.

VA of Blackberry Enterprise Server

<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Sep 11, 2012 7:06 am

VA of Blackberry Enterprise Server

Hi everyone,

I have been asked to perform a vulnerability assessment of a Blackberry Enterprise Server later in October and frankly, I don't know much about it...

Does anyone know about some good reading, tools and/or methodologie?
I couldn't find much on the web...

Thanks
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

m0wgli

User avatar

Sr. Member
Sr. Member

Posts: 308

Joined: Fri Jul 20, 2012 3:34 pm

Post Tue Sep 11, 2012 8:17 am

Re: VA of Blackberry Enterprise Server

The National Vulnerability database has the DoD requirements for securing BES (currently 5.0.3):

http://web.nvd.nist.gov/view/ncp/reposi ... ail?id=252

Hopefully, you'll at least get an overview of what can be secured and inversely any possible vulnerabilities if there not implemented.
Security + | OSWP | eCPPT (Silver & Gold) | CSTA
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Sep 11, 2012 12:25 pm

Re: VA of Blackberry Enterprise Server

Thanks, I will start with that and see what I can find from there.
I will post my findings...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

amol_d

Newbie
Newbie

Posts: 12

Joined: Tue Apr 10, 2012 8:49 am

Post Mon Dec 31, 2012 3:37 am

Re: VA of Blackberry Enterprise Server

hey so how did it go? I was hoping to read about your experience on this one
OSCP CISSP CSSLP CISA
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Dec 31, 2012 9:46 am

Re: VA of Blackberry Enterprise Server

I ended up working with two guys who knew more about it than me, so I didn't much myself.

But they spent more time looking at the policies than anything else. So for what I have seen, RIM seems to know what they are doing and they kind of making it easy for people to secure the Blackberry Enterprise Server infrastructure properly.

So sorry about this, but I ended up not doing much on that regard.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

amol_d

Newbie
Newbie

Posts: 12

Joined: Tue Apr 10, 2012 8:49 am

Post Mon Dec 31, 2012 11:44 pm

Re: VA of Blackberry Enterprise Server

no worries and Thanks for the reply hitmonkey. i suppose what you could and could not do would be based on the contract with the client.
OSCP CISSP CSSLP CISA
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Jan 01, 2013 8:16 pm

Re: VA of Blackberry Enterprise Server

Yes, indeed. And I was quite busy on other things...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

Triban

User avatar

Hero Member
Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Sun Jan 06, 2013 10:28 am

Re: VA of Blackberry Enterprise Server

Yeah BES is pretty cut and dry.  Keep it patched and configure the policies correctly, then there isn't much to worry about.  Granted you compromise a BES server and you have a nice MIM for the corporate email.  Compared to the other mobile solutions out there, BES is still top notch for securely sending data to your mobile workforce.  Not to mention you have the ability to centrally manage the phones without adding other 3rd party solutions.  As much as I hate the blackberry phone itself, I can't argue about the security of the device.  Going to a full Microsoft solution, you still need something to manage the applications and other non-Exchange related data.  Though that all may be changing with Windows 8 mobile and Exchange 2010.  MS has InTune which comes in local or cloud flavor (pick your debates for that one).  Depending on the cost, it may make moving platforms to Windows mobile a considerable idea.  I think BES currently runs almost 100 bucks a license for SMBs, 500 or more drops to 55 a license.  For a Windows 8 solution, ActiveSync would be use to talk to Exchange.  That should still have the ability to lock and remote-wipe a device.  But managing the device configurations would require a subscription to InTune which is 6-11 per device per month.  So the an org with 500 devices is looking at 65K a year to manage them.  Exchange and ActiveSync are already bought and paid for.  BES I believe is a one time cost with yearly support costs.  So MS is looking a bit higher in the price tag. 

Anyway sorry a bit off topic, but good things to way if an organization is thinking of moving away from BES in order to look at a BYOD type solution or switch to Microsoft only platform. 
Certs: GCWN
(@)Dewser
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Jan 07, 2013 7:55 am

Re: VA of Blackberry Enterprise Server

Thanks 3xban,

And RIM's new Blackberry OS 10, with their multi-layered security model seems promessing too.

I used to be a BB fan, but now that I have an Android phone, I wouldn't go back...

But like you said, you can't blame RIM for not taking security seriously.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

Triban

User avatar

Hero Member
Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Sun Jan 13, 2013 10:09 pm

Re: VA of Blackberry Enterprise Server

RIM has always been the EZ-Mode for Mobile security I think, compared to Apple/Android.  I am in the middle of doing a mobile device security assessment between tablet platforms.  Luckily Android is out per the corp response.  But that still leaves us with Apple and Windows.  Apple is proven technology, but their love for the enterprise is non-existent.  MS has huge support for the enterprise and will sometimes jump through hoops to customize something, but their tech has not been out long enough.  In either case both solutions require a 3rd party MDM/MAM solution to secure the devices.  I would love to say "get whatever, we only support VDI or Citrix with no local data storage" but not quite there yet.
Certs: GCWN
(@)Dewser

Return to Mobile

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software