SmartAdvice: Managing Wireless Risk Part Of Overall Security
Manage security for cell phones and PDAs proactively, The Advisory Council says. Also, telecommuting is a benefit to the company and employees when it's managed correctly.
Editor's Note: Welcome to SmartAdvice, a weekly column by The Advisory Council (TAC), an advisory service firm. The feature answers two questions of core interest to you, ranging from career advice to enterprise strategies to how to deal with vendors. Submit questions directly to email@example.com
Question A: How can we secure our enterprise mobile phones and PDAs?
Our advice: The extension of the information network to handheld devices--mobile (cellular) telephones and PDAs--with their concomitant new and extended functions, raises the specter of additional vulnerabilities and risks. Furthermore, their very portability makes control all the harder. Nonetheless, like any information asset, the risks of these devices can be managed cost-effectively.
The main attacks against cellular phones are eavesdropping, cloning, and theft. The possibility of eavesdropping is greatly reduced by using digital communications, which have almost entirely replaced analog. The vendors also are improving their encryption technologies, though they're loathe to publish that (or any security information) in their public information. Press the vendor on that point and push for use of the latest security technology standards. Cloning, where an attacker makes an electronic copy of the cellular phone, is declining. It's used mainly for fraud, although it could be used for call interception. Check usage and bills frequently. The vendor should be responsible for clone use and cost. Physical theft or loss of cellular phones can lead to unauthorized use, information gleaned from telephone lists, messages, etc. Locking cellular phones using maximum PIN length provides some protection. Quick reporting of the loss is important. Never keep information so delicate on the phone that that loss of a cellular phone would cause considerable damage.
As to call theft, i.e., from an attack in which a remote entity uses the organization's cellular phone illegally to access and use the cellular network for long-distance calls, Multimedia Messaging Service, etc., additional steps include, where possible, subscribing only to those services necessary for those users who need them, For example, that means no international calling for most users, and blocking sites such as 976 phone-sex lines. Since cloned phones are declining and are really the vendor's ultimate responsibility, it's mainly awareness of what to do if your phone is lost or stolen. The information in the phone such as client lists, schedules, passwords, and PINs, may be more valuable than the calls.
There are locking mechanisms on the cellular phones that require a PIN to access the phone. This would dissuade some attackers, foil others, but might not work against a well-financed and equipped attacker. An 8-digit PIN requires approximately 50,000,000 guesses, but there may be ways for sophisticated attackers to bypass it.
Those same products and techniques that now protect the network and the phones should continue to work. There's an option that provides end-to-end BlackBerry E-mail encryption that would help, although compromise of E-mail, while possible, isn't likely.
Managing wireless and PDA risk is similar to and a part of the overall information-security program. It combines an informed constituency, immediate tactical actions, and a careful eye on the evolving technology and concomitant risks.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.