Educause Security Discussion mailing list archives
Re: Blackberry security expertise needed
From: BEN PIJOR <bpijor () KENT EDU>
Date: Thu, 27 Jul 2006 18:15:30 -0400
James,

I have found the documentation for the BES IT Policies to be terrible at best. As you stated, some of them are obvious, but some take some testing to figure out. A couple of them we use in our default IT Policy that all of our devices have applied to them. Most of the policies either do not apply to us or were ignored due to our inability to truly decipher their purpose. I could see many of these settings being appropriate for a corporate environment where they can really control what their users can and cannot access from their device. Since we cannot enforce many restrictions, they simply do not apply.

- Number of failed logon attempts before wiping

We currently recommend, but will soon be enforcing, the policy that all devices be password protected. This feature is a bit of a double-edged sword. If they lose their device, someone finds it, and enters the password incorrectly 10 times (that's the default), the data on the device is wiped and it is reset to the state in which it was received from the manufacturer. The other side is that if someone forgets their password, or if a device has a broken keyboard, someone can easily enter an incorrect password and wipe the device (we've had this happen once already), leaving them out of luck while away on a trip.

- Options – Security – General Settings – Security Timeout

Amount of inactivity time that passes before the device is locked. We use this in conjunction with the password requirement to secure the device.

I have recently used this document from the Australian DSD to model a few of our policies: http://www.dsd.gov.au/_lib/pdf_doc/library/Blackberry_March_06.rtf

I just wish more of these settings were better explained in RIM's documentation as to their impact on the device. They do a great job of naming them and providing their default/recommended settings, but lack a real description of their purpose or ability. One of my test policies that I created for lost devices completely destroyed a device. I later found out that a couple of my settings did not apply to the handheld setup, so I wound up with a paperweight.

As for BlackBerry Connect, we have not ventured down this route, as we have not tested it yet. Our stance is that if you want the service, you will use one of the wireless providers' RIM-manufactured BlackBerry devices that we approve. I have also not looked into any of the details or documentation about BlackBerry Connect to see how it may differ from the BlackBerry service we currently provide, particularly the IT Policies.

I hope I helped a little bit.

Ben

BENJAMIN PIJOR
Systems Specialist
Client Services
Kent State University
125 Library
Kent, Ohio 44242
Phone: (330) 672-8549
Email: bpijor () kent edu

James H Moore <jhmfa () RIT EDU>
07/25/2006 04:54 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Blackberry security expertise needed
Please respond to: The EDUCAUSE Security Discussion Group Listserv <SECURITY@LISTSERV.EDUCAUSE.EDU>

We are working on a mobile devices standard. We did some benchmarking with industry on classes of devices, and it seems that BlackBerries have a slight edge, but that Microsoft is mounting a challenge. We ended up with 2 questions, and although I became a guinea pig, and now have a BlackBerry, I am still clueless, and haven’t been able to find the answers to them. If you know any good BlackBerry security sites, please pass them on.

My first question is what are good BlackBerry security settings – Some are obvious – Others aren’t. I don’t know if or how some of these things affect security; any links to explanations would be great.

- Number of failed logon attempts before wiping
- Options – Security-General Settings – Security Timeout
- Options – Security – Key Store Passwords (Length of password, Private Key Password Timeout)
- Options – Security – Key Store – Accept Unverified CRLs – Yes/No
- Options – Security – Memory Cleaning settings
- Options – Security – TLS – TLS Default
- Options – Security – WTLS – (Allow Weak / Strong Only)
- Internet Browser – Any Link – Browser Configuration – Support Embedded Media
- Internet Browser – Any Link – Browser Configuration – Support Javascript
- Internet Browser – Any Link – Browser Configuration – Support CSS
- Internet Browser – Any Link – Cache Operations – 00K ?
- Internet Browser – Any Link – General Properties – Running WML scripts
- Internet Browser – Any Link – General Properties – Enable Javascript Location
- Options – MMS – Reject Anonymous Messages
- Options – MMS – Reject Advertisements in MMS
- Options – Browser Push – Enable Push
- Options – Browser Push – Enable MDS Push
- Options – Browser Push – Enable WAP Push
- Options – Browser Push – Allow WAP Push

The second thing has to do with the security of “BlackBerry Connect” as compared to regular BlackBerries. Vulnerabilities? Additional software needed? If users keep spreadsheets, or save attachments, where do they go?

Thanks,

Jim

- - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Office: 585-475-5406
Lab: 585-475-4122
Fax: 585-475-7950

"Distrust and caution are the parents of security." -- Benjamin Franklin
"We will bankrupt ourselves in the vain search for absolute security." -- Dwight D. Eisenhower
Current thread:
- Blackberry security expertise needed James H Moore (Jul 25)
- <Possible follow-ups>
- Re: Blackberry security expertise needed BEN PIJOR (Jul 27)