Supreme Council of Information & Communication Technology
المجلس الأعلى للاتصالات و تكنولوجيا المعلومات
Blackberry Security Policy
Cyber Security/Q-CERT
The Supreme Council of Information & Communication Technology ‘ictQATAR’
May 17th 2011
Table of Contents
Definitions
References
1. Introduction
2. Policy Objectives
3. Scope and Application
4. Security Guidelines and Provisions, Articles or Proposals
5. Blackberry and the government information classification policy
6. Recommended Network Architecture
7. BES Configuration
8. Blackberry devices and Handhelds
9. Usage Policy and Procedures
10. S/MIME AND PGP
Annex A (Network Architecture)
Annex B (BES Installation)
Annex C (BES IT Policy Setting)
Definitions
ictQATAR: Supreme Council of Information and Communication Technology (Qatar)
RIM: Research In Motion, a Canadian-based company and maker of the Blackberry
ICT: Information and Communication Technology
Q-CERT: Qatar Computer Emergency Readiness Team, an ictQATAR initiative
GIAM: Government Information Assurance Manual
OS: Operating Systems
Agencies: State of Qatar government agencies, Ministries, Supreme Councils, etc.
LAN: Local Area Network
DMZ: Demilitarized Zone, the portion of the corporate network facing the internet
PGP: Pretty Good Privacy, an open source encryption platform
BES: Blackberry Enterprise Server
BIS: Blackberry Internet Service
MDS: Mobile Data Service
References:
[IAP-GOV-DCLS]: Government Information classification policy, 2009, State of Qatar
[IAP-NAT-IAFW]: Information Assurance Framework, 2008, State of Qatar
[IAP-GOV-INFA]: Government Information Assurance Manual, 2009, State of Qatar
1. Introduction
This document provides the ICT security policy on the installation, configuration and use of Blackberry in the Qatari Government. The information is derived from Q-CERT’s lab research into the Blackberry Enterprise Server Express edition (BES Express) and the associated Blackberry handhelds (OS 5.X and OS 6.X), as well as RIM’s best practices and the Australian government guidance for the use of Blackberry developed in 2006 and 2007 by the Australian Defence Signals Directorate. The document aims to enhance the security and confidentiality of Qatari government data and information, as well as the private data and information of personnel, that is handled, processed and stored by the various Blackberry infrastructure components. Many of these components reside outside the geographical boundaries of the State of Qatar, posing significant confidentiality and privacy risks.
2. Policy Objectives
Mobile communication is becoming central in almost all aspects of our lives, and the benefits are clear and acknowledged. Every day, thousands of Qatari government electronic mails, private messages and confidential files are shared over the Blackberry mobile networks. All of this is stored, by design, outside the physical boundaries of the state. To maintain the quality of this important conduit while mitigating the risks that come with any new technology, it is the responsibility of the Government to state the principles that govern the official use of the Blackberry technology within the Qatari government. This policy therefore aims to fulfil the following objectives:
Increase confidence and usage of the Blackberry technology, by ensuring appropriate control is being applied.
Ensure that issues regarding Blackberry Internet security and safety are addressed to prevent them acting as barriers to mobile collaboration adoption.
Protect the staff personal information and ensure that their privacy is maintained.
Provide protection to the government information stored or communicated using the device.
The basic principles that govern this policy are:
Provisions should encourage the positive development of the knowledge economy, contribute to further innovation, growth and employment by ensuring the security and quality of the mobile communication is maintained.
Individual privacy shall be respected and preserved within the boundaries of the law.
Provisions should be technically neutral, fair to all parties affected by them and not adversely affect the commercial viability of ISPs and Content/Hosting Service Providers.
Provisions should provide protection to government sensitive information while being processed or stored in foreign countries.
3. Scope and Application
This document applies to all agencies and ministries in the Qatari government that use Blackberry devices and services as part of their mobile communication solutions and information technology services.
Note: The Blackberry handhelds with OS versions 3.6 to 4.x may only be used for UNCLASSIFIED communications.
Disclaimer:
This document in no way endorses the use of a particular vendor or technology.
All ictQATAR lab research and findings are based on the lab environment, which comprised mainly:
o Windows Server 2003 Standard Edition SP2
o Blackberry Enterprise Server (BES) Express edition 5.1
o MS Exchange server 2003 SP2
o Blackberry devices Operating system 5.x and 6.x
4. Security Guidelines and Provisions, Articles or Proposals
This document contains the following topics:
Blackberry and the Information classification manual,
Network architecture policy,
Blackberry Enterprise server Express configuration,
Blackberry handhelds,
Usage guidelines and procedures.
The document owner is ictQATAR’s Cyber Security division (Q-CERT), and the document is issued as a policy. ictQATAR, as the information and communication technology regulator, encourages the information technology departments within the Qatari government to benefit from the controls, best practices and recommendations stated in this document.
5. Blackberry and the government information classification policy
As per the Government Information Assurance Policy [IAP-GOV-DCLS], it’s recommended that agencies SHOULD NOT use Blackberry for the transmission and/or storage of information labeled/classified as:
Confidential,
Secret,
Top Secret.
Agencies MAY use Blackberry for the transmission and/or storage of information labelled/classified as:
Unclassified,
Public,
Internal.
Agencies SHOULD NOT use Blackberry without the appropriate additional encryption requirements for the transmission and/or storage of information labelled/classified as:
Restricted.
Note: the classification of the information should take into account the contact details, venue and meeting appointments, which may be classified above [Internal].
6. Recommended Network Architecture
ictQATAR strongly RECOMMENDS that all agencies implement the following security best practices.
General design recommendations:
a) Distributing the Blackberry system components over multiple servers will help mitigate the effects of propagation of any future exploits on a single server.
b) Harden the servers' OS as per the vendors' and the Government manual [IAP-GOV-INFA] recommendations.
c) Install the Blackberry Attachment Service and the Blackberry configuration database on separate servers to reduce the threat vector on any single server.
d) Apply the latest patches, as per the agency patching policy and procedures as stated in the government manual [IAP-GOV-INFA], to all the various Blackberry infrastructure components (Email server, Operating systems, Internet Explorer, SQL server, BES, MDS, Attachment server, etc.).
e) Install a host-based firewall on the BES, configured to limit traffic to the minimum necessary.
Blackberry router
f) Install the Blackberry router in a neutral VLAN between the trusted agency LAN and the Internet.
Configuring the external firewall
g) Configure the external firewall to permit only a single, outbound-initiated but bi-directional connection on port 3101 between the router and RIM.
Attachment Service
h) Install the Blackberry Attachment Service, which has known vulnerabilities, on a separate server from the BES.
Additional firewall
i) Install an internal firewall between the BES and agency mail servers to isolate and protect the agency mail server.
BES management
j) Manage the BES via a physical console (Example: KVM) to eliminate the need for SNMP traffic to be allowed on the server.
k) Configure the MDS (Mobile Data Service) to use the agency proxy server.
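The external-firewall rule in (g), as an added example that is not part of the original policy: a Python check over a constructed, vendor-neutral rule list. The rule format, the router address and the RIM address range are placeholders, not values from the policy or from RIM.

```python
"""Audit an external-firewall rule set against recommendation (g): the only
permitted flow is one outbound-initiated, stateful TCP/3101 connection from
the Blackberry router to RIM. Rule format and addresses are constructed."""
from ipaddress import ip_network

RIM_PORT = 3101                               # port named in recommendation (g)
ROUTER_NET = ip_network("192.0.2.10/32")      # placeholder: router in the neutral VLAN
RIM_NET = ip_network("198.51.100.0/24")       # placeholder: RIM address range


def parse(rule):
    """Normalise a rule: 'any' becomes 0.0.0.0/0 (address) or None (port)."""
    def net(value):
        return ip_network("0.0.0.0/0" if value == "any" else value)
    port = None if rule["dport"] == "any" else int(rule["dport"])
    return {**rule, "src": net(rule["src"]), "dst": net(rule["dst"]), "dport": port}


def is_required_flow(rule):
    """True only for router (single host) -> RIM on TCP/3101, outbound."""
    return (
        rule["direction"] == "outbound"
        and rule["proto"] == "tcp"
        and rule["dport"] == RIM_PORT
        and rule["src"] == ROUTER_NET
        and rule["dst"].subnet_of(RIM_NET)
    )


def audit_external_firewall(rules):
    """Return a list of findings; an empty list means the rule set conforms."""
    findings, required_seen = [], 0
    for number, raw in enumerate(rules, 1):
        rule = parse(raw)
        if rule["action"] != "permit":
            continue
        if not is_required_flow(rule):
            findings.append(f"rule {number}: permit outside the single allowed flow")
            continue
        required_seen += 1
        if not rule.get("stateful", False):
            # Without state tracking, replies would need a separate inbound permit.
            findings.append(f"rule {number}: port 3101 flow is not stateful")
    if required_seen == 0:
        findings.append("no rule permits router -> RIM on TCP/3101")
    elif required_seen > 1:
        findings.append("more than one rule permits the port 3101 flow")
    return findings


# Constructed weak rule set: whole VLAN to anywhere, plus an inbound-initiated permit.
WEAK = [
    {"action": "permit", "direction": "outbound", "proto": "tcp",
     "src": "192.0.2.0/24", "dst": "any", "dport": 3101, "stateful": True},
    {"action": "permit", "direction": "inbound", "proto": "tcp",
     "src": "any", "dst": "192.0.2.10", "dport": 3101, "stateful": False},
    {"action": "deny", "direction": "inbound", "proto": "any",
     "src": "any", "dst": "any", "dport": "any"},
]

# Constructed rule set matching (g): one stateful outbound flow, everything else denied.
HARDENED = [
    {"action": "permit", "direction": "outbound", "proto": "tcp",
     "src": "192.0.2.10", "dst": "198.51.100.0/24", "dport": 3101, "stateful": True},
    {"action": "deny", "direction": "inbound", "proto": "any",
     "src": "any", "dst": "any", "dport": "any"},
]

if __name__ == "__main__":
    for name, rules in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_external_firewall(rules) or "conforms")
```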
7. BES Configuration
a) Agencies SHOULD use the Enterprise server as their Blackberry server.
b) Agencies SHOULD rename AND change the default IT policy on the BES to at least meet the controls contained in this document. For reference purposes we shall rename it the (QGOV-BES-IT) Policy.
c) Agencies SHOULD make sure that all staff are included in the (QGOV-BES-IT) Policy as the minimum security policy at any point in time.
d) ictQATAR RECOMMENDS that agencies install a host-based firewall on the BES, to allow only the minimum traffic necessary to perform the authorized tasks.
e) Agencies SHOULD NOT use the Blackberry Desktop Redirector.
f) ictQATAR RECOMMENDS that agencies configure the MDS to use the Agency Proxy server, since MDS allows the BES to act as a proxy between the agency internet connection and the Blackberry handheld.
g) Agencies SHOULD include the various BES components in their Patch Management process as stated in the (IAP-GOV-INFA) Manual. Deviations from these requirements MUST be supported with a risk assessment report showing how the associated risk will be mitigated.
8. Blackberry devices and Handhelds
a) Agencies SHOULD NOT allow privately owned Blackberry devices to connect to the Agency systems.
b) Agencies SHOULD ensure that any new devices are configured to use the (QGOV-BES-IT) policy before activating the Blackberry service.
c) All unused handhelds SHOULD be kept in safe and secure storage in a controlled and monitored area.
d) Agencies SHOULD ensure that only devices with OS 5.x and above are allowed on the system.
e) Agencies and Blackberry Assigned staff SHOULD disable the wireless functionality of the Blackberry devices in areas processing or discussing [Confidential, Secret or Top Secret] classified information by following these steps:
1. Turning off the RF wireless function
2. Or, removing the battery.
f) Bluetooth: Agencies SHOULD ensure that users are clearly instructed that only [Unclassified, Public or Internal] conversations may be conducted using a Bluetooth-enabled peripheral.
g) Bluetooth: Agencies SHOULD NOT allow the Bluetooth serial port connection on any Blackberry handheld allowed to deal with [Confidential, Secret or Top Secret] classified information.
9. Usage Policy and Procedures
a) Agencies providing Blackberry services SHOULD endorse a policy for Blackberry acceptable usage and ensure that eligible staff acknowledge and accept the policy before they are allowed to use the service.
b) Agencies SHOULD train the Blackberry eligible staff before they are allowed to use the service. The training SHOULD cover topics like security risks and how to report device-related incidents such as theft.
c) Agencies SHOULD ensure that the devices comply with the password requirements in Annex C.
d) Agencies SHOULD be able to use the "Remote Wipe" feature in case the device is reported stolen or missing.
10. S/MIME AND PGP
ictQATAR strongly RECOMMENDS the use of Secure/Multipurpose Internet Mail Extensions (S/MIME) or PGP, since these technologies ensure an additional layer of end-to-end encryption that is independent of RIM's infrastructure. ictQATAR strongly RECOMMENDS that encryption is applied to all emails exchanged between the agency users regardless of the message/content information classification.
IMPORTANT: The use of S/MIME or PGP in the agency messaging infrastructure would significantly mitigate many of the confidentiality and integrity risks associated with the use of the Blackberry system.
Please check Annex C (BES IT Policy Setting) for more details on the recommended S/MIME or PGP encryption settings.
Annex A (Network Architecture)
Annex B (BES Installation)
RIM provides a comprehensive guide on preparing and installing the Blackberry system
o URL: http://www.Blackberry.com/knowledgecenterpublic
Check and apply the latest security patches issued by RIM on this portal
o URL: http://us.Blackberry.com/support/downloads/
A complete list of Blackberry IT policy rules and rationale
o URL: http://docs.Blackberry.com/es-es/admin/deliverables/25765/Desc_IT_policy_rules_1331311_11.jsp
Annex C (BES IT Policy Setting)
The BES management console contains more than 180 IT security controls to provide security granularity and general usability
ictQATAR reviewed the controls most applicable to and with direct impact on security
Some specific controls were left to the agency to match their own unique risk appetite
Blackberry Messenger policy group
Name Value Notes
Allow BBM (Peer to Peer Messages) True Allow BBM
Bluetooth policy group
Name Value Notes
Allow outgoing calls 1 Allow
Disable Address book transfer True Prevent bulk contact transfer over Bluetooth
Disable Bluetooth Agency Preference Note: To be prevented on devices with Top Secret information classification
Disable Bluetooth desktop connectivity True
Disable Bluetooth dial-up networking True
Disable Discoverable Mode Agency Preference Note: To be prevented on devices with Top Secret information classification
Disable File Transfer Agency Preference Note: To be prevented on devices with Top Secret information classification
Disable Hands free Profile Agency Preference Note: To be prevented on devices with Top Secret information classification
Disable Headset Profile Agency Preference Note: To be prevented on devices with Top Secret information classification
Disable serial port profile True
Disable Pairing Agency Preference Note: To be prevented on devices with Top Secret information classification
Disable wireless bypass True
Require encryption True Peripheral must support encryption
Require LED connector indication True
Require Password for Enabling Bluetooth Support True
Require Password for Discoverable Mode True
Browser policy group
Name Value Notes
Disable execution on java script on handheld browser True
Allow IBS browser False Will remove the search bar in the Blackberry browser that offers search in Wikipedia and dictionary.com. These search services are offered by the wireless service provider and do not exist by default
Disable Auto synchronization in Browser True
MDS Browser java script enabled False
Camera policy group
Name Value Notes
Disable Camera Agency Decision No device with a camera should be brought into an area used to process classified information of Restricted and above
CMIME Application policy group
Name Value Notes
Allow auto attachment download False Only from known and trusted sources
Common policy group
Name Value Notes
Blackberry server version Null The server version may allow attackers to determine the patch level of the server
Disable Kodiak PTT True Not applicable in Qatar
Disable MMS True The MMS does not go through BES and the agency has no control over it
Disable Voice Activated Dialing Agency decision
IT policy notification True Letting users know whether the policy settings have changed
Lock Owner Info 3 Lock down the owner information with as little information as possible
Set Owner info change Change to : If Found please return to Agency Po Box XXX or call Tel :12345678
Set Owner Name change Change to: government device [Asset Number if applicable]
Desktop policy group
Name Value Notes
Desktop password cache time out 10 min
Desktop allow desktop add-ins False Desktop manager software to be managed by the agency and to be included in the patch management program
Desktop allow device switch False Users Not allowed to switch the device contents to another device
Desktop-only items
Name Value Notes
Auto backup enabled True
Auto backup include all True
Do not save sent messages False Save a copy of all sent emails
Message conflict mailbox wins True
Force load count 0 To force updates (-1 to turn off updates)
Show application loader False
Device-only items
Name Value Notes
Allow peer to peer messages Agency decision
Allow SMS Agency decision SMS cannot be logged by BES, only unclassified messages may be sent
Default browser UID Null Only RIM's browser will be used
Enable long term timeout True This rule specifies whether a Blackberry device locks after a predefined period of time, regardless of user activity
Enable WAP configuration False Forcing all internet browsing to go through BES
Maximum password age 90 days
Maximum security timeout 5 min
Minimum password length 8
Password pattern check 3 Checks the last 3 passwords
Password required True
User can change timeout False
User can disable passwords False
Global items
Name Value Notes
Allow browser True It is recommended that the agency only allows internet access through the certified RIM browser and not any third-party browsers; this also allows access to be controlled by the MDS service of the BES
Allow phone True
Auto Signature Change Agency should ensure that the signature contains no identifiable information such as the version number or model, or that the email was sent from a Blackberry device; a message such as (Sent while Mobile) is recommended
Location Based services
Name Value Notes
Disable Blackberry maps Agency decision There is a risk that Maps can be used to trace back saved destinations
Enable enterprise location tracking False This feature allows tracking of users every 15 minutes and might be a violation of users' privacy outside working hours
MDS Policy Group
Name Value Notes
Disable activation with public MDSS True Users should not be allowed to configure the MDS settings
Disable user initiated activation with MDSS True
Verify MDSS certificate True
Password policy group
Name Value Notes
Forbidden passwords Agency Decision ictQATAR recommends that a list of popular and easy passwords is denied, such as (p@ssword, 12345678)
Maximum password history 3 No reuse within 9 months
Periodic challenge time 60 min
Set maximum password attempts 5
Set password timeout 5 min This rule specifies the number of minutes of inactivity before the security timeout occurs and a Blackberry device user must type the password to unlock the Blackberry device
Suppress password echo True This rule specifies whether, after a given number of incorrect password attempts, the characters that a user types in the Password dialog box appear on the screen
PGP Application policy group
Name Value Notes
PGP allowed content ciphers 0,1,2,5 Allow AES(128),AES(192),AES(256) and 3DES
PGP blind copy address Agency Decision This rule specifies an email address that is added as a BCC recipient to all encrypted PGP messages that a Blackberry device sends. Agencies must check with their legal departments before enabling this control
PGP Minimum strong DH key length 1024
PGP Minimum strong DSA key length 1024
PGP Minimum strong RSA key length 1024
S/MIME application policy group
Name Value Notes
S/MIME allowed content ciphers 0,1,2,5 Allow AES(128),AES(192),AES(256) and 3DES
S/MIME blind copy address Agency Decision This rule specifies an email address that is added as a BCC recipient to all encrypted S/MIME messages that a Blackberry device sends. Agencies must check with their legal departments before enabling this control
S/MIME Minimum strong DH key length 1024
S/MIME Minimum strong DSA key length 1024
S/MIME Minimum strong RSA key length 1024
S/MIME Minimum strong ECC key length 163
Security policy group: These controls affect various aspects of security
Name Value Notes
Allow external connections True Allow 3rd party apps to connect to the internet
Allow Internal connections True Allow 3rd party apps to connect to the MDS for example
Allow outgoing call when locked False
Allow smart card password caching False
Allow split pipe connections False Opening internal and external connections simultaneously might present a security issue because applications can collect data from inside the firewall and send it outside the firewall without any auditing
Allow 3rd party apps to use the persistent store API True
Allow 3rd party apps to use serial port False
Application download control True Only allows the download of certified applications
Certificate status cache timeout 1 day
Message classification title 1 This rule specifies the set of message classifications that are available to apply to email messages sent using the BES
Disable 3DES transport crypto True Use AES
Disable external memory False
Disable email normal send Notes If agencies have not implemented S/MIME or PGP then set to false
Disable invalid certificate use True
Disable IP modem True
Disable key store backup True
Disable key store low security True
Disable Media Manager False Change to true for devices with information classified as and/or equivalent to secret
Disable persistent plain text True Ensure data store in nonvolatile memory is encrypted
Disable revoked certificates True
Disable unverified CRLs True
Disable USB mass storage False Change to true for devices with information classified as and/or equivalent to secret
FIPS Level 2
Force include address book in content protection True
Force LED blinking when microphone is ON True
Forced lock when holstered True
Minimal encryption key store security level 2
Minimal signing key store security level 2
Secure wipe delay after IT policy received False BES periodically sends policy updates to the handsets; this setting can wipe the handset if a new policy has not been received within a time frame. Change to true (2 days) for devices with information classified as and/or equivalent to secret
Service exclusivity policy group
Name Value Notes
Allow other browser services False Force all web browsing to go through BES
Allow other message services False Force all email to go through the BES
Allow public AIM services False
Allow Google talk services False
Allow ICQ services False
Allow Yahoo! Messenger services False
TLS policy group
Name Value Notes
TLS device side False This rule specifies whether a Blackberry device and the BES can use proxy mode TLS or proxy mode HTTPS
TLS disable invalid connection 0 0=true and 1=false
TLS disable untrusted connection 0 0=true and 1=false
TLS disable weak ciphers 0 0=true and 1=false
TLS Minimum strong DH key length 1024
TLS Minimum strong DSA key length 1024
TLS Minimum strong RSA key length 1024
TLS Minimum strong ECC key length 163
TLS restrict FIPS ciphers True
WTLS policy group: Note: Wireless transport layer security allows users to bypass the agency gateway infrastructure
Name Value Notes
WTLS disable invalid connection 0 Disabled
WTLS disable untrusted connection 0 Disabled
WTLS disable weak ciphers 0 Disabled
WTLS Minimum strong DH key length 1024
WTLS Minimum strong RSA key length 1024
WTLS Minimum strong ECC key length 163
WTLS restrict FIPS ciphers True
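
One way to check a handheld's effective settings against a subset of the Annex C values, as an added example that is not part of the original policy or of RIM's tooling. The dictionary format, the sample policies and the reading of numeric values as floors or ceilings are assumptions; rule names are spelled as in Annex C.

```python
"""Audit a device's effective IT policy against part of the Annex C baseline.
The dict format and the sample policies are constructed for this example."""

# (rule name as spelled in Annex C, kind of check, baseline value)
BASELINE = [
    ("Password required", "eq", True),
    ("User can disable passwords", "eq", False),
    ("Minimum password length", "min", 8),
    ("Maximum password age", "max", 90),            # days
    ("Set password timeout", "max", 5),             # minutes
    ("Set maximum password attempts", "max", 5),
    ("Enable WAP configuration", "eq", False),
    ("Allow split pipe connections", "eq", False),
    ("Disable 3DES transport crypto", "eq", True),
    ("Disable persistent plain text", "eq", True),
    ("S/MIME Minimum strong RSA key length", "min", 1024),
    ("TLS Minimum strong ECC key length", "min", 163),
]

# Rules Annex C tightens for devices holding information classified as Secret.
SECRET_OVERRIDES = {"Disable USB mass storage": True, "Disable Media Manager": True}


def check(kind, got, want):
    """eq: exact match; min: at least; max: at most and actually enabled."""
    if kind == "eq":
        return got is want
    if isinstance(got, bool) or not isinstance(got, int):
        return False                    # numeric rule holding a non-number
    if kind == "min":
        return got >= want
    # Assumption: 0 or a negative value means "no limit", so it fails a ceiling.
    return 0 < got <= want


def audit_policy(policy, classification="Internal"):
    """Return [(rule, reason)] for every deviation from the baseline."""
    findings = []
    for name, kind, want in BASELINE:
        if name not in policy:
            findings.append((name, "not set"))
        elif not check(kind, policy[name], want):
            findings.append((name, f"is {policy[name]!r}, baseline {kind} {want!r}"))
    if classification == "Secret":
        for name, want in SECRET_OVERRIDES.items():
            if policy.get(name) is not want:
                findings.append((name, f"must be {want!r} for Secret devices"))
    return findings


# Constructed policy that meets the baseline for non-Secret devices.
COMPLIANT = {name: want for name, _, want in BASELINE}
COMPLIANT.update({"Disable USB mass storage": False, "Disable Media Manager": False})

# Constructed weak policy: short password, no expiry, 3DES transport left on,
# and the "Password required" rule missing altogether.
WEAK = {
    **COMPLIANT,
    "Minimum password length": 4,
    "Maximum password age": 0,
    "Disable 3DES transport crypto": False,
}
del WEAK["Password required"]

if __name__ == "__main__":
    for rule, reason in audit_policy(WEAK, "Secret"):
        print(f"{rule}: {reason}")
```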