Secure Voice Communications
The Missing Piece in Mobile Security
Tony Fascenda, Founder, CEO, KoolSpan Inc.
Secure Customer Access
Secure Machine to Machine
Secure Mobile Voice
Secure Networks
Secure PC/Laptops
Security Landscape: Wide Open, Complex
71% of large enterprise IT managers say IT security solutions are too complex
- 2008 Mobile Trust Survey
IT Infrastructure
• Multiple Problems to solve
  – Trusted vs. un-trusted users (login management)
  – Network Access (24 x 7 access)
  – Hackers, viruses, malware
  – Firewalls: packet inspection
  – Intrusion detection / Intrusion prevention
  – Patch Management
  – Standards / RFCs
• “Box for every problem”
  – 900+ vendors for IT infrastructure
  – “Defense in depth”
  – Everything must work together
• Never ending series of problems to solve
Nearly 70% of all large enterprise IT managers say mobile phones are used to discuss business topics considered confidential.
- 2008 Mobile Trust Survey
The Mobile Security Threat
Data vs. Voice Focus
• IT Engineers may spend entire career protecting data
• Mobile Phones have two problems: data & voice
• When it comes to voice, the user is left naked
• Most important information is that which is spoken
• Many security conscious companies prohibit discussing sensitive data on mobile
• Voice calls operate on the PSTN and possibly IP networks
• ROI on call interception is very high
• Difficult to quantify because this is usually a risk not publicized
• Security is difficult to implement/easy to crack
“Vodafone, Ericsson Get Hung Up In Greece's Phone-Tap Scandal” (June 2006)
“Phone Taps in Italy Spur Rush Toward Encryption” (April 2007)
“Taliban Terrorises RAF Families” (August 2007)
“Silently tapping into a private cellphone conversation is no longer a high-tech trick reserved for spies and the FBI…cellular snooping may soon be affordable enough for your next-door neighbor.” (February 2008)
Mobile Voice Breaches Gaining Attention
How Is A Cellular Call Intercepted?
[Figure: Four Typical Attack Vectors, shown across Operator A, Operator B and Operator C: hacker exploit of lawful call monitoring taps; access at network facility; tower spoofing; illegal monitoring]
What Would it Take for Someone to Intercept Your Mobile Communications?
Just Google it!
• 100,000s of hits
• Large community
• Illegal, but vibrant marketplace
• Many solutions for law enforcement, but ‘hijacked’ by bad guys
Mobile Phone Points of Attack
• Only protected part of communication is between handset and base station
• Switched-connection
• Mandatory to bridge different phone types
• Cleartext available anywhere between base-stations
• At either operator’s switch
• Anywhere in the cloud that connects operators
• Impossible to detect wiretap
Threat Envelope
Impact of Compromise:
• Operational Security
• Direct Financial Loss
• Intellectual Property (IP)
• Physical Safety Risk
• Cyber Security Risk
• Reputational / Brand Risk
• Legal Risk
• Stock Risk
What’s At Risk?
Mobile Voice Threat Envelope: What’s Changed
• 1945: Most of government secrets were held by government
• 2009: Most government secrets held by private industry
• Internationally, boundaries between state and criminal espionage blurred
• Increased Competition
• Foreign Nationals: no risk, no fear!
• Wider availability of network access
• Attacks, easier and easier to accomplish
• Naive CEOs, CFOs, CSOs
• Only companies damaged by economic espionage take threat seriously!
• ROI on mobile intercept is HIGH!
Smartphone Market Eclipses Computer Market
Source: Wall Street Journal
Smartphones are new Laptops
• Susceptible to intercept but more probably to being left behind at airport security
• Mobile device loss results in:
  – Potential exposure to enterprise / network etc.
  – Loss of valuable data / trade secrets
  – Loss of productivity from user
• Smartphones handle both voice and data
• Data often exchanged with enterprise
• Stored in phone or in plug-in memory cards
• Not enough to protect the ‘pipe’ — you must protect and secure the data at all times
“More than 10,000 laptops are reported lost at the 36 largest airports in US each week. Only 35% ever reclaimed”
- engadget
“More than 250,000 mobile phones and handheld devices will be left behind at U.S. airports alone this year and only 25-30 percent will be reunited with their owners”
- Technet.microsoft.com
“100,000 devices left on London Underground each year”
- British Authorities
Hurdles to “Enterprise Ready” Smartphones
InformationWeek Cover Story, October 2008
“Unfortunately, IT directors’ ability to manage these devices as corporate assets, while controlling the data and applications that run on them, hasn’t kept pace.”
~ InformationWeek
Business applications for Smartphones are proliferating
Increasingly, many business people choose to “leave their laptop behind”
Vulnerable to eavesdropping on phone calls as well as attacks on the data applications
Challenges to Mobile Communication Security
Are you aware of any compromises to voice communications on cellular/mobile networks?
YES: 44%
NO: 56%
~ Mobile Trust Survey, 2007
Wide Gap: Problem Recognition and Solution Implementation
Why the Unmet need in cellular encryption?
Among Respondents Interested In Secure Voice Solution (58% of Total):
Would consider an easy, cost-effective solution: 72%
Already deployed: 14%
Planning a deployment: 14%
~ Mobile Trust Survey, 2007
Because…
• It’s hard to do
• It’s difficult to manage
• Manufacturers don’t provide security hooks
• Enterprises don’t yet realize the threat
Wide Gap: Problem Recognition and Solution Implementation
Phones are Insecure
• Phones aren’t managed by IT Department
• Phones don’t use IT infrastructure
• Phones can connect to anyone, anytime
• Phones not designed to protect your data
  – Result: mobile voice is insecure
  – Result: mobile data is insecure
OEM Over-Exposure
Data Port, GSM, CDMA, SIM Card, SD Card, Bluetooth, Wi-Fi, Edge/3G, CSD, GPRS
Applications: E-mail, Internet, CRM, Data, etc., etc.
• Security Issues are pervasive within device
• Dealing with all of them is next-to-impossible
• No OEM has yet adopted a platform security solution
• FIPS and other certs?
• Way too many entry points to adequately address the issues
WinMo, Symbian, Blackberry, Linux, Android
Application Implementation
• Customer Application Example
  – Access to real-time data vital
  – Data is important to both customer and company
  – Secure access is vital
  – Data-in-motion + Data-at-rest must be secure
• Developer Implementation?
  – What’s available to me?
  – What’s best practice?
  – How do I design, develop, test and certify?
Application Implementation
Customer Application Example
Authentication & Encryption Solutions
• Biometric Solutions FobLock
• Good Technology GoodLink Mobile Defense
• Mobile Armor Data Armor
• Palm Security 5p
• PointSec
• RSA Security SecurID
• SafeBoot Device Encryption
• TealPoint Software TealLock
Management & Security Solutions
• Credant Mobile Guardian
• IBM Tivoli Configuration Manager
• iAnywhere Afaria
• Intellisync Mobile Systems Management
• Trust Digital TRUST Enterprise Secure
• Novell Zenworks Handheld Management
Transmission & Security Solutions
• Aventail Workplace
• F5 Firepass
• IBM WebSphere Everyplace Access (WEA)
• Meetinghouse AEGIS WLAN Security Solution
• Certicom movianVPN
• Mergic Mergic VPN
• Nortel Networks Alteon SSL VPN
• WorldNet21 anthaVPN
Cryptography/PKI Toolkits
• Certicom Security Builder Crypto
• Copera AESLib
• Diversinet Passport
• RSA Security BSAFE
• Ntru Cryptosystems Security Toolkit
Messaging/Data Solutions
• Good Technology GoodLink
• Notify NotifyLink Enterprise Edition
• Intellisync Mobile Suite
• SEVEN System SEVEN
• Visto Mobile Access Solution
• Extended Systems OneBridge Mobile Groupware
My Solution!
Application Implementation
Customer Application Example
• Multiple Solutions are really multiple problems
• Multiple instances of same/competing libraries
• Resource Utilization
• Host Processor Performance
• Platform Security is better approach
Secure Voice Issues
• Voice must be secured between two users
  – no intervening infrastructure involved
• Users may not belong to same organization
  – how to manage credentials?
• Peer-to-peer authentication
• Platforms are not consistent (WinMo/Symbian/RIM/iPhone etc.)
  – Audio re-routing issues difficult on Symbian, next to impossible on WinMo; not available on RIM
• Connecting two incompatible platforms is not easy
Evaluating Solutions to Mobile Communication Security
Implementing Security
• Three areas of expertise (in descending importance)
  1. Key Management
  2. Authentication
  3. Encryption
• Each has particular issues to be handled
  – Multiple solutions for each abound
  – But…all components must be carefully integrated
• Platform vs. point-specific solutions
Key Management
• generation
• distribution
• utilization
• storage
• revocation
Authentication
Encryption
• Fine mesh system
• Carefully tuned
• Fully integrated
Need for end-to-end Security
• Connection
  – Hub-and-spoke?
  – Peer-to-Peer?
  – Conferencing?
• Security
  – End-to-end?
  – Managed?
• Data Security
  – In Motion?
  – At Rest?
• Key escrow
• Lawful Intercept
  – Mandated capability
Networks themselves must be considered insecure
In a global context, IT infrastructure approach ill-suited
Data must be available only to designated parties
Access to secure data must be easily manageable
Not good enough just to have a “VPN”
Data must be protected at all times: at rest, in USB tokens, memory cards etc.
Securing the pipe is only a partial solution
Need to support lawful access without divulging underlying technology
Examples of three popular platforms
• Blackberry / WinMo / iPhone
  – Three distinctly different operating systems
  – Why do enterprises like each?
  – How have each handled security?
  – What are their risks?
Blackberry
• Winning in the Enterprise/Gov’t
  – Because of Email Integration & Security
  – Widely adopted throughout the world
• E-mail handled by BES – adequate security
• Other applications don’t have security
• Voice security not addressed
Windows Mobile
• Highly integrated into Enterprise
  – Easily understood and managed by IT administrators
• Recent efforts at improving security infrastructure
  – Improved methods for device connectivity
  – No consistent method for application security
• Authentication/Security
  – Left up to individual application designer
  – Key Management mystery; often poorly managed
  – Voice Security left unaddressed
• Result
  – Device often packed with multiple separate instances of security technologies that often bring with them more vulnerabilities than the solution they provide
  – No service opportunity for managed security
iPhone
• Easy-to-use, consistent interface
• Not fully integrated into enterprise
• Rapidly gaining market share
• Powerful, elegant, flexible
• App Store
• Voice security unaddressed
• Voice and Data security common problem
  – Both must be addressed
  – Ensure business voice calls are encrypted
• Networks are un-trusted pipes
• End-to-end security is preferred
  – Data must be secured at all times: in motion, at rest
  – Security must persist no matter what
• Educate senior staff on risks
• Ensure that employees understand the nature of mobile phone intercepts
Best Practices for Mobile Voice & Data Security
• Platform security makes sense
• Use standards-based approach wherever possible
• Integrate data-at-rest, data-in-motion security
• Common framework for both transport and application security
• Use single, well thought out integrated Key Management, Authentication and Encryption solution supporting multiple contexts
• Implement in plug-in hardware
  – Adaptable to any modern handset
  – Secure hardware resolves all security issues
  – Software bridges adaptability
  – Best of both worlds!
  – Management must be secure at all times
Best Practices for Mobile Voice & Data Security
Thank You
Tony Fascenda
KoolSpan Inc.
4962 Fairmont Ave.
Bethesda, MD. 20814
Phone: 240 880-4402
E-mail: tfascenda@koolspan.com
http://www.koolspan.com