Secure Voice Communications
The Missing Piece in Mobile Security
Tony Fascenda, Founder, CEO, KoolSpan Inc.
Secure Mobile Voice
Secure Customer Access
Secure Machine to Machine
Secure Networks
Secure PC/Laptops
Security Landscape: Wide Open, Complex
71% of large enterprise IT managers say IT security solutions are too complex
- 2008 Mobile Trust Survey
IT Infrastructure
• Multiple Problems to solve
  – Trusted vs. un-trusted users (login management)
  – Network Access (24 x 7 access)
  – Hackers, viruses, malware
  – Firewalls: packet inspection
  – Intrusion detection / Intrusion prevention
  – Patch Management
  – Standards / RFCs
• “Box for every problem”
  – 900+ vendors for IT infrastructure
  – “Defense in depth”
  – Everything must work together
• Never-ending series of problems to solve
Nearly 70% of all large enterprise IT managers say mobile phones are used to discuss business topics considered confidential.
- 2008 Mobile Trust Survey
The Mobile Security Threat
Data vs. Voice
Focus
• IT Engineers may spend an entire career protecting data
• Mobile Phones have two problems: data & voice
• When it comes to voice, the user is left naked
• Most important information is that which is spoken
• Many security-conscious companies prohibit discussing sensitive data on mobile
• Voice calls operate on the PSTN and possibly IP networks
• ROI on call interception is very high
• Difficult to quantify because this is usually a risk not publicized
• Security is difficult to implement / easy to crack
“Vodafone, Ericsson Get Hung Up In Greece's Phone-Tap Scandal”
June 2006
“Phone Taps in Italy Spur Rush Toward Encryption”
April 2007
“Taliban Terrorises RAF Families”
August 2007
“Silently tapping into a private cellphone conversation is no longer a high-tech trick reserved for spies and the FBI…cellular snooping may soon be affordable enough for your next-door neighbor.”
February 2008
Mobile Voice Breaches: Gaining Attention
How Is A Cellular Call Intercepted?
Four Typical Attack Vectors (diagram spanning Operator A, Operator B and Operator C):
• Hacker Exploit of Lawful Call Monitoring Taps
• Access at Network Facility
• Tower spoofing
• Illegal Monitoring
What Would it Take for Someone to Intercept Your Mobile Communications? Just Google it!
• 100,000s of hits
• Large community
• Illegal, but vibrant marketplace
• Many solutions for law enforcement, but ‘hijacked’ by bad guys
Mobile Phone Points of Attack
• Only protected part of communication is between handset and base station
• Switched connection
• Mandatory to bridge different phone types
• Cleartext available anywhere between base stations
• At either operator’s switch
• Anywhere in the cloud that connects operators
• Impossible to detect wiretap
Threat Envelope
Impact of Compromise:
• Operational Security
• Direct Financial Loss
• Intellectual Property (IP)
• Physical Safety Risk
• Cyber Security Risk
• Reputational / Brand Risk
• Legal Risk
• Stock Risk
What’s At Risk?
Mobile Voice Threat Envelope: What’s Changed
• 1945: Most government secrets were held by government
• 2009: Most government secrets held by private industry
• Internationally, boundaries between state and criminal espionage blurred
• Increased competition
• Foreign nationals: no risk, no fear!
• Wider availability of network access
• Attacks easier and easier to accomplish
• Naive CEOs, CFOs, CSOs
• Only companies damaged by economic espionage take the threat seriously!
• ROI on mobile intercept is HIGH!
Smartphone Market Eclipses Computer Market
Source: Wall Street Journal
Smartphones are new Laptops
• Susceptible to intercept, but more probably to being left behind at airport security
• Mobile device loss results in:
  – Potential exposure to enterprise / network etc.
  – Loss of valuable data / trade secrets
  – Loss of productivity from user
• Smartphones handle both voice and data
• Data often exchanged with enterprise
• Stored in phone or in plug-in memory cards
• Not enough to protect the ‘pipe’ — you must protect and secure the data at all times
“More than 10,000 laptops are reported lost at the 36 largest airports in US each week. Only 35% ever reclaimed”
- engadget
“More than 250,000 mobile phones and handheld devices will be left behind at U.S. airports alone this year and only 25-30 percent will be reunited with their owners”
- Technet.microsoft.com
“100,000 devices left on London Underground each year”
- British Authorities
Hurdles to “Enterprise Ready” Smartphones
InformationWeek Cover Story, October 2008
“Unfortunately, IT directors’ ability to manage these devices as corporate assets, while controlling the data and applications that run on them, hasn’t kept pace.”
~ InformationWeek
Business applications for Smartphones are proliferating
Increasingly, many business people choose to “leave their laptop behind”
Vulnerable to eavesdropping on phone calls as well as attacks on the data applications
Challenges to Mobile Communication Security
Are you aware of any compromises to voice communications on cellular/mobile networks?
Yes: 44%
No: 56%
~ Mobile Trust Survey, 2007
Wide Gap: Problem Recognition and Solution Implementation
Why the Unmet Need in Cellular Encryption?
Among Respondents Interested In Secure Voice Solution (58% of Total):
Would consider an easy, cost-effective solution: 72%
Already deployed: 14%
Planning a deployment: 14%
~ Mobile Trust Survey, 2007
Because…
• It’s hard to do
• It’s difficult to manage
• Manufacturers don’t provide security hooks
• Enterprises don’t yet realize the threat
Wide Gap: Problem Recognition and Solution Implementation
Phones are Insecure
• Phones aren’t managed by IT Department
• Phones don’t use IT infrastructure
• Phones can connect to anyone, anytime
• Phones not designed to protect your data
  – Result: mobile voice is insecure
  – Result: mobile data is insecure
OEM Over-Exposure
Entry points shown on the device diagram: Data Port, GSM, CDMA, SIM Card, SD Card, Bluetooth, Wi-Fi, Edge/3G, CSD, GPRS, Applications, E-mail, Internet, CRM, Data, etc., etc.
• Security Issues are pervasive within device
• Dealing with all of them is next-to-impossible
• No OEM has yet adopted a platform security solution
• FIPS and other certs?
• Way too many entry points to adequately address the issues
Platforms: WinMo, Symbian, Blackberry, Linux, Android
Application Implementation
• Customer Application Example
  – Access to real-time data vital
  – Data is important to both customer and company
  – Secure access is vital
  – Data-in-motion + Data-at-rest must be secure
• Developer Implementation?
  – What’s available to me?
  – What’s best practice?
  – How do I design, develop, test and certify?
Application Implementation: Customer Application Example
Authentication & Encryption Solutions
Biometric Solutions: FobLock
Good Technology: GoodLink MobileDefense
Mobile Armor: Data Armor
Palm: Security 5p
PointSec
RSA Security: SecurID
SafeBoot: Device Encryption
TealPoint Software: TealLock
Management & Security Solutions
Credant: Mobile Guardian
IBM: Tivoli Configuration Manager
iAnywhere: Afaria
Intellisync: Mobile Systems Management
Trust Digital: TRUST Enterprise Secure
Novell: ZENworks Handheld Management
Transmission & Security Solutions
Aventail: Workplace
F5: FirePass
IBM: WebSphere Everyplace Access (WEA)
Meetinghouse: AEGIS WLAN Security Solution
Certicom: movianVPN
Mergic: Mergic VPN
Nortel Networks: Alteon SSL VPN
WorldNet21: anthaVPN
Cryptography/PKI Toolkits
Certicom: Security Builder Crypto
Copera: AESLib
Diversinet: Passport
RSA Security: BSAFE
Ntru Cryptosystems: Security Toolkit
Messaging/Data Solutions
Good Technology: GoodLink
Notify: NotifyLink Enterprise Edition
Intellisync: Mobile Suite
SEVEN: System SEVEN
Visto: Mobile Access Solution
Extended Systems: OneBridge Mobile Groupware
My Solution!
Application Implementation: Customer Application Example
• Multiple Solutions are really multiple problems
• Multiple instances of same/competing libraries
• Resource Utilization
• Host Processor Performance
• Platform Security is better approach
Secure Voice Issues
• Voice must be secured between two users
  – No intervening infrastructure involved
• Users may not belong to same organization
  – How to manage credentials?
• Peer-to-peer authentication
• Platforms are not consistent (WinMo/Symbian/RIM/iPhone etc.)
  – Audio re-routing issues difficult on Symbian, next to impossible on WinMo; not available on RIM
• Connecting two incompatible platforms is not easy
Evaluating Solutions to Mobile Communication Security
Implementing Security
• Three areas of expertise (in descending importance)
  1. Key Management
  2. Authentication
  3. Encryption
• Each has particular issues to be handled
  – Multiple solutions for each abound
  – But… all components must be carefully integrated
• Platform vs. point-specific solutions
• Fine mesh system
• Carefully tuned
• Fully integrated
Need for end-to-end Security
• Connection
  – Hub-and-spoke?
  – Peer-to-Peer?
  – Conferencing?
• Security
  – End-to-end?
  – Managed?
• Data Security
  – In Motion?
  – At Rest?
• Key escrow
• Lawful Intercept
  – Mandated capability
Networks themselves must be considered insecure
In a global context, the IT infrastructure approach is ill-suited
Data must be available only to designated parties
Access to secure data must be easily manageable
Not good enough just to have a “VPN”
Data must be protected at all times: at rest, in USB tokens, memory cards etc.
Securing the pipe is only a partial solution
Need to support lawful access without divulging underlying technology
Examples of three popular platforms
• Blackberry / WinMo / iPhone
  – Three distinctly different operating systems
  – Why do enterprises like each?
  – How has each handled security?
  – What are their risks?
Blackberry
• Winning in the Enterprise/Gov’t
  – Because of Email Integration & Security
  – Widely adopted throughout the world
• E-mail handled by BES – adequate security
• Other applications don’t have security
• Voice security not addressed
Windows Mobile
• Highly integrated into Enterprise
  – Easily understood and managed by IT administrators
• Recent efforts at improving security infrastructure
  – Improved methods for device connectivity
  – No consistent method for application security
• Authentication/Security
  – Left up to individual application designer
  – Key Management mystery; often poorly managed
  – Voice Security left unaddressed
• Result
  – Device often packed with multiple separate instances of security technologies that often bring with them more vulnerabilities than the solution they provide
  – No service opportunity for managed security
iPhone
• Easy-to-use, consistent interface
• Not fully integrated into enterprise
• Rapidly gaining market share
• Powerful, elegant, flexible
• App Store
• Voice security unaddressed
• Voice and Data security common problem
  – Both must be addressed
  – Ensure business voice calls are encrypted
• Networks are un-trusted pipes
• End-to-end security is preferred
  – Data must be secured at all times: in motion, at rest
  – Security must persist no matter what
• Educate senior staff on risks
• Ensure that employees understand the nature of mobile phone intercepts
Best Practices for Mobile Voice & Data Security
• Platform security makes sense
• Use standards-based approach wherever possible
• Integrate data-at-rest, data-in-motion security
• Common framework for both transport and application security
• Use single, well thought out integrated Key Management, Authentication and Encryption solution supporting multiple contexts
• Implement in plug-in hardware
  – Adaptable to any modern handset
  – Secure hardware resolves all security issues
  – Software bridges adaptability
  – Best of both worlds!
  – Management must be secure at all times
Best Practices for Mobile Voice & Data Security
Thank You
Tony Fascenda
KoolSpan Inc.
4962 Fairmont Ave.
Bethesda, MD 20814
Phone: 240 880-4402
E-mail: [email protected]
http://www.koolspan.com