SmartAdvice: Managing Wireless Risk Part Of Overall Security - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Infrastructure
Commentary
2/10/2005
08:50 PM
Commentary
Commentary
Commentary
50%
50%

SmartAdvice: Managing Wireless Risk Part Of Overall Security

Manage security for cell phones and PDAs proactively, The Advisory Council says. Also, telecommuting is a benefit to the company and employees when it's managed correctly.

Editor's Note: Welcome to SmartAdvice, a weekly column by The Advisory Council (TAC), an advisory service firm. The feature answers two questions of core interest to you, ranging from career advice to enterprise strategies to how to deal with vendors. Submit questions directly to [email protected]


Question A: How can we secure our enterprise mobile phones and PDAs?

Our advice: The extension of the information network to handheld devices--mobile (cellular) telephones and PDAs--with their concomitant new and extended functions, raises the specter of additional vulnerabilities and risks. Furthermore, their very portability makes control all the harder. Nonetheless, like any information asset, the risks of these devices can be managed cost-effectively.

The main attacks against cellular phones are eavesdropping, cloning, and theft. The possibility of eavesdropping is greatly reduced by using digital communications, which have almost entirely replaced analog. The vendors also are improving their encryption technologies, though they're loathe to publish that (or any security information) in their public information. Press the vendor on that point and push for use of the latest security technology standards. Cloning, where an attacker makes an electronic copy of the cellular phone, is declining. It's used mainly for fraud, although it could be used for call interception. Check usage and bills frequently. The vendor should be responsible for clone use and cost. Physical theft or loss of cellular phones can lead to unauthorized use, information gleaned from telephone lists, messages, etc. Locking cellular phones using maximum PIN length provides some protection. Quick reporting of the loss is important. Never keep information so delicate on the phone that that loss of a cellular phone would cause considerable damage.

Related Links

Open Mobile Alliance

Personal Digital Assistant Vulnerability Assessment



As to call theft, i.e., from an attack in which a remote entity uses the organization's cellular phone illegally to access and use the cellular network for long-distance calls, Multimedia Messaging Service, etc., additional steps include, where possible, subscribing only to those services necessary for those users who need them, For example, that means no international calling for most users, and blocking sites such as 976 phone-sex lines. Since cloned phones are declining and are really the vendor's ultimate responsibility, it's mainly awareness of what to do if your phone is lost or stolen. The information in the phone such as client lists, schedules, passwords, and PINs, may be more valuable than the calls.

There are locking mechanisms on the cellular phones that require a PIN to access the phone. This would dissuade some attackers, foil others, but might not work against a well-financed and equipped attacker. An 8-digit PIN requires approximately 50,000,000 guesses, but there may be ways for sophisticated attackers to bypass it.

Those same products and techniques that now protect the network and the phones should continue to work. There's an option that provides end-to-end BlackBerry E-mail encryption that would help, although compromise of E-mail, while possible, isn't likely. Managing wireless and PDA risk is similar to and a part of the overall information-security program. It combines an informed constituency, immediate tactical actions, and a careful eye on the evolving technology and concomitant risks.

-- Richard Feingold

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

News
Becoming a Self-Taught Cybersecurity Pro
Jessica Davis, Senior Editor, Enterprise Apps,  6/9/2021
News
Ancestry's DevOps Strategy to Control Its CI/CD Pipeline
Joao-Pierre S. Ruth, Senior Writer,  6/4/2021
Slideshows
IT Leadership: 10 Ways to Unleash Enterprise Innovation
Lisa Morgan, Freelance Writer,  6/8/2021
White Papers
Register for InformationWeek Newsletters
2021 State of ITOps and SecOps Report
2021 State of ITOps and SecOps Report
This new report from InformationWeek explores what we've learned over the past year, critical trends around ITOps and SecOps, and where leaders are focusing their time and efforts to support a growing digital economy. Download it today!
Video
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Slideshows
Flash Poll