February 9

Security Friday Five Minute Fast Fact: Bad Batch of Blackberrys

By David Stern

Since the late 1990s, Blackberry technology from RIM has opened new avenues of employee connectivity and efficiency. Leaps in both hardware and software have allowed the Blackberry to evolve from a simple email platform to a true mobile computing device. In the enterprise model, the devices connect back to a server known as the Blackberry Enterprise Server (BES).

A typical deployment places the BES on the internal corporate network. The BES orchestrates access from the handheld device to internal corporate resources, including mail, web, and just about any other network-based (TCP) application. When they were initially launched, RIM devices were simple email clients, which kept our risk lower. Current models are more like mini-computers that you carry with you: they can connect to more, do more in your network, and even allow network-based applications to be installed remotely (over the air).

This effectively creates a pathway from the mobile device, located anywhere in the world, back to some of the most sensitive systems on our corporate network. For example, at Black Hat 2006 (a security conference held every year), Jesse D’Aguanno released a proxy program and demonstrated for the audience how a typical Blackberry architecture can be turned into a potent hacking tool.

There are ways to make this solution secure.

For most users, the ability to tunnel arbitrary traffic to the internal network can be disabled. Setting up a separate BES with tunneling enabled for IT users provides this powerful troubleshooting capability without the inherent danger. The BES should be placed into a firewall DMZ where this traffic can be controlled and monitored. Finally, periodic auditing of device configurations and policy setup for handheld units will ensure that IT has a good grasp of what its deployed community is up to. As with most technology, the application of standard information security measures can compensate for technological insecurity, preserving business value.
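As an added illustration of the "controlled and monitored" step (this code is not from the original post), the script below audits DMZ firewall log lines for traffic from the user-facing BES to internal hosts outside an allowlist. The log format, addresses, ports and names are all constructed assumptions.

```python
import ipaddress

# All addresses, ports and log lines below are constructed for illustration.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
USER_BES = {"192.168.50.5"}   # DMZ BES for ordinary users (tunneling disabled)
ALLOWED = {                   # internal services the user BES may reach
    ("10.0.5.10", 25),        # mail
    ("10.0.6.20", 443),       # intranet web
}

SAMPLE_LOG = """\
10:00:01 ACCEPT src=192.168.50.5 dst=10.0.5.10 dport=25
10:00:07 ACCEPT src=192.168.50.5 dst=10.0.9.40 dport=1433
10:01:12 DENY src=192.168.50.5 dst=10.0.9.41 dport=22
10:02:30 ACCEPT src=192.168.50.6 dst=10.0.9.40 dport=3389
10:03:02 ACCEPT src=192.168.50.5 dst=203.0.113.7 dport=443
"""

def parse(line):
    """Split 'time ACTION key=value ...' into (action, fields)."""
    _time, action, *pairs = line.split()
    return action, dict(p.split("=", 1) for p in pairs)

def audit(log_text):
    """Return (kind, dst, dport) for user-BES traffic outside the allowlist."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        action, f = parse(line)
        dst, dport = f["dst"], int(f["dport"])
        if f["src"] not in USER_BES:
            continue  # e.g. the separate IT BES, reviewed under its own policy
        if ipaddress.ip_address(dst) not in INTERNAL_NET:
            continue  # outbound traffic is not a path into the corporate LAN
        if (dst, dport) in ALLOWED:
            continue
        # ACCEPT means the firewall let it through: a rule gap to close.
        # DENY means something behind the BES tried a path it should not have.
        kind = "rule-gap" if action == "ACCEPT" else "blocked-attempt"
        findings.append((kind, dst, dport))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

A "rule-gap" finding points at the firewall policy; a "blocked-attempt" finding points at a handheld or application worth including in the next device audit.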

A potentially bad batch of Blackberrys becomes a palatable Blackberry treat.

