I NFORMATION T ECHNOLOGY S ECURITY S ERVICES Mobile Device Security Dr. Charles J. Antonelli Information Technology Security Services School of Information

INFORMATIONTECHNOLOGYSECURITYSERVICES

Mobile Device Security

Dr. Charles J. Antonelli

Information Technology Security ServicesSchool of Information

The University of Michigan2008


Roadmap

• Introduction: Securing private data

• Threats to data

• Securing data

• Demonstration

2


Demo participation

• Laptop Windows with Admin authority

Native boot, orVia VMware Server or Player

No network connectivity required

• Flash drive Lexar Jump Drive Secure II

MAIS logo optional

3


Demo prerequisites

• Required Basic Windows user skills

• Nice to have Windows Power User or better System administration experience

4


Meet the instructor

• Research in distributed systems, file systems, and security• At U-M Center for Information Technology Integration since 1989

Faculty in SI & EECS

• Teaching ITS 101 Theory and Practice of Campus Computer Security SI 630 Security in the Digital World, SI 572 Database Applications

Programming EECS 280 C++ Programming, 482 Operating Systems, 489 Computer

Networks; ENGR 101 Programming and Algorithms; SI 654 Database Applications Programming

DCE Internals, SHARE UNIX filesystem tours, …

• Research Advanced packet vault SeRIF secure remote invocation framework

5


Meet the class

• Name

• Unit

• How many GB do you have on mobile devices?

• How many of those GB are sensitive data?

6


Introduction


8

Motivation

• Protecting the confidentiality, integrity, and availability of the University information assets is not only good business …

… it is required by federal and state laws and by contractual requirements


Information Security Regulations

• Family Educational Rights and Privacy Act (FERPA)

• Gramm-Leach-Bliley Act (GLBA)

• Health Insurance Portability and Accountability Act (HIPAA)

• Payment Card Industry Data Security Standard (PCI-DSS)

• State Notification Laws

• Sarbanes-Oxley Act (SOX)

• Federal Information Security Management Act (FISMA)

9


10

Private Personal Information

• What is PPI? Information that can be used to individually identify, contact, or

locate a person, or may enable disclosure of this information Aggregation may expose PPI – name and home address; SSN

and bank account number; unique name and date of birth• Requirements relating to PPI

Non-public (“sensitive”) information that can be linked to an individual must be appropriately protected and handled on a “need to know” basisUnauthorized disclosure of non-public PPI may harm an

individual or the University Regulatory requirement

• Data Classification Guidelines https://www.itss.umich.edu/umonly/dataClass.php


PPI Examples (GLBA)

• Social Security Number

• Credit Card Number

• Account Numbers

• Account Balances

• Any Financial Transactions

• Tax Return Information

• Driver’s License Number

• Date/Location of Birth

11


PPI Examples (FERPA)

• Grades / Transcripts

• Class lists or enrollment information

• Student Financial Services information

• Athletics or department recruiting information

• Credit Card Numbers

• Bank Account Numbers

• Wire Transfer information

• Payment History

• Financial Aid

• Grant information / Loans

• Student Tuition Bills

• Ethnicity

• Advising records

• Disciplinary records

12


PPI Examples (HIPAA)

• Patient Names

• Street Address, City, Country, Zip Code

• Dates related to individuals

• Phone Numbers

• Social Security Number

• Account Numbers

• Patient admission date

• Patient discharge date

• Medical record number

• Patient number: Facility assigned

• Unique patient number: ORS assigned

• Procedure dates

• Carrier codes (Insurance/HMO Name)

• Patient zip‐code

• Health care professional ID

• Health care facility ID

• Fax number

• Health plan beneficiary numbers

• Email addresses

• Internet Protocol Address Numbers (IP addresses)

• Web Universal Resource Locators (URLs)

• Device identifiers and serial numbers

• Certificate/License numbers

• Vehicle identification numbers and serial numbers

• Full face photographic images and any comparable images

• Biometric identifiers such as finger and voice prints

• Any other unique identifying number, characteristic, or code.

13


Threats to data

14


Threats

• Fundamental threats Loss of data Compromise of data

• Basic vulnerabilities To the data To the device where the data reside To the data in transit

15


Threats to data

• Type of data Patient Administrative Research Image

• Threats Corruption Compromise Online (malware) Lost encryption key ITAR/outlawed

encryption

16


Threats to mobile devices

• Devices Laptops/tablets Flash drives PDAs Cell phones Digital cameras

• Threats Loss Coercion Confiscation Theft

17


More motivation

Date Made Public Name Type # Records

Aug 4, 2008 Arapahoe Coll, CO Lost/stolen flash drive 15,000

Aug 5, 2008 TSA Stolen laptop 33,000

Aug 7, 2008 Harris Co Hosp, TX Lost/stolen flash drive 1,200

Aug 28, 2008 Reynoldsburg SD Stolen laptop 4,259

Aug 30,2008 RIT Stolen laptop 13,800

Sep 9, 2008 Pitt Stolen laptop Unknown

Sep 12, 2008 TSU Lost flash drive 9,000

Sep 30, 2008 New York City Lost tapes 3,600

Oct 7, 2008 UND Stolen laptop 84,000

Oct 7, 2008 Charleston, WV Stolen laptop 535

18

http://www.privacyrights.org/ar/ChronDataBreaches.htm


Securing Data

19


Countermeasures

• Protect data at rest Encryption

• Protect data in transit Encryption

• Protect the mobile device Physical security

http://safecomputing.umich.edu/MDS/

20


Protecting data at rest

• Data in permanent storage Disk, tape, flash, optical

• Standards-based solution: Strong symmetric encryption

Accept no substitutes

• Issue: key management Key distribution Key escrow

21


22

Secret-Key (Symmetric Encryption)

P C C P

k k

sender receiver

encryption decryption

Ek Dk

Alice Bob



• Free & built-in encryption: Windows

BitlockerEncrypting File System (EFS)

Mac OS XEncrypted disk image (Disk Utility)FileVault

LinuxTrueCrypt (some assembly required)

23



• Some suggested third-party products: Pointsec for PC and Pointsec for Pocket PC: Encryption software for PCs and

Pocket PC devices. File, folder and full disk encryption. SecureDoc and SecureDoc PDA: Encryption software for PCs and Pocket PC

devices. File, folder and full disk encryption DESlock+: File and folder encryption for PCs. NMS for PC: File, folder and disk encryption for PCs. PKWARE SecureZIP: File and folder encryption for PCs and Unix/Linux. SafeBoot: File, folder and disk encryption for PCs. PGP Desktop: File, folder (and optionally, disk encryption on PCs) encryption

for PCs, Macs, and Unix/Linux. GNU Privacy Guard (http://www.gnupg.org/)

http://www.stanford.edu/group/security/securecomputing/mobile_devices.html

24


Protecting data in transit

• Free & built-in encryption VPN

Cisco VPN client (ITCom)Mac OS X VPN client

SSH & SCPSSH Secure Shell (U-M Blue Disk)

Data encryptionSee “protecting data at rest”

25


Protect the mobile device

• Secure the device Lock it up, lock it down, out of sight

• Secure the data on the device Password protect a laptop Remote wiping of data

DataDefense (Iron Mountain) Data encryption

See “protecting data at rest”

• Be aware of travel-related restrictions Exporting crypto (ITAR) Inpection & confiscation

26


Demonstration


Securing data on Flash Drives

• Encrypted container on the flash drive

• Software on flash drive encrypts and decrypts data in the container on the fly

• User-supplied password

• Demonstration: Lexar Jump Drive Secure II

http://www.safecomputing.umich.edu/tools/download/securityshorts_encrypt_thumbdrive.pdf


29

Questions?

Documents

I NFORMATION T ECHNOLOGY S ECURITY S ERVICES Mobile Device Security Dr. Charles J. Antonelli Information Technology Security Services School of Information