We discuss both Goodlink and Blackberry gateways and clients because their feature sets are similar as they pertain to security. The implementations may differ slightly, but they usually arrive at the same end result. We will cover some of the supporting company infrastructure specific to their implementation, but we don't go beyond this. We will not touch on such components as e-mail servers or switch gear, which may or may not be in the scope of your audit. Please consider other sections of this book as necessary if you feel that you want to expand the scope of the audit beyond what we have listed below. The following checks conceptually follow closely the checks in the WLAN audit earlier, with some slight changes.
Running old software on the mobile device gateways may leave the gateways or remote mobile devices open to known attacks or prevent the organization from taking advantage of more robust security features.
Evaluate the gateway with an administrator, and verify that the code running on the gateway is the latest version. Confirm what the latest version is using the manufacturer's website or a similar up-to-date source of information from the manufacturer. Examine the change-management processes around evaluating and maintaining current code releases for the gateways. Note whether this process is automated and coordinated and whether it scales operationally across regional sites.
Goodlink and Blackberry Enterprise Server (BES) both provide several client features such as password controls and remote or local wiping that can bolster your security should a device become lost or stolen.
Requisition a mobile device with an administrator's help, and verify that it has the protective features enabled as determined by your mobile security policy or other agreed-on standard. If you don't have a policy, then we'll suggest some components for a mobile security policy in a later step. Some very common features available with both Goodlink and BES include enforced passwords, password settings, remote lock, remote wipe, and local wipe. Passwords can be set up to meet several different requirements in terms of length and complexity. Emergency calls to 911 are allowed on both Goodlink and BES when configured to enforce passwords. Remote lock allows administrators to lock a lost or stolen mobile device until it is either found or a decision is made to remotely wipe the device. Wiping the devices prevents an attacker from retrieving any data. The local wipe feature is designed to wipe the device if a user exceeds the maximum number of tries to log into the device.
If you have the capability, you should evaluate the process a user would follow if his or her PDA phone were lost or stolen. Test these features to verify that your company processes work as designed and that all parties understand how to carry out the process.
This is an advanced step and would be performed with the help of your company's computer forensic or security team. The subtle reason for performing this step is to help shed light on the need for security on mobile devices. The company's e-mail server and global address book are accessible remotely on lost or stolen devices until the device account tied into the company network is removed.
In one large company, the administrator estimated that wiping a device succeeds only about 20 percent of the time. One reason is that users tend to wait too long before reporting that their devices have been lost or stolen. If users are not aware of what to do when they lose a device, this opens a window of opportunity for someone with malicious intent to attempt to record data from the device. Waiting to raise a potential issue renders the remote lock and erase controls ineffective.
There are several ways to go about this step. You could, for example, assume that it takes 3 hours to pull data from a device before remotely attempting to kill the device. Assume that you have the ability to remotely kill devices, and assume that Faraday bags are not used by the attacker. Faraday bags prevent radio signals from reaching a device and lend an unfair advantage to an attacker. These bags might be used by a skilled, intentioned attacker, but they are not common.
Your forensics team might use something similar to Paraben's Device Seizure. Visit http://www.paraben-forensics.com/cell_models.html to see if the device you're interested in testing is supported by this tool. You'll also find more information about Paraben's Device Seizure on the company's website. We had some interesting findings on older devices, such as recovering e-mail that the user thought was deleted. Deleted e-mail messages could not be recovered through the interface but were accessible using these relatively low-cost tools.
The following are additional controls that help to prevent physical access hacks. These must be turned on manually and should be in line with your policies. Some organizations see these as too restrictive, but there are several that will not allow managed BES and Goodlink devices to operate without these additional controls.
Managed devices must be password-protected and erase themselves automatically after 15 incorrect password attempts.
Devices can be locked or erased remotely.
A password is required to read data on a mobile device or turn on the USB port.
Security monitoring and regular log reviews can reveal potential issues before a serious event occurs.
Speak with the mobile device administrator in an attempt to understand what's being logged and whether those logs are ever looked at or reviewed. It's preferred to have an automated review process. The monitoring devices or software ideally would help you to identify issues, record authentication events, and locate potential rogue access points. Work with the administrator to understand if these logs are useful, and if not, then determine what barriers exist to prevent them from being reviewed and serving up useful data.
Unmanaged devices often contain sensitive personal and corporate data without the benefit of the security controls enforced on managed TREO and Blackberry devices. This makes them easy targets for compromise when they are lost or stolen.
One method for discovering the number of potential unmanaged devices on your network is to look for the existence of the supporting desktop software on your systems. This doesn't prove that an employee is actively using the device but suggests that at one point he or she tried to do so. You could use SMS, for example, to search for the existence of the executables listed in Table 11-3 associated with the desktop software used with the mobile devices.
[Table 11-3, listing the desktop-software executables by Mobile Operating System, is not reproduced in this excerpt.]
Failure to establish ownership and tracking of end-user issues could result in end users being unable to resolve connectivity problems.
End-user issues should be tracked through a trouble ticketing system. There needs to be an owner for these issues and a group responsible for tracking the progress to closure for any tickets opened because of mobile device issues. Discuss these processes with the administrator.
Policies help to ensure compliance with a standard, help with repeatable processes, and allow the company the ability to act against documented company violations.
Determine if mobile device policies exist and whether the administrator responsible for the mobile devices knows and understands the content of those policies. Determine if the policies are being followed or what barriers might exist to prevent them from being followed. Some example policy items might include
You must use one of the defined and supported devices.
Synchronizing to your local workstation is allowed with only approved managed devices.
When available, antivirus and encryption tools should be used on your handheld device.
The password policy for handhelds that access the company's Internet and/or email systems is [defined policy].
After 15 failed password tries, the handheld must be erased automatically.
The device must time out after 30 minutes of inactivity.
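As an added example (not from the book), the following script checks a constructed export of managed-device settings against the policy items above and the additional controls listed earlier (enforced password, erase after 15 failed attempts, remote lock and wipe, password-gated USB port, 30-minute inactivity timeout). The record field names are assumptions; real BES or Goodlink console exports use their own names.

```python
"""Check a device-policy export against the handheld policy items above.
Field names are assumed; they are not the real BES/Goodlink export format."""

# Policy thresholds taken from the audit checklist.
MAX_FAILED_ATTEMPTS = 15   # device must erase itself after this many failures
MAX_IDLE_MINUTES = 30      # device must lock after this much inactivity

# Constructed export: one record per managed device, as an administrator
# might dump it from the management console.
DEVICES = [
    {"id": "bb-1001", "password_required": True, "wipe_after_failures": 10,
     "idle_timeout_min": 15, "remote_lock": True, "remote_wipe": True,
     "usb_requires_password": True},
    {"id": "treo-2002", "password_required": True, "wipe_after_failures": 0,
     "idle_timeout_min": 60, "remote_lock": True, "remote_wipe": False,
     "usb_requires_password": False},
    {"id": "bb-1003", "password_required": False, "remote_lock": True,
     "remote_wipe": True},
]

def check_device(dev):
    """Return a list of policy findings for one device (empty = compliant)."""
    findings = []

    def flag(setting, ok, detail):
        # A setting the console does not report is itself a finding:
        # the auditor cannot assume the control is on.
        if setting not in dev:
            findings.append(f"{setting}: not reported by console")
        elif not ok(dev[setting]):
            findings.append(f"{setting}: {detail} (value={dev[setting]!r})")

    flag("password_required", lambda v: v is True, "password must be enforced")
    flag("wipe_after_failures", lambda v: 0 < v <= MAX_FAILED_ATTEMPTS,
         f"must erase after at most {MAX_FAILED_ATTEMPTS} failed tries")
    flag("idle_timeout_min", lambda v: 0 < v <= MAX_IDLE_MINUTES,
         f"must lock within {MAX_IDLE_MINUTES} minutes of inactivity")
    flag("remote_lock", lambda v: v is True, "remote lock must be available")
    flag("remote_wipe", lambda v: v is True, "remote wipe must be available")
    flag("usb_requires_password", lambda v: v is True,
         "USB port must require the device password")
    return findings

def audit(devices):
    """Map device id -> findings, keeping only non-compliant devices."""
    return {d["id"]: f for d in devices if (f := check_device(d))}

if __name__ == "__main__":
    for dev_id, findings in audit(DEVICES).items():
        print(dev_id)
        for f in findings:
            print("  -", f)
```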
Failure to have appropriate recovery processes in place prevents a timely restoration of mobile e-mail access for users who must have it to conduct company business.
Restoring mobile device access may not be at the top of most people's list following a critical disaster, but there should at least be some thought around and procedures in place to facilitate this process. Discuss this with the administrator, and ensure that the recovery processes are in line with the expectations and standards of other recovery processes in the company. Depending on the use of mobile e-mail, this may be a critical component, such as with a large mobile sales force that depends on wireless mobile e-mail to efficiently conduct business and close deals. Other environments, such as one that uses wireless e-mail to supplement existing and working wired infrastructures, may not view this as very important. This is a business risk that should be evaluated and measured appropriately when you review the mobile device security policies and DR/BC (disaster recovery/business continuity) processes.
Change management processes help track and provide controlled changes to the environment. Controlled environments are more secure and have less impact on user productivity.
Discuss change management practices with the administrator as they relate to changing components in the environment that affect the infrastructure and especially changes that might affect the end user. Consider asking for evidence of a recent change and following through how the change was handled from start to finish.
The service life cycle of devices is defined as the provisioning, servicing, and deprovisioning of devices over the period of time such devices are used at the company. The risk of not tracking a device through the service life cycle includes losing track of the device to an employee who leaves the company with sensitive information still on the mobile device.
Measures should exist to manage the service life cycle of the mobile devices managed by your company and the accounts associated with those devices. Discuss this with the administrator, and look for records supporting his or her statements. Walk through a recent provisioning and deprovisioning process with the administrator.