There’s the police officer, within 10 feet there is the panhandler
making threats, 10/28/2009 at 4:25pm, corner of Church
and Chambers Streets

Actually it is worse than just one officer ignoring a crime, it is that it is different officers on a daily basis watching people be yelled at and threatened. The approach did not start that way of course, the panhandling started simply as this person asking for change for the subway and being mindful of the police officer standing there. But as the month wore on, and he saw that clearly the police had no intention of addressing what he was doing, he became more aggressive.

A little History…

Around 1994 New York City’s police forces adopted an Order-Maintenance Policing strategy, popularly known as Broken Windows theory. Under this approach laws that deal with social disorder are enforced using a low tolerance approach. In other words, infractions that are generally considered low level such as graffiti, panhandling, jumping subway turnstiles, public urination, and so forth are used as grounds for arrest.

NY Crime Rate Drop

The theory had one of its most well known implementations in New York under William Bratton the then head of the NYC Transit Police. The policy was adopted more widely under Mayor Rudy Giuliani and police commissioner Howard Safir, and in many objective measurements the crime rates dropped for both nuisance and violent crimes. Most would also agree that if multiple officers with the duty to enforce the laws of the city directly observe something happen but take no punitive action that the law while on the books is not an enforced law. When the law is obviously not enforced, people are led to the conclusion that it can be broken without consequence, and thus because of uneven or non-existent enforcement the law becomes a paper tiger, largely not worth the paper it is written on.

Whatever you think of it…

Not everyone subscribes to this theory, which as a zero-tolerance style policy does likely over reach. In general though, most will concede that even if panhandling itself should not be a crime, aggressive panhandling does become problematic under its most extreme variations including: approaching individuals as a group, using veiled threats or insults, following individuals, blocking or touching a person, or approaching a person using an ATM. If you can concede that, and it is against the law, then law officers not addressing the situation is tacitly accepting the behavior.

I keep using officers in plural because one police officer ignoring something could be taken as an outlier, someone who just is not doing his or her job but not characteristic of what other officers would do. In this case I have waited a month to observe multiple officers, to see what the reaction would be.

What does this have to do with Information Security?

Security Policies

People who write information security policies are loath to have their effort be completed in vain. Most texts and experienced security professionals will tell you that anything that is overly technically specific, patently unenforceable, or subject to major variation in interpretation should be taken out of a security policy. The best practice generally put forth is to carefully divide the security requirements of the organization into the direction and context (policy level) and put the specifics for achieving those policies into standards, procedures, and guidelines which can be updated often and are more fungible.

Security folks write what are sometimes complex exception mechanisms and risk acceptance methods to deal with the rare occasion that a security policy must be overridden. Good security policies are usually the result of much iteration, regular update, and reviewed in consult with business, technical, and legal leadership within the organization.

Finally a good security policy contains a corrective action clause. That is the policy details the consequences of non-compliance. This is the part of the policy that usually includes a clause that reads “actions up to and including termination”.

In this context, security policies are like the law. They describe “the what” on what’s prohibited but exclude “the how”, the enforcement itself.

Policy Enforcement

Most security professionals can also quote what should be on the policy books of your Human Resources department, that there can be no difference between individuals in the way policies are enforced or the risk of a downstream law suit that is more difficultly defensible is incurred. In the imperfect reality of the enterprise, corporate policies are enforced differently across different people all the time, but the goal and stated practice generally remains the same. Policy is to be enforced uniformly in all cases. For this reason, a security policy that does not have a reasonable enforcement mechanism (technology products and people processes to detect violation) will generally be difficult to enforce. Further a policy where detection mechanisms do exist but corrective actions never followed communicates clearly to corporate citizens the lack of importance of the policy.

Unenforced policies are difficult to resurrect to being enforceable, and further weaken the overall set of security policies. As soon as the reader comes across a policy instance that they know to either be unenforceable or that clearly is not enforced because it is observed by security personnel but nothing comes of it, that reader comes to question the entire set of security policies in place. It is similar to what happens when reading a newspaper article, if you come across one glaring inaccuracy that you know to be untrue based on your personal experience it draws all of the facts of the article in question.

So what have we learned?

If you know you can’t enforce it, or know your company will not enforce it, fight like hell to keep it out of your security policies. And if you want to threaten people into giving you money, south of Canal Street is the place to do it.

Related Posts:

• Press F1 for Help, pwned.
• Fugitive Found Working at Homeland Security

About one month ago, a problem in the Blackberry browser left devices open to attack due to a certificate notification flaw. An advisory from Research in Motion details how a malicious user could spoof a “trusted” website then use a phishing technique to send users to that site using SMS or email.

A malformed SMS message causing a memory corruption error could be used to cause a denial of service or execution of arbitrary code on Apple’s iPhone (CVE-2009-2204). Although not related to Blackberry, I wanted to get the point across that mobile devices are beginning to see their fair share of vulnerabilities which could lead to malicious activity.

Turning our focus back to the Blackberry, a director for Hermis Consulting in Jakarta, Indonesia recently wrote an application for the Blackberry which can turn the handheld into a remote bugging device.
The software is called PhoneSnoop and was written to demonstrate how an “attacker can activate the microphone of a Blackberry handheld and listen to sounds near or around it.” There are currently no stealth or spyware aspects of the software, but it shows how the capabilities of a Blackberry could be used for malicious purposes.

These issues remind me of my previous position, managing a global infrastructure team for a financial company.  Exchange and Blackberry services were under our umbrella of responsibilities.  When I first arrived many years ago, as with most companies that are victims of rapid growth, IT policies were non-existent.  Though unpopular with the users, I had to have a BES policy implemented, and one that took quite a bit of control from the user. From password policies to WiFi disabling, where is your BES policy?

Note: A BES (Blackberry Enterprise Software) is middleware software which connects to your enterprise messaging solution (such as Microsoft Exchange or IBM Lotus Domino) and redirects email and PIM information to and from Blackberry mobile devices.

Note: A BES IT Policy is configured from the BES and are assigned to the Blackberry devices over the air.  Policies can be assigned to users and user groups. The default installation does not enforce policies which should definitely be enabled and are best practices on any platform or device. See the bottom of this post for the KB with instructions on how to create and apply policies.

At the bare minimum, you should have these basic policies set:

• Password Required Rule – True
• User Can Change Time – False
• User Can Disable Password – False
• Password Pattern Checks – Require at least 1 alpha and 1 numeric
• Minimum Password Length – 7 characters
• Maximum Password Age – 30 or 60 days
• Set Password Timeout – 10 minutes
• Set Maximum Password Attempts – 10
• Maximum Password History – 6
• Set Owner Info – Customize
• Set Owner Name – Customize
• Lock Owner Info – Customize
• Remote Wipe Reset to Factory Defaults – True

Control Upgrades:

• Allow Non Enterprise Upgrade – False
• Disallow Device User Requested Upgrade – True

Camera Options:

• Disable Photo Camera – True 
• Disable Video Camera – True

Application Control:

• Disable Application Center – True
• Allow Application Down Services – False
• Disallow Third Party Application Downloads – True

Other Policies I Like:

• Disable USB Mass Storage – True
• Disable Blackberry Messenger – True
• Disable Bluetooth – True
• Allow Application Download Services – False
• Allow Hotspot Browser – False
• Allow IBS Browser – False

Too Much?

Now, these policies are starting to sound too strict at a glance; but, the purpose of the device is for users to have access to their email, contacts and calendars anywhere and to have a mobile phone they can be reached at any time.  Cameras, Hotspots and transferring photos and music using USB mass storage are features that are not necessary. If you have legitimate business needs for these features, than you can enable them for certain user groups using a policy.

The policies mentioned are a very small fraction of what is available. I’d like to hear which policies you find useful in your environment, or which you find to be more harm than good.

For a complete list of policies, please see the Policy Reference Guide.

Howto

Create, Assign, View, and Send IT policies
Doc ID : KB02022
Last Modified : 2007-02-01
Document Type : How To
Environment
This article applies to BlackBerry® Enterprise Server software versions 3.6, 4.0, and 4.1 for Microsoft® Exchange.
Procedure
The BlackBerry Enterprise Server uses an IT policy to control the behavior of the BlackBerry devices assigned to it. IT policies cover a wide range of BlackBerry device functions (for example, passwords, attachment viewing, and available browsers). Administrators can create custom IT policies in addition to the IT policies already present on the BlackBerry Enterprise Server.
Creating IT Policies
To create an IT policy, complete these steps:
BlackBerry Enterprise Server software versions 3.6 and 4.0

1. Depending on your version, open the BlackBerry Enterprise Server Management console or BlackBerry Manager.
2. Right-click the BlackBerry Enterprise Server name, then click IT Policy.
3. Click New, then create a name for the IT policy.
4. Select the check box beside each IT policy rules item you would like to assign. A description of the IT policy will appear.
5. To enable the selected IT policy, in the description window, click TRUE.
6. Click Apply, then click OK.

BlackBerry Enterprise Server software version 4.1

1. In BlackBerry Manager, select Servers, then click the Global tab.
2. From the Tasks menu, click Edit Properties.
3. Select IT Policy, then double-click IT Policies.
4. Click New, then create a name for the IT policy.
5. Select an IT policy group to view the associated IT policy rules.
6. Select the appropriate IT policy rules.
7. Click Apply, then click OK.

Assigning IT Policies
To assign an IT policy to a BlackBerry device user, complete the following steps:
BlackBerry Enterprise Server software versions 3.6 and 4.0

1. Depending on your version, open the BlackBerry Enterprise Server Management console or BlackBerry Manager.
2. Right-click the BlackBerry Enterprise Server name, then click IT Policy.
3. Select an IT policy, then click Edit User List.
4. Click Add Users to This Policy.
5. Select a BlackBerry device user, then click Add.
6. Click Close, then click OK to close the Edit IT Policy Userlist window.
7. Click OK again.

BlackBerry Enterprise Server software version 4.1

1. In BlackBerry Manager, select Servers, then click the Global tab.
2. From the Tasks menu, select Edit Properties.
3. Select IT Policy, then double click IT Policy to User Mapping.
4. Select a BlackBerry device user, then click the button next to the appropriate IT policy.
5. Click OK to close the IT policy to User Mapping window.
6. Click Apply, then click OK.

Viewing IT Policies
To view IT policies on the BlackBerry Enterprise Server, complete these steps:
BlackBerry Enterprise Server software versions 3.6 and 4.0

1. Depending on your version, open the BlackBerry Enterprise Server Management console or BlackBerry Manager
2. Right-click the BlackBerry Enterprise Server name, then click IT Policy.
3. Select an IT policy, then click View to see the BlackBerry device and Desktop Policy Settings that have been applied.
4. Click OK to close the View Policy window.
5. Click OK again.

BlackBerry Enterprise Server software version 4.1

1. In BlackBerry Manager, click Servers, then click the Global tab.
2. From the Tasks menu, select Edit Properties.
3. Select IT Policy, then double-click IT Policies.
4. To view the IT policy rules, click Properties.
5. Click OK.

To view an IT policy on a BlackBerry device, complete these steps:

1. From the Home screen, select Options.
2. Select Security Options > General Settings.
3. The IT policy Name, Last Updated, and Time Stamp fields will be listed.

Note: Depending on the BlackBerry device and BlackBerry Device Software version, the instructions for viewing the IT policy on the BlackBerry device may vary. For example, on the BlackBerry 7100 series, the BlackBerry device user must select Settings or Tools, then select Security.

Sending IT Policies
To send an IT policy to a BlackBerry device user, complete the following steps:
Note: By default, when you assign an IT policy to a BlackBerry device user, the IT policy is automatically sent to the BlackBerry device user.
Note: When a change is made to an existing IT policy, it is automatically resent to all BlackBerry device users assigned to that IT policy.
BlackBerry Enterprise Server software versions 3.6 and 4.0

1. Depending on your version, open the BlackBerry Enterprise Server Management console or BlackBerry Manager
2. Select the BlackBerry Enterprise Server name, then right-click a BlackBerry device user name.
3. Click Properties.
4. On the IT Admin tab, click Resend policy.
5. Click Apply, then click OK.

BlackBerry Enterprise Server software version 4.1

1. In BlackBerry Manager, select the BlackBerry Enterprise Server name.
2. Select a BlackBerry device user, then click the question mark ( ? ) symbol beside IT Admin.
3. From the menu that appears, you can resend the IT policy or assign an IT policy to a BlackBerry device user.
4. Click OK.

Related Posts:

• iPhone 4 Ordering and Session Switching
• May’s Patch Tuesday
• March’s Patch Tuesday
• Press F1 for Help, pwned.
• First Patch Tuesday of 2010

Little Bit of History

I am going to quickly cover some of the history of the Internet and how it grew borders, but please skip to the highlight of the article if you are familiar with this already: Borderless Networks, What?

ARPANET (‘69-’91)

In the beginning, there was ARPANET which was the pioneer in packet switching networks and gave providers the choice of which method and hardware for communication it would use. However, the base protocol used for devices to communicate in ARPANET was NCP. The NCP protocol could best be described as a network device driver and less as a network transport stack. It did not have any method for end-to-end error handling which was seen as a problem, but nothing was done about this until 1983.

In 1983, TCP/IP replaced NCP as the protocol for transport and ARPANET became a part of what was to become the Internet. TCP/IP was a huge improvement over NCP in that it accounted for problems on the network and allowed the network not to come to a grinding halt when packets were lost. It also achieved the concept of end-to-end connectivity between each host. This meant that as long as two hosts were on the Internet they could reach each other by utilizing standard TCP/IP. This standard framework also lead to the growth of many different applications as there was no longer any need to make changes to the network to add new applications/protocols.

First Borders (‘91-’94)

All the building blocks were in place and what formed was a large group of interconnected networks to share and exchange data. Then the first virus and worm hit in 1983 and 1988 respectively. The morris worm gained a fair amount of media attention and in fact prompted the establishment of CERT. Even in this embryonic stage the vitality of the information being shared caused many researchers to begin placing limitations on the end-to-end connectivity of their hosts. Thus began the ‘Us’ and ‘Them’ status of the Internet.

‘Us’ and ‘Them’ started out simple with a move to keep networks segregated-or put another way, adding a border between the networks. At first, the borders were nothing more than routers that limited the effects from network A from spilling over into network B. They were effective, but in 1991 DEC released the first modern Firewall: SEAL. This marked the first real security border on the Internet, where all packets were inspected and compared to a set of policy rules before being passed on. These first security borders were instrumental in providing the trust and assurance in the network that companies and researchers required, speeding the growth of the Internet. While intrusion was still possible, the bar of entry was raised beyond causal attacks and probes.

Figure 1: Us vs. Them

In 1992, the dominant addressing of hosts was IPv4, where each host is a assigned a 32-bit address. This assignment limited the total number of addressable hosts to 4,294,967,296, but, due to reservations and subnetting, this could never be fully utilized. At this time, it was recognized that IPv4 limitations would be become a problem in the future, beginning the process of creating a new IP protocol with a much higher number of addressable hosts. IPv6 was born in 1994, based on a 128-bit address for each host. This would effectively allow every man, woman, and child on Earth to be assigned an address many times over. As a part of the formation of IPv6, security between networks was also taken into account and IPSec was created as a requirement of the IPv6 protocol.

IPv6’s creation gave the Internet a secure method of communications between networks via IPSEC and nearly unlimited address space, but IPv6 did not get off the ground quickly. This was mostly due to the fact that all devices and operating systems would need to be upgraded to handle the new protocol, and there was little to no pressure from the market to push things forward. IPSec on the other hand did take off, as it quickly became the standard method for interconnecting trusted networks over an untrusted medium (such as the Internet).

At the same time that IPv6 and IPSec were being developed, another group of people began working on an alternate method for dealing with the lack of addressable space in IPv4. Network Address Translation (NAT) was published in RFC1631 in 1994 as a short term solution, while the larger problems were being addressed. NAT became very successful quickly as it allows a very large number of hosts to access the larger Internet while using very few publicly addressable IP addresses. As with most things, NAT came with some trade-offs. One of the big ones was that hosts no longer had complete end-to-end connectivity. Thus, another border on the network was created; in practice firewalls became the dominate NAT devices. Nonetheless, the NAT border would create problems for applications developers for years to come.

Present (‘09)

In 2009, the way Internet runs is really not very different from 1994; IPv6 is just now getting underway, NAT is used everywhere, and IPSEC still secures networks over an untrusted medium. What has changed in a big way is the applications and uses of the Internet. Telephone calls commonly use the Internet for transport, on demand video is a huge source of traffic, social media networks garner huge numbers of users, online shopping is an important revenue stream for companies, and most recently more and more services are being hosted elastically on demand via the Internet.

Borderless Networks. What?

Now let’s get back to Borderless Networks…

Cisco envisions a global network where you can go any place and access any data you could need at anytime. John Chambers detailed the approach on a video at Cisco.com:

Cisco also has a Virtual event on Oct 20th for Borderless Networks, and have been encouraging people to register via twitter and emails for the last two weeks.

I first learned of the Borderless Networks push during the SC World Congress. I was there to get a preview of Borderless Networks as presented by Joel McFarland. The session description sounded interesting and as it was a keynote there was nothing else to pull on my time.

Two co-workers and I attended the session, but being a little late we had to make our way to the very front of the room to find seats. Up front we were able to hear and see everything in great detail, but in hindsight this might have not been the best place for us. There was no way Joel could have missed the looks of skepticism on all three of our faces.

Joel pushed the Cisco idea of Borderless Networks in many different ways, but pointed to the iPhone as the game changer, the beginning of things to come. Then iPhone and salesforce.com became his prime example of how the mobile sales team are almost completely disconnected from the enterprise network. They access leads, manage contacts, input orders, and exchange notes and information all without even logging into the corporate network. At this point, I looked to my co-workers with a questioning expression and whispered the rhetorical question “No corporate login?“.

The example Joel used is common for a sales workforce, and is actively encouraged in many environments, but this was just something that I have always felt was wrong. In many companies, sales leads are valuable information and something that competitors and even other sales people would actively try to gain access to. When all access to this information is controlled by an external party you are no longer able to apply your own controls. In fact, you are beholden to the policies and procedures of the provider. Joel was one step ahead of me on this. He pointed out the problems that were playing through my head and countered that salesforce.com can be made to use a corporation’s internal authentication methods (Active Directory, RSA Token, etc.). As such, your internal policies for access and removal of access are once again in your control. I conceded. Joel is correct that salesforce.com can be brought into line with one’s internal security policy, but he does not address the issue of the remote device-the iPhone itself.

Borderless

Let me come back to the iPhone in a bit, I want to point out another slide that came up during this iPhone praise. In Figure 2 I have created a combined version of the two slides Joel was showing to demonstrate the future of networking (I have recreated them from memory, but its close enough for this post).

Figure 2: Before & After

In Figure 2, we have the before and after sections. According to Joel, currently the before example is a good summary of how most enterprises networks allow access into and between their networks. This Joel and I agree on.

As seen in the before section, you have a defined entry point into the network from outside, where all external resources gain access. This is your border between “us” and “them“. In the examples, both the remote home desktop and iPhone access the network and are allowed across past the border only if proper authentication and authorization have take place. Once completed, the remote device is granted access to the resources that are allowed for it to function as an effective job tool: access to to internet via internal proxy, access of files in the London office, or logging into the salesforce.com website. The key thing is that all access flows through this single point of entry.

By restricting access for remote devices to a single point, we are able to overcome some technical shortcomings and greatly reduce the vectors of attack for the network. NAT is required due to the limited number of publicly addressable addresses. Thus end-to-end connectivity is not an option for the remote devices. The use of IPSec for transport and assigning a RFC1918 address to the remote device end of the IPSec tunnel allows one to overcome the NAT limitations. This gives you remote device end-to-end connectivity within the enterprise network. By using this method the network administrators are able to capture and monitor at a single point all access into and out of the network. NAC, IPS/IDS, and other methods of monitoring are commonly deployed here.

With the after diagram of Figure 2, we see the future as Cisco/Joel see it. This is where all resources are able to access all other resources; also known as complete end-to-end connectivity. Joel did not say how this was to be achieved, but given the network diagram it’s not hard to surmise that Cisco is planning a big push for IPv6. IPv6 will allow for this type of network, and will bring down the NAT boundary. With it the technical limitation of too few addresses for end-to-end connectivity on the Internet is eliminated and things can get a lot more complex as we see in the after section of the diagram.

On the after diagram you see end-to-end connectivity to each resource both inside the network and outside. We have an iPhone going directly to salesforce.com, directly accessing a file in the London office, and able to access all the data that it could ever need. What about limiting access to resources? How do you make sure that a remote home desktop does not start copying all of the data from the London office, NYC office, and salesforce.com to a remote site? What if the desktop is infected with malware? How do you log the activity of the remote device access? All the questions become much harder when you have completed end-to-end connectivity, and historically we have learned it becomes an even larger problem when there are remote devices involved.

All the questions I have asked about the security of the after sections can be answered with products already on the market and in fact are recommended for use in both networks. The problem becomes the scale that is needed to protect and defend a network that has complete end-to-end connectivity. Once again, going back to the after diagram, only taking into account remote device access, the number of policies that needs to be maintained, protected, and monitored goes from 1 to 4. Now a growth of 400% is big, but almost manageable. If you start to think about a small enterprise with 20 offices, 2 datacenters, and 200 remote users, the problem of scale is instantly untenable.

IPv6 will solve a lot of problems for networks as the need for NAT will go away and devices will be able to directly address each other across networks and boundaries, but as with just about everything there are side effects. Keeping control of access into and out your network is the first line of defense and with IPv6 this becomes a policy and enforcement issue even if it is no longer a technical requirement.

The iPhone, Key to the Borderless Network

Joel said he likes his iPhone and from the huge number of videos from Cisco featuring an iPhone it’s safe to assume Cisco does too. During the keynote Joel pointed out the iPhone a few times in a number examples and in general with heavy praise. Joel and I agree the iPhone is an amazing device, an important step forward in mobile computing. After this Joel and I begin to disagree, namely around one key point: “The iPhone is a game changer.” I think that statement needs to add “for the consumer market“.

Figure 3: The iPhone

iPhones are enabling users to use the Internet from almost anyplace; it’s one of the most popular cameras on flickr, has a huge list of applications, and, for some people, a complete replacement for the traditional computer. While its strong points work well in the consumer market, in the enterprise markets it’s a very different beast. In fact the strongest points for the iPhone in the consumer market are security concerns for the enterprise. Application controls are limited, centralized control is even more limited, and encryption of the data residing on the devices is a problem on the most fully featured phone to date.

Devices like the iPhone should be thought of less as a phone and more as a laptop. With that comes all the same protections and controls that we use to mitigate risk on an enterprise laptop. Here is a quick list of what I expect from a laptop and by extension from an iPhone for it to become a viable remote access device in the enterprise environment:

• Virus and Malware software with centralized reporting
• Secure communications for the device; both internal resources and the ability to define policies
• Strong Data Encryption on the device
• Ability to do remote kill of device
• Application installation and run controls
• Web Filter/Proxy controls
• Access controls, password complexity settings and password failure data destruction

Some of the areas listed are available on the iPhone, but none of them are near complete and ready for everyday use in an enterprise. Research In Motion (RIM) dominates the enterprise market for the reasons I have listed here. RIM via the BlackBerry Enterprise Server (BES) gives the enterprise complete control of every device that connects via a centralized management station. BES also does network traffic correctly in that all devices came back to the BES at a single point of entry into the enterprise. This allows an enterprise to place additional control directly attached to the BES and not with multiple devices all over the network. RIM’s BES product represents the minimum level of security that should be expected for remote access of phone like devices. I would go so far as to say it should be the starting standard for how remote access devices should behave.

The iPhone might be the start of things to come, but in no way is it even close to ready for the enterprise market.

Why?

Cisco’s push with Borderless Networks is either something that they haven’t completely vetted from a security perspective or the security strategy isn’t completely explained in the marketing. The huge increase in the number of points needing protection, the corresponding increase in the policy and management, and management data flow and access controls are areas that need addressing. These are problems we still having troubles controlling with our current network deployments. Unless Cisco has a magic bullet coming out of their research and development departments, I don’t see how this move to Borderless Networks is even possible.

Related Posts:

• iPhone 4 Ordering and Session Switching
• May’s Patch Tuesday
• March’s Patch Tuesday
• Press F1 for Help, pwned.
• The “Aurora” IE Exploit Used Against Google in Action