Once upon a time, all the ever-beleaguered network administrator had to worry about in terms of mobile computers was the laptops that executives and salespeople used. But today, mobile devices continue to proliferate and evolve as computers, cell phones, MP3 players, PDAs, and other productivity devices converge. Most mobile devices now have computer-like features, such as Web browsers, file storage, and email. The wireless PDA market alone grew by 34 percent last year and is expected to grow even faster this year. Research in Motion's (RIM's) Blackberry, Palm's Treo, HP's iPAQ, and other similar devices are starting to have almost as much power as a laptop. Given these devices' small size and increasing ability to process and store larger amounts of information, they are presenting a challenge to IT security administrators who are trying to keep corporate data inside their company.
The scary thing is that almost all of these handheld devices have wireless
access to the Internet, whether 802.11, Bluetooth, or cellular. Some cell phones
are even assigned a temporary IP address while connected to the Internet, which
makes the phone a full network host rather than a mere handset. A user of such a
phone could pull data off a desktop over Bluetooth, then walk out the door with
company data stored on the phone.
Even within a building, handheld devices pose more of a risk than a desktop
does. These devices are so small that it's very easy for someone to take a PDA
from an employee's desk or yank it out of a cradle and drop it into a pocket.
And because these devices keep getting smaller, users are more likely to
misplace or lose them. Data can be transferred to a handheld over short-range
wireless (Bluetooth) or infrared (IR), and neither protects the transfer well:
IR has no link-level encryption at all, and the short PINs used for Bluetooth
pairing can be recovered by an eavesdropper (for more information about
Bluetooth security, see the sidebar "Bluetooth Blues"). Finally, users can store
large amounts of data on their devices, meaning gobs of corporate data can exit
the building on an employee's PDA. (A 1GB flash memory (SD) card the size of my
thumbnail costs about $79 these days.) All this means trouble for the network
administrator trying to keep his company's data out of harm's way.
What can you do? One thing you can't do is stick your head in the sand and
hope PDAs go away. Wi-Fi (the 802.11 family of wireless standards), Internet
access, and other nascent technologies have let the genie out of the bottle, and
mobile technology is here to stay. Which means you have to come up with
strategies to maintain data security.
Securing Mobile Computing Devices
Because cell phones and PDAs have begun to operate like desktop computers, they
should be treated in the same manner as desktop PCs and laptops, as far as security
goes. First, consider the different types of stored data (e.g., contact lists,
passwords, data files, and email) and how a user accesses and uses this data.
Keep in mind that each type of stored data comes with its own risks and possible
security countermeasures. Your security options may also differ from device
to device.
Contact lists. Executives or sales representatives who have
a cell phone or PDA typically store on the device phone numbers and contact
information that is valuable to a corporation. (Imagine the phone numbers on
a movie studio executive's cell phone.) In the latest version of Palm OS, you
can mark contact records as private and opt to make the selected private
records hidden (not visible on the screen) or masked (shown as a grey placeholder
with a lock icon). Once a record is marked private, you can't see or select it
until you enter the correct password. Marking records as private provides some
level of protection if the device is lost. Keep in mind that "private" is an
access-control flag, not encryption: the records remain in clear text in the
device's databases and in its HotSync backup files, so the protection holds
against someone who picks up the device, not against someone who can read its
storage directly. For Pocket PCs and other Windows Mobile devices, a number of
third-party solutions secure contact lists: for example, DeveloperOne's
CodeWallet Pro, which encrypts the stored entries. You need to determine whether
your users' contact lists warrant this additional layer of security.
Email. Email can contain details about sensitive conversations or corporate negotiations. Also consider that a user might attach a big proposal, a pricing sheet, or some type of employee data to an email message. One strategy you can implement is to prohibit employees from using mobile devices to send email containing sensitive company data. However, you might encounter criticism for such a plan because sending email is one of the most popular uses for mobile devices. A fallback measure is to forbid users to download email attachments to mobile devices. You can configure such a limitation on most devices, and users usually don't consider it inconvenient because attachments are slow to download anyway. Either measure only limits what a lost device exposes if the mailbox itself sits behind the device password; messages already cached on the device are otherwise readable by whoever picks it up.
Voicemail. If someone steals a PDA phone or cell phone, he or
she can easily access the voicemail Inbox and listen to saved messages. Many
cellular providers offer little or no security protection for voicemail Inboxes,
and even provide convenient one-button access to them. Have users password-protect
their voicemail Inboxes, and encourage them not to embed the voicemail password
in the one-button dial string, which would let the thief in with a single press.
Pictures. Although most pictures that users store on mobile devices are personal, I've seen devices used to photograph whiteboards, product prototypes, and other company resources. You might also run into users who store inappropriate images on their phones and show them at work. (Yes, there is PDA porn available, not to mention the potential prurient uses of built-in cameras.) Some companies, and countries, actually forbid the use of camera phones, but enforcement will become more difficult as the camera feature becomes standard on cell phones. For now, you might want to enact a policy to restrict use of mobile phone camera features at work.
Passwords and account numbers. Today, many people are required
to recall a growing number of secret codes (such as passwords, credit card numbers,
alarm codes, and safe combinations). Storing your passwords on a desktop computer
means they won't be available if you need them while you're roaming around a
building or working off site, not to mention the possible threat of electronic
theft. And putting passwords on paper (and not secured under lock and key) is
always a bad idea.
Keyring for Palm OS is a free utility that lets you keep sensitive data on
your PDA so you can carry your "little black book" wherever you go and still
keep it secure. This program provides triple-DES encryption using a 112-bit
key derived from your password. Because the key is derived from the password,
the vault is only as strong as the master password the user chooses; a short or
guessable one can be brute-forced offline by anyone who copies the database.
If you are always at a loss when you need to choose a new, unique password,
Keyring includes a handy password generator that produces a password complying
with the Federal Information Processing Standard (FIPS) 181 standard for
automated password generators. The password generator even offers the option to
generate a random password that is pronounceable, which makes it easier to
remember even though it's not a dictionary word. For more information and to
download Keyring for Palm OS, go to http://gnukeyring.sourceforge.net.
Windows-based PDA users can download a free program called KeePass to store
important passwords and codes on their devices. This program provides essentially
the same functions as Keyring for Palm OS but has some other nice features.
KeePass also runs on your desktop, so you can access your codes from your desktop
or your PDA. It also lets you export password lists to different file formats
for easier reading and imports comma-separated value (CSV) files and other formats,
such as CodeWallet Pro's. Remember that an exported list is plain text, so it
undoes the protection of the database; have users delete exports once they have
served their purpose, and never leave one on the device. KeePass protects stored
data with the Advanced Encryption Standard (AES) or the Twofish algorithm,
selectable by the user. To download KeePass, go to
http://keepass.net/index.php?news
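As an added example that is not part of the original article and is not code from Keyring or KeePass, the Python sketch below shows the two things both tools do that the preceding paragraphs describe: derive the encryption key from the master password (salted and iterated, so a copied database has to be attacked through the password) and generate a pronounceable random password. The Python standard library has no 3DES, AES or Twofish, so the cipher here is HMAC-SHA256 run in counter mode as a keystream with encrypt-then-MAC; a production vault should use AES-GCM or ChaCha20-Poly1305 from a vetted library instead. The iteration count, the syllable alphabet and the sample entries are assumptions, and the generator is a consonant-vowel scheme rather than an implementation of the FIPS 181 algorithm.

```python
"""Minimal password-vault sketch (added example, not Keyring's or KeePass's code).

Key derivation: PBKDF2-HMAC-SHA256 over the master password with a random salt.
Cipher: HMAC-SHA256 in counter mode as a keystream (stdlib stand-in for
3DES/AES/Twofish), with a separate HMAC tag over salt+nonce+ciphertext.
"""
import hashlib
import hmac
import json
import math
import os
import secrets
import struct

KDF_ITERATIONS = 200_000            # assumption: tune to the target device's CPU
CONSONANTS = "bcdfghjklmnprstvwz"   # assumption: alphabet for the generator
VOWELS = "aeiou"


def derive_keys(master_password: str, salt: bytes):
    """Stretch the master password into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                             salt, KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: HMAC-SHA256(key, nonce || counter) for counter = 0, 1, ..."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


def encrypt_vault(master_password: str, entries: dict) -> bytes:
    """Serialize the entries, encrypt under the password-derived key, append a MAC.

    Layout: salt(16) || nonce(16) || ciphertext || tag(32)
    """
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    body = salt + nonce + _xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body + tag


def decrypt_vault(master_password: str, blob: bytes) -> dict:
    """Check the MAC before touching the ciphertext; a wrong password raises ValueError."""
    if len(blob) < 16 + 16 + 32:
        raise ValueError("vault too short")
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, ciphertext = body[:16], body[16:32], body[32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad master password or corrupted vault")
    plaintext = _xor(ciphertext, keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext.decode("utf-8"))


def pronounceable_password(syllables: int = 4) -> str:
    """Consonant-vowel-consonant syllables from a CSPRNG (not the FIPS 181 algorithm)."""
    return "".join(secrets.choice(CONSONANTS) + secrets.choice(VOWELS) +
                   secrets.choice(CONSONANTS) for _ in range(syllables))


def pronounceable_entropy_bits(syllables: int = 4) -> float:
    """log2 of the number of distinct outputs the generator above can produce."""
    per_syllable = len(CONSONANTS) ** 2 * len(VOWELS)
    return syllables * math.log2(per_syllable)


if __name__ == "__main__":
    # Constructed sample entries; nothing here is real.
    secrets_db = {"vpn": "s3cret", "alarm": "4471", "safe": pronounceable_password()}
    blob = encrypt_vault("correct horse battery", secrets_db)
    print("vault bytes:", len(blob))
    print("recovered:", decrypt_vault("correct horse battery", blob) == secrets_db)
    print("entropy of a 4-syllable password: %.1f bits" % pronounceable_entropy_bits(4))
```

Two design points worth noticing. A wrong master password is detected by the MAC check rather than by decrypting to garbage, so the vault never hands back partially decrypted data, and the random salt means two users with the same master password still get different keys. The entropy helper shows why the pronounceable generator is a convenience for per-site passwords and not a source for the master password itself: four syllables from this alphabet give roughly 43 bits, well short of what an offline attacker with a copy of the database should be made to face.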
louannrockwellhuseth, October 19, 2006