Data files. People often use PDAs and portable storage devices as removable hard disks. Trek's Thumb-Drive (aptly named, because these devices are about the size of a thumb) is a family of popular storage devices that make it easy to carry data to another location. Although a Thumb-Drive is not a computer, it poses a special danger because it's so small and because you can plug it into a USB port on any computer. Some high-security government facilities have gone as far as banning the devices altogether and making visitors empty their pockets at entrances to keep these tiny devices out of the facility. You don't have to go to that extreme, but you can limit what people can do with small peripherals and devices by configuring Group Policy settings on systems running Windows Server 2003 Service Pack 1 (SP1) and later. You can also develop a company policy that specifies what types of data your users can store on these small devices. If you or the company you work for has an information security policy with different security classifications for different types of documents, use those classifications as the basis for the policy. For example, the policy might let users store public data on a handheld device but not confidential data or employee information. You can also encourage people to use safe methods to transfer files, such as accessing your company's LAN through a VPN.
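As an added example (not code from the article), the following PowerShell script shows what the removable-storage limits described above look like on a single host. It writes the registry values that the "Removable Storage Access" Group Policy (Computer Configuration > Administrative Templates > System, available on Windows Vista/Server 2008 and later) sets, and it also disables the USB mass-storage driver (USBSTOR), which is the documented method for older systems such as Windows Server 2003. The -Mode parameter, the two function names and the audit output are this example's own conventions; run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the original article.
# Lock down (or re-enable) removable disks on the local Windows host.
# Assumptions: elevated session; Windows Vista/Server 2008 or later for the policy key,
# any Windows version for the USBSTOR service key.
param(
    [ValidateSet('Deny', 'Allow')]
    [string]$Mode = 'Deny'
)

# Device setup class GUID for "Removable Disks" (USB flash drives, card readers, portable HDDs).
$RemovableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyKey  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisks"
$UsbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-RemovableDiskPolicy {
    param([ValidateSet('Deny', 'Allow')][string]$Mode)

    if ($Mode -eq 'Deny') {
        # Deny_All=1 blocks read, write and execute for the whole device class;
        # this is the same value the Group Policy editor writes.
        New-Item -Path $PolicyKey -Force | Out-Null
        Set-ItemProperty -Path $PolicyKey -Name Deny_All -Value 1 -Type DWord
        # Start=4 (SERVICE_DISABLED) keeps usbstor.sys from loading for devices
        # Windows already knows about, which the policy key alone does not cover on old systems.
        Set-ItemProperty -Path $UsbstorKey -Name Start -Value 4 -Type DWord
    }
    else {
        if (Test-Path $PolicyKey) {
            Remove-ItemProperty -Path $PolicyKey -Name Deny_All -ErrorAction SilentlyContinue
        }
        # Start=3 (SERVICE_DEMAND_START) is the default for USBSTOR.
        Set-ItemProperty -Path $UsbstorKey -Name Start -Value 3 -Type DWord
    }
}

function Test-RemovableDiskPolicy {
    # Returns an object describing the effective state so it can be logged or
    # fed to a compliance check instead of being read off the console.
    $denyAll = 0
    if (Test-Path $PolicyKey) {
        $value = (Get-ItemProperty -Path $PolicyKey -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
        if ($null -ne $value) { $denyAll = [int]$value }
    }
    $start = (Get-ItemProperty -Path $UsbstorKey -Name Start).Start
    [pscustomobject]@{
        PolicyDenyAll   = ($denyAll -eq 1)
        UsbstorDisabled = ($start -eq 4)
        Locked          = (($denyAll -eq 1) -and ($start -eq 4))
    }
}

Set-RemovableDiskPolicy -Mode $Mode
Test-RemovableDiskPolicy | Format-List
```

In production you would set the policy in a GPO rather than by script, so it is reapplied on every refresh and a local administrator cannot quietly undo it; the script is useful for seeing exactly which values the GPO writes and for auditing a host. Note that disabling USBSTOR blocks all USB disks, including encrypted drives issued by IT, so pair it with the device registration described in the policy section rather than applying it blindly.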
If you're a security-conscious systems administrator and want to access your remote servers without lugging a laptop around, TuSSH (for Palm OS 4.0 and later) lets you do it over an encrypted session from your PDA. TuSSH is a Secure Shell (SSH) client that connects to your servers through an encrypted tunnel, as long as the servers are running an SSH server. For more information about TuSSH for Palm OS, go to http://www.tussh.com
Best Practices
Here are five best practices for using mobile devices securely in a corporate environment.
Develop a mobile device policy. Develop a clear security policy for handheld devices and make sure employees are informed about it. The policy should include the following items:
A statement about whether handheld devices can be used to access and save company data. The policy should require employees to register with the IT department any handheld devices that can be used to store company data or synchronize with a company computer, so IT can track their use.
List the types of employees who can use a handheld device to access and store company data. For example, maybe salespeople in your company can use PDAs but accountants can't.
Describe the type of data users can store on handheld devices. For example, perhaps users can store contacts but not application data files.
Specify a minimum level of security that users should configure on their handheld devices. Ideally, each device should be provisioned through IT.
Run antivirus software on each device. Because handheld devices synchronize with PCs, they can carry viruses into your organization just as PCs can. Although there have been very few PDA viruses to date, the danger will certainly increase as the computing capabilities of these devices grow. Therefore, antivirus software should be loaded on mobile devices. Both McAfee and Symantec make antivirus software for Palm OS and for Windows Mobile (including Windows Mobile-based Pocket PCs). McAfee VirusScan PDA Enterprise 2.0 provides enterprisewide management, unlike other vendors' products, which treat PDA support as an afterthought.
Password-protect devices. If users store more than contact lists or email messages on their PDA, they should password-protect the PDA functions on their device. Most device OSs can lock PDA functions at power-on and require a password before any function can be used. Users might complain about this, but if they lose their PDA, locked PDA functions are the simplest way to keep unauthorized users from casually accessing stored data. However, a power-on lock is a deterrent rather than a guarantee: even when features are locked, an unauthorized user can gain access to a PDA by using hacking tools available online, which is why sensitive files also need encryption (see the next practice).
Encrypt important files. If users store work files, including email attachments, on their devices, you should take additional steps to protect the data. Palm OS lets the user mark important records as private so that they are shown only after a password is entered. However, this approach has weaknesses: private records are hidden rather than encrypted, so anything that reads the device's storage directly, such as the backup left on a synchronized PC, can recover them. For the truly paranoid (and aren't all systems administrators in this group?), programs are available to fully encrypt data. For more information about securing data on a mobile device, see the sidebar "Securing Files on Palm OS and Windows Mobile."
Disable unnecessary short-range wireless features. If you don't turn off or disable Bluetooth or IR services when you aren't using them, anyone within range can attempt to connect to your device. Your wireless-enabled PDA can also help you check for unauthorized wireless networks within your company so that you can locate them and shut them down. A neat little free program named MiniStumbler lets you audit your surroundings from your PDA for 802.11 wireless networks within range of your current location. To use this program, your PDA needs a Wi-Fi adapter it can drive; with a Secure Digital (SD) Wi-Fi card, that means the newer SD I/O (SDIO) slot, which not all PDAs have. MiniStumbler integrates with programs such as Microsoft MapPoint to let you create graphical maps of your wireless airspace (for more information, see "Map Out Your Wireless-Security Audits," May 2005, InstantDoc ID 45842). It makes doing wireless audits a breeze. MiniStumbler is written for Pocket PC (Windows CE) devices. For more information and to download MiniStumbler, go to http://www.stumbler.net/readme/readme_Mini_0_4_0.html
Properly Secure Your Email Server
If you run your own RIM server (BlackBerry Enterprise Server, for BlackBerry devices) rather than relaying through your company's central mail server, you need to take additional technical security measures. Remote exploits targeted at RIM servers can give an attacker access to BlackBerry devices and the data stored on them. Make sure you run the latest version of the RIM server software with all appropriate patches. Also confirm that your BlackBerry devices are configured to send and receive data encrypted between the device and the server, and that the server rejects unencrypted connections.
Until manufacturers consistently integrate default security technology into handheld devices, your best defense against the loss or misuse of these devices is implementing strong handheld security policies and educating your users about security issues. As always in security, the weakest link is the human one.
Tony Howlett (thowlett@netsecuritysvcs.com) is president of Network Security Services, a network consulting firm. He is a CISSP and a GSNA.
louannrockwellhuseth, October 19, 2006