Address Security Problems With A Solid PDA Usage Policy
By: Brien M. Posey, MCSE
Although there are numerous security threats associated with PDAs, the two biggest issues are viruses and the theft of sensitive data. At first, the thought of losing sensitive data or contracting a virus because of a PDA may seem ridiculous. However, both threats are very real, and I’ll explain why. I’ll also give you a few tips on constructing an effective PDA policy for your users.
Before you send me an e-mail message, let me explain I'm well aware that there has never been a documented case of a virus attacking a PDA. This may be because the Windows CE operating system is so simple. When Windows CE was initially designed several years ago, the engineers at Microsoft stripped down the Windows 95 operating system to its core, added a few simple applets, and the finished product became Windows CE.
There’s a basic rule in computing that says that the more lines of code an application has, the greater the chance the application may be exploited. Because Windows CE was such a simplified operating system, many of the weaknesses that viruses could exploit in other operating systems simply didn’t exist. As the years went on, the Windows CE operating system got a little more bloated, but it still lacks most of the features found in elaborate operating systems such as Windows XP. Because of this, virus attacks have never been an issue.
Although viruses are not known to attack PDAs, a PDA can act as a carrier for a virus. For example, imagine that a user employs a PDA to check e-mail. Now suppose an e-mail message contains an attachment that’s infected with a virus. If the user were to open the attachment, the virus would probably not infect the PDA. However, if the user were later to synchronize the file to a desktop PC and then open the file on the PC, an infection would occur. In this situation, the virus didn’t harm the PDA, but the PDA was able to act as a carrier that allowed the virus to be put onto the network.
Everyone in your organization who uses a PDA should be running antivirus software, just as they would on a laptop or desktop computer. There are two ways that this antivirus software works. One type of antivirus software stores an auto-protection file and a virus-definition file on the PDA so that virus scanning occurs automatically each time a file is accessed. Another breed of software stores the virus definitions on a network server. Because virus-definition files take up a lot of space that many PDA users simply don’t have, storing them on a network server ensures that the definitions can be updated regularly. Any time the PDA user attaches to the network, the antivirus software automatically connects to the virus definition files and scans the PDA before any infections can occur.
Whenever a PDA is lost or stolen, there’s a risk that the data stored on the device could fall into the wrong hands. When I speak to IT managers about the data that could be compromised if a PDA were stolen, they almost always tell me that the PDAs don’t need any real protection because there is no sensitive data on them. However, I feel there’s actually quite a bit of sensitive data on the typical PDA.
For example, suppose a VP at your company lost a PDA. Fortunately, this particular VP used the PDA as little more than an electronic organizer. So there’s no sensitive information on the PDA, right? First of all, the executive probably has an appointment book or a calendar stored on the PDA. And how much sensitive information is stored within the calendar? If you’re not sure, ask yourself what your competitor could learn by sneaking a look at the calendar, contact list, etc.
Let’s say that the executive in question never kept juicy information about top-secret meetings or customer contact information in his PDA. In fact, let’s pretend that the PDA was brand new and for all practical purposes was empty. There is still useful information that could be gathered from the PDA.
If your company uses a wireless network, someone could steal your company’s SSID, channel, and WEP pass phrase from a PDA. Depending on the configuration, someone might even be able to obtain usernames, IP addresses, domain names, or even passwords. Most, if not all, of the information that someone would need to break into your company’s network could be stored on the PDA, either in the form of data or as configuration information. I say it could be stored as data, potentially, because an alarming number of people store passwords and PINs on their PDAs. According to one statistic, one in four PDA users store PINs and passwords on their PDA—but don’t protect the PDA itself with a password.
Personal PDAs vs. company-issued PDAs
So the real question now is what to do about all of the security threats that face your PDA users. The first thing that I recommend doing is supporting company-issued PDAs only. Although I like giving users as much personal freedom as possible, I strongly recommend banning privately owned PDAs. If employees really want to use their own personal PDAs, my philosophy is that you can’t (and probably shouldn’t) stop them from using them—but you can prevent them from connecting them to your network.
I'm opposed to privately owned PDAs being attached to the network because it’s difficult for a company to control what it doesn’t own. If a user owns a PDA, you really have no way of verifying that the user is running the appropriate antivirus software. Likewise, there’s no way to really tell if an application installed by a user is legal or pirated.
For your users who have company-issued PDAs, you should create a security policy that is fully documented so there are no questions of what will be expected from them. The policy will likely be very similar to the policy for your laptop users. For example, it should address things such as how often passwords should be changed, what applications are allowed, and what types of data may be stored on the PDA. In the following sections, I’ve outlined more detailed security recommendations that you might consider including as a part of your PDA security policy.
Under no circumstances should PINs or passwords be stored on a PDA. I also strongly recommend implementing a power-on password. Different devices offer different types of power-on passwords. Some PDAs support long and strong passwords, while others support a mere four-digit PIN.
As you select PDA devices for your company, I recommend doing some homework regarding power-on passwords. But don’t rule out a device just because it offers only a four-digit PIN. Some of these devices use an incremental timer to prevent brute-force PIN cracks. For example, after the first time the PIN is entered incorrectly, there’s a one-second delay before the user can try the password again. After the second attempt, there’s a two-second delay. After the third attempt, there’s a four-second delay. The delay time doubles after every incorrect guess. This makes it very difficult for someone to enter 10,000 possible PIN numbers in a brute-force crack.
If your device supports long passwords, use at least eight characters. Whatever password mechanism is used, be sure to have your users change the PIN or password every six weeks or so. I also recommend maintaining a password history to prevent passwords from being reused. Although most PDAs don’t really have this capability built in, there is software under development by several companies to test PDA passwords for things that can be easily guessed, or for passwords that are repetitive (e.g., password1, password2, password3, etc.).
Another issue that you should consider is encryption. Remember that whatever method the PDA uses to connect to the network, the traffic should be encrypted with a strong scheme. I also recommend encrypting any sensitive files that are stored on the device.
I recommend designing your security policy in a way that prevents any more data than is absolutely necessary from being stored locally on the device. It might be counterproductive to ban contact lists and calendars, but your users shouldn’t be carrying around spreadsheets and documents. If your users need access to a lot of data, I recommend implementing Microsoft Terminal Services. You can then install a terminal server client onto each PDA. By doing so, you give users full access to any desired applications or data as long as they are signed into the network. However, while the users are not attached to the network, there is no actual data on the PDA.
Likewise, I recommend developing a list of approved applications. Once you’ve developed an approved application list for the PDA, you can perform the occasional security audit to make sure that those applications exist on the PDA. Microsoft is actually developing an application that compares a PDA’s contents against a profile. If the PDA is found to be different from the profile, the PDA is erased and the profile is copied to the PDA. By doing so, if someone erases an approved application and installs Quake, the auditing software will detect the change and put the PDA back to its original configuration.
Additional security with flash cards
If your PDA users simply must keep sensitive data on hand, one way of securing that data is by storing the data on a flash card and keeping the flash card somewhere other than in the device case. That way, if someone were to steal the PDA, the thief wouldn’t get the flash card.
At a recent Microsoft Exchange Conference, I saw several next-generation flash cards that were in development for PDAs. One flash card contained 512 MB of storage, plus an integrated fingerprint scanner. Using this device requires users to enter the device’s PIN, plus pass a fingerprint scan before they are given access to the data stored on the card.
Another version of this card that’s not quite finished yet contains 3 GB of storage plus a fingerprint reader. What makes this device unique, however, isn’t so much its storage capacity as the fact that it supports multiple users. You can associate multiple fingerprints with user profiles on the device. You can also control who has access to which folders on the flash card by associating the folders with fingerprints.
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email