Most organizations recognize that laptops are every bit as capable and vulnerable as desktop computers. However, hand-held computers, such as Palm Pilots and Pocket PCs, are considered in a different light - as if the limitations of these devices somehow eliminate the risks associated with their laptop counterparts. Over the past few years, the processing power, system software, and connectivity of these small devices have increased, to the point where such a distinction no longer applies.
Because of their size and use, hand-held computers are far more likely to be stolen or left behind in cabs, hotels, and airports. In addition, unlike their desktop counterparts, they connect to networks outside the control of their parent organization. In fact, one of their most attractive features is that they provide multiple communication mechanisms, including dial-up, Bluetooth, infrared, serial, and wireless. This combination increases the risk that sensitive information will be exposed in transit across networks.
There are other threats to worry about as well. Access to data and services can be gained in many easy ways, for example, at login - if the device is not password-protected, or if the password has been taped to the back of the device. Without layered protection, whoever gets past that first step has open access to every piece of data and every service on the device.
If removable memory modules are stolen, the data on them can be read unless it has been encrypted. Access can also be gained if a user installs software that contains malicious code (a Trojan horse) or downloads infected documents.
If a device uses TCP/IP services, an application or operating system could be attacked while a user is on a network.
And finally, a hand-held device can be used to breach the parent organization's infrastructure. These devices often (at least temporarily) store passwords and encryption keys that give automatic access to email, file shares, and other corporate services, so whoever holds the device inherits that access.
As organizations increasingly rely on hand-held devices to store and manipulate sensitive information, it is imperative they develop a security program that includes three components:
- a security policy that deals specifically with hand-held devices;
- a set of centralized corporate processes to consistently establish and maintain the security of these devices;
- a set of security products to protect the integrity of the device (including virus protection), the confidentiality of data stored there, and the authenticity, integrity and confidentiality of hand-held network communications.
Unlike the situation with desktop systems, companies often encourage their employees to purchase their own hand-held devices. Only rarely is system management or security software installed on them. Frequently, employees load these systems with games and other recreational software. Consequently, hand-held devices are the embodiment of an insecure platform.
In recognition of this situation, some organizations are beginning to develop standard secure builds for their hand-held devices. They have changed to issuing hand-helds, rather than allowing uncontrolled, unmanaged machines into their environments.
The most important step is to recognize that hand-held devices require more, not less, security attention than laptops. Currently, these devices are used in only a limited number of production applications, but that is changing quickly. This class of device needs to be considered and managed as a real computer.
Jonathan Gossels is president and Dick Mackey is principal of SystemExperts Corporation www.systemexperts.com