Now that cell phones and personal digital assistants (PDAs) have become such popular personal accessories, no one would ever think of banning them from the business premises. In reality, however, devices that use the cellular network may resemble rogue access points in terms of the risks that they pose. Rogue wireless access points are barred from many facilities. Yet cell phones and PDAs are usually accepted without question, even though they can threaten the security of data assets.
The point of this column isn't to forbid the use of cellular devices within organizations. It's to raise awareness of the security risks that these devices can pose. Once those risks are recognized, it's possible to minimize them.
The security issues posed by cellular digital devices include:
Theft of cell phones and PDAs
Cell phones and PDAs can contain confidential data, such as phone numbers, log-in credentials, passwords, private messages, and proprietary company data. This data may not be encrypted on the device. Yet the data in the device is worth far more than the hardware itself. Encryption tools can be used to protect the data on these devices in case a cell phone or PDA is stolen, misplaced, or lost.
Theft of company secrets using cell-phone-based or PDA-based cameras, e-mail, or Flash-storage media
Cell phones and PDAs with built-in cameras can pose a serious risk. Unauthorized photos of a confidential nature can be taken inside a business or factory facility and sent out over the cellular network without prior knowledge and consent. Such confidential photos can include prototypes of new products before they're released, data from proprietary internal documents, or snapshots of the sensitive information that's displayed on computer screens. Data also can be copied onto very small, removable Flash-storage media, such as CompactFlash, SecureDigital, or Memory Stick cards. By inserting these cards into a smart phone or PDA, an individual can send the data out over the cellular network as an e-mail attachment. Because this task can be done so discreetly, it is very difficult to detect.
To solve this problem, a security policy must be implemented that requires such devices to be safely collected before people are allowed to enter certain facilities. Data encryption also is helpful. In addition, employee awareness of this type of risk must be raised. Employees will then be more aware of the need to better protect vital information.
Bypassing Internet firewalls
A notebook computer that's connected to the wired network can also access the Internet using a cell phone and notebook adapter. When it does, that traffic bypasses all firewalls, intrusion-detection systems, and other screening devices. The risks here are at least twofold. First, an alternate path to the Internet has been created that bypasses the organization's security measures. As a result, it is very difficult for the organization to detect what information is being accessed or to block access to the files. Second, rampant viruses and worms can infiltrate the network through this unsecured channel.
One of the best ways to reduce these risks is to set and enforce policies against this type of Internet access. Additional safeguards include installing personal firewalls and anti-virus programs on every employee's computer.
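One way to back such a policy with a host-side check is sketched below. This is an added example, not part of the original column: it parses Linux `ip -4 route show` output and flags a machine that holds a wired address on the corporate network while a default route points out a cellular or dial-up interface. The function names, the interface-name prefixes, the `10.0.0.0/8` corporate range, and the sample routing tables are all assumptions made for illustration.

```python
import ipaddress

# Assumption: Linux interface-name prefixes that indicate a cellular or dial-up uplink.
CELLULAR_PREFIXES = ("ppp", "wwan")

# Constructed sample: notebook on the office LAN with a phone dial-up session active.
SAMPLE_DUAL = """\
default dev ppp0 scope link metric 50
default via 10.20.0.1 dev eth0 proto dhcp metric 100
10.20.0.0/16 dev eth0 proto kernel scope link src 10.20.4.17 metric 100
10.64.64.64 dev ppp0 proto kernel scope link src 100.71.8.2
"""

# Constructed sample: same notebook, wired connection only.
SAMPLE_WIRED = """\
default via 10.20.0.1 dev eth0 proto dhcp metric 100
10.20.0.0/16 dev eth0 proto kernel scope link src 10.20.4.17 metric 100
"""

def parse_routes(text):
    """Split `ip -4 route show` output into default-route devices and connected nets."""
    default_devs, connected = [], []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields[:-1]:
            continue  # blank line, or no interface named
        dev = fields[fields.index("dev") + 1]
        if fields[0] == "default":
            default_devs.append(dev)
        elif "/" in fields[0] and "via" not in fields:
            connected.append((ipaddress.ip_network(fields[0]), dev))
    return default_devs, connected

def find_bypass(text, corporate_nets):
    """Return the interfaces involved if the host bridges the LAN and a cellular uplink."""
    default_devs, connected = parse_routes(text)
    corp = [ipaddress.ip_network(n) for n in corporate_nets]
    wired = sorted({dev for net, dev in connected
                    if not dev.startswith(CELLULAR_PREFIXES)
                    and any(net.subnet_of(c) for c in corp)})
    cellular = sorted({d for d in default_devs if d.startswith(CELLULAR_PREFIXES)})
    if wired and cellular:
        return {"wired": wired, "cellular_default": cellular}
    return None

if __name__ == "__main__":
    print(find_bypass(SAMPLE_DUAL, ["10.0.0.0/8"]))
    print(find_bypass(SAMPLE_WIRED, ["10.0.0.0/8"]))
```

A notebook that is off the corporate network and using only its cellular link is not flagged, since the condition of concern is the two paths existing at the same time.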
Malicious downloadable code or content
Access to the Internet is as portable as the cell phone. Users with "smart" phones, cellular-access PDAs, and wireless notebook computers can browse the Internet, download files, and retrieve and send e-mail from almost anywhere. These same devices can become infected with "malware." They then turn into latent carriers of viruses. Once the users reconnect to the corporate infrastructure, they contaminate the network.
Deploying anti-virus programs on PDAs and smart phones can help to alleviate this problem. The notebook and desktop computers that are used to transfer files to and from these devices also should be armed with strong anti-virus programs.
Turning on wireless encryption doesn't mean that data is protected end to end
Wireless encryption for cell phones doesn't guarantee that data is protected as it travels the entire path from source to destination. The wireless portion of the data transmission can certainly be encrypted from the cell phone to the provider's transmission tower. But it's very possible that the wired portion of the transmission (for example, over the Internet itself) can travel in the clear. If that's the case, it's possible for anyone on the Internet to read secrets as they're being transmitted.
In this scenario, choosing the appropriate encryption service is an important part of the solution. Wireless encryption alone may not be enough if the data must also travel across wired networks. The virtual private networks (VPNs) that offer end-to-end encryption can help to alleviate this problem.
This list is merely a glimpse at some of the security issues that arise when sending data over cellular networks. As is true with any technology that offers ultimate convenience, there are risks involved if security is ignored. The key to using cellular technology wisely is to recognize the possible threats. Then, define the appropriate policies for the proper use of wireless devices. Support these policies with proper enforcement and training. Without foresight and planning, there is no security.
Digital Solutions and Video, Inc.
Wireless Services Division, 104-40 Queens Blvd., Suite 122, Forest Hills, NY 11375; (718) 459-3867