CHAPTER 10, PART 3
PORTABLE ELECTRONIC DEVICES AND WIRELESS TECHNOLOGY
1 BACKGROUND
Portable Electronic Devices (PED) and Wireless technology have now become part of the evolving business landscape. Cellular telephones, pagers and handheld electronic devices are seen with greater frequency in business meetings, on business travel and on street corners, where they are used to communicate with the office, business associates or customers.
A PED is any
electronic device that is capable of receiving, storing or transmitting
information using any format (i.e., radio, infrared, network or similar
connections) without a permanent link to Federal networks. Handheld devices such as personal digital
assistants (PDA) and cell phones allow remote users to synchronize personal
databases and provide access to network services such as wireless e-mail, Web
browsing, and Internet access.
Moreover, these technologies can offer dramatic cost savings and new
capabilities to diverse applications ranging from retail settings to
manufacturing shop floors to first responders.
Many of the serious security issues regarding PEDs stem from the manner in which they interact with other computer resources. Typically PEDs communicate wirelessly over limited distances to other devices within and outside USDA. Transmissions using these devices are unprotected and could spread malware to USDA and other networks, or they could serve as a back channel through which vulnerabilities are exploited. Users could also use these devices to access a third party Internet Service Provider (ISP) and download applications in violation of security policy. Generally PEDs include but are not limited to: cell phones, pagers, text messaging devices (Blackberries), hand scanners, portable digital assistants, voice recorders, and flash memory. All of these devices can be used to transport data surreptitiously to be read/decoded at a later time.
DR 3300,
Telecommunications and Internet Services and Use, defines Wireless
Communications as anything that supports communication between mobile,
portable, or fixed facilities through the use of the electromagnetic
spectrum. Examples include but are not
limited to: AM and FM broadcasting, UHF and VHF television, satellite,
microwave, citizen’s band, paging, cellular service, wireless local area
networking technology, infrared and Personal Communications Service (PCS). Wireless technology offers portability,
flexibility, increased productivity and lower installation costs. Wireless Local Area Networks allow users to
quickly move workstations and laptops to different office locations without the
need for wires and loss of network connectivity. Wireless
networks are many and diverse but are frequently categorized into three groups
based on their coverage range: Wireless Wide Area Networks (WWAN), WLANs, and
Wireless Personal Area Networks (WPAN).
Personal Area Networks, such as those enabled by the Bluetooth standard,
allow data synchronization with network systems and application sharing between
devices. Bluetooth functionality also
eliminates cables for printer and other peripheral device connections.
However, risks are inherent in
any wireless technology. Some of these risks are similar to those of wired
networks; some are exacerbated by wireless connectivity; some are new. Perhaps
the most significant source of risks in wireless networks is that the
technology’s underlying communications medium, the airwave, is open to
intruders, making it the logical equivalent of an Ethernet port in the parking
lot. The loss of confidentiality and
integrity and the threat of denial of service (DoS) attacks are risks typically
associated with wireless communications. Unauthorized users may gain access to
agency systems and information, corrupt the agency’s data, consume network
bandwidth, degrade network performance, launch attacks that prevent authorized
users from accessing the network, or use agency resources to launch attacks on
other networks. In addition, immediate concerns include device theft, theft of service and industrial or foreign espionage. To reduce or eliminate these threats, the following policy and procedures have been developed.
2 POLICY
All USDA agencies and staff offices will develop an agency secure approach for the implementation of PEDs and wireless technology. This strategy will consider recommendations contained in the Telecommunications Advisory Sub-Council (TASC) USDA Wireless Strategy Report dated March 2003, National Institute of Standards and Technology (NIST) Interagency Report 6981 dated April 2003 and Special Publication 800-48, Wireless Network Security.
All implementations of PEDs and Wireless technology require that a formal risk assessment be conducted in the environment where this technology will operate prior to deployment of the PED or wireless technology. Agencies will plan and execute measures to safeguard their systems and lower security risks to a manageable level using the Procedures and Checklists included in this material. Strong encryption and authentication techniques will be used in the transmission and storage of sensitive information, where applicable. Each agency will secure and be accountable for PEDs, including establishing password protection for devices, if available, and for any built-in or removable flash memory used in such devices. Precautions will be taken to employ management, operational and technical countermeasures that are appropriate for the use of these devices and wireless technology. This policy applies not only to Government Furnished Property (GFP), but to any equipment and device used for official purposes. Each agency and staff office will develop a formal PED and Wireless Plan that documents use of this technology and planned implementations. Elements of this plan will also be documented in the Overall Agency Security Plan, including funding levels and countermeasures employed. For additional operational information on PEDs and wireless, please consult DN 3300-12 and DN 3300-13.
Policy Exception Requirements – Agencies will submit all policy exception requests directly to the ACIO for Cyber Security. Exceptions to policy will be considered only in terms of implementation timeframes; exceptions will not be granted to the requirement to conform to this policy. Exceptions that are approved will be interim in nature and will require that each agency report this Granted Policy Exception (GPE) as a Plan of Action & Milestone (POA&M) in their FISMA reporting, with a GPE notation, until full compliance is achieved. Interim exceptions expire with each fiscal year. Compliance exceptions that require longer durations will be renewed on an annual basis with an updated timeline for completion. CS will monitor all approved exceptions.
3 PROCEDURES
All USDA agencies and staff offices will follow the procedures below for use of PEDs and Wireless technology:
a Encryption techniques, including digital certificates/PKI/Biometrics, that conform to USDA and NIST requirements will be used for Infrared and wireless transmissions and for data storage on PEDs;
b Restrictive security profiles will be established to specifically address device rights, time-of-day usage, server and service access;
c Stringent security controls will be established for PEDs which transmit or store data with a medium or high level of sensitivity or confidentiality;
d Strict physical security standards for PEDs will be implemented to include requirements to hand carry PEDs during travel, powering off devices not in use, tracking and tagging of PEDs and contact information in case a device is lost or stolen;
e All PEDs, flash memory devices and wireless devices will be provided by the government unless an approved detailed exception has been granted by the CIO;
f PEDs will be screened by the agency or staff office IT Staff at least quarterly for appropriate configurations and viruses; antivirus protection and patch level will be updated, as required;
g Where applicable, Virtual Private Network (VPN) technology is required; split tunneling profiles will be disabled;
h Agencies and staff offices will issue a detailed “Personal Use Policy” for PEDs to include: restrictions on storage of unencrypted SBU data, corporate passwords, use of private ISPs, use of unauthorized software or copyrighted material, removal of security controls and the use of non-government devices;
i The Personal Use Policy will be signed by all users and kept with the accountable records for PEDs;
j Agencies will develop a specific set of guidelines for mobile users to include: restrictions on use of private ISPs, specified user locations, disabling of security features and methods of access;
k Standardized configurations will be established for all PEDs to include Operating System software, firmware and authorized applications; modems will be disabled/removed unless specifically required for official duties;
l Security for PEDs and Wireless technology will be coordinated and managed by the Agency Information Systems Security Program Manager (ISSPM);
m Each agency and staff office will be required to conduct PED and Wireless technology risk assessments and complete the appropriate checklists in Tables 1 - 3 to assess the security posture and countermeasures necessary to ensure all security requirements are satisfied; and
n Agencies and staff offices will develop and retain the right to delete or purge data on a PDA in cases of suspected compromise.
4 RESPONSIBILITIES
a The Associate CIO for Cyber Security will:
(1) Publish and disseminate policy and procedures for PEDs and Wireless Technology;
(2) Provide technical assistance to agencies and staff offices in planning and implementing PEDs and Wireless Technology;
(3) Periodically review agency internal procedures, risk assessments, checklists and formal plans for the use of these devices and technology; make recommendations for the security weaknesses identified;
(4) Research and suggest appropriate security software and security countermeasures for PEDs and Wireless Technology, as required;
(5) Monitor agency implementations to ensure that devices are configured properly and have appropriate antivirus software and system patches;
(6) Collaborate with the OIG and law enforcement in cases of suspected abuse of the personal use policy, as required; and
(7) Review agency exception requests promptly and make security recommendations to the CIO.
b The Associate CIO for Information Resources Management (IRM) will:
Receive, review and coordinate a response with the Associate CIO for Cyber Security to any requests for exceptions to this policy.
c The Associate CIO for Telecommunications Services and Operations (TSO) will:
(1) Ensure that PED and Wireless Technology used by agencies and staff offices is in accordance with the Telecommunications Architecture;
(2) Review the operational support capability of wireless technology and make recommendations for implementation to agencies; and
(3) Review all exceptions, in conjunction with CS, to ensure that PEDs and Wireless Technology comply with TSO operational guidelines.
d Agency Management and Information Technology Officials or Chief Information Officer will:
(1) Implement applications of PEDs and Wireless Technology in accordance with policy and procedures;
(2) Ensure that agency guidelines are developed and implemented to include requirements for technology plans, risk assessments and strict physical accountability;
(3) Require that the appropriate PEDs and Wireless Technology Checklist be completed prior to installations; strict security controls be employed and standardized configurations be established and monitored;
(4) Ensure that encryption, authentication and VPN Technology is employed, where appropriate;
(5) Require that a Personal Use Policy be developed, executed and maintained for all implementations of PEDs and Wireless Technology and that all other procedures and policy be followed; and
(6) Ensure that formal exceptions are prepared, signed and approved prior to deployment of PEDs or Wireless Technology that does not comply with this policy.
e The agency Information Systems Security Program Managers will:
(1) Coordinate and manage the security control required for PEDs and Wireless Technology;
(2) Assist agency managers in completing the appropriate checklists, as required;
(3) Routinely monitor agency implementation of these devices and technology to ensure that policy and procedures are followed; advise agency managers in cases of lax security controls or improper use;
(4) Assist in developing exception packages, as required;
(5) Participate in the development of technology implementation plans; and
(6) Update the Overall Agency Security Plan to reflect the funding and planned implementation of PEDs and Wireless Technology.
f The agency Systems or Network Administrators will:
(1) Provide appropriate administrative access and permissions for these PEDs and Wireless Technology based on job requirements;
(2) Install encryption and VPN Technology and require strong authentication for these devices, especially in cases where Sensitive But Unclassified (SBU) information will be transmitted or stored;
(3) Install standardized configurations, strict security features and profiles, and disable modems;
(4) Routinely patch and update PEDs and check devices for unauthorized software or copyrighted material; and
(5) Verify appropriate security controls are in place using the appropriate checklists.
-END-
Table 1: Checklist for Wireless Local Area Networks (LAN)
Agency __________________________________________
Description | Y/N | Info New/Updated | Comments
Management Considerations | | |
1. Develop an agency security policy that addresses the use of wireless technology, including 802.11. | | |
2. Ensure that users on the network are fully trained in computer security awareness and the risks associated with wireless technology. | | |
3. Perform a risk assessment to understand the value of the assets in the agency that need protection. | | |
4. Ensure that the client NIC and AP support firmware upgrade so that security patches may be deployed as they become available (prior to purchase). | | |
5. Perform comprehensive security assessments at regular and random intervals (including validating that rogue APs do not exist in the 802.11 WLAN) to fully understand the wireless network security posture. | | |
6. Ensure that external boundary protection is in place around the perimeter of the building or buildings of the agency. | | |
7. Deploy physical access controls to the building and other secure areas (e.g., photo ID, card badge readers). | | |
8. Complete a site survey to measure and establish the AP coverage for the agency. | | |
9. Take a complete inventory of all APs and 802.11 wireless devices. | | |
10. Ensure that wireless networks are not used until they comply with the agency’s security policy. | | |
11. Locate APs on the interior of buildings instead of near exterior walls and windows as appropriate. | | |
12. Place APs in secured areas to prevent unauthorized physical access and user manipulation. | | |
Technical Considerations | | |
1. Empirically test AP range boundaries to determine the precise extent of the wireless coverage. | | |
2. Make sure that APs are turned off when they are not used (e.g., after hours and on weekends). | | |
3. Make sure that the reset function on APs is being used only when needed and is only invoked by an authorized group of people. | | |
4. Restore the APs to the latest security settings when the reset functions are used. | | |
5. Change the default SSID in the APs. | | |
6. Disable the broadcast SSID feature so that the client SSID must match that of the AP. | | |
7. Validate that the SSID character string does not reflect the agency’s name (division, department, street, etc.) or products. | | |
8. Ensure that AP channels are at least five channels different from any other nearby wireless networks to prevent interference. | | |
9. Understand and make sure that all default parameters are changed. | | |
10. Disable all insecure and nonessential management protocols on the APs. | | |
11. Enable all security features of the WLAN product, including the cryptographic authentication and WEP privacy feature. | | |
12. Ensure that encryption key sizes are at least 128-bits or as large as possible. | | |
13. Make sure that default shared keys are periodically replaced by more secure unique keys. | | |
14. Install a properly configured firewall between the wired infrastructure and the wireless network (AP or hub to APs). | | |
15. Install antivirus software on all wireless clients. | | |
16. Install personal firewall software on all wireless clients. | | |
17. Disable file sharing on wireless clients (especially in untrusted environments). | | |
18. Deploy MAC access control lists. | | |
19. Consider installation of Layer 2 switches in lieu of hubs for AP connectivity. | | |
20. Deploy IPsec-based Virtual Private Network (VPN) technology for wireless communications. | | |
21. Ensure that encryption being used is sufficient given the sensitivity of the data on the network and the processor speeds of the computers. | | |
22. Fully test and deploy software patches and upgrades on a regular basis. | | |
23. Ensure that all APs have strong administrative passwords. | | |
24. Ensure that all passwords are being changed regularly. | | |
25. Deploy user authentication such as biometrics, smart cards, two-factor authentication, and PKI. | | |
26. Ensure that the “ad hoc mode” for 802.11 has been disabled unless the environment is such that the risk is tolerable. Note: some products do not allow disabling this feature; use with caution or use different vendor. | | |
27. Use static IP addressing on the network. | | |
28. Disable DHCP. | | |
29. Enable user authentication mechanisms for the management interfaces of the AP. | | |
30. Ensure that management traffic destined for APs is on a dedicated wired subnet. | | |
Operational Considerations | | |
1. Configure SNMP settings on APs for least privilege (i.e., read only). Disable SNMP if it is not used. SNMPv1 and SNMPv2 are not recommended. | | |
2. Enhance AP management traffic security by using SNMPv3 or equivalent cryptographically protected protocol. | | |
3. Use a local serial port interface for AP configuration to minimize the exposure of sensitive management information. | | |
4. Consider other forms of authentication for the wireless network such as RADIUS and Kerberos. | | |
5. Deploy intrusion detection agents on the wireless part of the network to detect suspicious behavior or unauthorized access and activity. | | |
6. Deploy auditing technology to analyze the records produced by RADIUS for suspicious activity. | | |
7. Deploy an 802.11 security product that offers other security features such as enhanced cryptographic protection or user authorization features. | | |
8. Enable utilization of key-mapping keys (802.1X) rather than default keys so that sessions use distinct WEP keys. | | |
9. Fully understand the impacts of deploying any security feature or product prior to deployment. | | |
10. Designate an individual to track the progress of 802.11 security products and standards (IETF, IEEE, etc.) and the threats and vulnerabilities with the technology. | | |
11. Wait until future releases of 802.11 WLAN technologies incorporate fixes to the security features or provide enhanced security features. | | |
12. When disposing access points that will no longer be used by the agency, clear access point configuration to prevent disclosure of network configuration, keys, passwords, etc. | | |
13. If the access point supports logging, turn it on and review the logs on a regular basis. | | |
Evaluation performed by: ________________________________ Date: ___________________
General comments:
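As an added illustration that is not part of the USDA directive, the following Python code checks one access point's recorded settings against several Table 1 items (SSID handling, channel separation, key size, ad hoc mode, DHCP and SNMP). The `APConfig` field names, the `T`/`O` labels for Technical and Operational items, the factory SSID list and the sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Constructed sample of factory SSIDs (assumption); replace with the
# defaults of the products actually deployed.
FACTORY_SSIDS = {"default", "wireless", "wlan"}
MIN_CHANNEL_GAP = 5   # Technical item 8: at least five channels apart
MIN_KEY_BITS = 128    # Technical item 12: key size of at least 128 bits


@dataclass
class APConfig:
    """Hypothetical inventory record for one access point."""
    name: str
    ssid: str
    broadcast_ssid: bool
    channel: int
    key_bits: int
    adhoc_enabled: bool
    dhcp_enabled: bool
    snmp_version: Optional[int]  # None means SNMP is disabled
    snmp_read_only: bool = True


def audit_ap(cfg: APConfig, agency_terms: Sequence[str],
             nearby_channels: Sequence[int]) -> List[Tuple[str, str]]:
    """Return (checklist item, finding) pairs for every failed check."""
    findings = []
    ssid = cfg.ssid.lower()
    if ssid in FACTORY_SSIDS:
        findings.append(("T5", "SSID is still a factory default"))
    if cfg.broadcast_ssid:
        findings.append(("T6", "SSID broadcast is enabled"))
    # Technical item 7: the SSID must not name the agency or its units.
    leaked = [t for t in agency_terms if t.lower() in ssid]
    if leaked:
        findings.append(("T7", "SSID reveals: " + ", ".join(leaked)))
    # Technical item 8: compare against channels seen in the site survey.
    close = sorted(c for c in set(nearby_channels)
                   if abs(c - cfg.channel) < MIN_CHANNEL_GAP)
    if close:
        findings.append(("T8", f"channel {cfg.channel} is within "
                               f"{MIN_CHANNEL_GAP} channels of {close}"))
    if cfg.key_bits < MIN_KEY_BITS:
        findings.append(("T12", f"key size is {cfg.key_bits} bits"))
    if cfg.adhoc_enabled:
        findings.append(("T26", "ad hoc mode is enabled"))
    if cfg.dhcp_enabled:
        findings.append(("T28", "DHCP is enabled"))
    # Operational items 1 and 2: read-only SNMP, and SNMPv3 if SNMP is used.
    if cfg.snmp_version is not None:
        if not cfg.snmp_read_only:
            findings.append(("O1", "SNMP access is not read only"))
        if cfg.snmp_version < 3:
            findings.append(("O1", f"SNMPv{cfg.snmp_version} is in use"))
    return findings


# Constructed sample records, not taken from any real deployment.
AP_LOBBY = APConfig("ap-lobby", "USDA-Wireless", True, 3, 40,
                    False, True, 1, snmp_read_only=False)
AP_HARDENED = APConfig("ap-3f", "bldg-net-7", False, 11, 128,
                       False, False, 3)

if __name__ == "__main__":
    for ap, nearby in ((AP_LOBBY, [1, 6, 11]), (AP_HARDENED, [1, 6])):
        results = audit_ap(ap, ["usda", "agriculture"], nearby)
        print(ap.name, "PASS" if not results else "FAIL")
        for item, text in results:
            print(f"  {item}: {text}")
```

The findings list maps directly onto the Y/N and Comments columns of the checklist, so the same record can be re-run at each assessment interval.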
Table 2: Bluetooth Checklist
Agency __________________________________________
Description | Y/N | Info New/Updated | Comments
Management Considerations | | |
1. Develop an agency security policy that addresses the use of wireless technology including Bluetooth technology. | | |
2. Ensure that users on the network are fully trained in computer security awareness and the risks associated with wireless technology (i.e., Bluetooth). | | |
3. Perform a risk assessment to understand the value of the assets in the agency that need protection. | | |
4. Perform comprehensive security assessments at regular intervals to fully understand the wireless network security posture. | | |
5. Ensure that the wireless “network” is fully understood. With piconets forming scatter-nets with possible connections to 802.11 networks and connections to both wired and wireless wide area networks, an agency must understand the overall connectivity. Note: a device may contain various wireless technologies and interfaces. | | |
6. Ensure external boundary protection is in place around the perimeter of the building or buildings of the agency. | | |
7. Deploy physical access controls to the building and other secure areas (e.g., photo ID, card badge readers). | | |
8. Ensure that handheld or small Bluetooth devices are protected from theft. | | |
9. Ensure that Bluetooth devices are turned off during all hours when they are not used. | | |
10. Take a complete inventory of all Bluetooth-enabled wireless devices. | | |
11. Study and understand all planned Bluetooth-enabled devices to understand any security idiosyncrasies or inadequacies. | | |
Technical Considerations | | |
1. Change the default settings of the Bluetooth device to reflect the agency’s security policy. | | |
2. Set Bluetooth devices to the lowest necessary and sufficient power level so that transmissions remain within the secure perimeter of the agency. | | |
3. Ensure that the Bluetooth “bonding” environment is secure from eavesdroppers (i.e., the environment has been visually inspected for possible adversaries before the initialization procedures during which key exchanges occur). | | |
4. Choose PIN codes that are sufficiently random and avoid all weak PINs. | | |
5. Choose PIN codes that are sufficiently long (maximal length if possible). | | |
6. Ensure that no Bluetooth device is defaulting to the zero PIN. | | |
7. Configure Bluetooth devices to delete PINs after initialization to ensure that PIN entry is required every time and that the PINs are not stored in memory after power removal. | | |
8. Use an alternative protocol for the exchange of PIN codes, e.g., the Diffie-Hellman Key Exchange or Certificate-based key exchange methods at the application layer. Use of such processes simplifies the generation and distribution of longer PIN codes. | | |
Operational Considerations | | |
1. Ensure that combination keys are used instead of unit keys. | | |
2. Invoke link encryption for all Bluetooth connections regardless of how needless encryption may seem (i.e., no Security Mode 1). | | |
3. Ensure that encryption is enabled on every link in the communication chain. | | |
4. Make use of Security Mode 2 in controlled and well-understood environments. | | |
5. Ensure device mutual authentication for all accesses. | | |
6. Enable encryption for all broadcast transmissions (Encryption Mode 3). | | |
7. Configure encryption key sizes to the maximum allowable. | | |
8. Establish a “minimum key size” for any key negotiation process. | | |
9. Ensure that portable devices with Bluetooth interfaces are configured with a password to prevent unauthorized access if lost or stolen. | | |
10. Use application-level (on top of the Bluetooth stack) encryption and authentication for highly sensitive data communication. For example, an IPSec-based Virtual Private Network (VPN) technology can be used for highly sensitive transactions. | | |
11. Use smart card technology in the Bluetooth network to provide key management. | | |
12. Install antivirus software on intelligent, Bluetooth-enabled hosts. | | |
13. Fully test and deploy software Bluetooth patches and upgrades regularly. | | |
14. Deploy user authentication such as biometrics, smart cards, two-factor authentication, or PKI. | | |
15. Deploy intrusion detection agents on the wireless part of the network to detect suspicious behavior or unauthorized access and activity. | | |
16. Fully understand the impacts of deploying any security feature or product prior to deployment. | | |
17. Designate an individual to track the progress of Bluetooth security products and standards (perhaps via the Bluetooth SIG) and the threats and vulnerabilities with the technology. | | |
18. Wait until future releases of Bluetooth technology incorporate fixes to the security features or offer enhanced security features. | | |
* Requirements added as result of OIG audit
Evaluation performed by: ________________________________ Date: ___________________
General comments:
Personal Electronic Device (PEDS) Assessment Guide
This assessment should be completed by the Agency’s ISSPM or designated alternate in conjunction with the Agency Assessment Checklist. Answer all questions. Provide supplemental information as appropriate. All “No” and “Partial” answers must include supplemental information (such as the given reason why the requirement cannot be met) and an action plan that describes how the requirement will be met, as well as a schedule for completion of the plan. Typically, this would be done by developing the action plan in this document and reflecting this in the security plan for the agency.
Agency/System Identification:
Agency (Agency, Office, Bureau, Service, etc.): |
Address |
Date of last Assessment: |
Test Number: 1 | Site/system: | Date: | Time:
Test Name: Basic Policy Procedures for Personal Electronic Devices (PED)
Resources Required: | Local policies for PED systems.
Personnel Required: | Systems Administrator/Information Security Personnel
Objectives: | To determine if general policies and procedures are established to control the use of PED systems in the USDA.
Procedure Description: (Summary) | Verify that policy is in place addressing the use of USDA owned and privately owned PED systems, and verify that appropriate security measures are taken when connecting PED systems to USDA resources.
Detailed Procedures and Results
Step # | Procedure Description |