Infrastructure
Commentary
2/10/2005
08:50 PM
Commentary
Commentary
Commentary
Connect Directly
RSS
E-Mail
50%
50%

SmartAdvice: Managing Wireless Risk Part Of Overall Security

Manage security for cell phones and PDAs proactively, The Advisory Council says. Also, telecommuting is a benefit to the company and employees when it's managed correctly.

Editor's Note: Welcome to SmartAdvice, a weekly column by The Advisory Council (TAC), an advisory service firm. The feature answers two questions of core interest to you, ranging from career advice to enterprise strategies to how to deal with vendors. Submit questions directly to smartadvice@tacadvisory.com


Question A: How can we secure our enterprise mobile phones and PDAs?

Our advice: The extension of the information network to handheld devices--mobile (cellular) telephones and PDAs--with their concomitant new and extended functions, raises the specter of additional vulnerabilities and risks. Furthermore, their very portability makes control all the harder. Nonetheless, like any information asset, the risks of these devices can be managed cost-effectively.

The main attacks against cellular phones are eavesdropping, cloning, and theft. The possibility of eavesdropping is greatly reduced by using digital communications, which have almost entirely replaced analog. The vendors also are improving their encryption technologies, though they're loathe to publish that (or any security information) in their public information. Press the vendor on that point and push for use of the latest security technology standards. Cloning, where an attacker makes an electronic copy of the cellular phone, is declining. It's used mainly for fraud, although it could be used for call interception. Check usage and bills frequently. The vendor should be responsible for clone use and cost. Physical theft or loss of cellular phones can lead to unauthorized use, information gleaned from telephone lists, messages, etc. Locking cellular phones using maximum PIN length provides some protection. Quick reporting of the loss is important. Never keep information so delicate on the phone that that loss of a cellular phone would cause considerable damage.

Related Links

Open Mobile Alliance

Personal Digital Assistant Vulnerability Assessment



As to call theft, i.e., from an attack in which a remote entity uses the organization's cellular phone illegally to access and use the cellular network for long-distance calls, Multimedia Messaging Service, etc., additional steps include, where possible, subscribing only to those services necessary for those users who need them, For example, that means no international calling for most users, and blocking sites such as 976 phone-sex lines. Since cloned phones are declining and are really the vendor's ultimate responsibility, it's mainly awareness of what to do if your phone is lost or stolen. The information in the phone such as client lists, schedules, passwords, and PINs, may be more valuable than the calls.

There are locking mechanisms on the cellular phones that require a PIN to access the phone. This would dissuade some attackers, foil others, but might not work against a well-financed and equipped attacker. An 8-digit PIN requires approximately 50,000,000 guesses, but there may be ways for sophisticated attackers to bypass it.

Those same products and techniques that now protect the network and the phones should continue to work. There's an option that provides end-to-end BlackBerry E-mail encryption that would help, although compromise of E-mail, while possible, isn't likely. Managing wireless and PDA risk is similar to and a part of the overall information-security program. It combines an informed constituency, immediate tactical actions, and a careful eye on the evolving technology and concomitant risks.

-- Richard Feingold

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
2014 Next-Gen WAN Survey
2014 Next-Gen WAN Survey
While 68% say demand for WAN bandwidth will increase, just 15% are in the process of bringing new services or more capacity online now. For 26%, cost is the problem. Enter vendors from Aryaka to Cisco to Pertino, all looking to use cloud to transform how IT delivers wide-area connectivity.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Government Oct. 20, 2014
Energy and weather agencies are busting long-held barriers to analyzing big data. Can the feds now get other government agencies into the movement?
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and trends on InformationWeek.com
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.