Mobile device security:Findings
From Provider Wiki
This page has been frozen as of the presentation to SUG and IT Roundtable on February 12, 2007
This LSP-oriented product/technology evaluation team was asked to test and document mobile device (laptop, PDA, smartphone) security concerns with an eye toward tools or services that will protect users and data in the event the device is physically lost or stolen.
Specific deliverables include precise configuration instructions and suggestions, best practices for dealing with security versus accessibility, and information regarding specific issues of interest (such as various PDA and smartphone security options and best practices).
Findings
After an initial discussion about smartphone security, the team decided to focus on products available to help keep mobile devices secure. Other areas discussed by this group are summarized in the "Best Practices" section.
During our evaluation, the Mobile Device Security team assessed products in the following areas:
- Usability
- Encryption Strength
- End of life data destruction / options for lost devices
- Best practices/device hygiene
- Data integrity
Blackberry
Blackberry devices are much more tightly controlled by their parent company, Research In Motion (RIM), than are Palm OS and Windows Mobile devices. As a result, the built-in security and encryption are much more robust out of the box than those of the other two operating systems. These devices support end-to-end AES or Triple DES encryption by default when communicating with the back-end server infrastructure. The BlackBerry Enterprise Server (BES) supports an extensive set of over-the-air (OTA) wireless IT policies and commands that enable IT administrators to enforce security settings wirelessly. The committee did not find many third-party products that provided better security or more options than the BES.
Products Considered
The committee evaluated products for Palm OS, Windows Mobile and Blackberry devices. Since campus IT is decentralized, products were evaluated both with and without central infrastructure in mind.
Final Evaluation Candidates
As of our meeting on December 11, 2006, we narrowed down the list of products that we evaluated.
- Mobile_device_security/TealLock and Mobile_device_security/SafeGuard PDA
- These two products are essentially the same. SafeGuard PDA is the OEM version of TealLock, licensed by Utimaco Corp.
- Mobile_device_security/Good Technologies
- Mobile_device_security/Credant
- Mobile_device_security/SafeBoot
Recommendations
The committee's findings have been grouped into products that are viable for users both in centralized and non-centralized LSP environments. For users that are associated with Windows Active Directory or centralized LDAP infrastructure, the centralized LSP products may be more useful. For users that do not have such an infrastructure in place, these products are not appropriate, and they should consider the Non-Centralized list.
Development of configuration recommendations for individual devices is still in progress, but will be made available from the team's web page.
Non-Centralized LSP Support
- Utimaco Safeguard PDA
- Palm OS, Windows Mobile
- E-Wallet
- Palm OS, Windows Mobile
Centralized LSP Support
The committee was not tasked to evaluate products that required server back-ends. Testing these would also have been too time-consuming for such a short-lived committee. The following recommendations are based on industry reviews of products that take advantage of a server infrastructure (cf. appendix... ):
- Utimaco Safeguard PDA
- Credant Mobile Guardian, Group Edition
- Good Technologies Mobile Defense
It is also worth noting that the next-generation POBOX server will support some centralized management for PDAs. The exact details of these services have not been formally announced; please refer to ISC Networking's Email pricing page for more information as details develop.
Best Practices
- Devices which support a power-on password should use it. This basic security is more intrusive on some devices than others (e.g. some BlackBerrys will wipe themselves after 3 incorrect attempts, and require that the PIN be entered before an incoming call can be answered). Our recommendation is to try the built-in password screen on your device and see if it is usable for your specific needs.
- PDAs are particularly vulnerable to damage or loss (Pointsec study on lost devices) and should be backed up regularly. The definition of an appropriate backup depends heavily on the workflow of the user; there is no global recommendation to be made here. For some users the vendor-supplied desktop sync package will be sufficient. Other users may require whole-device backup packages such as SPBBackup or BackupBuddy.
- When performing backups locally, remember that backups to external flash cards only protect you against damage to the device; if the device is lost or stolen, the flash card goes with it.
- The latest-and-greatest handheld device may not be able to sync with your old smartphone's information. The turnover rate of smartphone/PDA devices is very high (devices are essentially obsolete after 2 years). Cellular carriers also customize their offered devices to a high degree, such that there's no guarantee that a new device (even one with the same model number) will behave anything like an older device. It is recommended that smartphone users carefully weigh their options before deciding to upgrade to a new device, and leave sufficient overlap time between the two in order to migrate from one to the next. It is also suggested that users wait at least 6 months from any new operating system offering (e.g. Windows_mobile_6) before purchasing any devices that use it.
- Carriers often offer upgrades for smartphones. The general rule seems to be that you can expect one minor-version upgrade during the life of the device, at which point the hardware is no longer compatible with the next generation of operating system. It is rare to see two upgrades, or major-version upgrades, of operating systems for smartphones.
- Smartphones are prone to software-related functionality problems (particularly related to Bluetooth and Wi-Fi) that are often never properly patched by their vendors. It is recommended that users investigate other users' reports on new models on popular websites. See the Appendices below for specific resources.
- Specific configuration instructions for various devices and programs are still underway and will be posted when finalized.
Appendices
Previous Penn Evaluation Efforts
- The 2006 Hard Drive Encryption team has some specific instructions on encrypting hard drives for Windows XP and Mac OS X on their results page. The document covers EFS for Windows XP and File Vault for Mac OS X.
- In 2005, the Data Encryption team created a Word document with specific recommendations for email and file transfer. Specifically, it discusses the use of SSL, PGP, and secure methods of FTP. DataEncryption20060108.doc
Resources
Gartner Research Group's Magic Quadrant for Mobile Data Protection, 1H06
Gartner Research Group's Magic Quadrant for Mobile Data Protection, 1H05
Yale Med computing article on PDA security
Carnegie Mellon University site Mobile Device Security Guidelines
MSMobiles article on Windows Mobile security vulnerabilities
Mobile/Laptop File Encryption software comparison (Work-in-progress)
User Information sites
US-CERT articles:
- article on PDA security
- Cyber Security for electronic devices
