Hello all,
I am new to this forum and also to BlackBerry.
I have been assigned the task to lead a project about the information security of the BlackBerrys of my company. All of security : loss, theft, problems of confidentiality, server protection, software update...

We have around 60 devices of different models (all RIM) and a BES server interfaced with our Exchange server.

I would like to know what are the usual problems or risks in information security with BlackBerrys, what happened to you or your companies. In a word, what must I not miss when I speak about security, outside of what's in the manuals and the usual FAQs ?

Also, do some of you use the BB Policy Service?

Everyone uses the BB Policy by default if they are on a BES. Albeit that the default policy doesn't do much if anything at all for locking a device down. When I consult for companies that are thinking about migrating to Blackberry, I show them my personal BES that I have setup at home for testing things because my ISP blocks SMTP so I'm not able to use it for production but instead use it for testing SP's and playing around with policies. I show them all the entries in each section and explain to them what can be done. For kicks I've even VPN'd into my Office BES and pushed down a policy that I have that basically renders my BB useless as it disables the phone, locks right away with a stupid long password, etc.

All said and done, reading the Admin Manual and the security of the Blackberry should be enough to turn someone white if they have no clue as to what we can do with the policy's.

Loss of company data can be eliminated just by disabling mass storage so they can't put in a media card and also by not allowing Desktop Manager on the users computers. RIM has some of the best encryption that I've seen in 20+ years in the security field so I wouldn't worry about emails getting sniffed out of the air. Disabling BBM and BIS services is also a great way to eliminate theft of data because they can't email or send the data to another person. EVERYTHING can be logged on the BES and as long as the logs are reviewed, it's easy to catch something that doesn't look right and appropriate action taken.

Anyways that's just my .002

I'm sure you'll get plenty of great answers about this question from other BES Admins as it is a common question.

^ audit
"Everyone uses the BB Policy (Service) by default if they are on a BES."

Before you start toying with the Default policy on the BES, make a copy of it and play with the copy. You can lock down just about anything you want on the device by the Policy on the BES.
Example of our policy: (Yes, I am that strict. Other BB Admins who have met me in person know it to be true!)

• Minimum 8 characters
• Password must contain at least 1 UPPERCASE letter, 1 lowercase letter, 1 special character and 1 number
• Password must be changed every 90 days
• Previous 10 passwords cannot be used
• BlackBerry device will lock after 30 minutes of inactivity
• Letter repetition in passwords is restricted (e.g.: aaa, bbb, ccc)
• 5 invalid attempts will erase & scrub all data from the device
• Data encryption enabled

Yes I agree with that as I leave the default alone and create 4 new policies and use those. The default is only used in "special situations" when I'm ordered to use that one for someone, other then that my general policy is very similar to yours. I do lock things down a little more for the people that have camera enabled devices and I do change policies for people based on where they are going such as clients that don't allow camera phones unless they are locked and not able to use the camera. Then I have my own policy that only goes on my device.

I would agree that the best security on the device is the PIN and Password.

I would also recommend implementing the duress policy, it's a very useful feature which a user can input the password in an alternative format (put the first character of the password at the end) and this will trigger an e-mail to be sent to a predefined e-mail address. There's no indication on the device that anything has been sent.

Useful for lone workers.

Thanks for all your answers.

With a device like the BB that wipes itself after in your case 5 bad passwords and the bad password time out is really long - other than loss of productivity for your users is the point of such a severe policy ?

Long complex passwords are designed to prevent a brute force attack or guessing - both of which are not an issue since the device wipes itself after 5 attempts. IMO a 4 character simple password is more than enough for most BB's

MY guess is the answer will be something like you make it overly complicated to look good to your boss, or because you can, or because you like enforcing your will on others..

PS letter repetition is prevented by the newer devices themselves irrespective of the IT policy

Guess it depends on what he is protecting.

Sometimes opinions are like farts, everyone elses stinks and yours smell great.

My company is going to push a requirement on our BB that locks the phone after 30 mins of use...then a 5 digit PIN must be entered. I am being told by our IT that it will lock Email, Internet and outgoing calls...incoming requires no password if locked. This is kind of a bummer when on the road a lot.
Question, can an IT policy be created that will lock out email/internet only, but not in/out phone use?
Tks

The IT Policy can be set to allow outgoing calls when locked. Once that is set, there is also as setting on the device that needs to be changed to allow the outgoing calls while locked.

The policy is pretty granular - its easy and common to set it to allow outgoing calls while locked BUT you will only be able to dial recently recieved/sent numbers - you wont be able to get to the address book OR type in a new number

You are exactly right -

But if you were protecting the access codes to fort knox you could force a 100 character password that must contain 3 foreign language phrases BUT if the device locks after 5 bad attempts a 4 or 5 digit password would be adequate to secure the device.

My point of view is that with a device like BB that locks after 5 attempts, Entropy and bit strength are less important on those devices since they are essentially secure from brute force attacks

A 4 character password is 10 bits in strength and would require a minimum of 20,000,000,000 attempts to crack - The 5 attempt limit and the remote wipe capability make that impossible

Mine Smell Great ...

Edit - assuming the BB let you try a new password every minute with no wipe - which we know wont/cant happen, it would only take 38,051 years to crack the 4 digit password