List:       security-basics
Subject:    Re: iTunes for iPhone in an Enterprise
From:       Todd Haverkos <infosec () haverkos ! com>
Date:       2010-12-02 18:22:40
Message-ID: 20101202182240.D406017E77C4 () lhotse ! onsight ! com

Francois Lachance <digitallachance@gmail.com> writes:

> So nobody sees an issue with the number of security related bugs in
> iOS, or the fact that at one time you could be jailbroken just by
> browsing a web site, 

Yes, there are risks and there have been vulnerabilities.  But, that's
just like every other OS that IT inherits support of in an enterprise
environment.  :-)

> or by the fact that you have no way to control what apps your users
> can install?  At least with a BlackBerry BES I can control any
> aspect of the devices centrally.  I don't think that's possible on
> the iPhone, at least not without a third-party add-on.

Yes, best I can tell, someone wanting to manage this to best practice
should absolutely consider third-party add-ons mandatory
infrastructure for an iPhone deployment.

But... you'll also need to acknowledge that if you try to admin
iPhones the same way BlackBerrys are typically administered, the user
experience is going to be miserable, and much of the point of the
smartphone proposition will be lost.  Is it a less secure and less
controlled model in which iPhone/Android have to live to be most
useful?  Absolutely.  It comes down to whether the benefits are deemed
as justifying the risks they pose.  The risks seem manageable given
what else is out there.  After all, how many people don't blink an eye
deploying Windows images with Adobe Flash on them (and correspondingly
don't do a great job of keeping Flash updated on those corporate
endpoints)?

In a perfect world would we make everyone run Lynx to browse the web,
using hardened OpenBSD on the desktop, abolish web plugins entirely,
and run around patting ourselves on the back and claiming victory for
security?  Sure.  But would users ever get anything done or enjoy
working with the tools they're given?  Or would they even be
supportable with sufficiently trained staff?  Probably not.

> It seems like every update released by Apple for the iPhone contained
> at least one security vulnerability fix.  Not so for the BlackBerries.
> There have been a few vulnerabilities on the BES (all related to the
> PDF rendering), and all that was required was to upgrade one server,
> not every device.  I am not saying that there are no bugs in
> BlackBerry devices, but so far, none that have had a security
> implication.  Am I being paranoid here?
> 
> Please someone set me straight if I'm wrong here.

I'd say it's entirely normal and healthy for a security person to want
to vomit at the prospect of adding iPhones to their world if they are
used to Blackberry's very tight and granular controls.  I'd also agree
that it's normal to wish that Apple would have this solution fully
baked with single vendor tools that they support.

But none of that will do much to stem the tide of IT being asked from
all sides when they can ditch their ugly and slow BlackBerrys for a
touch-screen device that doesn't crash, renders normal web pages
acceptably, can take a photo, has an App Store of a decent
size/selection, etc...

So the question then becomes "okay, we have to support this cruft--how
can we manage the risks?"  And, it seems they're as manageable as
other risks IT has to deal with day to day.  After all, infosec has to
stop being the department of "No" and become better at
managing/mitigating the risks of technologies that make employees more
productive.  "Angry Birds" notwithstanding.

--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
