Protect Your PDAs, PDQ!

You know about security for networks and laptops. But what about security for hand-helds? What? You don't have a plan?

Sometimes you want people to look at your stuff; sometimes you don’t. When you’re trying to sell something, you want people to read about your wares. If you have secrets, though, you want to keep them. But there are also times you might allow strangers a closer look—for instance, allowing bag inspection at the airport or financial inspection by the IRS. Even though you may not want to expose things considered private, the law may force your hand.

The point here is that we all make choices about what we expose and when we expose it. When I travel now, I don’t pack anything in my carry-on bag that, if examined in public, would embarrass me. On the other hand, I do wear brightly colored toe socks (in case I’m asked to take off my shoes) and wild T-shirts underneath my coat. It makes the routine searches less of an intrusion into my privacy, and I usually get a smile out of the otherwise serious airport security guards.

But even though my bags and I are subject to inspection, my Pocket PC still keeps its secrets. Does yours? I’m talking about the data sitting on your Pocket PC or Palm device. What’s keeping it private? And what’ll happen if someone steals your Pocket PC? Where does the data go when you lose it? Yeah, yeah, I know—it’s just a bunch of addresses and a calendar. Harumpfh! Whose addresses? Your customers’? That’s not valuable, is it? Whose calendar? Maybe you think your schedule would be of no consequence if it were lost—but what about the schedules of your C-level executives?

They’re Everywhere!
Jolt. Yep, something to think about. Contemplate this: Those tiny digital notepads are used for more than personal data. They’re clients for patient databases, information collection front-ends for warehouse inventory, and gateways straight into your corporate networks. And they’re stolen, lost and abandoned around the world in frightening numbers. No one knows how many, but we do have projections on the total numbers of devices available: IDC says that 4 million have been shipped so far, and it estimates that 6 million will be available by 2004. What’s more, they’re not the only devices to worry about. Some projections claim that by the end of this year there will be millions of Internet–enabled mobile phones sucking data into the palm of someone’s hand. Others provide estimates of 20 million PDAs and handheld devices, and 1 billion handheld computers and mobile telephones with wireless connectivity by 2003.

Ask most people—including vendors—about security for Pocket PC or Palm, and you’ll probably hear about the power-on password and Virtual Private Network (VPN) client. They don’t tell you about the maintenance backdoor. (Palm had one once. Can we be absolutely sure that no PDA is free of them now?) Vendors don’t remind you that a single password is lightweight protection or that an estimated 50 percent of PDA owners never turn it on; they don’t warn you about unauthorized IRDA or Bluetooth connections or unauthorized PDA-to-PC synching. Their job is to sell products, not tell you what’s lacking in them. Your job, on the other hand, is to make sure that whatever platforms your organization chooses to allow, they’re managed with the appropriate level of security. What’s appropriate depends on many things and should be an official management policy.

There are many areas of concern with mobile devices, and it might be time to review—or write—your security policy for handhelds. My recommendations are in italics, followed by some solutions that can fulfill that policy. Other ways to improve the security of your PDAs can be found at www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/ mobile/maintain/MBLSECUR.asp.

You’ll want to adjust this policy for your unique operation, declare products as standard and add implementation procedures.

Physical Protection
 Handhelds should be physically secured. The level of security depends on the role the handhelds play and their location.

These things are so small, yet so powerful—and so powerful a target. The first line of defense is to protect the handheld from theft and loss. Few options exist for that. Unlike most laptop computers, handhelds aren’t manufactured with a security slot. Ordinary laptop locks are useless. Two companies produce appropriate physical PDA-connected locking devices, but they’re not available for all PDAs.

Kensington (www.kensington.com), markets the Kensington PDA Saver, a six-foot galvanized steel cable, lock and connector that attaches to the stylus slot on the PDA. You can still use the PDA when it’s secured. Unfortunately, it’s only compatible with Palm Pilot, Palm Pilot Pro, Palm III series, Palm VII series, Handspring Visor, Handspring Visor Plus, Symbol Tech SPT 1500, IBM Workpad and IBM Workpad Companion. Check the details; some warn that it’s not effective with some models of Palm Pilot. It’s not available at the Kensington Web site anymore, but you can find it at www.pdamart.com/kenpdaseclea.html.

Force (www.force.com) sells “The Bond,” a small device that attaches to the base of a Palm III, Palm IIIX, Palm VII, IBM WorkPad PC Companion and Symbol Technologies’ SPT-1500. Once attached, the device provides a place to attach commonly available locks, lanyards and other devices. The site doesn’t advertise it as a security device, but having the ability to attach a lanyard provides some security against loss. And being able to lock the PDA to the desk is more effective than no lock at all.

Organizations should evaluate these devices for the protection they may provide and their application in a specific environment. It’s important, though, that users don’t see a lock as the end-all in handheld security. Locking devices for laptops and PDAs are inhibitors but aren’t designed to resist a planned attack. Cable cutters can certainly make mincemeat out of most provided cables, and a determined thief can even destroy them with toenail clippers.

Those locks were for Palm and related devices, but Pocket PC owners need to lock their PDAs, too. Until someone figures out that there’s a market here, you can use more traditional methods of protecting the device. Try locking it in your desk drawer, suitcase or hotel safe.

Registration can also be effective. You can obtain registration plates and stickers from several sources. Registration services range from simple “Here’s-a-sticker” deterrents to more exotic, expensive techniques. They include individualized offline recording of each handheld’s unique registration number and the use of tamper-proof plates and labels like those from the Secure Tracking of Office Property (STOP) method offered by the company Australian Project (www.austprojects.com.au/stop.htm). Most of the bar-coded labels provided also have toll-free numbers. If your handheld is found by honest individuals or recovered by police, you’ll get it back. Some registration databases will also provide you with documentation from their databases for insurance purposes (think major catastrophe that wipes out an office and destroys all your computer equipment). While these tags don’t prevent a thief from snatching the device, some insurance companies quote statistical evidence that tagged items are much less likely to be stolen.

Finally, if you use external storage of any kind, also consider the value of the data on this storage and physically protect it.

Access Control
 All handhelds should use power-on passwords and/or devices and software designed to prevent unauthorized access and usage.

While the power-on password isn’t adequate for all implementations, it’s a start. One thing’s for sure: If it’s not used, it’s not doing any good. To go beyond the basics, you can use two-factor authentication like RSA SecurID (www.rsa.com), the Digipass Pro from Vasco (www.vasco.com) and many smart cards. Another option, from Authentec (www.authentec.com), is a tiny fingerprint reader that easily fits on the handheld and doesn’t require external devices. In addition to providing better access control, some of these solutions also offer digital signatures, with encryption based on the password. Others add more unique services.

F-Secure’s FileCrypto for Pocket PC Enterprise Edition allows three tries at its PIN-based authentication process. After this, a passphrase is requested. Failure to enter a correct passphrase locks the device. Only a master key, produced during installation, can be used to unlock the system. F-Secure Key Manager provides centralized key creations and storage of backup keys. This also provides recovery of encrypted data should the user forget the passphrase. A Personal Edition is also available at www.f-secure.com.

One innovative product will delete all the PDA’s data if the Access Control function is attacked. For more information, look at PDA Defense (www.pdadefense.com). This tool can also cause your PDA to self-destruct if it’s not synched within a certain time frame and can’t be bypassed by a soft reset. Such programs can be set to wipe the system if a certain number of incorrect attempts at entering the password is made. While this may seem a drastic move, I’m not recommending it for every casual user. But what if the PDA belongs to George Bush?

Protection from Malicious Code
 Anti-virus protection should be extended to handhelds, along with the use of handheld-specific anti-virus programs and sound, enterprise-wide anti-virus action.

Handhelds haven’t been targets of massive malicious code attacks. Perhaps it’s because the attack surface is smaller (there’s no macro language for Pocket PC, for example, as the OS is much different), and perhaps the target isn’t sexy enough. In a quick search, I found only two reported cases of PDA-specific malicious code. No one thinks that will be the case for long, and it’s widely believed that the current danger is that handhelds may be targeted as unsuspecting vectors. The fear is that they’ll transfer a Windows or Linux virus from some source to another. Perhaps they’ll download it from a Web page and place it on the desktop when synching, or it’ll be transferred when other communications are consumed. Two widely known products can help.

VirusScan for Pocket PC from McAfee (www.mcafee.com/myapps/vsw/handscan/ov_pocketpc.asp) works by scanning your PDA’s files when you synch with your computer.

F-Secure’s Anti-Virus for Pocket PC resides on the device for local protection. Local storage can be scanned at startup, auxiliary storage upon insertion. Updates are pushed to the device from the user’s PC or can be downloaded via a wireless connection such as WLAN, Bluetooth or a GSM/GPRS phone.

On-board Data Protection
 Critical data should be erased if access control mechanisms are under attack or damaged. Sensitive data should be protected by encryption, and non-sensitive data should be optionally protected by encryption.

Several encryption programs exist. They can be comprehensive and encrypt all data or be set for specific databases on the device. They can be automatic or under the control of the user. Different software works in various ways, from decryption of specific data when accessed, to on-demand with password entry for each decryption. Some software automatically begins to encrypt decrypted data if the system is idle for a predetermined length of time.

Note: I’ve used the terms critical, sensitive and non-sensitive to describe different policies for different types of data. You should substitute your meaningful data classification terms in the policy. I’ve deliberately refrained from using the typical government terms for classifying data to emphasize that all organizations—not just governments—should differentiate sensitivity levels and write policies accordingly.

You should also ensure that data kept on external storage is protected by encryption. Neither of the previously mentioned locking devices has any means for preventing the removal of storage cards or other attached external storage media. Encryption products include standalone products and those that are part of a larger security suite:

Sentry (www.softwinter.com/sentry_ce.html), a file encryption product for Pocket PC, fits into the stand-alone category.

F-Secure’s FileCrypto automatically encrypts data and decrypts as needed—without user intervention. FIPS (Federal Information Processing Standards)-certified encryption of data on memory cards, microdrives and other auxiliary storage is also supported.

Certicom’s movianCrypt provides 128-bit data encryption, as well as password authentication. There’s also a government version at www.certicom.com/products/movian/moviancrypt.html.

Data Transfer/Connection Protection
There are several connection issues to consider: connections for synching, wireless connections for data transfer, local area network connections, and external or untrusted network connections. Of these, only the synching concept is unique to PDAs. In addition, the need to protect data in flight is shared with other devices.

Synching, Wireless Data Connections
 Handhelds should be protected against unauthorized synching. “Beaming” or other data transfer via wireless means must be secured or disabled.

Because synching and other forms of data transfer via wireless means is now accepted practice, give thought to potential attacks. For example, if an inbound data transfer requires the user to give permission, he or she might not understand what that means. Users of handhelds, just like users of PCs, may click “OK” to get rid of annoying or unrecognized pop-up messages.

PDASecure Enterprise (www.trustdigital.com/prod16c.htm) can stop unauthorized synching via password protection. This product also has the ability to create unique policies for each user and push security to their PDAs. Encryption, lock after power off and other features are available. There’s a matching desktop product called ForeverSecure.

External Connections and Protecting Data in Flight
 External connections to company networks—via Internet, dial-up and other untrusted network—should only be allowed through an approved VPN or Secure Sockets Layer (SSL). LAN connections require authentication and other protection as determined by the application.

Software abounds to permit PDAs to connect using VPNs and enable SSL. Still, not all organizations require such connectivity. What’s more, data should be protected while in flight. Which applications require which type of protection should be determined irrespective of client device. Thus, if a connection’s approved for access from the Internet, the next decision is whether the access and data transfers should be protected via a VPN, SSL or some other means. This is then followed by a decision on whether a PDA can meet the client-side requirements—not just in regard to capability, but also in regard to suitability and securability.

One potential solution to the secure network access issue is the use of Microsoft Mobile Information Server (www.microsoft.com/miserver). This product supports standard security protocols, including PPTP VPNs, wireless transport layer security (WTLS) and SSL. MIS also supports hop-by-hop encryption and IPSec encryption between MIS Enterprise Edition and MIS Carrier Edition.

In a typical installation, MIS sits on your network and serves as the carrier interface. Your clients connect to the carrier that, in turn, connects to MIS. Client access to your network is controlled by MIS. MIS also offers unique client models for managing two secure deployment issues.

First, having a corporate account on the client can mean that a client compromise would equate a network compromise.

Second, many handheld devices make it difficult to enforce strong passwords. Entry of long, alphanumeric passwords isn’t easy and may not be possible. If shorter, weaker passwords are allowed, changing the password policy for the entire domain will weaken all access controls, not just wireless.

MIS mitigates this vulnerability by providing alternative-user account scenarios. In each, unique accounts are used and, thus, access permissions can be tightened to reduce a user’s access when working from these devices. In one scenario, an auxiliary wireless account is created in the same domain as the user; in another, a separate account is created in an auxiliary domain. A third scenario creates a special Access user account in a separate forest. A number of other security-related functions are available.

Usage Definitions and Data Decisions
Handhelds used for business purposes should be owned and managed by the business. Handhelds should be used for business purposes only.

It’s far more difficult to enforce security on privately owned devices. Users tend to assume ownership grants them privileges as to the configuration of the device, as well as the data it may or may not contain. In addition, significant legal hurdles stand in your way if you suspect improper use of company data.

On the other hand, company-owned devices can be required to follow strict configuration and usage policies and can be reclaimed (along with the company data) for breach of policy or at employee termination.

 Users who are issued handhelds should be required to follow the appropriate security policies and protect the device, its data and its connections at all times. Failure to follow policy can result in recall of the handheld and disciplinary action, including dismissal.

 Each application must be reviewed to determine if the handheld is an appropriate or secure place for data location.

It’s time to determine where data can best be protected. In many cases, it may be best if data is centrally located and accessed by—not downloaded to—the handheld. Best-practice examples are those where client connections allow access to patient data or other personal data. The U.S. HIPAA (Health Insurance Portability and Accountability Act) laws require stricter control of patient data. In Europe, strict privacy laws may involve prosecution of the individual responsible for allowing access to personal data.

Awareness Training
All employees should be required to attend or otherwise meet awareness-training objectives that address both the security issues and company policies, as well as provide up-to-date education and information on best practices for handheld protection.

It’s not enough to just have a policy in place, nor administrative or technical enforcement of that policy. Employee buy-in of the goals of data protection and device loss prevention must be a major objective.

Featured