NIST weighs in on cell phone, PDA security
- By William Jackson
- Nov 03, 2008
The use of increasingly powerful cell phones and other portable devices as business tools can open an enterprise to a new class of cyber threats, and the National Institute of Standards and Technology has released guidelines for mitigating these risks.Special Publication 800-124
, titled 'Guidelines on Cell Phone and PDA Security' is an overview of common cell phone and personal digital assistant devices, their associated risks and guidelines for mitigating the risks. The guidelines are not mandatory standards, but are recommendations intended to help users and administrators make informed information technology security decisions on their use.
'Cell phones and Personal Digital Assistants (PDAs) have become indispensable tools for today's highly mobile workforce,' the publication says. They are being used not only for voice calls, text messages, and managing personal information, but also for many functions that are typically done on a desktop laptop computer, including 'sending and receiving electronic mail, browsing the Web, storing and modifying documents, delivering presentations, and remotely accessing data.'
The devices also can contain specialized features such as cameras, a Global Positioning System, and small removable-media card slots, and employ a range of wireless interfaces that include infrared, Wi-Fi, Bluetooth, as well as multiple cellular interfaces. Through these features, the devices are increasingly subject to many of the threats common to desktop systems as well as others. The threats include loss or theft; malware infection through tainted storage media or wireless connections; text and voice spam as well as the e-mail variety, which can be used for phishing as well as resulting in charges for inbound messages; electronic eavesdropping through a variety of channels; location tracking; theft of service through cloning; and exposure of sensitive data at the server.
'To date, incidents from malware and other identified dangers that have occurred against handheld devices have been limited when compared with those against desktop and networked computers,' the guide says. 'One factor is that no single operating system dominates handheld devices to the same extent, fragmenting the number of potential homogeneous targets.'
Cellular service providers also typically have used closed systems in which they retain a large degree of control over devices used on their networks. But as the industry shifts to a more open architecture in which users will be able to acquire access while choosing the devices and services they use, these safeguards are likely to diminish.
'An increasing amount of mobile malware has been reported over the past several years, which raises concerns for the future,' the guide warns.
The publication offers guidelines for ensuring the usefulness of these tools while mitigating the associated risks:
- Plan and address the security aspects of organization-issued cell phones and PDAs. Addressing these issues in a coherent way from the beginning is easier and more effective than playing catch-up after the devices are in use.
- Employ appropriate security management practices and controls over handheld devices. The devices should be managed as part of the enterprises IT assets, including applying security policies, risk assessment and management, configuration management, certification and accreditation and education.
- Deploy, configure and manage handheld devices in accordance with overall agency security requirements. This includes patching and upgrading, eliminating unneeded services, applying user authentication and access controls, securing data and communications, and performing security testing.
- Maintain security of devices throughout their lifecycle. This includes user education, device registration, control policies for client software and settings and for passwords, policies on communications links use and associated security, and remote diagnostics and auditing of devices on the network.
William Jackson is a Maryland-based freelance writer.