Worried about security
issues? Who isn’t? Automatically
sign up for our free Security Solutions newsletter, delivered each Friday,
and get hands-on advice for locking down your systems.
Even though the IT industry buzzes with talk of the wonders
of wireless, mobile computing isn’t going to replace the corporate desktop
anytime soon. However, that doesn’t mean your organization shouldn’t start
preparing to embrace elements of wireless technology.
For example, personal digital assistants (PDAs) are among
the hottest and most requested services among busy executives. While these
devices do help boost productivity, they also introduce a significant—but manageable—risk
to the security of any network.
The most common PDAs run Palm OS, Microsoft Windows CE, and
Java-compatible platforms. But unlike earlier PDAs, these devices do more than
just take notes; they also provide wireless links to office e-mail and file
servers, making your corporate data all the more vulnerable.
Unfortunately, many organizations overlook this growing
vulnerability. It’s important to be aware that attackers have written and
deployed several hacks and viruses to take advantage of the general lack of
security measures implemented during the deployment of these devices. Let’s
look at how your organization can lock down its mobile devices against would-be
When it comes to mobile security, perhaps the most important
security measure you can apply is common business sense. Start by asking this
question: “Is there a business justification tied to the deployment of
If no one can present a true business justification, then
there should be no IT support for such devices. You should then treat these
PDAs as unauthorized devices and take steps to prevent users from installing these
rogue devices on the network.
Of course, there may be a strong business justification for
allowing PDAs on your network. If so, your next step is to implement additional
security measures to help protect these mobile devices. Let’s look at some of
your best bets.
If the PDA supports encryption, then, by all means, use it. PDAs are accessing
your company’s information, and you need to make sure to safeguard it. If the
device doesn’t support passwords, it doesn’t belong on your network.
Educate PDA users about security best practices, and urge them to be vigilant
about e-mail and attachments. While they should know better than to open
unexpected e-mail from an unknown source; you must enforce this rule particularly
when it comes to mobile computing platforms.
If the mobile device is capable of e-mail, then it needs to be capable of
loading some type of antivirus client software. You don’t allow workstations or
laptops to operate without antivirus software—don’t make an exception for PDAs.
Because PDAs are wireless-capable and spend time connected to internal
networks, treat them as DMZ devices by implementing a workstation firewall.
When a user connects to your organization’s LAN using a PDA, a workstation
firewall helps ensure that they can’t spread any infection to their
workstations and the rest of the network.
Beware of unsigned mobile
The most dangerous hacks and viruses for PDAs use unsigned executable code. All
reputable software vendors use licensed versions of software developer’s kits
(SDKs) and sign their code with a public key and information about the author.
You can defeat most of the malware targeted at your PDA
users by disabling unsigned code through a policy and training users not to
click through warnings about unsigned code.
Mobile computing devices have earned their place on the
corporate network. However, organizations can’t allow users to treat PDAs as
toys. They are powerful computing platforms that demand the same protection as
any machine that spends time on a public network and returns to the corporate
Treat PDAs like laptops, and use policy and software to
protect your network from potential problems they might introduce whenever
possible. And, as always, train users on how they can minimize security risks
when using these devices.
Mike Mullins has
served as a database administrator and assistant network administrator for the
U.S. Secret Service. He is a network security administrator for the Defense
Information Systems Agency.