Review at least once a year.
Personal Digital Assistants (PDAs), part of the larger group of Portable Electronic Devices (PEDs), can potentially impact security in a variety of ways but are often not part of a security policy. Storage capabilities and portability both lead to greater chances of theft and even accidental misuse. For instance, when exchanging contact data, someone could unknowingly beam a Trojan from his PDA to a colleague's or infect the corporate network when synchronizing to a desktop system. Such Trojans wouldn't be analyzed by the corporate firewall, and may not be virus-scanned when synching with the home or corporate network.
Right now, PDA viruses aren't widespread, but these and other mobile devices are likely the next big target of virus writers, so said folks at the Black Hat Briefings in Las Vegas, and I agree -- after all, there's no challenge left to infecting desktop systems. Write and implement a PED policy while you still have time to do it right!
Does your organization have a policy for mobile devices? Are you going to allow them, if you even have a choice? If so, are you going to support them? Which models? Does the company have to have bought them? Can they hot-synch wirelessly or only by cable? Some considerations for your PED policy to enforce your systems' confidentiality, integrity of data, availability and accountability:
- Train users in computer security awareness
- and risks associated with handheld devices
- Conduct ongoing, random security audits to monitor and track devices
- Label all handheld devices with the owner and organization's information in some way
- Ensure users know where to report a lost or stolen device
- Ensure devices are stored securely when left unattended
- Enable a "power-on" password for each device using proper password management
- Store data encrypted on backup storage modules
- Review vendor Web sites for patches and new software releases
- Avoid putting sensitive information on a handheld device. If that's not possible, delete the sensitive data from it as soon as possible
- Don't download untrusted code
- Turn off communication ports during inactivity when possible
- Install antivirus software on all devices
- Ensure security assessment tools are used on devices
- Perform a risk assessment -- PEDs are just as valuable as other computing devices to the organization and benefit from similar protection strategies
For organizations protecting sensitive information like R&D data, and some government facilities, PEDs with a radio frequency (RF) wireless capability probably should be prohibited because reliable countermeasures don't exist to mitigate that security risk. Removing the antenna isn't enough to eliminate RF operations, as some systems can still communicate even with the antenna physically removed. In these cases, wireless attachments (like LAN cards and modems) should be removed before the device enters your facility, and if it's self-powered, remove the battery. PEDs with infrared (IR) ports are usually allowed, but they're disabled either by software or hardware; covering the IR emitter/detector with opaque tape or something similar isn't a good countermeasure because it's hard to tell what it can and cannot sense. You may even want to require that PEDs brought into your facilities have any internal modems physically disconnected and/or software drivers removed.
Department of Defense (DoD) Directive 8100.2, Use of Commercial Wireless Devices, Services, and Technologies in the DoD Global Information Grid (GIG). See also: NIST Interagency Report -- 6981 Policy Expression and Enforcement for Handheld Devices April 2003, a discussion of handling devices in your organization with a proof-of-concept for control using certificates, and SP 800-48 Wireless Network Security, November 2002. Forensics on PEDs are rather specialized, and many examiners like the tools from Paraben.
About the author Shelley Bard, CISSP, CISM, is a senior security network engineer with Verizon Federal Network Systems (FNS). An information security professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments.
Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.
This was first published in September 2004