Secure Voice Communications The Missing Piece in Mobile Security

Tony Fascenda, Founder, CEO, KoolSpan Inc.

Presentation Transcript


  1. Secure Voice Communications: The Missing Piece in Mobile Security • Tony Fascenda, Founder, CEO, KoolSpan Inc.

  2. Security Landscape: Wide Open, Complex • Secure Mobile Voice • Secure Customer Access • Secure Networks • Secure Machine to Machine • Secure PC/Laptops • 71% of large enterprise IT managers say IT security solutions are too complex. - 2008 Mobile Trust Survey

  3. IT Infrastructure • Multiple problems to solve • Trusted vs. un-trusted users (login management) • Network access (24 x 7 access) • Hackers, viruses, malware • Firewalls: packet inspection • Intrusion detection / intrusion prevention • Patch management • Standards / RFCs • “Box for every problem” • 900+ vendors for IT infrastructure • “Defense in depth” • Everything must work together • Never-ending series of problems to solve

  4. The Mobile Security Threat • Nearly 70% of all large enterprise IT managers say mobile phones are used to discuss business topics considered confidential. - 2008 Mobile Trust Survey

  5. Data vs. Voice Focus • IT engineers may spend entire career protecting data • Mobile phones have two problems: data & voice • When it comes to voice, the user is left naked • Most important information is that which is spoken • Many security-conscious companies prohibit discussing sensitive data on mobile • Voice calls operate on the PSTN and possibly IP networks • ROI on call interception is very high • Difficult to quantify because this is usually a risk not publicized • Security is difficult to implement/easy to crack

  6. Mobile Voice Breaches Gaining Attention • “Silently tapping into a private cellphone conversation is no longer a high-tech trick reserved for spies and the FBI…cellular snooping may soon be affordable enough for your next-door neighbor.” • “Phone Taps in Italy Spur Rush Toward Encryption” • April 2007 • February 2008 • “Vodafone, Ericsson Get Hung Up In Greece's Phone-Tap Scandal” • “Taliban Terrorises RAF Families” • June 2006 • August 2007

  7. How Is A Cellular Call Intercepted? • Four Typical Attack Vectors (marked X on a diagram of Operator A, Operator B and Operator C) • Tower spoofing • Illegal Monitoring • Hacker Exploit of Lawful Call Monitoring Taps • Access at Network Facility

  8. What Would it Take for Someone to Intercept Your Mobile Communications? Just Google it! • 100,000s of hits • Large community • Illegal, but vibrant marketplace • Many solutions for law enforcement, but ‘hijacked’ by bad guys

  9. Mobile Phone Points of Attack • Only protected part of communication is between handset and base station • Switched-connection • Mandatory to bridge different phone types • Cleartext available anywhere between base-stations • At either operator’s switch • Anywhere in the cloud that connects operators • Impossible to detect wiretap

  10. Threat Envelope

  11. What’s At Risk? • Impact of Compromise: • Operational Security • Direct Financial Loss • Intellectual Property (IP) • Physical Safety Risk • Cyber Security Risk • Reputational / Brand Risk • Legal Risk • Stock Risk

  12. Mobile Voice Threat Envelope: What’s Changed • 1945: Most of government secrets were held by government • 2009: Most government secrets held by private industry • Internationally, boundaries between state and criminal espionage blurred • Increased Competition • Foreign Nationals: no risk, no fear! • Wider availability of network access • Attacks, easier and easier to accomplish • Naive CEOs, CFOs, CSOs • Only companies damaged by economic espionage take threat seriously! • ROI on mobile intercept is HIGH!

  13. Smartphone Market Eclipses Computer Market Source: Wall Street Journal

  14. Smartphones are new Laptops • “More than 10,000 laptops are reported lost at the 36 largest airports in US each week. Only 35% ever reclaimed” - engadget • “More than 250,000 mobile phones and handheld devices will be left behind at U.S. airports alone this year and only 25-30 percent will be reunited with their owners” - Technet.microsoft.com • “100,000 devices left on London Underground each year” - British Authorities • Susceptible to intercept but more probably to being left behind at airport security • Mobile device loss results in: • Potential exposure to enterprise / network etc. • Loss of valuable data / trade secrets • Loss of productivity from user • Smartphones handle both voice and data • Data often exchanged with enterprise • Stored in phone or in plug-in memory cards • Not enough to protect the ‘pipe’: you must protect and secure the data at all times

  15. Hurdles to “Enterprise Ready” Smartphones • “Unfortunately, IT directors’ ability to manage these devices as corporate assets, while controlling the data and applications that run on them, hasn’t kept pace.” ~ InformationWeek Cover Story, October 2008 • Business applications for Smartphones are proliferating • Increasingly, many business people choose to “leave their laptop behind” • Vulnerable to eavesdropping on phone calls as well as attacks on the data applications

  16. Challenges to Mobile Communication Security

  17. Wide Gap: Problem Recognition and Solution Implementation • Are you aware of any compromises to voice communications on cellular/mobile networks? • Yes: 44% • No: 56% ~ Mobile Trust Survey, 2007

  18. Wide Gap: Problem Recognition and Solution Implementation • Why the unmet need in cellular encryption? • Because… • It’s hard to do • It’s difficult to manage • Manufacturers don’t provide security hooks • Enterprises don’t yet realize the threat • Among respondents interested in secure voice solution (58% of total): • Already deployed: 14% • Planning a deployment: 14% • Would consider an easy, cost-effective solution: 72% ~ Mobile Trust Survey, 2007

  19. Phones are Insecure • Phones aren’t managed by IT Department • Phones don’t use IT infrastructure • Phones can connect to anyone, anytime • Phones not designed to protect your data • Result: mobile voice is insecure • Result: mobile data is insecure

  20. OEM Over-Exposure • Security issues are pervasive within device • Dealing with all of them is next-to-impossible • No OEM has yet adopted a platform security solution • FIPS and other certs? • Way too many entry points to adequately address the issues • WinMo, Symbian, Blackberry, Linux, Android, GSM, CDMA, SIM Card, SD Card, Bluetooth, Wi-Fi, Edge/3G, CSD, GPRS, Applications, E-mail, Internet, CRM, Data, Data Port, etc.

  21. Application Implementation • Customer Application Example • Access to real-time data vital • Data is important to both customer and company • Secure access is vital • Data-in-motion + Data-at-rest must be secure • Developer Implementation? • What’s available to me? • What’s best practice? • How do I design, develop, test and certify?

  22. Application Implementation: Customer Application Example • My Solution!

  23. Application Implementation: Customer Application Example • Multiple Solutions are really multiple problems • Multiple instances of same/competing libraries • Resource Utilization • Host Processor Performance • Platform Security is better approach

  24. Secure Voice Issues • Voice must be secured between two users • no intervening infrastructure involved • Users may not belong to same organization • how to manage credentials? • Peer-to-peer authentication • Platforms are not consistent (WinMo/Symbian/RIM/iPhone etc.) • Audio re-routing issues difficult on Symbian, next to impossible on WinMo; not available on RIM • Connecting two incompatible platforms is not easy

  25. Evaluating Solutions to Mobile Communication Security

  26. Implementing Security • Three areas of expertise (in descending importance) • Key Management • Authentication • Encryption • Each has particular issues to be handled • Multiple solutions for each abound • But…all components must be carefully integrated • Platform vs. point-specific solutions

  27. Fine mesh system • Carefully tuned • Fully integrated

  28. Need for end-to-end Security • Connection • Hub-and-spoke? • Peer-to-Peer? • Conferencing? • Security • End-to-end? • Managed? • Data Security • In Motion? • At Rest? • Key escrow • Lawful Intercept • Mandated capability • Networks themselves must be considered insecure • In a global context, IT infrastructure approach ill-suited • Data must be available only to designated parties • Access to secure data must be easily manageable • Not good enough just to have a “VPN” • Data must be protected at all times: at rest, in USB tokens, memory cards etc. • Securing the pipe is only a partial solution • Need to support lawful access without divulging underlying technology

  29. Examples of three popular platforms • Blackberry / WinMo / iPhone • Three distinctly different operating systems • Why do enterprises like each? • How have each handled security? • What are their risks?

  30. Blackberry • Winning in the Enterprise/Gov’t • Because of Email Integration & Security • Widely adopted throughout the world • E-mail handled by BES – adequate security • Other applications don’t have security • Voice security not addressed

  31. Windows Mobile • Highly integrated into Enterprise • Easily understood and managed by IT administrators • Recent efforts at improving security infrastructure • Improved methods for device connectivity • No consistent method for application security • Authentication/Security left up to individual application designer • Key Management mystery; often poorly managed • Voice Security left unaddressed • Result: Device often packed with multiple separate instances of security technologies that often bring with them more vulnerabilities than the solution they provide • No service opportunity for managed security

  32. iPhone • Easy-to-use, consistent interface • Not fully integrated into enterprise • Rapidly gaining market share • Powerful, elegant, flexible • App Store • Voice security unaddressed

  33. Best Practices for Mobile Voice & Data Security • Voice and Data security common problem • Both must be addressed • Ensure business voice calls are encrypted • Networks are un-trusted pipes • End-to-end security is preferred • Data must be secured at all times: in motion, at rest • Security must persist no matter what • Educate senior staff on risks • Ensure that employees understand the nature of mobile phone intercepts

  34. Best Practices for Mobile Voice & Data Security • Platform security makes sense • Use standards-based approach wherever possible • Integrate data-at-rest, data-in-motion security • Common framework for both transport and application security • Use single, well thought out integrated Key Management, Authentication and Encryption solution supporting multiple contexts • Implement in plug-in hardware • Adaptable to any modern handset • Secure hardware resolves all security issues • Software bridges adaptability • Best of both worlds! • Management must be secure at all times

  35. Thank You • Tony Fascenda • KoolSpan Inc. • 4962 Fairmont Ave., Bethesda, MD. 20814 • Phone: 240 880-4402 • E-mail: tfascenda@koolspan.com • http://www.koolspan.com