Personal Digital Assistant (PDA) Audit Checklist
Prepared by Stephen Northcutt
Introduction
This document provides a Personal Digital Assistant (PDA) Audit Checklist and a list of vendor security products developed to protect PDAs against known, evolving, and new security threats. A PDA is a handheld computer that stores, processes, and transfers information to other PDAs, personal computers (PCs), and networks using serial, universal serial bus (USB), infrared (IR), Bluetooth, Wireless Fidelity (Wi-Fi), or cellular technology. Traditional or standalone PDAs have no cell phone capability, unlike newer PDAs, including Smartphones. Handheld features often include personal information management (PIM) software, office and multimedia applications, email and Internet capability, and a global positioning system (GPS) option. Touch screens support user interaction through a stylus pen and onscreen keyboard, through a mini- or full-sized keyboard, or by hand.
Currently, PDAs do not incorporate internal hard drives. They use random-access memory (RAM), read-only memory (ROM), and external memory, such as removable flash cards. If power is lost, some devices have an internal backup battery operating for up to thirty minutes, until primary batteries are changed or recharged. PDAs are used in various industries, including government, financial, retail, medical, education, manufacturing, and travel.
Traditional PDA sales have significantly declined, as more users turn to Smartphones that allow multimedia interactivity, global networking, and full-time telecommuting similar to desktops and laptops. According to IDC, the global mobile worker population will exceed 850 million in 2009 – representing more than one-quarter of the worldwide workforce.[1] Palm (Palm operating system) and HP (Windows Mobile operating system) lead traditional PDA sales.
A March 2009 Gartner report shows worldwide Smartphone sales to end users by operating system, in 2008.[2]
Security Threats
PDA security threats are on the rise and include phone fraud, malware, and denial of service (DoS) attacks. In turn, an organization's enterprise network security is impacted, especially when compromised handheld devices make behind-the-firewall wired or wireless connections. Several technologies used by PDAs come with inherent vulnerabilities and encounter ongoing security attacks. Email is subject to malware, phishing, and spam attacks. Instant messaging is subject to malware, smishing, and flooding attacks. Wireless networks experience eavesdropping, man-in-the-middle, and jamming attacks. The Internet experiences malware, web browsing, and web application attacks. Some third-party applications contain exploitable vulnerabilities, as a result of insecure software coding practices, undetected bugs, and flawed patches and upgrades.
Sensitive, proprietary, and/or classified data loss occurs when a lost, stolen, or damaged PDA is not regularly synchronized with an organizational computer or network. Data synching over a network, without encrypted sessions, could lead to sniffing and spoofing attacks. Data loss also occurs when attackers gain physical or logical access to PDAs and perform unauthorized modifications or inject arbitrary code. If such attacks go unnoticed for any length of time, forensic data could prove invalid and security controls ineffective.
Profit-oriented and sophisticated attacks against handheld devices increase each year. According to McAfee, manufacturers have reported increases against all threat categories:[3]
PDA Security Audit
An organization must protect its handheld devices from various security threats throughout their life cycle. PDAs operate inside the network perimeter and could become part of a botnet executing fraudulent activities or launching distributed denial of service (DDoS) attacks. Regular PDA security audits should be performed. A security audit ensures the confidentiality, integrity, and availability of PDA and network assets by verifying policy compliance, discovering weak or non-existent security controls, and detecting security events. First, an organization should conduct a PDA vulnerability assessment to identify known vulnerabilities and existing and potential risks. Then, a clear and concise handheld device security policy should be written and enforced by management. The PDA Audit Checklist, included below, helps an organization establish, monitor, and maintain security.[4]
PDA Security Audit Checklist
No. | Security Control | Description | Check |
Administrative Controls | | | |
1 | Security Policy | Organization has a clear and concise handheld device security policy. This policy covers: | ☐ |
2 | Acceptable Use Policy | Organization has a handheld device acceptable use policy (AUP). This policy covers: | ☐ |
3 | Insurance Policy | Organization insures handheld devices against loss, theft, or damage. | ☐ |
4 | Security Awareness Training | Organization includes handheld device security in its security awareness training. This training covers: | ☐ |
Technical Controls | | | |
1 | Configuration Management | Organization maintains a secured inventory of all handheld devices. This registry includes: | ☐ |
2 | Access Control | Organization implements handheld device access control. It includes: | ☐ |
3 | Anti-Virus Software | Organization implements antivirus software on each handheld device. | ☐ |
4 | Data Encryption | Organization implements encryption to protect information on handheld devices. | ☐ |
5 | Firewall | Organization implements a firewall on handheld devices. | ☐ |
6 | Virtual Private Network | | ☐ |
7 | Device Integrity | Organization implements handheld device integrity. | ☐ |
8 | Centralized Management | Organization implements a centralized management system for handheld devices. | ☐ |
9 | Device Backup | Organization implements a backup mechanism for handheld device information. | ☐ |
Physical Security | | | |
1 | Physical Security | | ☐ |
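As an added example (it is not part of the checklist and not SANS code), the following Python script turns the Technical Controls above into an automated audit pass over a device inventory. The inventory record format, the seven-day "regularly synchronized" threshold, the list of device ids observed on the network, and the three sample devices are all assumptions constructed for this example; the control numbers and names are taken from the checklist. It also flags a device seen connecting to the network that is absent from the registry (Configuration Management) and a device whose last synchronization is stale, which the Security Threats section identifies as a data-loss risk.

```python
"""Evaluate a constructed PDA inventory against the checklist's Technical Controls.

Added example, not part of the original checklist.  Inventory fields,
thresholds and sample data are assumptions made for this illustration.
"""
from datetime import date, timedelta

# Technical Controls that reduce to a per-device yes/no attribute:
# (checklist number, control name, inventory field that must be True).
ATTRIBUTE_CONTROLS = [
    (3, "Anti-Virus Software", "antivirus"),
    (4, "Data Encryption", "encrypted"),
    (5, "Firewall", "firewall"),
    (6, "Virtual Private Network", "vpn"),
    (8, "Centralized Management", "managed"),
    (9, "Device Backup", "backup"),
]


def _finding(device_id, number, name, detail):
    return {"device": device_id, "control": number, "name": name, "detail": detail}


def audit_devices(inventory, observed_ids, today, max_sync_age_days=7):
    """Return a list of finding dicts, one per failed control per device.

    inventory         - list of device records (assumed format, see SAMPLE_INVENTORY)
    observed_ids      - device ids seen connecting to the network (e.g. from
                        sync-server or wireless-controller logs)
    today             - date the audit is run
    max_sync_age_days - policy threshold for "regularly synchronized" (assumed)
    """
    findings = []
    known_ids = set()
    for dev in inventory:
        dev_id = dev["id"]
        known_ids.add(dev_id)
        # Control 2 (Access Control): no power-on password means no access control.
        if not dev.get("password_required"):
            findings.append(_finding(dev_id, 2, "Access Control", "no power-on password"))
        for number, name, field in ATTRIBUTE_CONTROLS:
            if not dev.get(field):
                findings.append(_finding(dev_id, number, name, f"{field} not implemented"))
        # Data-loss risk: information on a device that is not regularly
        # synchronized with an organizational computer is lost with the device.
        last_sync = dev.get("last_sync")
        if last_sync is None or (today - last_sync).days > max_sync_age_days:
            findings.append(_finding(dev_id, 9, "Device Backup",
                                     f"last sync older than {max_sync_age_days} days"))
    # Control 1 (Configuration Management): a device observed on the network
    # but absent from the registry is an unmanaged, uninventoried device.
    for dev_id in sorted(set(observed_ids) - known_ids):
        findings.append(_finding(dev_id, 1, "Configuration Management",
                                 "device not in inventory"))
    return findings


def summarize(findings):
    """Count findings per checklist control number (the auditor's fail tally)."""
    counts = {}
    for f in findings:
        counts[f["control"]] = counts.get(f["control"], 0) + 1
    return counts


# Constructed sample data (not from the checklist).
TODAY = date(2009, 6, 1)
SAMPLE_INVENTORY = [
    {"id": "PDA-001", "owner": "alice", "password_required": True, "antivirus": True,
     "encrypted": True, "firewall": True, "vpn": True, "managed": True, "backup": True,
     "last_sync": TODAY - timedelta(days=1)},
    {"id": "PDA-002", "owner": "bob", "password_required": False, "antivirus": True,
     "encrypted": False, "firewall": True, "vpn": True, "managed": True, "backup": True,
     "last_sync": TODAY - timedelta(days=30)},
    {"id": "PDA-003", "owner": "carol", "password_required": True, "antivirus": False,
     "encrypted": True, "firewall": False, "vpn": False, "managed": False, "backup": False,
     "last_sync": None},
]
# Ids seen on the network; PDA-004 is not in the registry.
SAMPLE_OBSERVED = ["PDA-001", "PDA-002", "PDA-004"]

if __name__ == "__main__":
    results = audit_devices(SAMPLE_INVENTORY, SAMPLE_OBSERVED, TODAY)
    for f in results:
        print(f"{f['device']}: control {f['control']} ({f['name']}) - {f['detail']}")
    print("failures per control:", summarize(results))
```

Running the script on the sample data yields ten findings: PDA-001 passes every control, PDA-002 fails Access Control, Data Encryption and the synchronization check, PDA-003 fails five attribute controls plus synchronization, and the unregistered PDA-004 is reported under Configuration Management. In practice the inventory would be exported from the centralized management system (control 8) and the observed ids from sync-server or wireless logs, so the same loop doubles as a detection for devices that appear on the network without ever being registered.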
PDA Security Products
The table below lists current vendor security products for PDA security.[5]
Security Function | Vendor |
Anti-Spam | Symantec, Smobile |
Anti-Spyware | F-Secure, Symantec, Smobile |
Anti-Theft Protection | Kaspersky, Credant Technologies, Smobile |
Anti-Virus | Airscanner, Avira, BullGuard, Avast!, F-Secure, Kaspersky, McAfee, Symantec, ESET, Trend Micro, Smobile, Computer Associates |
Authentication | Credant, RSA, Trend Micro, DeveloperOne |
Data Backup | Blue Nomad |
Data Encryption | Airscanner, Kaspersky, Check Point, PGP, Credant Technologies, Trend Micro, Aiko, Blue Nomad, DeveloperOne, Trust Digital, Tealpoint |
Data Forensics | Paraben, Cellebrite, Oxygen |
Data Sanitization | Aiko, Sprite Software |
Device Enterprise Management | Symantec, McAfee, Trust Digital |
Firewall | Airscanner, F-Secure, Symantec, Trend Micro, ProtectStar, Smobile |
Virtual Private Network | SonicWall, NetMotion Wireless, Check Point |
NOTE: This list neither constitutes recommendations by the SANS Institute nor covers every single vendor. Instead, this list provides a starting point from which to find and evaluate solutions for mitigating PDA security audit results.
References