[qc_metal]

Ok, so I implemented a password policy for our ~320 users today. The policy was approved by our director, and I listed various reasons why they should have their BlackBerrys locked.

Of course, now I have a bunch of backlash complaining that the time (10 minutes) is not nearly enough idle time before the lock occurs.

My policy is very simple (at this point), requires a 4-digit password, no password history, 10 minute timeout, users can specify a time lower than that if necessary.

What does everyone else use as a timeout? Are there any industry reports on what kind of havoc can be wreaked upon a company if a BlackBerry gets stolen?

The basic gist of my email stated that the current risks without having a BES-enabled BlackBerry locked down with a password:

A person who has posession of your BlackBerry can:

• View, delete, and reply to corporate email AS YOU.
• View, create, delete, change, Calendar, Contacts, Memos, and Tasks in your corporate mailbox.
• Above changes/deletes, etc. synchronize DIRECTLY with your mailbox.
• Access corporate Intranet and all resources immediately available to the BlackBerry browser.
• Access any data, personal or otherwise, that may be stored on your BlackBerry.

Our corporate workstation screen saver lock policy is 15 minutes, so me, I'm willing to go no more than that since I view the BlackBerry as a similar risk as a Laptop being stolen.

Frankly, I'm getting a bit upset, as I view a lot of this backlash as whining because users are being "inconvenienced" for the sake of protecting our corporate data.

Now, after the execs have made some noise, our director is saying "what about a 60 minute timeout?" - - *the sound you hear is me banging my head against the desk*.

So, if anyone has any Gartner or other industry stats that could help back me up here, I would be very appreciative.

...or am I being too security-conscience (I'm guessing that I'm not)...?

Regards,
Rob

[rliebsch]

I hadn't really thought about it. It is a huge vulerability, especially if mine were lost. SSH/Telnet, VNC, not to mention the core functionality...

Worst to admit, I instantly jumped up and said, yes! Passwords on the handheld...

Then i realized, oh, no locked handheld after 2 minutes. What a pain in the arse.

I am certain my users would freak out.

But it is an excellent point. I mean, the last two handhelds that were lost, were not reported to me until nearly 2 weeks after they had been lost...

sceeery

[jibi]

As of now, we've disabled MDS and have a 30 minute idle timeout policy and 60 minute mandatory timeout. In the desktop world, timeout is 10-15 minutes. Password are also initially mandatory but optional.

...I agree with you, sacrifices made in direct objection to corporate security policies is, without a doubt, quite upsetting. But at the end of the day, you aren't the one signing your own check, right?

In all honesty, your best defense against these sacrifices would be end-user education... but then again, you'll always have those that simply will never 'get it'. In the event of stolen/lost equipment, you may want to make sure that it's policy and procedure to make a call directly to someone who can access the BES user accounts... of course, that is one of those semi-enforceable procedures that will often be ignored and very hard to audit.

[d_fisher]

We have a 60 minute timeout, 4 character password, no history, no complexity requirments. Passwords are manditory.

[jwcanada]

We use a 30 min timeout with a 6 character with no complexity required. We also put the "Owner" message when the device is locked to show the users name, company name, and a msg saying if found please contact our 800 number for our helpdesk. I thought there was no way in hell we would ever get an honest person to call. But funny thing in 3 yrs we have had 5 devices lost that the person that found it called our helpdesk. But when if comes to password policy you have to consider your business. You have to think that financial firms would have a much more strict policy than your avg company. So I don't think there is any wrong answer on the timeout of the password policy....as long as you enforce it.

[Milkman]

Quote:

Originally Posted by qc_metal

Now, after the execs have made some noise, our director is saying "what about a 60 minute timeout?" - - *the sound you hear is me banging my head against the desk*.

I would suggest that if you haven't already, you provide the security exposures (as listed above) to your director. Make sure that he/she actually knows what can happen if a Blackberry is stolen, and at that point let him/her make the call.

[bremere]

We have idle pwd at 10 minutes or so, 5 pwd history, complex pwd alphanum, however the user can change the timeout length at their leisure, up to 30 min, and we have allowed user to remove the "lock on holster" restriction

just my .02

-emb

[jibi]

Quote:

Originally Posted by Milkman

I would suggest that if you haven't already, you provide the security exposures (as listed above) to your director. Make sure that he/she actually knows what can happen if a Blackberry is stolen, and at that point let him/her make the call.

Just another note, GET IT IN WRITING from the Director (or whomever the manager making the decision). This will CYOA/CYOB if you have evidence of the decision, in the event that data is lost/stolen and somehow hurts your bottom dollar. This is the purpose of our initial mandatory password requirement; the users are made aware of the risks, and if they choose to remove the password for convenience purposes, then it's on them.

[edonin]

I'm pushing for a 20 minute timeout as a hopeful best compromise between security needs and the usability issue, coupled with the lock when holstered option. I'm also trying to get a hard-coded policy in writing about reporting lost or stolen Blackberries ASAP for remote-initiated locks or wipes.

I agree 100% with you about the security need and empathize with the headaches caused by getting this past the user population.

Being a user myself, I'll take the inconvenience of having to type a simple password every 20 minutes vs. the considerably larger inconvenience of having proprietary company information exposed to a thief.

I think Jibi has posted a great idea of getting any denials in writing. That kind of accountability, especially with an executive, might be enough to bring reason to the forefront of this issue, and like Jibi said, it's a great CYA at bare minimum.

[d_fisher]

Quote:

Originally Posted by edonin

I'm pushing for a 20 minute timeout as a hopeful best compromise between security needs and the usability issue, coupled with the lock when holstered option.

I think the lock when holstered is worse than even a 2 minute timeout. I always keep my BlackBerry in the holster. Can't tell you how many times I have holstered the BlackBerry only to have it go off. Because I work in a support role, I have to look. So now I need to unlock the BlackBerry again after just 10 seconds of inactivity.

[SimonMac]

5 mins and a 6 letter password we also enforce lock on holstering

[edonin]

I'm on the support side myself, and sure don't disagree that it can be annoying to type a short password everytime the bloody thing buzzes, but if you've ever seen a really good pickpocket at work, you know how easy it is for someone to nick even a holstered device. Again, IMHO, better for me to type the 2 second password, than to risk company data and server access (especially if a user has a Mobile Admin app onboard).

At least I can answer the phone while it's locked, which is the only time-critical function that a hostered lock could possibly impair.

However, I will concede that your daily video sig file, once again mightily rules! Very cool!

[jmanford]

Quote:

Originally Posted by SimonMac

5 mins and a 6 letter password we also enforce lock on holstering

Glad I'm not one of your BES users. I would hate to have to enter my password every 5 mnutes. We have ours set to 60min

[Andi]

20 minutes time out (and they cry about that!) 5 to 14 character password - no forced lock on holstering -- still have MDS running (not by my choice) but we did stop all installing of 3rd party apps

[qc_metal]

Quote:

Originally Posted by rliebsch

But it is an excellent point. I mean, the last two handhelds that were lost, were not reported to me until nearly 2 weeks after they had been lost...

sceeery

This is exactly why I wanted to push this policy - we have had quite a few devices stolen or lost, and most of the time, the person has already spent a few days looking for it, only to come to the conclusion that yep, they don't have it any longer.

Typically by now, I can't send a kill command as the battery may have died or the device is out of range at that time.

Then, a new device gets deployed to the user, and once the PIN is associated with their email address, the old device can't synchronize with our BES, which is great - but then again, there is still data on the device. Those are the ones that are the biggest risk for us right now.

I would say out of all devices I've sent a kill command to because of a loss/theft, I've probably had 2 which processed the command completely.

I would love to have a feature in the Management tool that put our stolen/lost PINs in "the parking lot" - so we can repeat our kill commands on a schedule but obviously that would eat into client licenses...or perhaps a paid service that the carrier can provide to send out repeated device kill commands for a window of time.

In any case, because of various people complaining, and others caving, we are going to modify our timeout to 30 minutes (which seems to be slightly longer than the average response here of 20 minutes).

We'll see if the complaining continues...

I most definitely appreciate all your responses. I'm gladd I'm not the only guy in the boat.

Rob

[qc_metal]

grrr. There's always one guy...

Check out this response to my policy - from a user, mind you.

While I appreciate the comments, I do not appreciate the fact that this person thinks they can do our job for us.

As for the responses, I have a few on hand, but I wanted to put this past you guys for a more informed (and less heated) idea for feedback.

Quote:

I take a fairly dim view of the approach to multiple password entry per dayprotection approach.

The problem (company communications network security) isn't well addressed if everyone has a four letter password composed of the same letters or a simple keyslide that can be performed with only the right hand. You'd think we'd be a better group, but the first time you try to unlock your 'company cell phone / blackberry' to place a call on a very long drive, most users realize that simplicty is absolutely essential. I suspect we don't have a great deal password of diversity.

Perhaps there are other ways to approach the problem that better addresses the problem?

Consider password requirements for device-desktop syncronization. Staged password timeout for functionalities with different risks (30 min email lockout, 8 hours phone lockout). Device email lasts a max of one month. Or use-based software that reacts to possible malignant use senarios (like 3rd party software install) and locks out until a password is entered (if such a thing exists).

Ultimately doespasswording do much to protect our company anyway? Denial of service attacks to disable a blackberry enterprise server's corporate network are still a possiblility. MAPI and BBPROXY would seem to be threats if users can install 3rd party programs, and the blackberry's weak use of memory scrubbing (even with crypo) isn't something I much trust or understand. I guess what I'm saying is passwording only seems likely to block out casual (and probably not particularly dangerous) misuse senarios, without appearing to add security against more dangerous hacking or malware threats.

Has therebeen much blackberry abuse/theft/maluse in our company?

[qc_metal]

My response:

Quote:

%user%,

Thank you for taking the time to respond. This policy has been agreed upon by %our company%'s executive team and mandated by the IS department in an effort to:

· Conform to our security auditor’s requests
· Protect %our company%'s data



It only takes a few minutes for a casual person or a child to delete %our company% data if the device is left unlocked – even if person’s intentions are not malicious. So, a password will in fact prevent most people from trying to get data from the device. And while it is true that we have not implemented the complex password restriction, it is available to us – of course, this is not to say that the IS department will not implement such a restriction in the future. Please note that you as a BlackBerry user are not limited to a 4-digit password, or that there is a ‘standard password’ that people are using – everyone has chosen their own password.

%our company% is comfortable with the (triple-DES encryption) memory scrubbing technique that is part of our BES deployment. As such, appropriate safeguards are (and have been) in place to protect %our company% data at the device and server level, including the denial of service vulnerability as you mentioned.

No electronic system is 100% safe or foolproof, but it can be made substantially safer if we all maintain an effort to secure %our company%'s proprietary assets and information.

If you have any further comments or questions regarding this policy, please refer them to my manager, %my manager%.

Regards,

Rob

I didn't want to get into a techie battle with him, but wanted to go over the fact that this is not his choice, and it will in fact help us protect our data, since 99% of thefts are usually people concerned with the device, and have no care for the data.

What do you think?

[edonin]

Nice job, QC! It professionally defends your and your company's position, and is non-offensive while taking any ands-ifs-and-buts out of the equation. If it's not copy-righted, I'd likely steal it for replies to our user community.

If the patience and euphemisms in your reply were money, you could retire.

[qc_metal]

Go for it - Trust me, it took a lot to not be a little heated...!

[hannahkat]

hmm - we increased out lock time to 15 mins from 5 mins after massive user complaints - my personal favorite was that it was too difficult for a user to unlock his bb while driving to check his email (!). We have disabled MDS, 3rd party apps, all messenger services. The password has to be min 5 characters which is very easy compared to the strong password on the desktop, we enforce a change after 120 days, no patterns or repeats allowed. The device will self-wipe after 5 incorrect password attempts.