Companies today do not have a firm grasp of the security vulnerabilities associated with their handheld devices. Personal Electronic Devices (PEDs), Personal Digital Assistants (PDAs), email and paging devices (such as the Blackberry), and other hybrid handheld communication devices are found in the hands of most every business manager these days, but their inherent vulnerabilities are largely overlooked.

Perhaps this is because of their size, mobility or relatively inexpensive cost. Either way, these devices do not register on the radar of most systems administrators and are wrongly perceived as less vulnerable than end user terminals connecting via hardwire to a LAN, WAN or the Internet. The popularity, proliferation and rapidly evolving technology associated with the devices make them extremely susceptible to security vulnerabilities.

There are several general classes of hand held device operating systems: the Palm Operating System (OS) (Palm Pilots, Handspring Visor, etc.); Apple iPhone OS; Symbian; and those running Windows CE and Pocket PC (Compaq, HP Jornada, Casio, etc.). Hand held devices are equipped with a wide variety of accessories, from cameras, modems and synchronization cables to Bluetooth and wireless connections and flash memory storage. All of the operating systems have software libraries with applications, widgets and plugins developed and distributed through both the commercial and freeware/shareware channels, and as with any software developed by non-trusted sources, freeware programs may contain hidden code, be it adware or malware.

Given their size and portability, the primary security concern associated with hand held devices is their ability to store large amounts of information. Add to this the breadth of communication options available and you have a device that introduces formidable risks. Since the devices are relatively inexpensive, users buy their own or receive them as gifts, and they tend to come into use in an organization regardless of whether they are approved or not. As such, companies have little or no control over data leaving the organization.

A wide variety of vulnerabilities exist when these devices are attached to PCs or other network-connected automated information systems (AIS). Trojan horse and malware programs can easily be installed, creating a backdoor on host networks to permit exploitation, since antivirus products for hand held devices are not as evolved as PC antivirus software and the operating systems currently do not prevent malicious code from modifying system files. Wireless device connections can be intercepted and data captured without the knowledge or permission of the user, as recently demonstrated in well-publicised incidents of drive-by hacking, bluesnarfing and bluejacking. Hand held devices using infrared data transport technology might also be intercepted. Finally, hand held devices by their very nature are small and therefore easily stolen or lost, resulting in sensitive information being disclosed to unauthorized individuals.

The first and best step to getting a grip on hand held devices is to ensure that your company includes them in its written security policies. Companies must issue clear and concise guidelines on what devices may and MAY NOT be used, and for what specific purposes.

How the devices are used and the type of information that is allowed to be stored on the devices will directly impact the overall risk to the organization. Good policies will specify the approved configuration of the devices and modes of operation, including whether wireless radio frequency and/or infrared transmission is permitted and whether the user is allowed System Administrator rights to the base PC with which the device synchronizes. Clearly define the purpose and acceptable use conditions of the devices. Corporate provided devices should be used only for work related activities. Users should sign an agreement to abide by the acceptable use policy. Devices should not be used to enter or store passwords, safe/door combinations, personal identification numbers, or classified, sensitive or proprietary information.

Effective policies should delineate approved connectivity requirements, prohibiting uploads and downloads via wireless or infrared while connected to desktop PCs and stating approved methods for infrared data transfers. Users should be given precise instructions regarding requirements to sync their devices to receive patches, fixes and updates. It's imperative that your policies spell out device-specific build and configuration requirements, to include: firewall, VPN, encryption, biometric, authentication and anti-virus software needs.

Physical security requirements should be simple and achievable, but at a minimum should state that devices shall not be left unattended when attached to a computer, shall be secured with password protection when not in use, shall be reported immediately if lost or stolen, and shall be insured against theft, loss or breakage.

Your organization should have a mechanism to manage the policies for hand held devices from a central location and establish a registry of all devices in use. This registry should include: serial number, configuration, make and model, and to whom the device has been issued. Each device owned by the organization should be marked as such with an asset tag or other permanent marking.

While handheld devices may currently be a lesser target than networks, end user terminals or laptops for virus and hacker attacks, that won't always be the case. The applications and functionality we see on PDAs today is what we saw on laptops five years ago. What we'll find on PDAs five years from now is what we find on laptops today. The increased power and flexibility in the operating systems will bring greater security risk. The sooner you get a grip on this risk the better.

Last but not least: don't forget that handheld devices are subject to PCI requirements too!
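The central device registry and the approved-configuration requirements described above (wireless/infrared permitted or not, password protection when not in use, required firewall, VPN, encryption and anti-virus software, asset tagging, lost/stolen reporting) can be enforced mechanically once the registry exists. The following is an added example, not code from the original article: a small Python registry model with a compliance audit. The field names, the policy defaults, the sample devices and the serial numbers are constructed assumptions for illustration, and `unregistered_devices` models the article's point that user-bought devices come into use whether approved or not, by comparing serials seen syncing with PCs against the registry.

```python
"""Added example (not from the original article): a handheld-device registry
with a policy compliance audit. All names and sample values are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class DevicePolicy:
    """Approved configuration and modes of operation for corporate handhelds."""
    wireless_permitted: bool = False          # RF transmission allowed?
    infrared_permitted: bool = False          # IR transmission allowed?
    required_software: frozenset = frozenset(
        {"firewall", "vpn", "encryption", "antivirus"})
    require_password_lock: bool = True        # locked when not in use
    require_asset_tag: bool = True            # permanent corporate marking


@dataclass
class Device:
    """One registry entry: identity, configuration and assignee."""
    serial: str
    make: str
    model: str
    assigned_to: str
    asset_tag: Optional[str]
    wireless_enabled: bool
    infrared_enabled: bool
    password_lock: bool
    installed_software: Set[str] = field(default_factory=set)
    reported_lost: bool = False


def check_device(dev: Device, policy: DevicePolicy) -> List[str]:
    """Return the policy violations for one device (empty list = compliant)."""
    findings = []
    if dev.wireless_enabled and not policy.wireless_permitted:
        findings.append("wireless RF transmission enabled but not permitted")
    if dev.infrared_enabled and not policy.infrared_permitted:
        findings.append("infrared transmission enabled but not permitted")
    if policy.require_password_lock and not dev.password_lock:
        findings.append("no password protection when not in use")
    missing = sorted(policy.required_software - dev.installed_software)
    if missing:
        findings.append("missing required software: " + ", ".join(missing))
    if policy.require_asset_tag and not dev.asset_tag:
        findings.append("no asset tag or permanent marking")
    if dev.reported_lost:
        # Stored data must be treated as disclosed once the device is gone.
        findings.append("reported lost or stolen: treat stored data as disclosed")
    return findings


def audit_registry(registry: Iterable[Device],
                   policy: DevicePolicy) -> Dict[str, List[str]]:
    """Map serial -> findings for every device that is not compliant."""
    report = {}
    for dev in registry:
        findings = check_device(dev, policy)
        if findings:
            report[dev.serial] = findings
    return report


def unregistered_devices(observed_serials: Iterable[str],
                         registry: Iterable[Device]) -> Set[str]:
    """Serials seen syncing with desktop PCs that are absent from the registry."""
    known = {dev.serial for dev in registry}
    return set(observed_serials) - known


# Constructed sample registry (serials, tags and users are made up).
SAMPLE_REGISTRY = [
    Device("SN-0001", "Palm", "Tungsten", "a.user", "ASSET-101",
           wireless_enabled=False, infrared_enabled=False, password_lock=True,
           installed_software={"firewall", "vpn", "encryption", "antivirus"}),
    Device("SN-0002", "HP", "Jornada", "b.user", None,
           wireless_enabled=True, infrared_enabled=True, password_lock=False,
           installed_software={"antivirus"}),
    Device("SN-0003", "RIM", "Blackberry", "c.user", "ASSET-103",
           wireless_enabled=False, infrared_enabled=False, password_lock=True,
           installed_software={"firewall", "vpn", "encryption", "antivirus"},
           reported_lost=True),
]


if __name__ == "__main__":
    for serial, findings in audit_registry(SAMPLE_REGISTRY, DevicePolicy()).items():
        print(serial)
        for f in findings:
            print("  -", f)
    # Constructed list of serials observed on the sync hosts.
    print("unregistered:", unregistered_devices({"SN-0001", "SN-9999"}, SAMPLE_REGISTRY))
```

Running the module prints the findings for the two non-compliant sample devices and flags `SN-9999` as a device in use that nobody registered. A real deployment would feed `observed_serials` from the synchronization software on the desktops and keep the registry in the central policy-management system the article calls for.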