Cell phone security

NIST document provides guidelines on cell phone and PDA security

Security Strategies Alert By M. E. Kabay, Network World
February 24, 2009 12:02 AM ET

The long view of security strategies for your network.

Cell phones and PDAs have fused. Take the Nokia N810 as an example: it has a full keyboard, a high-resolution (800 x 480 pixel, 64K colors) screen, and a 400-MHz processor running Linux. Devices of this class include applications for e-mail, calendar, music, Web browsing, maps, and image handling, and their networking capabilities include IEEE 802.11b/g, Bluetooth, and USB connectivity.

According to PC World, researchers at the Georgia Tech Information Security Center warned in October 2008 that “As Internet telephony and mobile computing handle more and more data, they will become more frequent targets of cyber crime.”

Computer scientists Wayne Jansen and Karen Scarfone of the Computer Security Division of the Information Technology Laboratory at the National Institute of Standards and Technology (NIST) have written a new (October 2008) Special Publication entitled “Guidelines on Cell Phone and PDA Security” (NIST SP800-124), which summarizes the security issues and provides recommendations for protecting sensitive information carried on these devices.

The Executive Summary presents a succinct overview including a list of vulnerabilities leading to risks for corporate security from cell phones and PDAs:

• The devices are easily lost or stolen and few have effective access controls or encryption;
• They’re susceptible to infection by malware;
• They can receive spam;
• Wireless communications can be intercepted, remote activation of microphones can eavesdrop on meetings, and spyware can channel confidential information out of the organization;
• Location-tracking features allow an observer to infer information about the user;
• E-mail kept on servers as a convenience for cell-phone/PDA users may be exposed through vulnerabilities in those servers.

The key recommendations, which are discussed at length in this 51-page document, include the following (quoting from the list on page ES-2 through ES-4):

1. Organizations should plan and address the security aspects of organization-issued cell phones and PDAs.

2. Organizations should employ appropriate security management practices and controls over handheld devices.
a. Organization-wide security policy for mobile handheld devices
b. Risk assessment and management
c. Security awareness and training
d. Configuration control and management
e. Certification and accreditation.

3. Organizations should ensure that handheld devices are deployed, configured, and managed to meet the organizations’ security requirements and objectives.
a. Apply available critical patches and upgrades to the operating system
b. Eliminate or disable unnecessary services and applications
c. Install and configure additional applications that are needed
d. Configure user authentication and access controls
e. Configure resource controls
f. Install and configure additional security controls that are required, including content encryption, remote content erasure, firewall, antivirus, intrusion detection, antispam, and virtual private network (VPN) software
g. Perform security testing.

4. Organizations should ensure an ongoing process of maintaining the security of handheld devices throughout their lifecycle.
a. Instruct users about procedures to follow and precautions to take, including the following items:
• Maintaining physical control of the device
• Reducing exposure of sensitive data
• Backing up data frequently
• Employing user authentication, content encryption, and other available security facilities
• Enabling non-cellular wireless interfaces only when needed
• Recognizing and avoiding actions that are questionable
• Reporting and deactivating compromised devices
• Minimizing functionality
• Employing additional software to prevent and detect attacks. Enable, obtain, and analyze device log files for compliance
b. Establish and follow procedures for recovering from compromise
c. Test and apply critical patches and updates in a timely manner
d. Evaluate device security periodically.
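The deployment controls in recommendation 3 and the periodic evaluation in 4d amount to a checklist that can be audited mechanically. The following is an added example, not code from the article or from NIST: it checks a small, constructed device inventory against a constructed baseline (minimum patched OS version, forbidden services, authentication, encryption, remote erasure, non-cellular radios) and reports each finding with the recommendation it maps to.

```python
"""Baseline audit of handheld devices against the SP800-124 deployment controls
summarised above. Inventory records and baseline values are constructed for
this example; the version threshold and service names are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass
class Device:
    device_id: str
    os_version: str          # e.g. "2.1"
    services: Set[str]       # enabled services/applications
    auth_enabled: bool       # user authentication configured (3d)
    content_encrypted: bool  # content encryption in place (3f)
    remote_wipe: bool        # remote content erasure configured (3f)
    wifi_on: bool            # non-cellular radios (4a)
    bluetooth_on: bool

# Constructed baseline, not taken from NIST.
BASELINE = {
    "min_os_version": (2, 1),                   # 3a: critical patches/upgrades
    "forbidden_services": {"telnet", "ftpd"},   # 3b: unnecessary services
}

def parse_version(s: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple."""
    return tuple(int(p) for p in s.split("."))

def audit(dev: Device) -> List[str]:
    """Return one finding per control the device fails; empty list means compliant."""
    findings = []
    if parse_version(dev.os_version) < BASELINE["min_os_version"]:
        findings.append("3a: OS below patched baseline")
    extra = dev.services & BASELINE["forbidden_services"]
    if extra:
        findings.append("3b: unnecessary services enabled: " + ", ".join(sorted(extra)))
    if not dev.auth_enabled:
        findings.append("3d: user authentication disabled")
    if not dev.content_encrypted:
        findings.append("3f: content encryption missing")
    if not dev.remote_wipe:
        findings.append("3f: remote content erasure not configured")
    if dev.wifi_on or dev.bluetooth_on:
        findings.append("4a: non-cellular wireless interface left enabled")
    return findings

def audit_fleet(devices: List[Device]) -> Dict[str, List[str]]:
    return {d.device_id: audit(d) for d in devices}

# Constructed inventory: one compliant device, one with several gaps.
FLEET = [
    Device("n810-001", "2.1", {"ssh"}, True, True, True, False, False),
    Device("n810-002", "1.9", {"telnet", "ssh"}, False, False, True, True, False),
]

if __name__ == "__main__":
    for dev_id, findings in audit_fleet(FLEET).items():
        print(dev_id, "OK" if not findings else findings)
```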

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.
