Protect your organization from mobile security threats

Many organizations don't take the necessary steps to secure mobile computing devices and the corporate data they access. Mike Mullins recommends some additional security measures you can take to protect these mobile devices.

Even though the IT industry buzzes with talk of the wonders of wireless, mobile computing isn't going to replace the corporate desktop anytime soon. However, that doesn't mean your organization shouldn't start preparing to embrace elements of wireless technology.

For example, personal digital assistants (PDAs) are among the devices busy executives request most often. While these devices do help boost productivity, they also introduce a significant, but manageable, risk to the security of any network.

The most common PDAs run Palm OS, Microsoft Windows CE, and Java-compatible platforms. But unlike earlier PDAs, these devices do more than just take notes; they also provide wireless links to office e-mail and file servers, making your corporate data all the more vulnerable.

Unfortunately, many organizations overlook this growing exposure. Be aware that attackers have already written and released viruses and Trojan horses for these platforms, taking advantage of the fact that PDAs are usually deployed with few or no security controls. Let's look at how your organization can lock down its mobile devices against would-be attackers.

When it comes to mobile security, perhaps the most important security measure you can apply is common business sense. Start by asking this question: "Is there a business justification tied to the deployment of these PDAs?"

If no one can present a true business justification, then there should be no IT support for such devices. Treat them as unauthorized devices and take steps to keep users from connecting these rogue devices to the network or syncing them with corporate workstations.

Of course, there may be a strong business justification for allowing PDAs on your network. If so, your next step is to implement additional security measures to help protect these mobile devices. Let's look at some of your best bets.

Embrace encryption and passwords
If the PDA supports encryption of stored data, then, by all means, use it. PDAs carry and access your company's information, and you need to safeguard it wherever it goes. Note that a power-on password by itself only locks the user interface; it does not protect data on a device that is lost or stolen, since an attacker can read the storage directly or through the sync interface. Require both a password and encryption where the platform offers them, and if the device doesn't support passwords at all, it doesn't belong on your network.
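The following added example (not code from the article or from any PDA vendor) shows why "encryption plus a password" needs a second look when the password is a short PIN. It encrypts sample data under a key derived only from a four-digit PIN, then plays the attacker who has imaged the device's storage and tries every PIN offline, where the device's wrong-attempt lockout never runs. The key-stretching routine, the constructed sample data and the `BruteForcePIN` helper are illustrative assumptions; a real device should use a standard PBKDF and, ideally, bind the key to the hardware or demand a longer passphrase.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// deriveKey stretches a numeric PIN into a 256-bit key by iterating SHA-256
// over salt||pin. It stands in for a real PBKDF (use PBKDF2, scrypt or
// Argon2 in production). Iterations slow the attacker only linearly; they do
// not enlarge the 10,000-value search space of a four-digit PIN.
func deriveKey(pin string, salt []byte, iterations int) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pin...))
	for i := 1; i < iterations; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

// Encrypt seals plaintext with AES-256-GCM under the PIN-derived key. The
// salt and nonce are returned so they can be stored beside the ciphertext,
// exactly as a device would have to store them.
func Encrypt(pin string, plaintext []byte, iterations int) (salt, nonce, ct []byte) {
	salt, nonce = make([]byte, 16), make([]byte, 12)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	block, _ := aes.NewCipher(deriveKey(pin, salt, iterations))
	gcm, _ := cipher.NewGCM(block)
	return salt, nonce, gcm.Seal(nil, nonce, plaintext, nil)
}

// Decrypt returns the plaintext and true only if the PIN is correct; GCM's
// authentication tag rejects every wrong key, which is what lets an
// attacker recognise the right guess.
func Decrypt(pin string, salt, nonce, ct []byte, iterations int) ([]byte, bool) {
	block, _ := aes.NewCipher(deriveKey(pin, salt, iterations))
	gcm, _ := cipher.NewGCM(block)
	pt, err := gcm.Open(nil, nonce, ct, nil)
	return pt, err == nil
}

// BruteForcePIN models an offline attacker holding a copy of the device's
// storage. It returns the recovered PIN, the plaintext and the number of
// guesses it took (0 guesses and "" if no PIN of that length works).
func BruteForcePIN(digits int, salt, nonce, ct []byte, iterations int) (string, []byte, int) {
	space := 1
	for i := 0; i < digits; i++ {
		space *= 10
	}
	for n := 0; n < space; n++ {
		pin := fmt.Sprintf("%0*d", digits, n)
		if pt, ok := Decrypt(pin, salt, nonce, ct, iterations); ok {
			return pin, pt, n + 1
		}
	}
	return "", nil, 0
}

func main() {
	const iterations = 1000
	secret := []byte("constructed sample: Q3 forecast, customer list") // constructed data
	salt, nonce, ct := Encrypt("4821", secret, iterations)            // user chose PIN 4821

	start := time.Now()
	pin, pt, guesses := BruteForcePIN(4, salt, nonce, ct, iterations)
	fmt.Printf("recovered PIN %s after %d guesses in %v\n", pin, guesses, time.Since(start))
	fmt.Printf("plaintext: %s\n", pt)
}
```

The lockout counter most PDAs implement is enforced by the device's own software; once the storage has been copied, nothing enforces it. That is why the example drives home that the password policy and the encryption policy have to be designed together.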

Preach e-mail protection
Educate PDA users about security best practices, and urge them to be vigilant about e-mail and attachments. They should already know better than to open unexpected e-mail from an unknown source, but you must enforce this rule with particular care on mobile platforms, where antivirus coverage and user attention are both weaker than on the desktop.

Install antivirus software
If the mobile device is capable of e-mail, then it needs to be capable of loading some type of antivirus client software. You don't allow workstations or laptops to operate without antivirus software--don't make an exception for PDAs.

Implement workstation firewalls
Because PDAs are wireless-capable, connect to networks you don't control, and then spend time on your internal network, treat them as DMZ devices: run a firewall on the PDA itself where the platform supports one, and run a workstation firewall on every PC the PDA syncs with. When a user connects a PDA to your organization's LAN, or cradles it at a desk, the workstation firewall limits what the device can reach, so an infection picked up outside can't spread to the workstation and on to the rest of the network.

Beware of unsigned mobile code
The most dangerous hacks and viruses for PDAs arrive as unsigned executable code. Reputable software vendors use licensed software development kits (SDKs) and sign their code with a private key; the matching certificate, which carries the vendor's identity, ships with the code so the device can verify that the code is unaltered and really came from that vendor.

You can defeat most of the malware targeted at your PDA users by disabling unsigned code through policy and training users not to click through warnings about unsigned code. Keep in mind that a valid signature proves origin and integrity, not safety: the device must also check that the signer is one your organization trusts, and a vendor whose signing key is stolen can "vouch" for malware.
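To make the signing and policy steps above concrete, here is an added example (not code from the article, and not any PDA platform's real installer) that models an install-time policy check. It uses Ed25519 from the Go standard library in place of whatever signature scheme a given SDK uses; the `Package`, `TrustStore` and `Evaluate` names, and the sample executable bytes, are constructed for illustration. The policy rejects unsigned code, code signed by a key the organization has not trusted, and code altered after signing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package models a hypothetical install bundle for a mobile device: the
// executable bytes, the signer's public key, and a detached signature.
// Unsigned code has an empty SignerKey and Signature.
type Package struct {
	Name      string
	Code      []byte
	SignerKey ed25519.PublicKey
	Signature []byte
}

// TrustStore maps the raw bytes of a vendor's public key to the vendor name.
// It is the organization's own list of signers it has chosen to accept.
type TrustStore map[string]string

// Trust records a vendor public key as acceptable.
func (ts TrustStore) Trust(vendor string, key ed25519.PublicKey) {
	ts[string(key)] = vendor
}

var (
	ErrUnsigned  = errors.New("reject: code is unsigned")
	ErrUntrusted = errors.New("reject: signer is not in the trust store")
	ErrBadSig    = errors.New("reject: signature does not verify (code or signature altered)")
)

// NewVendorKey creates a signing key pair. Only the private half ever signs;
// the public half is what devices and the policy engine are given.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignPackage signs the SHA-256 digest of the code with the vendor's private
// key and attaches the matching public key, as a vendor's SDK would.
func SignPackage(name string, code []byte, priv ed25519.PrivateKey) Package {
	digest := sha256.Sum256(code)
	return Package{
		Name:      name,
		Code:      code,
		SignerKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, digest[:]),
	}
}

// Evaluate applies the install policy and returns the trusted vendor name on
// success. allowUnsigned=true is the permissive setting the article argues
// against; with it false, unsigned code is rejected before anything runs.
func Evaluate(pkg Package, trust TrustStore, allowUnsigned bool) (string, error) {
	if len(pkg.Signature) == 0 || len(pkg.SignerKey) == 0 {
		if allowUnsigned {
			return "(unsigned, allowed by policy)", nil
		}
		return "", ErrUnsigned
	}
	// Check the signer is one we trust before doing any cryptography: a
	// valid signature from an unknown key proves nothing useful.
	vendor, known := trust[string(pkg.SignerKey)]
	if !known || len(pkg.SignerKey) != ed25519.PublicKeySize {
		return "", ErrUntrusted
	}
	digest := sha256.Sum256(pkg.Code)
	if !ed25519.Verify(pkg.SignerKey, digest[:], pkg.Signature) {
		return "", ErrBadSig
	}
	return vendor, nil
}

func main() {
	vendorPub, vendorPriv := NewVendorKey()
	trust := TrustStore{}
	trust.Trust("Example PDA Software Inc.", vendorPub) // hypothetical vendor

	code := []byte("constructed sample executable bytes") // stand-in for a .prc/.cab file
	good := SignPackage("notes.prc", code, vendorPriv)

	tampered := good
	tampered.Code = append([]byte{}, code...)
	tampered.Code[0] ^= 0xff // one byte changed after signing

	_, attackerPriv := NewVendorKey() // attacker signs with their own key
	attacker := SignPackage("free-game.prc", []byte("malicious payload"), attackerPriv)

	unsigned := Package{Name: "unsigned-tool.prc", Code: code}

	for _, p := range []Package{good, tampered, attacker, unsigned} {
		if vendor, err := Evaluate(p, trust, false); err != nil {
			fmt.Printf("%-18s %v\n", p.Name, err)
		} else {
			fmt.Printf("%-18s allow: signed by %s\n", p.Name, vendor)
		}
	}
}
```

The ordering inside `Evaluate` is the practical point: whether the signer is trusted is a policy decision your organization makes by populating the trust store, and it is checked before the signature itself, because "signed" and "signed by someone we trust" are different properties.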

Final thoughts
Mobile computing devices have earned their place on the corporate network. However, organizations can't allow users to treat PDAs as toys. They are powerful computing platforms that demand the same protection as any machine that spends time on a public network and returns to the corporate network.

Treat PDAs like laptops: wherever possible, use policy and software to protect your network from the problems they might introduce. And, as always, train users on how they can minimize security risks when using these devices.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a network security administrator for the Defense Information Systems Agency.