Educause Security Discussion mailing list archives

Re: Blackberry security expertise needed


From: BEN PIJOR <bpijor () KENT EDU>
Date: Thu, 27 Jul 2006 18:15:30 -0400


James,

I have found the documentation for the BES IT Policies to be terrible at
best. As you stated, some of them are obvious, but some take some testing
to figure out. A couple of them we use in our default IT Policy that all of
our devices have applied to them. Most of the policies either do not apply
to us or were ignored due to our inability to truly decipher their purpose.
I could see many of these settings appropriate for a corporate environment
where they can really control what their users can and cannot access from
their device. Since we cannot enforce many restrictions, they simply do not
apply.


-          Number of failed logon attempts before wiping
      We currently recommend, but will soon be enforcing, a policy that
all devices be password protected. This feature is a bit of a double-edged
sword. If they lose their device, someone finds it, and enters the
password incorrectly 10 times (that's the default), the data from the
device is wiped and it is reset to the state that it was received from the
manufacturer. The other side is if someone forgets their password or
if a device has a broken keyboard, someone can easily enter an incorrect
password and wipe the device (we've had this happen once already), leaving
them out of luck while away on a trip.

-          Options – Security-General Settings  Security Timeout
      Amount of inactivity time that passes before the device is locked. We
use this in conjunction with the password requirement to secure the device.

 I have recently used this document from the Australian DSD to model a few
of our policies:

http://www.dsd.gov.au/_lib/pdf_doc/library/Blackberry_March_06.rtf

I just wish more of these settings were better explained in RIM's
documentation as to their impact to the device. They do a great job of
naming them and providing their default/recommended settings, but lack a
real description of the purpose or ability. One of my test policies that I
created for lost devices completely destroyed a device. I later found out
that a couple of my settings did not apply to the handheld setup, so I
wound up with a paperweight.

As for BlackBerry Connect, we have not ventured down this route, as we have
not tested it yet. Our stance is if you want the service, you will use one
of the wireless provider's RIM manufactured BlackBerry devices that we
approve. I have also not looked into any of the details or documentation
about BlackBerry Connect to see how it may differentiate from the
BlackBerry service we currently provide, particularly the IT Policies.

I hope I helped a little bit.

Ben


BENJAMIN PIJOR
Systems Specialist
Client Services
Kent State University
125 Library
Kent,Ohio 44242
Phone: (330) 672-8549
Email: bpijor () kent edu


James H Moore <jhmfa () RIT EDU>
07/25/2006 04:54 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Blackberry security expertise needed
Please respond to: The EDUCAUSE Security Discussion Group Listserv <SECURITY@LISTSERV.EDUCAUSE.EDU>

We are working on a mobile devices standard.  We did some benchmarking with
industry on classes of devices, and it seems that BlackBerries have a
slight edge, but Microsoft is mounting a challenge.

We ended up with 2 questions, and although I became a guinea pig, and now
have a BlackBerry, I am still clueless, and haven't been able to find the
answers to them.  If you know any good BlackBerry security sites, please
pass them on.


My first question is what are good BlackBerry security settings – Some are
obvious – Others aren’t.  I don’t know if or how some of these things
affect security, any links to explanations would be great.

-          Number of failed logon attempts before wiping

-          Options – Security-General Settings  Security Timeout

-          Options – Security – Key Store Passwords (Length of password,
Private Key Password Timeout)

-          Options – Security – Key Store  Accept Unverified CRLs – Yes/No

-          Options – Security Memory Cleaning settings

-          Options – Security - TLS – TLS Default

-          Options – Security – WTLS – (Allow Weak/ Strong Only)

-          Internet Browser – Any Link – Browser Configuration -  Support
Embedded Media

-          Internet Browser – Any Link – Browser Configuration -  Support
Javascript

-          Internet Browser – Any Link – Browser Configuration -  Support
CSS

-          Internet Browser – Any Link – Cache Operations -  00K ?

-          Internet Browser – Any Link – General Properties - Running WML
scripts

-          Internet Browser – Any Link – General Properties – Enable
Javascript Location

-          Options – MMS - Reject Anonymous Messages in

-          Options - MMS - Reject Advertisements in MMS

-          Options – Browser Push – Enable Push

-          Options – Browser Push – Enable MDS Push

-          Options – Browser Push – Enable WAP Push

-          Options – Browser Push – Allow WAP Push

The second thing has to do with the security of "BlackBerry Connect" as
compared to regular BlackBerries.  Vulnerabilities?  Additional software
needed?  If users keep spreadsheets, or save attachments, where do they go?

Thanks,

Jim


- - -
Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
Office: 585-475-5406
Lab: 585-475-4122
Fax: 585-475-7950

"Distrust and caution are the parents of security."  -- Benjamin Franklin

"We will bankrupt ourselves in the vain search for absolute security." --
Dwight D. Eisenhower
