
June 2007 Archives

June 1, 2007

Does your vendor help or hinder your security methodologies?

As security operations manager, one thing that concerns me is the ability to use vendor information within our risk management methodologies. Vulnerability and configuration compliance tools are important assets. The discovery tool allows a team to find vulnerable systems. Configuration tools permit us to set a standard, discover outliers and enforce new policies. Nonetheless, there is a missing component -- the vendor interaction and how it affects your resource planning and immediate risk management.

Already in 2007, we've experienced some interesting vendor dynamics, which have forced us to stretch our normal operational methods. FreeBSD recently froze its ports distribution tree in order to upgrade Xorg and its interdependencies. The freeze meant that even though port maintainers had submitted patched versions of PHP, our normal methods of software patching were hindered. With Apple, we saw a handful of Java and Quicktime interdependent bugs. In one case, a third party's suggestion was to disable Java. This mitigation method left many enterprises at an impasse -- disable Java and hinder work performance or accept the risk. April brought the remote DNS RPC bug from Microsoft. Even though this vulnerability didn't affect us, it's what began my dive into these thoughts. What's a consumer to do when put in a position of a serious vulnerability without a clear mitigation or solution strategy?

When put in such a position with little information and no place to acquire assistance, we become dependent on our own skills and strategies. The decisions made are highly driven by the vendor's ability to provide assistance. The ad hoc rating system below was spawned by this dilemma. This is a comparison of Apple, Microsoft and FreeBSD. How do your vendors rank?

Item                                  Reason            Apple  Microsoft  FreeBSD
Regular Bulletin Release Schedule     ERP               No     Yes        No
Security Announcement Mailing List    Communications    Yes    Yes        Yes
RSS Feeds                             Communications    Yes    Yes        Yes
Email Cryptographically Signed        Info Integrity    Yes    Yes        Yes
Security Bulletin: Pre Announcement   ERP               No     Yes        No
Security Bulletin: Summary            Communications    Yes    Yes        Yes
Security Bulletin: FAQ                Communications    No     Yes        No
Security Bulletin: Mitigations        Risk Mgmt         No     Yes        Yes
Security Bulletin: Workarounds        Risk Mgmt         No     Yes        Yes
Security Bulletin: Update/Patch       Risk Mgmt         Yes    Yes        Yes
Security Bulletin: CVE Usage          Interoperability  Yes    Yes        Yes
Security Bulletin: CVSS Usage         Interoperability  No     No         No
Security Bulletin: Acknowledgments    Communications    Yes    Yes        Yes
Security Bulletin: Website Uses SSL   Info Integrity    No     No         No
Vendor Free Detection Tool            Risk Mgmt         No     Yes        Yes
Vendor SDLC Public                    Communications    No     Yes        Yes
Alt Vendor Communication Forum        Communications    No     Yes        Yes
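To actually answer "how do your vendors rank?", the checklist above can be scored per reason category and weighted by how much each category matters to immediate risk decisions. This is an added example, not code from the original post; the category weights are an assumption for illustration, and the data is the table transcribed as constructed tuples.

```python
from collections import defaultdict
# The checklist from the table above, encoded as constructed data:
# (item, reason category, Apple, Microsoft, FreeBSD); True = check, False = x.
CHECKLIST = [
    ("Regular Bulletin Release Schedule", "ERP", False, True, False),
    ("Security Announcement Mailing List", "Communications", True, True, True),
    ("RSS Feeds", "Communications", True, True, True),
    ("Email Cryptographically Signed", "Info Integrity", True, True, True),
    ("Bulletin: Pre Announcement", "ERP", False, True, False),
    ("Bulletin: Summary", "Communications", True, True, True),
    ("Bulletin: FAQ", "Communications", False, True, False),
    ("Bulletin: Mitigations", "Risk Mgmt", False, True, True),
    ("Bulletin: Workarounds", "Risk Mgmt", False, True, True),
    ("Bulletin: Update/Patch", "Risk Mgmt", True, True, True),
    ("Bulletin: CVE Usage", "Interoperability", True, True, True),
    ("Bulletin: CVSS Usage", "Interoperability", False, False, False),
    ("Bulletin: Acknowledgments", "Communications", True, True, True),
    ("Bulletin: Website Uses SSL", "Info Integrity", False, False, False),
    ("Vendor Free Detection Tool", "Risk Mgmt", False, True, True),
    ("Vendor SDLC Public", "Communications", False, True, True),
    ("Alt Vendor Communication Forum", "Communications", False, True, True),
]
VENDORS = ("Apple", "Microsoft", "FreeBSD")
# Assumed weights: items that feed immediate risk decisions count the most.
WEIGHTS = {"Risk Mgmt": 3, "ERP": 2, "Info Integrity": 2, "Interoperability": 1, "Communications": 1}

def score(checklist=CHECKLIST, weights=WEIGHTS):
    """Return {vendor: (weighted score, max possible, {category: (have, total)})}."""
    result = {}
    for idx, vendor in enumerate(VENDORS):
        total, max_total = 0, 0
        by_cat = defaultdict(lambda: [0, 0])
        for _item, cat, *marks in checklist:
            max_total += weights[cat]
            by_cat[cat][1] += 1
            if marks[idx]:               # vendor provides this item
                total += weights[cat]
                by_cat[cat][0] += 1
        result[vendor] = (total, max_total, {c: tuple(v) for c, v in by_cat.items()})
    return result

def ranking(checklist=CHECKLIST, weights=WEIGHTS):
    scores = score(checklist, weights)
    return sorted(VENDORS, key=lambda v: scores[v][0], reverse=True)

def gaps(vendor, checklist=CHECKLIST):
    """Items the vendor lacks: the list to raise at the next vendor review."""
    idx = VENDORS.index(vendor)
    return [item for item, _cat, *marks in checklist if not marks[idx]]
```

Swap in your own vendors' rows and weights to get a ranking that reflects what your risk process actually depends on.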

June 19, 2007

The iPhone, our new security nightmare

The dawn is near; the iPhone blitz lies prepared to turn your security team into zombies. On June 29th, your helpdesk systems will be inundated with whines to "make my new flashy iPhone work with my work PC". No amount of beer, ThinkGeek gadgets or favors will get me or my team to kowtow.

Thanks to Andy Greenberg at Forbes for allowing me to interject some commentary into his article "Is the iPhone Insecure?" While I took a bashing from the MacDailyNews community, I stand by my statement - 'It's [the iPhone] going to be entering enterprise networks whether we like it or not, and it's a nightmare for security teams.'

Most pundits rest their entire counter viewpoint on the fact that the iPhone runs OSX (or some derivative thereof) -- "it's from Apple, it's OSX, therefore it's secure". First off, OSX isn't all puppy dogs and candy canes. Allow me to also dispel the myth of my favorite OS affiliation - no, it's not Windows. My personal history with *nix operating systems began in 1990. Hopefully, though, we can sidestep this topic and avoid the quagmire of OS wars. One should adopt the right OS for the right situation (period).

The topic of enterprise security is what I write about here. As the iPhone currently stands, it has no place in the enterprise network simply because it lacks enterprise security controls. No doubt most of our commentary on the iPhone is speculative. The most anyone can get out of Apple are the demonstrations of the iPhone's fantastic usability interfaces...and boy aren't they cool! Given Apple's complete failure to address enterprise security (yet), enterprise security teams must prepare for the worst. The vendor plays an important role in security methodologies, something I've written on before. Faced with a lack of vendor information, we must hunker down and prepare our defenses. For all our sake, let's hope Apple pulls this one off (besides, I'd like an iPhone too). Though I suppose Apple's market analysis has probably already told them this: despite my own concerns, people like me will still want to pony up the $$ regardless.

Since so much of this topic is purely speculation and Apple wouldn't even answer questions for Forbes, I've assembled a straw list of questions. The list below is by no means exhaustive. Apple, if you read this, would you please address these questions in a public forum - we'd all like to know what to expect and how to reel this new gadget into our security policies.


Questions for Apple regarding the iPhone:

  • Is data encrypted while in transit?
  • Is data encrypted on the device?
  • Is data encrypted on removable memory?
  • Is data removed if the device hasn't checked in centrally, hasn't received a policy update within a time window or if battery power is too low?
  • Is there S/MIME support?
  • Is there PGP support?
  • Are there electromagnetic analysis countermeasures?
  • Are there DRM applications? (Ability to read, but not forward data)
  • Is there user authentication by means of password, passphrase or smart card?
  • Does the device automatically lock and require authentication to unlock?
  • Are the encryption keys stored on the devices and are they also encrypted?
  • Do the network devices have firewalls?
  • Are the network interfaces disabled by default, and does the user have the ability to disable them at will?
  • Is there the ability to remotely lock and disable the device?
  • Is there the ability to remotely wipe and backup data?
  • Is there the ability to centrally develop and enforce policy settings?
  • Is there centralized reporting of all device events - calls made, data transferred, usage statistics?

Update: This just in from Network World


The analyst firm Gartner will tell IT executives to keep Apple's iPhone away from their networks, in a research report to be released within a week.

"We're telling IT executives to not support it because Apple has no intentions of supporting (iPhone use in) the enterprise," Gartner analyst Ken Dulaney says. "This is basically a cellular iPod with some other capabilities and it's important that it be recognized as such."

Full story available here


Update 6/22/07

EWeek has a nice writeup covering viewpoints including mine, Matasano (Dave Goldsmith) and Gartner. Check out the last page of the article, where you'll find that EWeek got Microsoft to respond to my list of questions above.


June 28, 2007

Supporting smartphones in your enterprise

If you haven't heard, there is a new smartphone entering the market tomorrow, June 29th. Apple has publicly stated a goal of selling 10 million iPhones in 2008. In the larger world of the smartphone market, 10 million total iPhones is not a huge market share. According to market analysis data shared by Symbian, Gartner says that in 2006, 72.9 million smartphones were shipped. This is a 50% increase over 2005. What you should be concerned about is the expected rapid penetration of all smartphones. Canalys predicts global shipments of smartphones to reach 1 billion by 2012. That's 1 billion handheld devices with gigs of storage, a USB connector, a Bluetooth interface and connectivity to the cellular as well as wifi networks. Moore's law aside, nobody could have predicted that those 1980s-era big black box cell phones would morph into a pocket-sized computing platform rivaling most computers of just 10 years ago.

If someone in your organization hasn't already asked your IT team to support one of these devices, then chances are they already exist and you've chosen to ignore it. Here is your two-by-four smack to the behind. If Apple's market penetration of the iPod is any predictor of the iPhone, then you can easily anticipate the thundering herd. You can either choose to embrace the change, fight it or ignore it. As a security professional, I suggest a skeptical embrace of the iPhone. And toward the overall goal of supporting smartphones in your enterprise, I suggest four top line items for you to consider.

1 Embrace the Need
No matter how much you may want to think that a no tolerance policy keeps these devices away from your networks and company intellectual property, you must learn to accept the truth. There are smartphones, iPods and USB drives in your offices. There is employee, vendor and customer information residing on unapproved storage media. Don't ignore the requests for IT to support handheld devices; choose to be proactive. Investigate the options available; speak with your users and vendors to find a palatable solution.

2 Centralized, Supportable, Risk Mitigation
While you are investigating your options, think: centralized, supportable and risk mitigation. Like any good enterprise deployment, you want the biggest win with the least amount of overhead. Consider a solution that can be centrally managed and works within your existing supported infrastructure. Make sure that you can support the system with an SLA that you, your users and managers can accept. Furthermore, adding service for smartphones may increase the risk posture for your company or for other business units, customers and vendors. It's important to consider the possible risk side effects. Those who are process oriented may want to include the services in an information risk analysis and the company business impact analysis.

3 Entry and Exit
Networks are no longer the classic cloud protected with a pinprick of an opening and a T1 to the Internet. Not only may we have hundreds of approved ingress and egress points, but there is also the other unknown, possibly dynamic, number of holes. The advent of software VPNs, wireless LANs and now handheld multi-network-interface-aware devices is turning networks into moldy Swiss cheese. One item to address -- your wifi networks. If you haven't locked down your wireless networks, do so now. Make sure those wireless networks are first, outside your corporate LAN and second, require encryption, authentication and authorization to make use of them.

4 A Policy is Like Poker
Make a policy, stick to your guns, but know when to fold your cards. Not unlike the familiar Windows Active Directory group policies, an enterprise-caliber smartphone solution allows security teams to create and push policies that affect the functionality and security of the devices. You'll want to invest in a solution allowing you to centrally manage these policies, while also allowing reporting, logging and control of smartphone activity. In developing that policy, consider methods to protect confidential data in transit and at rest. Just a few include data encryption, password protection, remote data wiping and over-the-air data backup. Policies do solve a need, but be aware that one must always consider the balance between security and productivity. If your smartphone policy automatically locks the device after 1 minute of idle usage, users will quickly become angry at having to type the unlock password countless times throughout the day.

Even if this isn't your wake up call, it may be time to readdress your security posture when it comes to smartphones. Hopefully, these 4 items will guide you and your enterprise to a more comfortable place.

About June 2007

This page contains all entries posted to Sync in June 2007. They are listed from oldest to newest.
