SmartAdvice: Managing Wireless Risk Part Of Overall Security
Manage security for cell phones and PDAs proactively, The Advisory Council says. Also, telecommuting is a benefit to the company and employees when it's managed correctly.
Editor's Note: Welcome to SmartAdvice, a weekly column by The Advisory Council (TAC), an advisory service firm. The feature answers two questions of core interest to you, ranging from career advice to enterprise strategies to how to deal with vendors. Submit questions directly to firstname.lastname@example.org
Question A: How can we secure our enterprise mobile phones and PDAs?
Our advice: The extension of the information network to handheld devices--mobile (cellular) telephones and PDAs--with their concomitant new and extended functions, raises the specter of additional vulnerabilities and risks. Furthermore, their very portability makes control all the harder. Nonetheless, like any information asset, the risks of these devices can be managed cost-effectively.
The main attacks against cellular phones are eavesdropping, cloning, and theft. The possibility of eavesdropping is greatly reduced by using digital communications, which have almost entirely replaced analog. The vendors also are improving their encryption technologies, though they're loathe to publish that (or any security information) in their public information. Press the vendor on that point and push for use of the latest security technology standards. Cloning, where an attacker makes an electronic copy of the cellular phone, is declining. It's used mainly for fraud, although it could be used for call interception. Check usage and bills frequently. The vendor should be responsible for clone use and cost. Physical theft or loss of cellular phones can lead to unauthorized use, information gleaned from telephone lists, messages, etc. Locking cellular phones using maximum PIN length provides some protection. Quick reporting of the loss is important. Never keep information so delicate on the phone that that loss of a cellular phone would cause considerable damage.
As to call theft, i.e., from an attack in which a remote entity uses the organization's cellular phone illegally to access and use the cellular network for long-distance calls, Multimedia Messaging Service, etc., additional steps include, where possible, subscribing only to those services necessary for those users who need them, For example, that means no international calling for most users, and blocking sites such as 976 phone-sex lines. Since cloned phones are declining and are really the vendor's ultimate responsibility, it's mainly awareness of what to do if your phone is lost or stolen. The information in the phone such as client lists, schedules, passwords, and PINs, may be more valuable than the calls.
There are locking mechanisms on the cellular phones that require a PIN to access the phone. This would dissuade some attackers, foil others, but might not work against a well-financed and equipped attacker. An 8-digit PIN requires approximately 50,000,000 guesses, but there may be ways for sophisticated attackers to bypass it.
Those same products and techniques that now protect the network and the phones should continue to work. There's an option that provides end-to-end BlackBerry E-mail encryption that would help, although compromise of E-mail, while possible, isn't likely.
Managing wireless and PDA risk is similar to and a part of the overall information-security program. It combines an informed constituency, immediate tactical actions, and a careful eye on the evolving technology and concomitant risks.
2014 Next-Gen WAN SurveyWhile 68% say demand for WAN bandwidth will increase, just 15% are in the process of bringing new services or more capacity online now. For 26%, cost is the problem. Enter vendors from Aryaka to Cisco to Pertino, all looking to use cloud to transform how IT delivers wide-area connectivity.
The UC Infrastructure TrapWorries about subpar networks tanking unified communications programs could be valid: Thirty-one percent of respondents have rolled capabilities out to less than 10% of users vs. 21% delivering UC to 76% or more. Is low uptake a result of strained infrastructures delivering poor performance?