Network Security Library

Wireless Handheld Device Security


Tom Olzak 04/12/2005



The world of business communication is changing. More employees are carrying electronic information in wireless handheld devices than ever before. These devices include smartphones and wireless PDAs. It is predicted that over four-fifths of mobile knowledge workers will have the opportunity to use wireless email by 2008, and smartphones may outnumber PDAs as electronic organizers by the end of 2006 (Dulaney et al., 2004).

This change in the way employees interface with company information presents some special challenges for security managers. The purpose of this paper is to help identify some of those challenges and to provide recommendations for reducing the associated risks to your business.


The Challenges



When an employee connects to your network with a handheld device, your security may be bypassed. Data can be moved in and out of your network without management’s knowledge or control. The data that can be found on wireless handheld devices include:
  1. Passwords and user IDs used to access corporate resources
  2. In-process project information
  3. Calendar items
  4. Work contacts (fodder for social engineering attacks)
  5. Electronic Protected Health Information (defined in HIPAA as ePHI)
  6. Price lists
  7. Employee information
  8. Email
  9. Company credit card information
Two major threats to this information are:
  1. Loss of the handheld device
  2. Malware attack

Loss


The loss of a handheld device containing sensitive information is a very real threat. A recent survey by Pointsec Mobile Technologies shows that, over a six-month period, 21,460 PDA/Pocket PCs and 85,619 mobile phones were left in the back of cabs in Chicago alone (Missing in Action, 2005). This does not include devices left in airports and restaurants, stolen, etc. But this should not be a problem since your company’s handheld devices are protected, right?

During a recent training session, I asked the attendees to raise their hand if they used a wireless handheld device at the office. About 15 hands went up. I then asked how many configured their device to require a password to gain access to the device. About 3 people raised their hands. I then asked how many displayed their name, address, and phone number on the device so that it could be easily returned to them. No hands went up.

Given the information that can be stored on a handheld device, the fact that password policies with associated enforcement through automated business rules usually do not exist is troubling. Even if the person finding a lost device is ethical and honest, he or she will not be able to return the device since no contact information is provided. This set of circumstances may result in:
  1. The compromise of sensitive company information
  2. The compromise of regulated information, such as ePHI
  3. The unauthorized use of company information resources through the use of compromised user names and passwords
  4. The loss of productivity due to the loss of information that was available only on the handheld device

Malware Attack


Prior to 2004, smartphones and wireless PDAs were not a preferred target of malware developers. However, this is changing with the increasing number of wireless devices used worldwide. Current attacks are primarily focused on Symbian OS and Windows Mobile devices. Table 1 provides a brief history of malware attacks on these platforms since mid-2004.

| First Appeared: Year | First Appeared: Month | Malware | OS Affected | Impact |
|---|---|---|---|---|
| 2004 | June | Cabir | Symbian | Affects mobile phones. Spreads via Bluetooth connections. Many variants appeared throughout 2004. No real damage caused by infection. |
| 2004 | August | Brador | Windows Mobile | Allows the remote control of Pocket PCs. |
| 2004 | November | Dust (a.k.a. Duts) | Windows Mobile | Pocket PC virus spread by synching with desktop, via Bluetooth connections, email, or Internet. No real damage caused by infection. |
| 2004 | November | Skulls | Symbian | Breaks all links to Symbian system applications. Replaces the icons with images of skulls. Variants continue to appear. |
| 2005 | January | Gavno | Symbian | Can infect to the point of making a phone unusable. |
| 2005 | January | Lasco | Windows Mobile, Symbian | Proof of concept malware. The first to infect both Symbian and Windows Mobile platforms. No real damage caused by infection. Primary infection vector is Bluetooth connection. |
| 2005 | March | CommWarrior | Symbian | Spreads via Bluetooth connections. Resets phone on the 1st hour of the 14th of any month. |

Table 1: Malware Outbreaks

Although most attacks to date have not been malicious, malware attacks may result in:
  1. Loss of productivity
  2. Exploitation of software vulnerabilities to gain access to resources and data
  3. Destruction of information on a SIM card
  4. Hijacking of air time resulting in increased costs
Risks associated with wireless handheld devices will continue to increase. The following section describes a layered model that will assist in securing your handheld environment.


The Solution



Your security program should manage the risks caused by wireless handheld devices with a layered approach. Figure 1 depicts a layered security model.


Figure 1: Wireless Handheld Device Security Model

The objective of layered security is to implement a variety of controls that, in their entirety, effectively neutralize incoming threats. Information moving to and from a wireless handheld device must pass through several different tests, both actual and virtual, before reaching its target. These layers comprise administrative, physical, and technical safeguards. The effectiveness of this model must extend to all devices, whether located on the company network, at home, or at a customer site.

Is it necessary to implement all layers to ensure end-user device security? Not necessarily. Which layers to implement, and to what extent, is a risk management decision. To help with this decision, each of the layers is discussed below.


Elements of Layered End-user Device Security



Carrier Security


If the wireless carrier you use for company handheld device communication is short on security practices, it will make your job much more difficult. Ensure the carrier you use has a well-defined and operational security program that:
  1. Keeps the handheld operating system (OS) up to date in order to take advantage of improved security technology, such as firewalls, code signing, intrusion prevention, encryption, etc.
  2. Secures information in the carrier’s data stores
  3. Filters unwanted activity, including known and unknown
  4. Provides strong end-to-end encryption
When you interface your network with that of a wireless carrier, make sure the carrier is as concerned about the security of your information as you are.

Management Support


The foundation of any security program is management support. This support should comprise, at a minimum, effective policies, adequate budgets, and consistent enforcement. Efforts to change user behavior and to implement security measures carry no weight unless there is visible executive management support.

Security Program


An organization’s security program facilitates the security objectives of management. It consists of policies and procedures.

Policies are high level statements of management’s goals and objectives. They do not provide step-by-step directions to reach those goals and objectives; these directions are provided by procedures. A policy should consist of three elements:
  1. Purpose
  2. Scope
  3. Compliance
The purpose of the policy clearly explains the objectives it is intended to achieve. It should also reflect management commitment to a secure enterprise. Scope describes all enterprise technology and activities affected by the policy. Finally, compliance defines consequences if the policy is not followed. It is the compliance piece, necessary to strongly encourage implementation, that is often missing from security policies.

Procedures are the administrative, physical, and technical recipes for producing a secure enterprise. They are derived from and support management policies. The step-by-step nature of procedures helps to ensure consistent compliance with security policy.

User Awareness


Unless fully engaged in the company’s security efforts, end-users can be an organization’s greatest vulnerability. Awareness training, along with related activities, is the best way to obtain end-user participation in a security program. Training should include:
  1. Review of policies
  2. Procedure implementation
  3. Password protection
  4. How to deal with social engineering attacks
  5. Proper protection of devices
    1. Locking the device when finished
    2. Preventing the use of systems by unauthorized users
    3. Elimination of potential shoulder surfing opportunities
    4. Protecting the devices from loss or theft
  6. Ensuring the information on a handheld device is absolutely necessary
  7. Ensuring the information on a handheld device is also stored on the company network where it is regularly backed up
  8. How to encrypt sensitive information
Enhancing user awareness should begin with new hire orientation. Existing employees should receive the same training at least annually. In addition to formal training, daily reminders should be everywhere in the workplace; posters and login messages are two good vehicles for reminder distribution. Finally, first line managers must ensure that security compliance is part of every operational task.




Unless otherwise noted, all paper copyrights are owned by the author. The rest copyright 2003-2005 TechTarget
