
Mobile Device Security

Mobile Device Security. Dr. Charles J. Antonelli Information Technology Security Services School of Information The University of Michigan November 12, 2008. Why we’re here. Discuss best practices in safe use of mobile devices for research Help researchers self-manage devices


Presentation Transcript


  1. Mobile Device Security
  Dr. Charles J. Antonelli, Information Technology Security Services, School of Information, The University of Michigan
  November 12, 2008

  2. Why we’re here
  • Discuss best practices in safe use of mobile devices for research
  • Help researchers self-manage devices
  This work commissioned by the IT Security Council and the Associate Vice President for Research

  3. Agenda
  • Introduction & motivation
  • Defining private data
  • Threats to data
  • Securing data
  • Demonstrations
  • Cryptography primer
  • Not covered here
    • PDAs
    • Cell phones
    • Digital cameras

  4. Demo participation
  • Laptop
    • Windows or Mac OS X
    • No network connectivity required
  • Flash drive
    • Lexar Secure II Jump Drive

  5. Meet the instructor
  • Research in distributed systems, file systems, and security
  • At U-M Center for Information Technology Integration since 1989
  • Faculty in SI & EECS
  • Teaching
    • ITS 101 Theory and Practice of Campus Computer Security
    • SI 630 Security in the Digital World, SI 572 Database Applications Programming
    • EECS 280 C++ Programming, 482 Operating Systems, 489 Computer Networks; ENGR 101 Programming and Algorithms; SI 654 Database Applications Programming
    • DCE Internals, SHARE UNIX filesystem tours, …
  • Research
    • Advanced packet vault
    • SeRIF secure remote invocation framework

  6. Introduction

  7. Motivation
  • Protecting the confidentiality, integrity, and availability of the University’s information assets is not only good business … it is required by federal and state laws and by contractual requirements

  8. Information Security Regulations
  • Family Educational Rights and Privacy Act (FERPA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Payment Card Industry Data Security Standard (PCI-DSS)
  • State Notification Laws

  9. Private Personal Information
  • What is PPI?
    • Information that can be used to individually identify, contact, or locate a person, or may enable disclosure of this information
    • Aggregation may expose PPI: name and home address; SSN and bank account number; unique name and date of birth
  • Requirements relating to PPI
    • Non-public (“sensitive”) information that can be linked to an individual must be appropriately protected and handled on a “need to know” basis
    • Unauthorized disclosure of non-public PPI may harm an individual or the University
    • Regulatory requirement
  • Data Classification Guidelines: https://www.itss.umich.edu/umonly/dataClass.php

  10. PPI Examples (GLBA)
  • Social Security Number
  • Credit Card Number
  • Account Numbers
  • Account Balances
  • Any Financial Transactions
  • Tax Return Information
  • Driver’s License Number
  • Date/Location of Birth

  11. PPI Examples (FERPA)
  • Grades / Transcripts
  • Class lists or enrollment information
  • Student Financial Services information
  • Athletics or department recruiting information
  • Credit Card Numbers
  • Bank Account Numbers
  • Wire Transfer information
  • Payment History
  • Financial Aid
  • Grant information / Loans
  • Student Tuition Bills
  • Ethnicity
  • Advising records
  • Disciplinary records

  12. PPI Examples (HIPAA)
  • Patient Names
  • Street Address, City, Country, Zip Code
  • Dates related to individuals
  • Phone Numbers
  • Social Security Number
  • Account Numbers
  • Patient admission date
  • Patient discharge date
  • Medical record number
  • Patient number: Facility assigned
  • Unique patient number: ORS assigned
  • Procedure dates
  • Carrier codes (Insurance/HMO Name)
  • Patient zip code
  • Health care professional ID
  • Health care facility ID
  • Fax number
  • Health plan beneficiary numbers
  • Email addresses
  • Internet Protocol Address Numbers (IP addresses)
  • Web Universal Resource Locators (URLs)
  • Device identifiers and serial numbers
  • Certificate/License numbers
  • Vehicle identification numbers and serial numbers
  • Full face photographic images and any comparable images
  • Biometric identifiers such as finger and voice prints
  • Any other unique identifying number, characteristic, or code

  13. Threats to data

  14. Threats to data
  • Type of data
    • Research
    • Patient
    • Human subject (IRB)
    • Administrative
    • Proprietary
    • Contractual
    • Confidential
  • Threats
    • Compromise
    • Corruption
    • Theft (malware)
    • Loss of encryption key
    • Import/export/use restrictions on encryption
    • Loss of device
    • Theft of device
  • Fundamental threats
    • Loss of confidentiality
    • Loss of integrity
    • Loss of availability

  15. Recent news items
  • http://www.privacyrights.org/ar/ChronDataBreaches.htm

  16. Securing Data

  17. Countermeasures
  • Protect data at rest (in permanent storage)
    • Encryption
  • Protect data in transit (moving through a network)
    • Encryption
  • Protect the mobile device
    • Physical security
  http://safecomputing.umich.edu/MDS/

  18. Protecting Data at Rest

  19. Protecting data at rest
  • Data in permanent storage
    • Disk, tape, flash, CD/DVD
  • Standards-based solutions:
    • Strong encryption
    • Accept no substitutes
  • Renders data inaccessible without a digital key
  • Issue: key escrow

  20. Key escrow
  • Make a copy of your encryption key
    • In case you lose or forget your key
  • Provide a copy of your encryption key to your departmental IT organization
    • Via email, flash drive, mfile (IFS)
    • Check with departmental IT

  21. Protecting data at rest
  • Free & built-in encryption:
    • Windows Vista
      • BitLocker
      • Encrypting File System (EFS)
    • Windows XP
      • Encrypting File System (EFS)
    • Mac OS X
      • Encrypted disk image (Disk Utility)
      • FileVault
    • Linux
      • TrueCrypt (some assembly required)

  22. BitLocker (Windows Vista)
  • Encrypts all data on drive
  • System-selected recovery password
    • Store it in a safe place
  • Use conditions
    • Requires Windows Vista
    • Requires special hardware in the laptop
      • See departmental IT to enable
      • Otherwise use Encrypting File System (EFS)
    • When enabling/disabling, can access disk
  • Encrypts everything on the disk
    • Files, directories, registry, …

  23. Encrypting File System (EFS) (Windows Vista or XP)
  • Encrypts specified folder contents
  • System-selected encryption key
    • Store it in a safe place
  • Use conditions
    • When enabling/disabling, can’t access volume
    • Encrypted files and directories shown in green
  • Does not encrypt anything else on disk
  • Can decrypt when making backup copies

  24. FileVault (Mac OS X)
  • Encrypts user home volume contents
  • User-selected master password
    • Unlocks all home volumes
    • Store it in a safe place
  • Use conditions
    • When enabling/disabling, can’t access volume
      • “Turning on FileVault may take a while.”
    • Requires free space equal in size to volume
    • Does not play well with Sophos AV
      • Check with departmental IT
  • Does not encrypt anything else on disk
  • Can securely delete files (manual step)

  25. Encrypted disk image (Mac OS X)
  • Create an encrypted volume
  • User-selected password
    • Store it in a safe place
  • Use conditions
    • Does not encrypt anything else on disk
    • Can securely delete files (manual step)

  26. Protecting Data in Transit

  27. Protecting data in transit
  • Data moving through a network
  • Standards-based solutions:
    • Strong encryption
    • Accept no substitutes
  • Renders network data inaccessible to compromise or corruption without possession of a digital key

  28. Protecting data in transit
  • Free encryption
    • VPN
      • Cisco VPN client (ITCom): http://www.itcom.itd.umich.edu/vpn/
      • Mac OS X VPN client: http://www.engin.umich.edu/caen/network/wireless/docs/macosvpn/
      • Check with departmental IT regarding VPN availability
    • SSH & SFTP
      • SSH Secure Shell (U-M Blue Disc): https://www.itd.umich.edu/bluedisc/
  • Data encryption
    • See “protecting data at rest”

  29. Protecting the Mobile Device

  30. Protecting the mobile device
  • Secure the device
    • Lock it up, lock it down, out of sight
  • Secure the data on the device
    • Password protect the laptop
    • Data encryption
      • See “protecting data at rest”
  • Be aware of travel-related restrictions
    • Importing/exporting/use of crypto: http://www.research.umich.edu/policies/federal/export_proc10-23-2008.html
    • Inspection & confiscation

  31. Protecting the mobile device
  • Other solutions
    • Remote wiping of data
      • DataDefense (Iron Mountain): http://www.ironmountain.com/digital/defense/
    • Laptop tracking
      • Adeona: http://adeona.cs.washington.edu/
      • http://adeona.cs.washington.edu/papers/adeona-usenixsecurity08.pdf
    • Securing email
      • USHealthWire [Matt]

  32. Final Note
  • Check with departmental IT for information regarding
    • Key escrow
    • Help with enabling BitLocker on Windows Vista
    • Availability of VPN
  • Thanks for attending!

  33. Appendix A Demonstrations

  34. Flash encryption demo (Lexar Secure II Jump Drive)
  • Encrypted container on the flash drive
  • Software on flash drive encrypts and decrypts data in the container on the fly
  • User-supplied password
    • Store it in a safe place
  • Excellent documentation: http://www.safecomputing.umich.edu/tools/download/securityshorts_encrypt_thumbdrive.pdf

  35. BitLocker demo (Windows Vista)
  • Control Panel | BitLocker Drive Encryption
  • Select Turn on BitLocker
  • Initialize TPM (if necessary)
  • Save recovery password
    • Make multiple copies
  • Turn on disk encryption & reboot
  • Excellent documentation: http://www.safecomputing.umich.edu/tools/download/securityshorts_encrypt_docs_with_Bitlocker.pdf

  36. EFS demo (Windows Vista or XP)
  • Select folder or group of folders to be encrypted
  • Properties | Advanced
  • Check ‘Encrypt contents to secure data’
  • Click OK in both dialogs
  • Check ‘Apply changes to this folder, subfolders, and files’
  • Back up file encryption key
    • Store it in a safe place

  37. FileVault demo (Mac OS X)
  • System preferences | Security | FileVault

  38. Encrypted disk image demo (Mac OS X)
  • Applications | Utilities | Disk Utility
  • Select New Image
  • Specify 128 or 256-bit AES encryption
  • Specify other options as usual
    • E.g. sparse image
  • Specify a password when prompted
    • Store it in a safe place
    • Also to your keychain

  39. VPN demo (All platforms)
  • Cisco VPN client (ITCom): http://www.itcom.itd.umich.edu/vpn/
  • Mac OS X VPN client: http://www.engin.umich.edu/caen/network/wireless/docs/macosvpn/
  • Check with departmental IT regarding VPN availability
  • SSH & SFTP
    • SSH Secure Shell (U-M Blue Disc): https://www.itd.umich.edu/bluedisc/

  40. Appendix B Basics of Cryptography

  41. Definitions
  • Plaintext is a message that will be put into secret form.
  • Plaintext is rendered unintelligible to others by using a key to transform the plaintext into ciphertext.
  • A cryptosystem is an algorithm for this transformation, plus all possible plaintexts, ciphertexts, and keys.

  42. Definitions
  • The transformation of plaintext to ciphertext is referred to as encryption.
  • Returning the ciphertext back to plaintext is referred to as decryption.
  • The strength of a cryptosystem is determined by the cryptographic algorithm itself and the length of the key.

  43. Definitions
  • A key is a sequence of symbols that determines the transformation from plaintext to ciphertext and vice versa.
  • The range of possible values of the key is called the keyspace.
  • Two basic types of cryptosystems exist, secret-key and public-key.

  44. Secret-Key
  • In a secret-key scheme, the key used for encryption must be the same key used for decryption. Also called symmetric-key cryptosystem.
  • Secret-key cryptosystems have the problem of secure key distribution to all parties using the cryptosystem.

  45. Secret-Key (Symmetric Encryption)
  [Diagram: Alice (sender) and Bob (receiver) both hold the same key k. Alice computes C = E_k(P) and sends C; Bob computes P = D_k(C).]

  46. Public-Key
  • Proposed by Whitfield Diffie and Martin Hellman in 1976
  • Public-key cryptosystems rely on two keys which are mathematically related to one another. Also called asymmetric-key cryptosystem.
  • One key is called the public key and is to be openly revealed to all interested parties.
  • The second key is called the private key and must be kept secret.

  47. Public-Key
  • Properties:
    • A message encrypted with one of the keys can only be decrypted with the other key.
    • It is computationally infeasible to recover one key from the other
  • Public-key cryptosystems solve the problem of secure key distribution because the public key can be openly revealed to anyone without weakening the cryptosystem.

  48. Public-Key
  • Encryption:
    • Encrypt with public key, decrypt with private key
  • Signing:
    • Encrypt with private key, decrypt with public key

  49. Public-Key (Encryption)
  [Diagram: Alice (sender) uses Bob’s pubkey to compute C = E_pubkey(P) and sends C; Bob (receiver) uses his privkey to compute P = D_privkey(C).]

  50. Public-Key (Signing)
  [Diagram: Alice (sender) uses her privkey to compute C = E_privkey(P) and sends C; Bob (receiver) uses Alice’s pubkey to compute P = D_pubkey(C).]
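The definitions and the three diagrams of Appendix B (slides 41 to 50), worked through in code. This is an added example and not part of the original slides. It uses only the Python standard library, so the secret-key cipher is a constructed one (an HMAC-SHA256 counter-mode keystream standing in for AES, which the standard library does not ship), and the public-key scheme is textbook RSA with the tiny textbook primes p = 61, q = 53 and e = 17 so that the key relationships stay visible; all function names are mine. It goes a little beyond the slides in one respect: the symmetric ciphertext carries an integrity tag, so corruption in storage or transit (slide 14) or decryption under the wrong key is reported instead of yielding garbage.

```python
import hashlib
import hmac
import os

# ---------------------------------------------------------------------------
# Secret-key (symmetric) cryptosystem, slides 44/45: one key k for E_k and D_k.
# Constructed toy cipher (assumption): HMAC-SHA256 counter-mode keystream
# XORed onto the plaintext, plus an HMAC tag over nonce and ciphertext.
# ---------------------------------------------------------------------------
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(k: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (k, nonce) into `length` pseudorandom bytes, one HMAC block at a time."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        msg = b"keystream" + nonce + counter.to_bytes(8, "big")
        blocks.append(hmac.new(k, msg, hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_symmetric(k: bytes, plaintext: bytes) -> bytes:
    """E_k(P): returns nonce || (P XOR keystream) || tag."""
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(k, nonce, len(plaintext))))
    tag = hmac.new(k, b"tag" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt_symmetric(k: bytes, ciphertext: bytes) -> bytes:
    """D_k(C): checks the tag first, then strips the keystream."""
    if len(ciphertext) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, body, tag = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:-TAG_LEN], ciphertext[-TAG_LEN:]
    expected = hmac.new(k, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: corrupted data or wrong key")
    return bytes(c ^ s for c, s in zip(body, _keystream(k, nonce, len(body))))


def integrity_intact(k: bytes, ciphertext: bytes) -> bool:
    """True if D_k accepts the ciphertext, False if it was altered or k is wrong."""
    try:
        decrypt_symmetric(k, ciphertext)
        return True
    except ValueError:
        return False


# ---------------------------------------------------------------------------
# Public-key (asymmetric) cryptosystem, slides 46-50: textbook RSA.
# Default p, q, e are the common textbook values (n = 3233), far too small
# for real use; they are chosen so the arithmetic can be followed by hand.
# ---------------------------------------------------------------------------
def _modinv(a: int, m: int) -> int:
    """Inverse of a modulo m by the extended Euclidean algorithm."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse")
    return old_s % m


def rsa_keygen(p: int = 61, q: int = 53, e: int = 17):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    return (n, e), (n, _modinv(e, (p - 1) * (q - 1)))


def rsa_encrypt(pubkey, m: int) -> int:
    """Slide 49: E_pubkey(P) = P^e mod n for an integer P < n."""
    n, e = pubkey
    return pow(m, e, n)


def rsa_decrypt(privkey, c: int) -> int:
    """Slide 49: D_privkey(C) = C^d mod n."""
    n, d = privkey
    return pow(c, d, n)


def rsa_sign_int(privkey, h: int) -> int:
    """Slide 50: 'encrypt' a digest with the private key."""
    n, d = privkey
    return pow(h, d, n)


def rsa_verify_int(pubkey, h: int, sig: int) -> bool:
    """Slide 50: 'decrypt' the signature with the public key and compare."""
    n, e = pubkey
    return pow(sig, e, n) == h


def _digest(n: int, message: bytes) -> int:
    """Toy digest (assumption): SHA-256 reduced mod n to fit the tiny modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def rsa_sign(privkey, message: bytes) -> int:
    return rsa_sign_int(privkey, _digest(privkey[0], message))


def rsa_verify(pubkey, message: bytes, sig: int) -> bool:
    return rsa_verify_int(pubkey, _digest(pubkey[0], message), sig)


if __name__ == "__main__":
    k = os.urandom(32)                                   # constructed secret key
    print(decrypt_symmetric(k, encrypt_symmetric(k, b"IRB data")))
    pub, priv = rsa_keygen()
    print(rsa_decrypt(priv, rsa_encrypt(pub, 65)))      # 65 -> 2790 -> 65
    print(rsa_verify(pub, b"grant report", rsa_sign(priv, b"grant report")))
```

Running the module shows the three relationships the diagrams draw: the same k decrypts what it encrypted, what the public key encrypts only the private key decrypts, and what the private key "encrypts" (a signature) the public key "decrypts" back to the digest. The tag check in decrypt_symmetric is the reason the symmetric path returns an error rather than noise when a flash drive sector is corrupted or the wrong escrowed key is supplied.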
