Security Basics for PDAs and Handheld PCs

by Laura Taylor

So many employees own these handy devices, but when they start connecting them to the company network, it's time to set ground rules to keep your data safe.

Even though most companies — both large and small — don't provide PDAs to their employees as industry forecasters once predicted, many people frequently use their personal devices as work tools, often connecting them to the company network.

If your organization hasn't considered PDA security before, this is the time to do so. As often-forgotten pieces of the security infrastructure, PDAs can both transmit and receive viruses.

PDA Security Concerns
If you plan to let your employees use PDAs and connect them to company desktops, you should absolutely institute security policies and hold the employees accountable for compliance. Security policies describe rules of behavior and configuration guidelines that employees and administrators must follow.

Without them, it's hard to hold people accountable. In fact, if you don't provide your employees with any security guidance for their PDAs, you can't expect them to even consider the security issues.

PDAs and smartphones share many of the same vulnerabilities that affect laptops. The most predominant vulnerabilities include:

  • Viruses, Trojans and worms
  • Theft of the physical PDA device
  • Data theft
  • Mobile code exploitation
  • Authentication theft
  • Wireless exploitation
  • Denial of service attacks
  • TCP session hijacking

While they are more likely to be virus carriers than targets of directed attacks, PDAs can be identified and attacked by hackers through automated port scans.

Though the likelihood of a directed attack may not be high now, as Wi-Fi and CDMA (cellular) wireless access becomes more available, these types of attacks will likely increase. When used in standalone mode and not connected to any type of network, PDAs are not vulnerable to direct attacks.

Device theft poses one of the biggest security risks with PDAs. Thieves are probably more interested in the device for their own use than in obtaining the data.

Still, any sensitive data (classified information or proprietary trade secrets) should be encrypted. While most PDAs don't come bundled with encryption software, you can purchase applications that will encrypt just about anything.

TIP: If you want to increase the chance of someone returning a lost PDA, put your phone number in a visible location on the outside of the device. If your PDA or smartphone is password protected, no one else can use it. That fact, combined with the phone number, might be enough to motivate someone to give it back.

PDA Safeguards
Fortunately, you can easily find products that can strengthen PDA security in a variety of ways. Make certain you install bit-wiping software if you keep classified or highly sensitive information on the device.

In the event that you lose your PDA, if someone inputs the wrong password, or if the PDA is not synchronized within a certain timeframe, the software automatically erases the data. No one should use bit-wiping software lightly, since it's possible to delete your data permanently.

PDAs operate in "always on" mode, and if you own a Wi-Fi enabled PDA, you could transmit data to wireless access points unknowingly. MobileCloak makes an electronic shielding bag to put your PDA in to prevent wireless transmission leakage.

Anti-virus vendors have created versions of their products for PalmOS and PocketPC operating systems, along with a handful of VPN clients, too. You can also find various encryption solutions, authentication products and firewalls. We list some of the better-known PDA security products in a chart on page two of this story.

PDA Security Policies for Businesses
Here's a sample of basic PDA policies that you may want to enforce at your workplace:

  • PDAs connected to company equipment must be password protected
  • The wireless port on PDAs must be disabled
  • All PDAs must have installed anti-virus software
  • PDAs must be scanned for viruses prior to connecting to the company network
  • PDAs cannot connect to the corporate infrastructure using any wireless means unless the traffic is transmitted through a secure, remote-access VPN
  • Storing sensitive corporate information is not allowed unless it is encrypted
  • PDAs must have the latest security patches installed on their operating system
  • PDAs that contain classified information must have automatic bit-wiping software
  • Password enforcement software must be installed on all PDAs that connect to company equipment

PDA Security Lowdown
PDAs and smartphones can increase productivity, and businesses should not discourage their use.

However, it's important to make sure employees understand the inherent security risks these devices pose.

Publishing PDA security policies on the corporate intranet — and periodic reminders to read these policies — will educate your employees on the acceptable use of PDAs within the company. At the same time, these rules will hold them accountable for security lapses.

Finally, don't assume that your employees understand the security implications. Businesses should articulate clear guidelines for the safe usage of PDAs.

| Product Type | Product Name | Company | URL |
|---|---|---|---|
| Anti-virus, encryption, and authentication solutions | FileCrypto, SSH, Anti-Virus | F-Secure | www.f-secure.com |
| Anti-virus & logging | Security for PDAs | Kaspersky | www.kaspersky.com |
| Anti-virus & logging | Anti-virus for Handhelds | Symantec | www.Symantec.com |
| Database security and authentication | Cradle Robber and ALP | Denton Software | www.dentonsoftware.com |
| Electromagnetic shielding bag | mCloak | Mobile Cloak | www.mobilecloak.com |
| Encryption | CCrypt | Freeware Palm | www.freewarepalm.com |
| Encryption and authentication solutions | Pointsec for Pocket PC, Pointsec for PalmOS | Pointsec | www.pointsec.com |
| Encryption, password protection, hotsync protection, bit wiping, VPN client | PDA Secure | TrustDigital | www.trustdigital.com |
| Firewall | Mobile Firewall Plus | Bluefire | www.bluefiresecurity.com |
| Forensics | PDA Seizure | Paraben | www.paraben-forensics.com |
| Password enforcement, hotsync security and IrDA port security, bit wiping, database security | PDA Defense | Asynchrony Solutions | www.asolutions.com |
| VPN | VPN-1 SecureClient | Check Point | www.checkpoint.com |
| VPN and encryption | MovianCrypt, MovianVPN | Certicom | www.certicom.com |
| VPN gateways for PDAs | VPN 3000 | Cisco | www.cisco.com |

Adapted from smartphone.com.

This article was originally published on Friday Aug 27th 2004