Computer scientists Wayne Jansen and Karen Scarfone of the Computer Security Division of the Information Technology Laboratory at the National Institute of Standards and Technology (NIST) have written a new (October 2008) Special Publication entitled "Guidelines on Cell Phone and PDA Security," which summarizes the security issues and provides recommendations for protecting sensitive information carried on these devices.
Cell phones and PDAs have fused. Take the Nokia N810 as an example: it has a full keyboard, a high-resolution (800 x 480 pixel, 64K colors) screen, and a 400-MHz processor running Linux. They include applications for e-mail, calendar, music, Web browsing, maps, and image-handling. Their networking capabilities include IEEE 802.11b/g, Bluetooth, and USB connectivity.
According to PC World, researchers at the Georgia Tech Information Security Center warned in October 2008 that “As Internet telephony and mobile computing handle more and more data, they will become more frequent targets of cyber crime.”
Computer scientists Wayne Jansen and Karen Scarfone of the Computer Security Division of the Information Technology Laboratory at the National Institute of Standards and Technology (NIST) have written a new (October 2008) Special Publication entitled “Guidelines on Cell Phone and PDA Security,” (NIST SP800-124) which summarizes the security issues and provides recommendations for protecting sensitive information carried on these devices.
The Executive Summary presents a succinct overview including a list of vulnerabilities leading to risks for corporate security from cell phones and PDAs:
• The devices are easily lost or stolen and few have effective access controls or encryption;
• They’re susceptible to infection by malware;
• They can receive spam;
• Wireless communications can be intercepted, remote activation of microphones can eavesdrop on meetings, and spyware can channel confidential information out of the organization;
• Location-tracking systems allow for inference;
• E-mail kept on servers as a convenience for cell-phone/PDA users may be vulnerable to server vulnerabilities.
The key recommendations, which are discussed at length in this 51-page document, include the following (quoting from the list on page ES-2 through ES-4):
1. Organizations should plan and address the security aspects of organization-issued cell phones and PDAs.
2. Organizations should employ appropriate security management practices and controls over handheld devices.
a. Organization-wide security policy for mobile handheld devices
b. Risk assessment and management
c. Security awareness and training
d. Configuration control and management
e. Certification and accreditation.
3. Organizations should ensure that handheld devices are deployed, configured, and managed to meet the organizations’ security requirements and objectives.
a. Apply available critical patches and upgrades to the operating system
b. Eliminate or disable unnecessary services and applications
c. Install and configure additional applications that are needed
d. Configure user authentication and access controls
e. Configure resource controls
f. Install and configure additional security controls that are required, including content encryption, remote content erasure, firewall, antivirus, intrusion detection, antispam, and virtual private network (VPN) software
g. Perform security testing.
4. Organizations should ensure an ongoing process of maintaining the security of handheld devices throughout their lifecycle.
a. Instruct users about procedures to follow and precautions to take, including the following items:
• Maintaining physical control of the device
• Reducing exposure of sensitive data
• Backing up data frequently
• Employing user authentication, content encryption, and other available security facilities
• Enabling non-cellular wireless interfaces only when needed
• Recognizing and avoiding actions that are questionable
• Reporting and deactivating compromised devices
• Minimizing functionality
• Employing additional software to prevent and detect attacks. Enable, obtain, and analyze device log files for compliance
b. Establish and follow procedures for recovering from compromise
c. Test and apply critical patches and updates in a timely manner
d. Evaluate device security periodically.
After reading this document, it is clear to me that organizations should consider the benefits of issuing centrally selected and centrally controlled devices to their employees rather than allowing employees to download potentially sensitive information to a wide variety of uncontrolled mobile targets for industrial espionage. NIST SP800-124 will provide a useful framework for discussions and planning of reasonable security programs to prevent serious losses from unsecured cell phones and PDAs.