Securing your corporate data
Once upon a time, all the ever-beleaguered network administrator had to worry about in terms of mobile computers was the laptops that executives and salespeople used. But today, mobile devices continue to proliferate and evolve as computers, cell phones, MP3 players, PDAs, and other productivity devices converge. Most mobile devices now have computer-like features, such as Web browsers, file storage, and email. The wireless PDA market alone grew by 34 percent last year and is expected to grow even faster this year. Research in Motion's (RIM's) Blackberry, Palm's Treo, HP's iPAQ, and other similar devices are starting to have almost as much power as a laptop. Given these devices' small size and increasing ability to process and store larger amounts of information, they are presenting a challenge to IT security administrators who are trying to keep corporate data inside their company.
The scary thing is that almost all of these handheld devices have wireless access to the Internet, whether 802.11, Bluetooth, or cellular. Some cell phones are even assigned a temporary IP address while connecting to the Internet (talk about scary!). A user of such a cell phone could download data from your network (using Bluetooth), then walk out the door with company data stored on the phone. Even within a building, handheld devices pose more of a risk than a desktop does. These devices are so small that it's very easy for someone to take a PDA from an employee's desk or yank it out of a cradle and drop it into a pocket. And because these devices are becoming even smaller, users are more likely to misplace or lose them. You can transfer data to handheld devices using short-range wireless (Bluetooth) or infrared (IR) technology, neither of which is a secure technology (for more information about Bluetooth security, see the sidebar " Bluetooth Blues,"). Finally, users can store large amounts of data on their devices, meaning gobs of corporate data can exit the building on an employee's PDA. (A 1GB Synchronous DRAM—SDRAM—card the size of my thumbnail costs about $79 these days.) All this means trouble for the network administrator trying to keep his company's data out of harm's way.
What can you do? One thing you can't do is stick your head in the sand and hope PDAs go away. Wi-Fi (the 802.11b wireless standard), Internet access, and other nascent technologies have let the genie out of the bottle, and mobile technology is here to stay. Which means you have to come up with strategies to maintain data security.
Securing Mobile Computing Devices
Because cell phones and PDAs have begun to operate like desktop computers, they should be treated in the same manner as desktop PCs and laptops, as far as security goes. First, consider the different types of stored data (e.g., contact lists, passwords, data files, and email) and how a user accesses and uses this data. Keep in mind that each type of stored data comes with its own risks and possible security countermeasures. Your security options may also differ from device to device.
Contact lists. Executives or sales representatives that have a cell phone or PDA typically store on the device phone numbers and contact information that is valuable to a corporation. (Imagine the phone numbers on a movie studio executive's cell phone.) In the latest version of Palm OS, you can mark contact records as private and opt to make the selected private records hidden (not visible from the screen) or masked (marked with a grey placeholder and a lock icon). Once a record is marked private, you can't see or select it until you enter the correct password. Marking records as private provides some level of protection if the device is lost. For Windows Mobile-based PocketPCs and Windows Mobile OSs, a number of third-party solutions secure contact lists: for example, DeveloperOne's CodeWallet Pro. You need to determine whether your users' contact lists warrant this additional layer of security.
Email. Email can contain details about sensitive conversations or corporate negotiations. Also consider that a user might attach a big proposal, a pricing sheet, or some type of employee data to an email message. One strategy you can implement is limiting employees from using mobile devices to send email with sensitive company data. However, you might encounter criticism for such a plan because sending email is one of the most popular uses for mobile devices. A fallback measure might be to forbid users to download email attachments to mobile devices. You can configure such a limitation on most devices, and it usually isn't considered inconvenient for users because attachments are slow to download.
Voicemail. If someone steals a PDA phone or cell phone, he or she can easily access the voicemail Inbox and listen to saved messages. Many cellular providers offer little or no security protection for voicemail Inboxes, and even provide convenient one-button access to them. Have users password-protect their voicemail Inboxes, and encourage them not to store passwords on their one-button access configuration.
Pictures. Although most pictures that users store on mobile devices are personal, I've seen devices used to photograph whiteboards, product prototypes, and other company resources. You might also run into users who store inappropriate images on their phones and show them at work. (Yes, there is PDA porn available, not to mention the potential prurient uses of built-in cameras.) Some companies, and countries, actually forbid the use of camera phones, but enforcement will become more difficult as the camera feature becomes standard on cell phones. For now, you might want to enact a policy to restrict use of mobile phone camera features at work.
Passwords and account numbers. Today, many people are required to recall a growing number of secret codes (such as passwords, credit card numbers, alarm codes, and safe combinations). Storing your passwords on a desktop computer means they won't be available if you need them while you're roaming around a building or working off site, not to mention the possible threat of electronic theft. And putting passwords on paper (and not secured under lock and key) is always a bad idea.
Keyring for Palm OS is a free utility that lets you keep sensitive data on your PDA so you can carry your "little black book" wherever you go and still keep it secure. This program provides triple-DES encryption using a 112-bit key derived from your password. If you are always at a loss when you need to choose a new, unique password, Keyring includes a handy password generator that provides a password that complies with the Federal Information Processing Standard (FIPS) 181 standard for automated password generators. The password generator even offers the option to generate a random password that is pronounceable. This makes it easier to remember, even if it's not a dictionary word. For more information and to download Keyring for Palm OS, go to http://gnukeyring.sourceforge.net
Windows-based PDA users can download a free program called Kee-Pass to store important passwords and codes on their devices. This program provides essentially the same functions as Keyring for Palm OS but has some other nice features. KeePass also runs on your desktop, so you can access your codes from your desktop or your PDA. It also lets you export password lists to different file formats for easier reading and imports comma-separated value (CSV) files and other formats, such as CodeWallet Pro's. KeePass uses the Advanced Encryption Standard (AES) and the Twofish algorithms to protect stored data. To download KeePass, go to http://keepass.net/index.php?news
Data files. People often use PDAs and portable storage devices as removable hard disks. Trek's Thumb-Drive (aptly named because these devices are about as big as a thumb) is a family of popular storage devices that make it easy to store data that you want to transport to another location. Although a Thumb-Drive is not a computer, it poses a special danger because it's so small and because you can plug it into a USB port on any computer. Some high-security government facilities have gone as far as to ban the devices altogether and actually make visitors empty their pockets at entrances to prevent these tiny devices from entering the facility. You don't have to go to that extreme, but you can put limits on what people can do with small peripherals and devices by configuring Group Policy settings on systems with Windows Server 2003 Service Pack 1 (SP1) and later. You can also develop a company policy that specifies what types of data your users can store on these small devices. If you or the company you work for has an information security policy with different security classifications for different types of documents, you can use those classifications as the basis for the policy. For example, the information security policy at your company might specify that you can store public data on your handheld device, but you can't store confidential or employee information. You can also encourage people to use safe methods to transfer files, such as by accessing your company's LAN through a VPN.
If you're a security-conscious systems administrator and want to access your remote servers without lugging a laptop around, TuSSH (for Palm OS 4.0 and later) lets you do it in total privacy from your PDA. TuSSH is a client for Secure Shell (SSH) that lets you connect to your servers through an encrypted tunnel (as long as the servers are running SSH). For more information about TuSSH for Palm OS, go to http://www.tussh.com
Here are five best practices for using mobile devices securely in a corporate environment.
Develop a mobile device policy. Develop a clear security policy for handheld devices and make sure employees are informed about it. The policy should include the following items:
- A statement about whether handheld devices can be used to access and save company data. The policy should require employees to register with the IT department any handheld devices that can be used to store company data or synchronize with a company computer, so IT can track their use.
- List the types of employees who can use a handheld device to access and store company data. For example, maybe salespeople in your company can use PDAs but accountants can't.
- Describe the type of data users can store on handheld devices. For example, perhaps users can store contacts but not application data files.
- Specify a minimum level of security that users should configure on their handheld devices. Ideally, each device should be provisioned through IT.
Run antivirus software on each device. Because handheld devices can synchronize with PCs, they can spread viruses within your organization just like PCs can. Although there have been very few PDA viruses to date, the danger will certainly increase as computing capabilities grow on these devices. Therefore, antivirus software should be loaded on mobile devices. Both McAfee and Symantec make antivirus software for Palm OS, Windows Mobile, and Windows Mobile-based Pocket PCs. McAfee VirusScan PDA Enterprise 2.0 provides enterprisewide management, unlike other vendors' products which treat PDA support as an afterthought.
Password-protect devices. If users store more than contact lists or email messages on their PDA, they should password-protect the PDA functions on their device. Most device OSs can lock PDA functions upon power-on and require a password to access any function. Users might complain about this, but if they lose their PDA, locked PDA functions are the best way to make sure that unauthorized users can't access stored data. However, even when features are locked, an unauthorized user can gain access to a PDA by using hacking tools available online.
Encrypt important files. If users store work files, including email attachments, on their devices, you should take additional steps to protect the data. Palm OS allows the user to store important files in a protected folder that a user can view only after entering a password. However, there are weaknesses to this approach. For the truly paranoid (and aren't all systems administrators in this group?), programs are available to fully encrypt data. For more information about securing data on a mobile device, see the sidebar "Securing Files on Palm OS and Windows Mobile."
Disable unnecessary short-range wireless features. If you don't turn off or disable Bluetooth or IR services when you aren't using your PDA, anyone can access your device. Your wireless-enabled PDA can also help you check for unauthorized wireless networks within your company so that you can locate them and shut them down. A neat little free program named MiniStumbler lets you conduct audits from your PDA for 802.11 wireless networks within range of your current location. To use this program, your PDA must support a Secure Digital (SD) Wi-Fi card and have the newer SD I/O (SDIO) slots (not all PDAs have these). MiniStumbler integrates with programs such as Microsoft MapPoint to let you create graphical maps of your wireless airspace (for more information, see "Map Out Your Wireless-Security Audits," May 2005, InstantDoc ID 45842). It makes doing wireless audits a breeze. There are MiniStumbler versions for both Palm devices and Pocket PCs. For more information and to download Mini-Stumbler, go to http://www.stumbler.net/readme/readme_Mini_0_4_0.html
Properly Secure Your Email Server
If you run your own RIM server (for Blackberry devices) rather than using your company's central mail server, you need to take additional technical security measures. Remote exploit programs targeted at RIM servers can allow access to Blackberry devices and the data stored on them. Make sure you use the latest version of the RIM server software with all appropriate patches. Also, make sure you configure your Blackberry device to allow it to send and receive encrypted data.
Until manufacturers consistently integrate default security technology into handheld devices, your best defense against the loss or misuse of these devices is implementing strong handheld security policies and educating your users about security issues. As always in security, the weakest link is the human one.
Tony Howlett (firstname.lastname@example.org) is president of Network Security Services, a network consulting firm. He is a CISSP and a GSNA.