Handheld Security: Part V – Enforce Policies, Keep Network Safe
By Laura Taylor (PDAStreet.com, Features)
After much resistance, you've finally decided to allow your employees to connect their cell phones, personal digital assistants, and smartphones to your corporate network. From an operational standpoint, you've already set up provisions for a handheld VPN client for users to make use of and have made handheld firewalls and anti-virus software available to them.
The only thing left to do before you give the green light for the new functionality and privileges is to put the security policies in place. What security policies should your users and administrators adhere to regarding the use of handhelds? In this article, Laura Taylor helps you draft some handheld interconnection policies.
Justification for Security Policies
Here is how to justify the policies to your users and administrators: Some handhelds are simple cell phones that pose few risks to your network. Smartphones, PDAs, and cell phones with Bluetooth, on the other hand, expose your network to the same types of risks as desktop computers: viruses, worms, Trojans, denial of service attacks, session hijacking, IP spoofing, and password sniffing. Like desktop and laptop systems, handhelds most often propagate viruses through e-mail. Today's PDAs and handhelds can send and receive e-mail either over a direct connection (dial-up or VPN) or through a Web browser. Each additional way a handset or PDA can reach the online world is another path an attacker can use. Many of the latest handhelds connect through multiple conduits such as:
All of these conduits are potential entry points for viruses, Trojans, and password sniffers. By following your corporate security policies, end-users protect not only your expensive corporate infrastructure but also their own expensive mobile device. Whether handhelds are bought by end-users out of their own pockets or by your corporation or federal agency, you need to ensure that end-users abide by rules that keep your enterprise network safe. If you are a federal agency striving for a good score on the FISMA Cyber Security Report Card, your end-user Rules of Behavior will need to cover handhelds.
Policies for End-Users
Have end-users read and acknowledge the policies before they connect. Acknowledgement can be obtained online through an automated mechanism, by a simple e-mail, or on a signed piece of paper. These are the types of behaviors you want your end-users to agree to, phrased as the end-users themselves would read them:
Remind your users that though these steps may appear restrictive, taking these precautions helps ensure that their expensive handheld device is not sabotaged by viruses, Trojans, or unauthorized users.
Policies for Administrators
Policies for administrators set standards, so administrators should not have to wonder which rules to follow when setting up an account. Written policies also ensure that every account is set up the same way. Spell the policies out clearly so that administrators understand exactly what they are supposed to do, and include the systems and security administrators in defining both the end-user and administrator policies. Administrators should advise end-users on how to configure their handheld firewall. HotSync uses TCP and UDP ports and ActiveSync uses TCP ports to synchronize, and end-users need to know whether those ports may be opened. While a sync port is listening, anyone who can reach the device over the network can attempt to connect to it, so the firewall should permit the sync ports only to the designated sync host and only for the duration of the sync. While policies vary from organization to organization depending on your infrastructure and requirements, below are some sample policies for handhelds that would be appropriate for system administrators:
Hopefully reviewing these sample policies will help you understand the types of security policies needed on enterprise networks. Administrators should become familiar with which ports ActiveSync (Windows Mobile) and HotSync (Palm) use so that handheld firewalls can be configured correctly. Table 1 lists the TCP and UDP ports ActiveSync and HotSync use.
Table 1. TCP and UDP Ports Used by ActiveSync and HotSync
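As an added example of the port-level checks the preceding paragraphs describe (this is not code from the article or from PDAStreet.com), the following Python script audits firewall log lines for sync-port connections that violate a simple policy: a HotSync or ActiveSync port may be contacted only by a registered handheld, only toward that handheld's designated sync host, and only during an approved sync window. The port numbers, the log-line format, the handheld registry, and the sync windows are all assumptions constructed for the example; take the real ports from Table 1 or from your sync software's documentation.

```python
"""Audit firewall log lines for handheld sync-port connections that break the
sync policy: a HotSync/ActiveSync port may be reached only by a registered
handheld, only toward that handheld's designated sync host, and only inside
an approved sync window.

Added example for this article, not code from PDAStreet.com or Laura Taylor.
The port numbers, log-line format, device registry and sync windows are all
assumptions made for the example; take your real ports from your sync
software's documentation.
"""
import re
from datetime import datetime

# ASSUMED sync ports keyed by (protocol, destination port).
SYNC_PORTS = {
    ("tcp", 14237): "HotSync",     # Palm network HotSync (assumed)
    ("udp", 14238): "HotSync",     # Palm network HotSync (assumed)
    ("tcp", 5678): "ActiveSync",   # Windows Mobile ActiveSync (assumed)
}

# Registry of handheld address -> the one desktop it is allowed to sync with (constructed).
REGISTRY = {
    "10.1.1.50": "192.168.5.10",
    "10.1.1.51": "192.168.5.11",
}

# Approved sync windows per handheld as (start, end), inclusive (constructed).
SYNC_WINDOWS = {
    "10.1.1.50": (datetime(2005, 3, 1, 9, 0), datetime(2005, 3, 1, 9, 15)),
    "10.1.1.51": (datetime(2005, 3, 1, 9, 0), datetime(2005, 3, 1, 9, 15)),
}

# Constructed netfilter-style log lines: a timestamp followed by SRC/DST/PROTO/DPT fields.
SAMPLE_LOG = [
    "2005-03-01T09:00:10 fw kernel: SYNC IN=eth0 OUT= SRC=10.1.1.50 DST=192.168.5.10 LEN=60 PROTO=TCP SPT=40321 DPT=14237",
    "2005-03-01T09:02:44 fw kernel: SYNC IN=eth0 OUT= SRC=10.1.1.99 DST=192.168.5.10 LEN=60 PROTO=TCP SPT=33020 DPT=14237",
    "2005-03-01T09:05:01 fw kernel: SYNC IN=eth0 OUT= SRC=10.1.1.51 DST=192.168.5.10 LEN=44 PROTO=UDP SPT=14238 DPT=14238",
    "2005-03-01T23:30:05 fw kernel: SYNC IN=eth0 OUT= SRC=10.1.1.50 DST=192.168.5.10 LEN=60 PROTO=TCP SPT=40900 DPT=5678",
    "2005-03-01T09:06:30 fw kernel: WEB IN=eth0 OUT= SRC=10.1.1.50 DST=192.168.5.10 LEN=60 PROTO=TCP SPT=40400 DPT=80",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Extract timestamp, endpoints, protocol and destination port; None if the line does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"].lower(),
        "dpt": int(m["dpt"]),
    }


def check(event, registry=REGISTRY, windows=SYNC_WINDOWS):
    """Return None for a compliant (or irrelevant) event, else a reason string."""
    service = SYNC_PORTS.get((event["proto"], event["dpt"]))
    if service is None:
        return None  # not a sync port; out of scope for this policy
    src, dst = event["src"], event["dst"]
    partner = registry.get(src)
    if partner is None:
        return f"{service}: unregistered handheld {src} contacted sync port on {dst}"
    if dst != partner:
        return f"{service}: {src} may only sync with {partner}, not {dst}"
    window = windows.get(src)
    if window is None or not (window[0] <= event["ts"] <= window[1]):
        return f"{service}: {src} connected to {dst} outside its approved sync window"
    return None


def audit(lines, registry=REGISTRY, windows=SYNC_WINDOWS):
    """Run the policy check over log lines; return (source, reason) pairs for violations."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        reason = check(event, registry, windows)
        if reason is not None:
            findings.append((event["src"], reason))
    return findings


if __name__ == "__main__":
    for src, reason in audit(SAMPLE_LOG):
        print(f"{src}: {reason}")
```

Run against the constructed log, the script reports three violations (an unregistered handheld, a handheld reaching the wrong sync host, and a sync attempt outside the approved window) and ignores the first line, which is a registered handheld syncing with its own partner inside its window, and the last line, which is not sync traffic at all. Feeding it real log output only requires adjusting the regular expression and the port table.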
The Upshot
Like desktop computers, handhelds are susceptible to port scanning, denial of service attacks, session hijacking, spoofing, theft of information, and theft of the device itself. In addition, many end-users store passwords, credit card information, and sensitive company information in personal databases on their PDAs, smartphones, and cell phones. As a result, when you allow workers to connect their handhelds to the corporate network you are putting the enterprise at risk, which is why precautions are so important. Ensuring that both end-users and administrators follow specified security policies is one way to mitigate those risks. The security policies should be reviewed annually and refined and updated as needed, and the company security officer should be held accountable for ensuring that they are enforced.