Nowadays, it seems like everybody has a PDA. However, as an inevitable corollary, it seems like everyone is eventually bound to misplace their PDA.
To help ease this pain, a rash of products on the market intend to keep PDA data backed up and confidential from unauthorized use in the event of loss or theft. These products can indeed increase security. However, the best and most often overlooked defense against data loss remains common sense, manifested in a well-instituted business security policy.
Over the last four to five years, PDA use and functionality has evolved tremendously. Clearly, the PDA no longer poses as a replacement for the leather-bound address book. Instead, a more fitting categorization would be mini-laptops, with PDAs including such features as multi-color displays, powerful processors, cell-phone integration, seamless desktop synchronization and custom applications. Businesses, capitalizing on this increased functionality, and knowing that 60 percent of their workforce will be mobile in 2002 (Forrester Research), now deploy PDAs on a wide scale. Using a PDA, employees increase efficiency, connectivity, and productivity.
However, as ownership becomes commonplace and usage becomes second nature, the information held on PDAs becomes more and more sensitive. In terms of personal data, users might input credit card information or ATM PIN codes. Even worse, from a business standpoint, small and easily lost PDAs might contain corporate databases, the boss' home address, passwords, network configuration data, meeting notes, customer lists, and/or connections to corporate email. This presents a daunting task, especially when considering that analyst firm Gartner estimates more than 250,000 cell phones and PDAs were lost at airports alone last year. The estimated business cost of these lost PDAs: $2,500 per unit because of the expense of compromised proprietary data. In addition to loss, businesses must also worry about theft and momentary misplacement that leads to unauthorized use. The bad elements of society ensure that as PDA data sensitivity increases, so will attempted attacks and intrusion.
Because of this potentially damaging loss or theft of confidential data, businesses should take great care in protecting business-issued PDAs (as well as personal PDAs allowed to synchronize with business data). Several software solutions seek to assist in solving this problem. Available solutions include:
- On-demand encryption/decryption of files and applications. Encryption options include 128-bit AES, 512-bit Blowfish, Twofish, RC4 and TEA.
- Record hiding and masking.
- Password protection based on the MD5 hash algorithm, so that the actual password is not stored on the device.
- Extended password key functionality to include button taps and other gestures instead of just letters and numbers.
- Dynamic biometric signature recognition for PDA authentication and access, tracking not only signature graphics, but also signature speed, stroke order, stroke count and pressure.
- Required password for infrared/cabled synchronization.
- The ability to wipe data if the PDA is not hot synched within a certain period of time.
- The ability to wipe data if the wrong password is entered repeatedly.
Installing any of these security programs reduces the probability of confidential data loss if unauthorized users gain access to a PDA. However, none of these programs can guarantee total security, so relying on them 100 percent would be a mistake. Sometimes, simply executing a soft reset can bypass the password locking programs. Operating system-level shortcuts, trap doors and backdoors also exist that may undermine security software effectiveness.
If these workarounds fail, intruders can always turn to free and easily downloadable program hacks, which frequently get re-engineered and refined to stay up-to-date. Basically, a skilled intruder can hack into almost any PDA if they set their mind to it, no matter what programs exist on the device. Until someone invents a combination fingerprint/DNA reader for PDA access, no program can guarantee total security.
Other factors, such as user operation, can also limit the effectiveness of software programs. What good is a password protection mechanism if the password chosen is simple and easily guessable? Aside from using basic passwords, users may also inhibit programs that interfere with seamless operation by opting to disable them. Sometimes, they may even disable a program unintentionally by not shutting down in a predefined sequence.
Clearly, a PDA security program based strictly on software results in several weaknesses and vulnerabilities. The best strategy compliments security software with a sound security policy. This 'defense-in-depth' approach minimizes weaknesses and reinforces strengths. When instituting a PDA security policy, businesses should think about and incorporate the following:
- Password standards. If users hold sensitive information on their PDA, consider enforcing 7-character minimum length passwords with necessary mixtures of letters and numbers. This will make it harder for intruders to guess a password without the assistance of computer programs.
- PDA insurance. Consider buying insurance for PDAs if your company supports large deployments and experiences frequent losses. Insurance might be more cost-effective than replacing each lost device.
- Track and tag the devices. In this respect, treat PDAs like desktops and laptops, properly labeling and keeping records of them. Knowing who has what helps with storage and distribution, and as a side benefit enables tracking down a PDA when employees leave the company.
- Display contact info on the opening screen. Requiring employees to display their contact information will help to recover some lost devices. Good Samaritans exist, and having easily viewable contact information will assist in the expedient return of PDAs to their owners. Also, if the PDA has a case, encourage employees to include a business card with it. This facilitates PDA return even if the finder doesn't feel comfortable powering on the PDA. According to estimates by the analyst firm Gartner, companies with more than 5,000 employees could save between $300,000 and $500,000 annually by tracking, tagging, and providing contact information on PDAs and mobile phones.
- Define standard security software. Determine the necessary default programs and install them before issuing each PDA. If only some PDA users will have access to confidential information, consider dividing the users into groups and separately defining necessary security software for each. This makes security a business-level issue and places the software decision-making capability where it should be.
- Personal PDA policy. If employees have their own PDAs, will the business allow synching with work computers? Is the standard business security software compatible with personal PDAs that use a different operating system?
- Define synch limits. Can all data get downloaded to PDAs, or only specific files and folders?
- Consider firewall reconfiguration. If employees will use the PDA for wireless connectivity to the corporate network, consider installing extra protection. Reconfiguring or installing a firewall at the points where a PDA might upload or download information is critical.
- Make an employee contract. Set your policy, and distribute it among employees to read and sign. If you deem necessary, include the right of the business to inspect and audit PDA contents at will. This will help to ensure maximum adherence to policies.
Creating and instituting a security policy that includes PDA guidelines helps a business to properly emphasize PDA security. A well-planned policy frames and manages the overall security posture, mapping out strategy and minimizing vulnerabilities. Security software should be an integral part of a policy, but the software itself is only part of an overall sound security program.
Oba McMillan, CISSP, is executive vice president of Tetrad Digital Integrity LLC (www.tdisecurity.com).