Implement a trusted OS on the device that establishes virtual environments for programs. The program believes that it has complete and direct access to the device's resources, but the OS continually monitors and processes the requests on the program's behalf. In this way, should the program attempt to do something untoward, the OS can simply return an error or otherwise keep the activity from occurring.

- Have the device perform a hardware resident integrity check of the device and the OS to ensure that the device's integrity is intact before initializing the system.

- Encrypt the data to be transmitted so that only the desired recipient can decrypt it.

Malicious User

Personal data is vulnerable to a malicious user who has access to, or has built a receiver that monitors, the transmission of the PDA and can reconstruct the data transmitted and received. Again, a malicious user may assume any of the preceding malicious roles to gain access necessary to exploit a vulnerability.

All the protections for the preceding roles apply here.

Protecting Corporate or Third-Party Information Being Sent

As with offline functions, from a vulnerability perspective there is no distinction between corporate or third-party information and personal data in transit.

The protections likewise make no distinction between corporate or third-party information and personal data being sent.

Protecting User Online Activities, Usage Patterns, Location, and Movement

This category can be considered a subset of or equivalent to user personal data as far as vulnerabilities are concerned.

Protection of user online activities, usage patterns, location, and movement can be treated as personal data if and while it is stored on the device. In this situation, the protections for personal data on the device apply. Protecting this information during transit, however, is a different problem altogether. The difficulty is that the wired Internet was not originally designed with security and privacy in mind. In fact, quite the opposite: it was designed as an open and available architecture for freely sharing ideas and data. Only recently, with the desire to commercialize the Internet, has the need for security and privacy become important. The requirement is to protect user information traveling on an open and accessible infrastructure.

- Encryption is the first thing that comes to mind. One solution is that you do not transmit in unencrypted form any information that specifically identifies the user. This would likely require the cooperation of application developers. Applications would have to be capable of accepting user-specific information in encrypted form. This is not as easy as it sounds. The use of encryption protects the information communicated but not the fact that the communication is occurring. To protect the user's privacy, an unauthorized party should not be able to determine that the user communicated with the server.

- Have the WSP act as a proxy server for all activity so that malicious individuals see only that a wireless user is involved. The WSP performs the routing of packets to the true user. This places a lot of additional processing burden on the WSP, and although it would solve the dilemma of providing privacy, it is unlikely that WSPs will provide this service unless consumers begin to refuse to accept service without privacy. It is the classic "We can forgo the security because consumers will demand the functionality and will give up security to get it."

Protecting Access to Network and Online Services

As used here, access to network and online services means the use of the device or information on the device to gain access to network and online services. This distinction separates it from similar activities occurring against the service provider, which we will discuss shortly.

Malicious Device Support Personnel

User network and online services access credentials are vulnerable to device support personnel who have access to the device for upgrade, maintenance, or repair purposes. Device support personnel may have access to manufacturer bypass and diagnostic codes, equipment, or utilities that give them access to network and online service access credentials on the device.

- Have all maintenance and support activities performed by maintenance teams with rotating members, rather than by individuals. This limits the opportunity for support personnel with malicious intent to exploit their privileged access.

- Utilize video monitoring of work areas so that security or managerial personnel can monitor support activities to ensure the device's integrity.

- Encrypt the credentials stored on the device, and transmit the credentials and access code in encrypted form so that only the desired recipient can decrypt the data.

- The network or online services could require some form of biometric or SmartCard authentication so that the information on the device itself is insufficient to gain access to the resources.

- Price the device so that obtaining a new one is more cost-effective than repairing the old unit.

Malicious WSP OMS Personnel

User network and online services access credentials are vulnerable to WSP OMS personnel when this information is received and processed by the WSP equipment. The user may also be coerced into providing network or online access credentials to WSP OMS personnel.

- Have all maintenance and support activities performed by maintenance teams with rotating members, rather than by individuals. This limits the opportunity for support personnel with malicious intent to exploit their privileged access.

- Implement access control and logging systems to monitor OMS personnel access to sensitive equipment and areas.

Note

Logging is beneficial only if someone examines the logs. To derive the greatest benefit from logs, they should be examined by an automated process that detects anomalies or alert conditions and sends notification to the appropriate authority.

- Utilize video monitoring of critical areas so that security or managerial personnel can monitor support activities to ensure the system's integrity.

- Encrypt the credentials stored on the device, and transmit the credentials and access code in encrypted form so that only the desired recipient can decrypt the data.

- The network or online services could require a form of biometric or SmartCard authentication so that obtaining the information on the device itself is insufficient to gain access to the resources.
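An added example, not code from the book, of the automated log examination the Note above calls for. It scans a constructed OMS access log (the line format is an assumption made for this example) and raises an alert for three of the conditions this chapter's protections describe: an individual not on the rotating team's roster entering a sensitive area, a person working in that area alone rather than as part of a team, and a diagnostic mode that the checklist should have caught still enabled when the log ends.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed sample OMS access log for this example; the line format (RFC 3339
// timestamp followed by key=value fields) is an assumption, not a real product's.
const sampleLog = `2024-03-04T09:02:11Z site=tower-17 user=alice action=enter area=switch_room
2024-03-04T09:02:40Z site=tower-17 user=bob action=enter area=switch_room
2024-03-04T09:15:03Z site=tower-17 user=alice action=diag_mode state=on
2024-03-04T10:40:51Z site=tower-17 user=alice action=diag_mode state=off
2024-03-04T10:45:00Z site=tower-17 user=alice action=exit area=switch_room
2024-03-04T10:45:10Z site=tower-17 user=bob action=exit area=switch_room
2024-03-04T23:31:07Z site=tower-17 user=carol action=enter area=switch_room
2024-03-04T23:33:20Z site=tower-17 user=carol action=diag_mode state=on
2024-03-05T00:05:44Z site=tower-17 user=carol action=exit area=switch_room`

type Alert struct {
	At   time.Time
	Kind string
	Who  string
}

// parseLine splits "<ts> k=v k=v ..." into a timestamp and a field map.
func parseLine(line string) (time.Time, map[string]string, error) {
	parts := strings.Fields(line)
	if len(parts) < 2 {
		return time.Time{}, nil, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, parts[0])
	if err != nil {
		return time.Time{}, nil, err
	}
	f := make(map[string]string)
	for _, kv := range parts[1:] {
		if k, v, ok := strings.Cut(kv, "="); ok {
			f[k] = v
		}
	}
	return ts, f, nil
}

// Analyze runs three checks over the log: a user not on the rotating team's roster,
// a user alone in a sensitive area, and diagnostic mode still on when the log ends.
func Analyze(logText string, roster map[string]bool) ([]Alert, error) {
	var alerts []Alert
	present := map[string]map[string]bool{} // site/area -> users inside
	hadCompany := map[string]bool{}          // user -> someone else was present
	diagOn := map[string]time.Time{}         // site/user -> when diag mode went on
	for _, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		ts, f, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		user, site := f["user"], f["site"]
		area := site + "/" + f["area"]
		switch f["action"] {
		case "enter":
			if !roster[user] {
				alerts = append(alerts, Alert{ts, "unauthorized-user", user})
			}
			if present[area] == nil {
				present[area] = map[string]bool{}
			}
			hadCompany[user] = len(present[area]) > 0
			for other := range present[area] {
				hadCompany[other] = true // whoever was inside now has company
			}
			present[area][user] = true
		case "exit":
			delete(present[area], user)
			if !hadCompany[user] {
				alerts = append(alerts, Alert{ts, "lone-access", user})
			}
		case "diag_mode":
			if f["state"] == "on" {
				diagOn[site+"/"+user] = ts
			} else {
				delete(diagOn, site+"/"+user)
			}
		}
	}
	for k, ts := range diagOn { // anything still on at the end of the log
		alerts = append(alerts, Alert{ts, "diag-left-on", k})
	}
	return alerts, nil
}

func main() {
	alerts, err := Analyze(sampleLog, map[string]bool{"alice": true, "bob": true})
	if err != nil {
		panic(err)
	}
	for _, a := range alerts { // in practice: notify the responsible authority
		fmt.Printf("%s %-17s %s\n", a.At.Format(time.RFC3339), a.Kind, a.Who)
	}
}
```

On the sample, alice and bob work together, within the roster, and clear diagnostic mode, so only carol's visit produces alerts; the point is that none of these conditions is visible to anyone unless something reads the log.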

Malicious App Developer

User network and online services access credentials are vulnerable to applications that can copy and store, or forward, these credentials to the developer.

- Encrypt the credentials stored on the device, and transmit the credentials and access code in encrypted form so that only the desired recipient can decrypt the data.

- The network or online services could require a form of biometric or SmartCard authentication so that obtaining the information on the device itself is insufficient to gain access to the resources.

Malicious User

Access to network and online services is vulnerable to a malicious user. A malicious user may gain access to the device and retrieve network and online services credentials to be used on another device or at a later time. A malicious user may monitor transmissions (as discussed in the "Malicious User" section under "Protecting Personal Data Being Sent by the Wireless Device") to obtain network and online services credentials. Again, a malicious user may assume any of the preceding malicious roles to gain the access necessary to exploit a vulnerability.

All the protections for the preceding roles apply here.

Protecting the Transceiver

Protecting the Transceiver Itself

Malicious Device OMS Personnel

The transceiver is vulnerable to manipulation or modification by malicious device OMS personnel.

- Have all maintenance and support activities performed by maintenance teams with rotating members, rather than by individuals. This limits the opportunity for support personnel with malicious intent to exploit their privileged access.

- Have all maintenance and support activities reviewed by a Quality Assurance/Security team where the transceiver is tested and inspected.

- Utilize video monitoring of work areas so that security or managerial personnel can monitor support activities to ensure the device's integrity.

- Make the transceiver a nonserviceable, tamper-proof component that is replaced as a unit if it fails.

- Price the device so that obtaining a new one is more cost-effective than repairing the old unit.

Malicious User

The transceiver is vulnerable to manipulation or modification by a malicious user. For example, the transceiver may be manipulated to assist a man-in-the-middle attack.

- Make the transceiver a nonserviceable, tamper-proof component that is replaced as a unit if it fails.

Protecting Vulnerabilities of the Service Provider

Protecting the Transceiver Itself

When we use the term transceiver in regard to the service provider, we are considering the transceiver system as consisting of the antenna array, tower, coax, transceiver, and switching equipment.

Malicious WSP OMS Personnel

The transceiver is vulnerable to manipulation or modification by malicious WSP OMS personnel.

- Have all maintenance and support activities performed by maintenance teams with rotating members, rather than by individuals. This limits the opportunity for support personnel with malicious intent to exploit their privileged access.

- Implement access control and logging systems to monitor OMS personnel access to sensitive equipment and areas.

- Have all maintenance and support activities reviewed by a Quality Assurance/Security team where the transceiver is tested and inspected.

- Utilize video monitoring of work areas so that security or managerial personnel can monitor support activities to ensure the transceiver's integrity.

Malicious User

The transceiver is vulnerable to manipulation or modification by a malicious user. For example, this may be done to deny service to areas or individuals at crucial times.

- Implement access control and logging systems to monitor OMS personnel access to sensitive equipment and areas.

- Utilize video monitoring of work areas so that security or managerial personnel can monitor support activities to ensure the transceiver's integrity.

Protecting the Transceiver Services

Malicious WSP OMS Personnel

The transceiver services are vulnerable to manipulation or modification by malicious WSP OMS personnel, for example, granting access to the network to unauthorized users by providing them with maintenance or diagnostic access credentials.

- Implement access control and logging systems to monitor OMS personnel access to network and sensitive areas.

- Require the use of biometric SmartCard authentication or another physical access token, in addition to any maintenance or diagnostic access credentials.

Malicious User

The transceiver is vulnerable to manipulation or modification by a malicious user. For example, a malicious user may obtain access credentials to utilize the service without paying for the privilege.

- Implement access control and logging systems to monitor OMS personnel access to sensitive equipment and areas.

- Utilize video monitoring of work areas so that security or managerial personnel can monitor support activities to ensure the transceiver's integrity.

- Require the use of biometric SmartCard authentication or another physical access token, in addition to any maintenance or diagnostic access credentials.

Protecting Access to Its Subscribers

Malicious WSP OMS Personnel

The service provider is vulnerable to WSP OMS personnel who grant access to the network and thereby its subscribers for spam or other unsolicited purposes.

- Have all maintenance and support activities performed by maintenance teams with rotating members, rather than by individuals. This limits the opportunity for support personnel with malicious intent to exploit their privileged access.

- Implement access control and logging systems to monitor OMS personnel access to sensitive equipment and areas.

- Have all maintenance and support activities reviewed by a Quality Assurance/Security team where the transceiver is tested and inspected.

- Utilize video monitoring of work areas so that security or managerial personnel can monitor support activities to ensure the integrity of the service provider's system.

Malicious Corporate and Private Servers

The service provider is vulnerable to malicious corporate or private servers that access the service provider to deliver advertising, marketing, or other spam to the service provider's subscribers.

- Do not allow subscriber information to become available to outside servers.

- Maintain subscriber information on a separate server, and require authentication for processes or entities requesting access to this server.

- Store subscriber information in encrypted form.

- Establish a firewall/proxy server so that details of the network are not available to external entities.

- Do not allow nonspecifically addressed messages to be processed by the system.

- Implement access control and logging systems to monitor access to equipment and resources.

Malicious Corporate and Private Server OMS Personnel

The service provider is vulnerable to malicious corporate or private server OMS personnel who utilize authorized servers to allow unauthorized access to subscribers. For example, a service provider's subscribers receive stock quotes as part of their service plan. OMS personnel with access to the quote server that provides this service can alter the server to deliver anything in addition to, or in place of, the stock quotes.

- Implement access control and logging systems to monitor access to equipment and resources. Prohibiting this type of abuse is problematic because the attacker is taking advantage of an authorized capability. The best the service provider can do is to have logs in place that identify this activity and report it to the server's security or administrative personnel. Alternatively, the service provider can deny any further access by that particular server or company.

Malicious Content Providers

The service provider is vulnerable to malicious content providers who use the service provider's resources to spam or otherwise deliver their payload to the subscribers.

- Do not allow subscriber information to become available to outside servers.

- Maintain subscriber information on a separate server, and require authentication for processes or entities requesting access to this server.

- Store subscriber information in encrypted form.

- Establish a firewall/proxy server so that details of the network are not available to external entities.

- Do not allow nonspecifically addressed messages to be processed by the system.

- Implement access control and logging systems to monitor access to equipment and resources.

Malicious App Developer

The service provider is vulnerable to malicious app developers who include back doors or Trojan Horse utilities or programs that the service provider uses. These app developers can then use the privileged access available to their legitimate applications to obtain illegitimate access to the subscribers.

         Institute a certification program, enforced by the OS, allowing only digitally signed code from authorized certifiers to be loaded on the service provider's systems. This would require that the software be examined by the service provider or an independent third party to validate that the software is secure and reliable and functions as advertised. This certification would also digitally sign the code to ensure the code's (and certificate's) authenticity and integrity.

         Implement a trusted OS on the service provider's systems that establishes virtual environments for programs. The program believes that it has complete and direct access to the service provider's resources, but the OS continually monitors and processes the requests on the program's behalf. In this way, should the program attempt to do something untoward, the OS can simply return an error or otherwise keep the activity from occurring.

         Have the information systems perform a hardware-resident integrity check of the system, OS, and critical software to ensure that the system's integrity is intact before initializing the system.

         Store all subscriber data on the system in encrypted form.

         Require authentication before allowing access to subscriber data. Have the access and activity on the system logged.

Malicious App Support Personnel

Service provider subscribers are vulnerable to malicious application support personnel who enable debug or other diagnostic switches within the software that disable security mechanisms present to protect access to the service provider's subscribers.

Poor or inexperienced app support personnel may inadvertently leave debug or diagnostic switches enabled at the conclusion of a support activity, leaving corporate proprietary data and resources vulnerable on the network server.

         Have all maintenance and support activities performed by maintenance teams with rotating members, rather than by individuals. This limits the opportunity for support personnel with malicious intent to exploit their privileged access.

         Institute a checklist and an oversight procedure for app support activities to ensure that all security bypass or diagnostic modes have been properly reset to operational settings.

         Store all subscriber data on the system in encrypted form.

         Institute a certification program, enforced by the OS, allowing only digitally signed code from authorized certifiers to be loaded on the system. This would require that the software be examined by the service provider or an independent third party to validate that the software is secure and reliable and functions as advertised. This certification would also digitally sign the code to ensure the code's (and certificate's) authenticity and integrity.

         Implement a trusted OS on the service provider's systems that establishes virtual environments for programs. The program believes that it has complete and direct access to the service provider's resources, but the OS continually monitors and processes the requests on the program's behalf. In this way, should the program attempt to do something untoward, the OS can simply return an error or otherwise keep the activity from occurring.

         Have the information systems perform a hardware-resident integrity check of the system, OS, and critical software to ensure that the system's integrity is intact before initializing the system.

         Implement access control and logging systems to monitor access to equipment and resources.

Malicious User

The service provider is vulnerable to malicious users' gaining access to its network to allow them access to the service provider's subscribers, either by acting in one of the preceding roles or by exploiting a vulnerability in the service provider's overall system.

All the protections for the preceding roles apply here.

         Continually monitor bug and vulnerability reports of software and information systems in use to ensure that new vulnerabilities and exploits are properly mitigated in a timely fashion.

         Periodically perform security risk analysis of the system to ensure that something has not been overlooked or some change or update to one part of the system has not left another part vulnerable to exploitation.

Protecting the Transceiver

Recall that there are no additional targets for the transceiver beyond those identified for the higher-level functional block. Likewise, there would likely not be any additional protections or mitigations to identify.

Protecting the Administrative Server

By administrative server, we are referring to the billing, maintenance, and support systems associated with keeping the wireless infrastructure functional.

Protecting User-Specific Data

User-specific data is information such as credit card numbers, addresses, finances, and call and access log information that resides on the administrative server.

Malicious WSP OMS Personnel

User-specific data resident on the administrative server is vulnerable to malicious WSP OMS personnel who exploit their system access to gain access to user-specific data.

         Have all maintenance and support activities performed by maintenance teams with rotating members, rather than by individuals. This limits the opportunity for support personnel with malicious intent to exploit their privileged access.

         Implement access control and logging systems to monitor OMS personnel access to sensitive equipment and areas.

         Have all maintenance and support activities reviewed by a Quality Assurance/Security team. This should include logs of system and information access associated with the support activity.

         Utilize video monitoring of work areas so that security or managerial personnel can monitor support activities to ensure the system's integrity.

Malicious App Developer

User-specific data resident on the administrative server is vulnerable to malicious app developers who build back doors or Trojan Horse code into utilities or programs that the service provider uses. These app developers can then use the privileged access available to their legitimate applications to obtain illegitimate access to user-specific data.

         Institute a certification program, enforced by the OS, allowing only digitally signed code from authorized certifiers to be loaded on the system. This would require that the software be examined by the service provider or an independent third party to validate that the software is secure and reliable and functions as advertised. This certification would also digitally sign the code to ensure the code's (and certificate's) authenticity and integrity.

         Implement a trusted OS on the administrative server that establishes virtual environments for programs. The program believes that it has complete and direct access to the administrative server's resources, but the OS continually monitors and processes the requests on the program's behalf. In this way, should the program attempt to do something untoward, the OS can simply return an error or otherwise keep the activity from occurring.

         Have the administrative server perform a hardware-resident integrity check of the system, OS, and critical software to ensure that the system's integrity is intact before initializing the system.

         Store all user-specific data on the system in encrypted form.

         Require authentication before allowing access to user-specific data.

         Have the access and activity on the system logged.

         Require the use of a physical token as part of the authentication process.

Malicious App Support Personnel

User-specific data is vulnerable to malicious application support personnel who enable debug or other diagnostic switches within the administrative server software that disable security mechanisms.

Poor or inexperienced app support personnel may inadvertently leave debug or diagnostic switches enabled at the conclusion of a support activity, leaving the user-specific data vulnerable on the administrative server.

         Have all maintenance and support activities performed by maintenance teams with rotating members, rather than by individuals. This limits the opportunity for support personnel with malicious intent to exploit their privileged access.

         Institute a checklist and an oversight procedure for processing app support activities to ensure that all security bypass or diagnostic modes have been properly reset to operational settings.

         Store all user-specific data on the system in encrypted form.

         Institute a certification program, enforced by the OS, allowing only digitally signed code from authorized certifiers to be loaded on the system. This would require that the software be examined by the service provider or an independent third party to validate that the software is secure and reliable and functions as advertised. This certification would also digitally sign the code to ensure the code's (and certificate's) authenticity and integrity.

         Implement a trusted OS on the service provider's systems that establishes virtual environments for programs. The program believes that it has complete and direct access to the service provider's resources, but the OS continually monitors and processes the requests on the program's behalf. In this way, should the program attempt to do something untoward, the OS can simply return an error or otherwise keep the activity from occurring.

         Have the information systems perform a hardware-resident integrity check of the system, OS, and critical software to ensure that the system's integrity is intact before initializing the system.

         Implement access control and logging systems to monitor access to equipment and resources.

Malicious User

User-specific data resident on the administrative server is vulnerable to malicious users' gaining access to the service provider's network and thereby access to user-specific data. The service provider's network access can be obtained by these malicious users' acting in one of the preceding roles or exploiting a vulnerability in the service provider's overall system.

All the protections for the preceding roles apply here.

         Continually monitor bug and vulnerability reports of software and information systems in use to ensure that new vulnerabilities and exploits are properly mitigated in a timely fashion.

         Periodically perform security risk analysis of the system to ensure that something has not been overlooked or some change or update to one part of the system has not left another part vulnerable to exploitation.

Protecting Corporate Proprietary Data and Resources

Corporate proprietary data and resources refer to information resident on the administrative server that provides network details, fraud detection scheme information, and the like.

Malicious WSP OMS Personnel

Corporate proprietary data and resources resident on the administrative server are vulnerable to malicious WSP OMS personnel who exploit their system access to gain access to corporate proprietary data and resources.

         Have all maintenance and support activities performed by maintenance teams with rotating members, rather than by individuals. This limits the opportunity for support personnel with malicious intent to exploit their privileged access.

         Implement access control and logging systems to monitor OMS personnel access to sensitive equipment and areas.

         Have all maintenance and support activities reviewed by a Quality Assurance/Security team. This should include logs of system and information access associated with the support activity.

         Utilize video monitoring of work areas so that security or managerial personnel can monitor support activities to ensure the system's integrity.

         Store all corporate proprietary data on the system in encrypted form.

Malicious App Developer

Corporate proprietary data and resources resident on the administrative server are vulnerable to malicious app developers who build back doors or Trojan Horse code into utilities or programs that the service provider uses. These app developers can then use the privileged access available to their legitimate applications to obtain illegitimate access to corporate proprietary data and resources.

         Institute a certification program, enforced by the OS, allowing only digitally signed code from authorized certifiers to be loaded on the system. This would require that the software be examined by the service provider or an independent third party to validate that the software is secure and reliable and functions as advertised. This certification would also digitally sign the code to ensure the code's (and certificate's) authenticity and integrity.

         Implement a trusted OS on the administrative server that establishes virtual environments for programs. The program believes that it has complete and direct access to the administrative server's resources, but the OS continually monitors and processes the requests on the program's behalf. In this way, should the program attempt to do something untoward, the OS can simply return an error or otherwise keep the activity from occurring.

         Have the administrative server perform a hardware-resident integrity check of the system, OS, and critical software to ensure that the system's integrity is intact before initializing the system.

         Store all corporate proprietary data on the system in encrypted form.

         Require authentication before allowing access to corporate proprietary data.

         Have the access and activity on the system logged.

         Require the use of a physical token as part of the authentication process.

Malicious App Support Personnel

Corporate proprietary data and resources are vulnerable to malicious application support personnel who enable debug or other diagnostic switches within the software that disable security mechanisms present in the network server.

Poor or inexperienced app support personnel may inadvertently leave debug or diagnostic switches enabled at the conclusion of a support activity, leaving corporate proprietary data and resources vulnerable on the network server.

         Have all maintenance and support activities performed by maintenance teams with rotating members, rather than by individuals. This limits the opportunity for support personnel with malicious intent to exploit their privileged access.

         Institute a checklist and an oversight procedure for processing app support activities to ensure that all security bypass or diagnostic modes have been properly reset to operational settings.

         Store all corporate proprietary data on the system in encrypted form.

         Institute a certification program, enforced by the OS, allowing only digitally signed code from authorized certifiers to be loaded on the system. This would require that the software be examined by the service provider or an independent third party to validate that the software is secure and reliable and functions as advertised. This certification would also digitally sign the code to ensure the code's (and certificate's) authenticity and integrity.

         Implement a trusted OS on the service provider's systems that establishes virtual environments for programs. The program believes that it has complete and direct access to the service provider's resources, but the OS continually monitors and processes the requests on the program's behalf. In this way, should the program attempt to do something untoward, the OS can simply return an error or otherwise keep the activity from occurring.

         Have the information systems perform a hardware-resident integrity check of the system, OS, and critical software to ensure that the system's integrity is intact before initializing the system.

         Implement access control and logging systems to monitor access to equipment and resources.

         Require authentication before allowing access to corporate proprietary data.

         Have the access and activity on the system logged.

         Require the use of a physical token as part of the authentication process.
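
The certification program and the hardware-resident integrity check recommended in this list (and in the same form for the service provider's systems and the administrative server earlier in the chapter), worked through as one added example that is not part of the book: a certifier signs a manifest of component hashes with Ed25519, and the pre-initialization check refuses to bring the system up unless the manifest carries a valid signature from an authorized certifier and every installed component hashes to its certified value. Component names, image bytes and keys are constructed for the demo; a real check would read the images from storage and keep the authorized public keys in hardware.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Component is one item verified before initialization (OS image, critical
// service, app package); Image holds constructed sample bytes in this demo.
type Component struct {
	Name  string
	Image []byte
}

// Manifest: certified SHA-256 per component plus the certifier's Ed25519
// signature over the JSON of Hashes (json sorts map keys, so it is canonical).
type Manifest struct {
	Hashes    map[string]string
	Signature []byte
}

func hashImage(img []byte) string { return fmt.Sprintf("%x", sha256.Sum256(img)) }

// Certify is the certifier's step after examining the software: hash each
// component and sign the manifest with the certifier's private key.
func Certify(priv ed25519.PrivateKey, comps []Component) Manifest {
	h := map[string]string{}
	for _, c := range comps {
		h[c.Name] = hashImage(c.Image)
	}
	msg, _ := json.Marshal(h)
	return Manifest{Hashes: h, Signature: ed25519.Sign(priv, msg)}
}

// IntegrityCheck runs before initialization: the manifest must be signed by
// an authorized certifier, and every installed component must hash to its
// certified value. Any other outcome refuses to initialize.
func IntegrityCheck(authorized []ed25519.PublicKey, m Manifest, comps []Component) error {
	msg, _ := json.Marshal(m.Hashes)
	trusted := false
	for _, pub := range authorized {
		trusted = trusted || ed25519.Verify(pub, msg, m.Signature)
	}
	if !trusted {
		return errors.New("manifest is not signed by an authorized certifier")
	}
	if len(comps) != len(m.Hashes) {
		return errors.New("installed components differ from the certified manifest")
	}
	for _, c := range comps {
		if want, ok := m.Hashes[c.Name]; !ok || hashImage(c.Image) != want {
			return fmt.Errorf("%s: not certified or modified since certification", c.Name)
		}
	}
	return nil
}

// Demo: intact system, a tampered image, and a manifest from a rogue signer.
func Demo() (intact, tampered, rogue error) {
	certPub, certPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	authorized := []ed25519.PublicKey{certPub}
	good := []Component{{"os", []byte("os-image-v1")}, {"billing", []byte("billing-v3")}}
	bad := []Component{good[0], {"billing", []byte("billing-v3+backdoor")}}
	m := Certify(certPriv, good)
	return IntegrityCheck(authorized, m, good), IntegrityCheck(authorized, m, bad),
		IntegrityCheck(authorized, Certify(roguePriv, bad), bad)
}

func main() { fmt.Println(Demo()) }
```

Only the intact system passes; the tampered image fails on its hash, and the rogue manifest fails before any hash is compared because its signer is not on the authorized list.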

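One way to back the checklist and oversight procedure above with an automated check, as an added example that is not the book's own: the audit parses a server's running configuration, reports every checklist switch that was not reset to its operational value (or was never set at all), and also reports any switch not on the checklist whose name suggests a debug, diagnostic or bypass function, so that an undocumented switch cannot slip past the reviewer. The checklist, the switch names and both sample configurations are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// parseConfig reads "key = value" lines, ignoring '#' comments and lines
// without '='; keys and values are lower-cased so "On" and "on" compare equal.
func parseConfig(text string) map[string]string {
	cfg := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if k, v, ok := strings.Cut(line, "="); ok && !strings.HasPrefix(line, "#") {
			cfg[strings.ToLower(strings.TrimSpace(k))] = strings.ToLower(strings.TrimSpace(v))
		}
	}
	return cfg
}

// AuditSupportReset checks a running configuration against the post-support
// checklist (switch name -> required operational value): every listed switch
// must be present at its operational value, and any unlisted switch whose name
// suggests a debug, diagnostic or bypass function is reported for review.
func AuditSupportReset(configText string, checklist map[string]string) []string {
	cfg := parseConfig(configText)
	var findings []string
	for key, want := range checklist {
		if got, present := cfg[key]; !present {
			findings = append(findings, key+": not set, must be explicitly "+want)
		} else if got != want {
			findings = append(findings, key+": left at "+got+", expected "+want)
		}
	}
	for key := range cfg {
		if _, listed := checklist[key]; listed {
			continue
		}
		for _, marker := range []string{"debug", "diag", "bypass", "trace"} {
			if strings.Contains(key, marker) {
				findings = append(findings, key+": diagnostic-looking switch not on the checklist, review")
				break
			}
		}
	}
	sort.Strings(findings) // deterministic order for the reviewer (and the test)
	return findings
}

// Constructed for this example; switch names are hypothetical, not from any real
// product. LeftByEngineer: the file as support left it; AfterChecklist: after reset.
var Checklist = map[string]string{"debug_mode": "off", "auth_bypass": "disabled", "log_level": "info", "diag_port": "closed"}

const LeftByEngineer = `
debug_mode = On
auth_bypass = enabled
log_level = debug
trace_dump = enabled
`

const AfterChecklist = `
debug_mode = off
auth_bypass = disabled
log_level = info
diag_port = closed
`

func main() {
	fmt.Println(AuditSupportReset(LeftByEngineer, Checklist)) // five findings
	fmt.Println(AuditSupportReset(AfterChecklist, Checklist)) // none
}
```
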
Malicious User

Corporate proprietary data and resources resident on the administrative server are vulnerable to malicious users' gaining access to the service provider's network and thereby access to corporate proprietary data and resources. The service provider's network access can be obtained by these malicious users' acting in one of the preceding roles or exploiting a vulnerability in the service provider's overall system.

All the protections for the preceding roles apply here.

         Continually monitor bug and vulnerability reports of software and information systems in use to ensure that new vulnerabilities and exploits are properly mitigated in a timely fashion.

         Periodically perform security risk analysis of the system to ensure that something has not been overlooked or some change or update to one part of the system has not left another part vulnerable to exploitation.

Protecting the Network Server

Protecting User-Specific Data

User-specific data is information such as credit card numbers and addresses, as well as e-mail and Web traffic, that transits the network server.

Malicious WSP OMS Personnel

User data transiting the network server is vulnerable to malicious WSP OMS personnel who have access to the network server.

The protections here are the same as the protections employed for the administrative server.

Note

The only additional concern to consider for this role, as well as the following roles, is the potential for attacks or access via the network to which the network server is connected. Network-based attacks are not unique to wireless systems and are well publicized. Plenty of available resources cover this area of security, so we will not cover it in any detail here.

Malicious App Developer

Malicious application developers can create viruses or Trojan Horse utilities or programs that expose data in transit. An example would be a network routing utility containing code that routes a copy of the transit data to the app developer.

Poor or inexperienced application developers may not take appropriate security measures regarding their particular application, leaving user data vulnerable during transit.

The protections here are the same as the protections for the administrative server.

Malicious App Support Personnel

User data is vulnerable to malicious application support personnel who can enable debug or other diagnostic switches within the software that disable security mechanisms present in the network server.

Poor or inexperienced app support personnel may inadvertently leave debug or diagnostic switches enabled at the conclusion of a support activity, leaving the user data vulnerable while in transit through the network server.

The protections here are the same as the protections for the administrative server.

Malicious User

User data is vulnerable to a malicious user who has access, or has assumed one of the preceding roles to get access, to the network server.

The protections here are the same as the protections for the administrative server.

Protecting Corporate Proprietary Data and Resources

Much the same as for the administrative server, corporate proprietary data and resources refer to information resident on the network server, that is, the system that connects the service provider's transceivers to the remainder of the wired world.

Malicious WSP OMS Personnel

Corporate proprietary data and resources resident on the network server are vulnerable to malicious WSP OMS personnel who exploit their system access to gain access to corporate proprietary data and resources.

The protections here are the same as the protections for the administrative server.

Malicious App Developer

Corporate proprietary data and resources resident on the network server are vulnerable to malicious app developers who build back doors or Trojan Horse code into utilities or programs that the service provider uses. These app developers can then use the privileged access available to their legitimate applications to obtain illegitimate access to corporate proprietary data and resources.

The protections here are the same as the protections for the administrative server.

Malicious App Support Personnel

Corporate proprietary data and resources are vulnerable to malicious application support personnel who enable debug or other diagnostic switches within the software that disable security mechanisms present in the network server.

Poor or inexperienced app support personnel may inadvertently leave debug or diagnostic switches enabled at the conclusion of a support activity, leaving corporate proprietary data and resources vulnerable on the network server.

The protections here are the same as the protections for the administrative server.

Malicious User

Corporate proprietary data and resources resident on the network server are vulnerable to malicious users' gaining access to the service provider's network, and thereby access to corporate proprietary data and resources. The service provider's network access can be obtained by these malicious users' acting in one of the preceding roles or exploiting a vulnerability in the service provider's overall system.

The protections here are the same as the protections for the administrative server.

Protecting Vulnerabilities of the Gateway

As stated in Chapter 10, the gateway is functionally not much more than a server that performs some processing to convert Web traffic to a form compatible with the wireless device. You will notice that vulnerabilities and protections listed for the network server mirror those for the administrative server. Likewise, the vulnerabilities and protections for the gateway, Web server, and backend server are similar to those for the administrative server. Therefore, we will not specifically cover the protections for the gateway, Web server, and backend server. In performing an analysis of an actual system, you would want to call them out specifically so that you can perform the define phase, where the trade-offs between security, functionality, and managerial properties are decided.

Wireless Security and Privacy: Best Practices and Design Techniques
ISBN: 0201760347
Year: 2002
Pages: 73