Secure Voice Communications

publicyardMobile - Wireless

Dec 10, 2013 (3 years and 8 months ago)

95 views

Secure Voice Communications

The Missing Piece in Mobile
Security


Tony Fascenda, Founder, CEO, KoolSpan Inc.


Secure Customer Access

Secure Machine to Machine

Secure Mobile Voice

Secure Networks

Secure
PC/Laptops

Security Landscape: Wide Open, Complex

71% of large enterprise IT managers say


IT security solutions are too complex

-

2008 Mobile Trust Survey

IT Infrastructure


Multiple Problems to solve


Trusted vs. un
-
trusted users (login management)


Network Access (24 x 7 access)


Hackers, viruses, malware


Firewalls: packet inspection


Intrusion detection / Intrusion prevention


Patch Management


Standards / RFCs


“Box for every problem”


900+ vendors for IT infrastructure


“Defense in depth”


Everything must work together


Never ending series of problems to solve

Nearly 70%

of all large enterprise IT managers say mobile phones are used to
discuss business topics considered confidential.
-

2008 Mobile Trust Survey

The Mobile Security Threat

Data vs. Voice

Focus


IT Engineers may spend entire career protecting data


Mobile Phones have two problems: data & voice


When it comes to voice, the user is left naked


Most important information is that which is spoken


Many security conscious companies prohibit

discussing sensitive data on mobile


Voice calls operate on the PSTN and possibly IP networks


ROI on call interception is very high


Difficult to quantify because this is usually a risk not publicized


Security is difficult to implement/easy to crack


“Vodafone, Ericsson Get Hung Up In
Greece's Phone
-
Tap Scandal”

June 2006

“Phone Taps in Italy Spur Rush
Toward Encryption”

April 2007

“Taliban Terrorises RAF Families”

August 2007

“Silently tapping into a private cellphone
conversation is no longer a high
-
tech trick
reserved for spies and the FBI…cellular
snooping may soon be affordable enough
for your next
-
door neighbor.”

February 2008

Mobile Voice Breaches

Gaining Attention

Operator A

Operator B

Operator C

Hacker Exploit of Lawful

Call Monitoring Taps

Access at
Network Facility

Tower spoofing

Illegal
Monitoring

Four Typical Attack Vectors

How Is A Cellular Call Intercepted?

What Would it Take for

Someone to Intercept Your

Mobile Communications?

Just Google it!


100,000s of hits


Large community


Illegal, but vibrant
marketplace


Many solutions for
law enforcement,
but ‘hijacked’ by
bad guys

Mobile Phone Points of Attack


Only protected part of communication is between
handset and base station


Switched
-
connection


Mandatory to bridge different phone types


Cleartext available anywhere between base
-
stations


At either operator’s switch


Anywhere in the cloud that connects operators


Impossible to detect wiretap

Threat Envelope

Impact of Compromise:


Operational Security


Direct Financial Loss


Intellectual Property (IP)


Physical Safety Risk


Cyber Security Risk


Reputational / Brand Risk


Legal Risk


Stock Risk

What’s At Risk?

Mobile Voice Threat Envelope:

What’s Changed


1945: Most of government secrets were held by government


2009: Most government secrets held by private industry


Internationally, boundaries between state and criminal espionage
blurred


Increased Competition


Foreign Nationals: no risk, no fear!


Wider availability of network access


Attacks, easier and easier to accomplish


Naive CEOs, CFOs, CSOs


Only companies damaged by economic espionage take threat
seriously!


ROI on mobile intercept is HIGH!

Smartphone Market Eclipses Computer Market

Source: Wall Street Journal

Smartphones are new Laptops


Susceptible to intercept but more
probably to being left behind at airport
security


Mobile device loss results in:


Potential exposure to enterprise / network etc.


Loss of valuable data / trade secrets


Loss of productivity from user


Smartphones handle both voice and
data


Data often exchanged with enterprise


Stored in phone or in plug
-
in memory
cards


Not enough to protect the ‘pipe’


you
must protect and secure the data at all
times

“More than 10,000 laptops are
reported lost at the 36 largest
airports in US each week. Only
35% ever reclaimed”

-

engadget


“More than 250,000 mobile phones
and handheld devices will be left
behind at U.S. airports alone this
year and only 25
-
30 percent will be
reunited with their owners”

-

Technet.microsoft.com


“100,000 devices left on London
Underground each year”

-

British Authorities



Hurdles to “Enterprise Ready” Smartphones

InformationWeek

Cover Story, October 2008

“Unfortunately, IT directors’ ability to manage these
devices as corporate assets,
while controlling the
data and applications that run on them, hasn’t kept
pace
.”

~

InformationWeek



Business applications for Smartphones are
proliferating


Increasingly, many business people choose
to “leave their laptop behind”


Vulnerable to eavesdropping on

phone calls

as well as attacks on

the data applications

Challenges to Mobile

Communication Security

YES

44%

NO

56%


Are you aware of any
compromises to

voice communications

on cellular/mobile networks?

~ Mobile Trust Survey, 2007

Wide Gap: Problem Recognition

and Solution Implementation

Why the Unmet need in

cellular encryption?

Would consider an easy, cost
-
effective solution

72%

14%

Already deployed

14%

Among Respondents Interested In
Secure Voice Solution (58% of Total)

Planning a deployment

~ Mobile Trust Survey, 2007

Because…


It’s hard to do


It’s difficult to manage


Manufacturers don’t
provide security hooks


Enterprises don’t yet
realize the threat

Wide Gap: Problem Recognition

and Solution Implementation

Phones are Insecure


Phones aren’t managed by IT Department


Phones don’t use IT infrastructure


Phones can connect to anyone, anytime


Phones not designed to protect your data


Result: mobile voice is insecure


Result: mobile data is insecure

OEM Over
-
Exposure

Data Port

GSM

CDMA

SIM Card

SD Card

Bluetooth


Wi
-
Fi

Edge/3G

CSD

GPRS

Applications

E
-
mail

Internet

CRM

Data

Etc., etc.




Security Issues are
pervasive
within

device


Dealing with all of them is
next
-
to
-
impossible


No OEM has yet to adopt
a platform security solution


FIPS and other certs?


Way too many entry points
to adequately address the
issues

WinMo

Symbian

Blackberry

Linux

Android

Application Implementation


Customer Application Example


Access to real
-
time data vital


Data is important to both customer and company


Secure access is vital


Data
-
in
-
motion + Data
-
at
-
rest must be secure


Developer Implementation?


What’s available to me?


What’s best practice?


How do I design, develop, test and certify?

Application Implementation

Customer Application Example

Authentication &
Encryption Solutions

Biometric Solutions

FobLock

Good Technology

GoodLink Mobile

Defense

Mobile Armor

Data Armor

Palm

Security 5p

PointSec

RSA Security

SecurID

SafeBoot

Device Encryption

TealPoint Software

TealLock

Management & Security
Solutions

Credant Mobile Guardian

IBM Tivoli Configuration
Manager

iAnywhereAfaria

Intellisync Mobile Systems
Management

Trust Digital TRUST
Enterprise Secure

NovellZenworks Handheld
Management

Transmission & Security
Solutions

Aventail

Workplace

F5

Firepass

IBM

WebSphere Everyplace
Access (WEA)

Meetinghouse

AEGIS WLAN Security
Solution

Certicom

movianVPN

Mergic

Mergic VPN

Nortel Networks

Alteon SSL VPN

WorldNet21

anthaVPN

Cryptography/PKI
Toolkits

Certicom

Security Builder

Crypto

Copera

AESLib

Diversinet

Passport

RSA Security

BSAFE

Ntru Cryptosystems

Security Toolkit

Messaging/Data
Solutions

Good Technology

GoodLink

Notify

NofifyLink Enterprise
Edition

Intellisync

Mobile Suite

SEVEN

System SEVEN

Visto

Mobile Access Solution

Extended Systems

OneBridge Mobile

Groupware

My Solution!

Application Implementation

Customer Application Example


Multiple Solutions are really multiple
problems


Multiple instances of
same/competing libraries


Resource Utilization


Host Processor Performance


Platform Security is better approach

Secure Voice Issues


Voice must be secured between two users


no intervening infrastructure involved


Users may not belong to same organization


how to manage credentials?


Peer
-
to
-
peer authentication


Platforms are not consistent
(WinMo/Symbian/RIM/iPhone etc.)


Audio re
-
routing issues difficult on Symbian, next to impossible
on WinMo; not available on RIM


Connecting two incompatible platforms is not easy


Evaluating Solutions to

Mobile Communication Security

Implementing Security


Three areas of expertise

(in descending importance)

1.
Key Management

2.
Authentication

3.
Encryption


Each have particular issues to be handled


Multiple solutions for each abound


But…all components must be carefully integrated


Platform vs. point
-
specific solution
s

Key
Management

• generation

• distribution

• utilization

• storage

• revocation

Authent
-
ication

Encryption


Fine mesh system


Carefully tuned


Fully integrated

Need for end
-
to
-
end Security


Connection


Hub
-
and
-
spoke?


Peer
-
to
-
Peer?


Conferencing?


Security


End
-
to
-
end?


Managed?


Data Security


In Motion?


At Rest?


Key escrow


Lawful Intercept


Mandated capability

Networks themselves must be considered insecure

In a global context, IT infrastructure approach ill
-
suited

Data must be available only to designated parties

Access to secure data must be easily manageable

Not good enough just to have a “VPN”

Data must be protected at all times: at rest, in USB tokens,

memory cards etc.

Securing the pipe is only a partial solution

Need to support lawful access without divulging
underlying technology

Examples of three popular platforms


Blackberry / WinMo / iPhone


Three distinctly different operating systems


Why do enterprises like each?


How have each handled security?


What are their risks?

Blackberry


Winning in the Enterprise/Gov’t


Because of Email Integration & Security


Widely adopted throughout the world


E
-
mail handled by BES


adequate
security


Other applications don’t have security


Voice security not addressed

Windows Mobile


Highly integrated into Enterprise


Easily understood and managed by IT administrators


Recent efforts at improving security
infrastructure


Improved methods for device connectivity


No consistent method for application security


Authentication/Security


Left up to individual application designer


Key Management mystery; often poorly managed


Voice Security left unaddressed


Result


Device often packed with multiple separate instances of security
technologies that often bring with them more vulnerabilities than
the solution they provide


No service opportunity for managed security

iPhone


Easy
-
to
-
use, consistent interface


Not fully integrated into enterprise


Rapidly gaining market share


Powerful, elegant, flexible


App Store


Voice security unaddressed


Voice and Data security common problem


Both must be addressed


Ensure business voice calls are encrypted


Networks are un
-
trusted pipes


End
-
to
-
end security is preferred


Data must be secured at all times: in motion, at rest


Security must persist no matter what


Educate senior staff on risks


Ensure that employees understand the nature of mobile phone
intercepts


Best Practices for Mobile

Voice & Data Security


Platform security makes sense


Use standards
-
based approach wherever possible


Integrate data
-
at
-
rest, data
-
in
-
motion security


Common framework for both transport and application security


Use single, well thought out integrated Key Management,
Authentication and Encryption solution supporting multiple
contexts


Implement in plug
-
in hardware


Adaptable to any modern handset


Secure hardware resolves all security issues


Software bridges adaptability


Best of both worlds!


Management must be secure at all times

Best Practices for Mobile

Voice & Data Security

Thank You


Tony Fascenda

KoolSpan Inc.

4962 Fairmont Ave.

Bethesda, MD. 20814

Phone: 240 880
-
4402

E
-
mail: tfascenda@koolspan.com


http://www.koolspan.com