Wireless Handheld Device Security
Tom Olzak
04/12/2005
Physical Access Controls
The effectiveness of the security program is directly proportional to the effectiveness of the physical access controls surrounding electronic information. Strong passwords, biometrics, and other logical access methods will not prevent the financial loss associated with the theft or loss of critical business information. In addition, the level of effort applied to extracting information from secure devices within the normal business environment will probably fall far short of the effort applied in a cracker’s basement.
Continuous effort is necessary to ensure that employees remain aware of the importance of maintaining physical control of their mobile information. Policies governing physical control may include:
- Physically securing the device when it is not in use
- Sanctions for failure to maintain physical control of the device
Logical Access Controls
Logical access controls prevent unauthorized users from gaining access to any information resources, and prevent authorized users from gaining access to information for which they have no permissions. Logical controls include passwords, biometrics, and tokens. Regardless of the controls used, they should:
- Have minimal impact on end-user productivity
- Be reliable
- Be effective, with an ROI on their initial and ongoing deployment costs
An analysis of the various logical access controls is beyond the scope of this paper. However, the following principles are provided as a guide:
- Relying on strong, easy-to-forget passwords may be a mistake for your organization. Users often write down their passwords where they can potentially be accessed by unauthorized individuals.
- Establishing an effective account policy is crucial to a logical access control implementation. The policy should include:
  - Automatic password expiration, usually 60 to 90 days
  - A minimum password length
  - Password history to ensure that a password is not reused when it expires
  - A threshold of login attempts that when exceeded locks the user account, usually set at 3
  - An effective lockout duration that will deter brute force attacks
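The account policy items above, enforced in code. This is an added example, not part of the original article: the 90-day expiry and threshold of 3 follow the article's figures, while the minimum length, history depth, 30-minute lockout and all names are assumptions. It also shows why the lockout duration matters, since it caps the number of online guesses per day.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

# 90 days and 3 attempts come from the article's ranges; the minimum length,
# history depth and lockout duration are assumed values for illustration.
MAX_AGE_DAYS, MIN_LENGTH, HISTORY_DEPTH = 90, 8, 5
LOCKOUT_THRESHOLD, LOCKOUT_SECONDS, DAY = 3, 30 * 60, 86400

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    history: list = field(default_factory=list)  # (salt, digest), newest last
    changed_at: float = 0.0
    failures: int = 0
    locked_until: float = 0.0

    def set_password(self, new: str, now: float) -> str:
        if len(new) < MIN_LENGTH:
            return "too_short"
        # Password history: reject any of the last HISTORY_DEPTH passwords.
        if any(hmac.compare_digest(_digest(new, s), d) for s, d in self.history):
            return "reused"
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _digest(new, salt))])[-HISTORY_DEPTH:]
        self.changed_at, self.failures = now, 0
        return "ok"

    def login(self, attempt: str, now: float) -> str:
        if now < self.locked_until:
            return "locked"  # refused without even checking the password
        if not self.history:
            return "denied"
        salt, digest = self.history[-1]
        if not hmac.compare_digest(_digest(attempt, salt), digest):
            self.failures += 1
            if self.failures >= LOCKOUT_THRESHOLD:  # third consecutive failure
                self.locked_until, self.failures = now + LOCKOUT_SECONDS, 0
            return "denied"
        self.failures = 0
        # Expiration: a correct but too-old password must be changed first.
        if now - self.changed_at > MAX_AGE_DAYS * DAY:
            return "expired"
        return "ok"

def max_online_guesses_per_day() -> int:
    """Ceiling on guesses against one account: threshold x lockout windows."""
    return LOCKOUT_THRESHOLD * (DAY // LOCKOUT_SECONDS)
```

With these assumed values an attacker is held to 144 guesses per day against a single account; shortening the lockout duration raises that ceiling proportionally.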
Finally, it is a good idea to combine password controls with another access control, such as biometrics. This is known as two-factor authentication. If a password is compromised, the second control will help stop unauthorized use of system resources.
Personal Firewall
A personal firewall should not be confused with the hardware firewall that is commonly found on company network perimeters. Rather, it is a set of related programs “…installed and administered on end-user devices to protect a single Internet-connected computer from intruders” (Noakes-Fry & Diamond, 2004). The personal firewall acts as the first logical line of defense against penetration attacks. Some of the functions performed by a personal firewall are:
- To screen incoming traffic and block suspicious code
- To screen outgoing messages that could infect other company resources
- To prevent the unauthorized use of logical ports by hiding them from malicious code or human penetration attempts
Although I have separated antivirus and personal firewall software into two separate layers, most security software vendors provide solution suites that consist of both.
Antivirus Software
Malicious code attacks, including spyware, are the most common type of penetration into a company’s internal network. I provided a history of attacks against smartphones and wireless PDAs earlier in this paper. Like desktop and laptop systems, your handheld devices should run up-to-date antivirus software. In addition, you should strongly encourage your carrier to screen transmissions.
But no matter how up to date you keep your antivirus solution, there is always a delay between the time new malicious code is identified and when your software vendor provides an update. You can fill this gap with Host-based IPS.
Host-based IPS
There are two primary types of Intrusion Protection Systems (IPS): network-based and host-based. Network-based IPS protects the entire network or a network segment. Host-based IPS resides on and protects individual systems. In this model, we focus on host-based systems.
In an ideal environment, malicious code and unauthorized users are always denied access to handheld devices. In addition, the protections in an ideal environment prevent authorized users from destabilizing their systems as well as the network. But who works in an ideal environment?
Host-based IPS is a layer of protection that attempts to “catch” activities not blocked by the layers lower in the security model pyramid. These activities include, but are not limited to:
- Deleting files
- Moving files
- Copying files
- Installing executable files
- Registry modifications
- Denial of service processes
Version Management
An attacker can take advantage of one or more of the many publicly known vulnerabilities in the handheld device environment. Organizations that do not adequately update handheld OSs may face increasing costs associated with attacks that exploit these weaknesses.
Version management, as referenced in our model, is a set of policies, processes, and tools employed to ensure that all handheld devices are at the proper OS level. Processes include:
- Checking vendor resources for new OS releases
- Checking devices for current OS level
- Applying OS updates as appropriate
These processes can be very time consuming and expensive if your carrier is not responsible for OS upgrades, leaving you to perform them manually. Most organizations are prime candidates for one of the many centralized mobile management solutions available today. Attempting to manage the growing number of handheld devices across the enterprise without centralized control may result in costs higher than productivity gains.
Device Configuration
Training users to protect information on handheld devices is very important. However, companies must assist in this effort by locking down these devices through the use of centrally managed device policies. Device policies should be set in a system at the corporate office and automatically distributed and enforced. Policies managed in this way can include anything from forcing the use of passwords to controlling whether a device can connect at all. Policies you should strongly consider include:
- Forcing the use of a password to access the device
- Forcing the user to enter contact information so the device can be returned
- Ensuring that all devices require end-user authentication
- Shutting down any service not required for proper operation, including Bluetooth capabilities
- Controlling device configurations through the use of standard system settings that are locked to prevent modification
- Using the security features included in the operating system to restrict access to information, including encryption
- Erasing all data on a handheld device when certain conditions are met
- Automatic checking of each device to ensure it meets certain criteria, such as running antivirus software, before granting it access to the network
- Requiring wireless access to the company network only through approved, secure paths
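A sketch of the automatic pre-admission check described in the list above, combined with the OS-level check from the Version Management section. This is an added example, not from the original article: the record fields, platform names, version numbers, signature-age limit and path names are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed baseline: platform names, version numbers and limits are constructed.
MIN_OS = {"palmos": (5, 4, 0), "wince": (4, 21, 0)}
MAX_AV_SIGNATURE_AGE_DAYS, APPROVED_PATHS = 7, {"vpn"}

@dataclass
class Device:
    platform: str
    os_version: str
    password_required: bool
    bluetooth_on: bool
    encrypted: bool
    av_signature_age_days: Optional[int]  # None means no antivirus is running
    path: str

def parse_version(text: str) -> tuple:
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # "5.4" compares as 5.4.0

def violations(d: Device) -> list:
    found = []
    if d.platform not in MIN_OS:
        found.append("unmanaged platform")
    elif parse_version(d.os_version) < MIN_OS[d.platform]:
        found.append("OS below required level")
    if not d.password_required:
        found.append("no device password")
    if d.bluetooth_on:
        found.append("Bluetooth enabled")
    if not d.encrypted:
        found.append("storage not encrypted")
    if d.av_signature_age_days is None:
        found.append("antivirus not running")
    elif d.av_signature_age_days > MAX_AV_SIGNATURE_AGE_DAYS:
        found.append("antivirus signatures stale")
    if d.path not in APPROVED_PATHS:
        found.append("unapproved network path")
    return found

def admit(d: Device) -> bool:
    return not violations(d)  # network access only when every check passes

# Constructed sample records.
COMPLIANT = Device("palmos", "5.4.9", True, False, True, 1, "vpn")
STALE = Device("wince", "4.20", True, True, True, None, "open-wlan")
```

Returning the full list of violations, rather than stopping at the first failure, gives the help desk everything that must be remediated before the device is re-checked.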
Putting It All Together
Each of the layers in this model supports the layer below it. It is the implementation of different safeguards at each layer that provides effective protection. Is it necessary to implement all the layers? Not necessarily. What to implement and how much to spend on implementation is a business decision; a business decision that should be based on the results of a risk assessment.
A risk assessment takes into account the potential threats to the device, the vulnerabilities of the device, and the business impact in dollars of a security incident directed at the device. The following formula defines the relationship between these risk elements:
Risk = Threats × Vulnerabilities × Business Impact
The resources applied to minimizing risk should be proportionate to the level of risk. Resources should be applied to reduce one or more of the risk factors as close to zero as possible. So what is the best approach to mitigating risk?
Another consideration is the impact of security controls on performance. Make sure there is a balance between securing company information and the ability of users to productively employ handheld devices.
Threats will always exist. Organizations have little control over this factor. Business impact is relatively static. There are, however, many opportunities to eliminate or mitigate vulnerabilities. The effective implementation of the layered model will result in reduced risk by eliminating or reducing end-user device vulnerabilities.
It is unreasonable to expect that any organization can completely eliminate losses related to wireless handheld devices. But the reasonable and appropriate application of a layered security model should help reduce risk to an acceptable level.
Works Cited
Dulaney, K., Hart, T. J., Basso, M., Fiering, L., Jones, N., Chapman, J., Simpson, R., & Redman, P. (2004). Predicts 2005: mobile and wireless technologies. Gartner document G00123537. Retrieved March 4, 2005 from http://www.Gartner.com
Missing in Action (2005, March). Information Security, 8(3), 22.
Noakes-Fry, K. & Diamond, T. (June, 2004). Personal firewalls: technology overview. Gartner document G00121188. Retrieved December 19, 2004 from http://www.Gartner.com
Copyright 2005 Thomas W. Olzak. Tom Olzak, MBA, CISSP, MCSE, is President and CEO of Erudio Security, LLC. Tom can be reached at tom.olzak@erudiosecurity.com.