Preparing for the perils of wireless access: wireless PDAs provide organizations with a huge productivity boost by giving mobile employees instant access to email and other corporate information sources. They also present a security threat that many organizations are not prepared for.

Computer viruses come and go, and thanks to the efforts of hard working network administrators, most of us have become pretty complacent. Normally, the first we hear about a virus is in an e-mail from network security that tells us how to protect ourselves and the company in the unlikely event that the attack makes it through the corporate firewall. However, there's a new virus out there that's likely to catch many security people off guard. Code-named "Brador," the virus in question is different because it attacks personal digital assistants (PDAs). This is just one example of a new virus trend.

[ILLUSTRATION OMITTED]

In the past, PDAs haven't been much of a target for hackers, but that appears to be changing. The use of PDAs is becoming much more pervasive; statistics show that they will soon overtake laptops in the number of units sold. The growth rate is expected to increase even more with the wide adoption of smart phones, which are effectively cell phones and PDAs in one. As PDA (Personal Digital Assistant) A handheld computer for managing contacts, appointments and tasks. It typically includes a name and address database, calendar, to-do list and note taker, which are the functions in a personal information manager (see PIM). use becomes mainstream, the information content of the typical PDA is increasingly likely to include confidential e-mails that could contain substantial sensitive data--about the financials of a company, a spreadsheet with sales forecasts, a customer list, or a host of other items. Hacker interest is likely to increase in proportion to the value of the content.

The content of the PDA itself, however, is just the tip of the iceberg tip of the iceberg
n. pl. tips of the iceberg
A small evident part or aspect of something largely hidden: afraid that these few reported cases of the disease might only be the tip of the iceberg. , according to according to
prep.
1. As stated or indicated by; on the authority of: according to historians.

2. In keeping with: according to instructions.

3. Albert Caballero cab·al·le·ro
n. pl. cab·al·le·ros
1. A Spanish gentleman; a cavalier.

2. A man who is skilled in riding and managing horses; a horseman. , technical services manager for security software provider CrossTec Corporation. "The PDA can act as a gateway between your external and your corporate network," explains Caballero. "When you're mobile with your PDA, you connect it to any number of Internet service providers Internet service provider (ISP)

Company that provides Internet connections and services to individuals and organizations. For a monthly fee, ISPs provide computer users with a connection to their site (see data transmission), as well as a log-in name and password. or corporate providers. You really have no idea what's going on What's Going On is a record by American soul singer Marvin Gaye. Released on May 21, 1971 (see 1971 in music), What's Going On reflected the beginning of a new trend in soul music. on their networks. When you come back to your office, what's the first thing you do? You put your pocket PC into your screen, or you synchronize it with your corporate laptop, or your corporate desktop, for that matter. So in the latter case, that is completely bypassing any kind of network security that has been implemented by your administrators."

[ILLUSTRATION OMITTED]

That connection, Caballero points out, could easily transmit a virus to the corporate network. And the fact that many PDAs now use wireless to connect to their networks makes the gateway phenomenon even more dangerous. "Before, PDAs used to connect with a serial port," Caballero continues. "Now, there are more and more PDAs that connect with just a wireless card. That allows someone, if they can connect to your PDA via that wireless connection, to have access to your corporate LAN (Local Area Network) A communications network that serves users within a confined geographical area. The "clients" are the user's workstations typically running Windows, although Mac and Linux clients are also used. , which would otherwise only be hardwired, and they would really need physical access to the building. That's no longer the case if you have wireless PDAs."

To clarify, PDAs use two types of wireless connection. For receiving email and transferring data, the connection is made via a special protocol such as CDMA (Code Division Multiple Access) A method for transmitting simultaneous signals over a shared portion of the spectrum. The foremost application of CDMA is the digital cellular phone technology from QUALCOMM that operates in the 800 MHz band and 1.9 GHz PCS band. , which connects the device through a cellular service provider. Security is less of an issue here, as most carriers have extensive security infrastructures in place. The link that should cause concern is the 802.11 or Wi-Fi port, which is used to connect to wireless LAN A local area network that transmits over the air typically in the 2.4 GHz or 5 GHz unlicensed frequency band. It does not require line of sight between sender and receiver. Wireless base stations (access points) are wired to an Ethernet network and transmit a radio frequency over an area within a corporate facility. This can be done with off-the-shelf equipment that has no built-in security; securing the connection is up to the organization using it. Not taking the proper steps creates the potential for "eavesdropping Secretly gaining unauthorized access to confidential communications. Examples include listening to radio transmissions or using laser interferometers to reconstitute conversations by reflecting laser beams off windows that are vibrating in synchrony to the sound in the room. " by a hacker sitting in the corporate parking lot, to give one example.

What's particularly disturbing about the Brador virus is that it is what is termed a "backdoor See trapdoor. "; a program that allows an outside person, presumably pre·sum·a·ble
adj.
That can be presumed or taken for granted; reasonable as a supposition: presumable causes of the disaster. a hacker, to take control of the device. With the right (or wrong) turn of events, an external hacker could use the Wi-Fi connection to gain unrestricted access to a corporate network.

PDAs are obviously vulnerable because they are frequently used in public places, and because of their size, are frequently lost or stolen. But wireless networking See wireless network. use opens up a number of more subtle possibilities for hackers. Hot spots hot spots

acute moist dermatitis. , which are becoming much more popular, are a prime example. Located in coffee shops and other public places, these facilities provide Internet services through Wi-Fi technology. There's no way to control who could be in the facility with the intent of intercepting your communications. "It's a minefield out there," warns Caballero.

There are a plethora of off-the-shelf systems available to protect PDAs from a variety of threats. Virus protection software can screen e-mail attachments to prevent infection. Encryption software Encryption software is software whose main task is encryption and decryption of data, usually in the form of files on hard drives and removable media, email messages, or in the form of packets sent over computer networks. can make information on a PDA unreadable for hackers. Remote access Virtual Private Networks (VPNs) can ensure that the wireless connection made within the office is protected. And bit-wiping software can completely wipe out the contents of a PDA that somebody attempts to tamper To meddle, alter, or improperly interfere with something; to make changes or corrupt, as in tampering with the evidence. with.

The challenge with these tools is not acquiring them, but selecting them properly, and looking after them. Each device has to be configured properly, and patches have to be installed continually to make sure that protection is maintained as new threats arise. When your office PC is on the network, this is easy. PDAs are much more difficult for IT departments to keep track of, let alone gain consistent access to. Furthermore, it is common for employees to buy their own PDAs, and they might feel that these devices are their business.

Corporations, however, are legally obliged to secure sensitive data, regardless of who owns the device that hosts it. Therefore, corporate security controls need to be established over any device that connects to the corporate network, or, for that matter, contains proprietary company data. At a bare minimum, there should be a written policy, signed by PDA users, spelling out responsibilities and procedures. For organizations that handle sensitive financial information for clients, it might be necessary to only allow the use of company-issued (and maintained) PDAs with a number of security features installed.

A major challenge is providing a safety net that is comprehensive, while at the same time, not making undue demands on users. According to Roy Pereira, vice-president of marketing and product management for Certicom, a Toronto-based creator of security software for PDAs, "security has to be turned on by default. It has to be unobtrusive. I think a lot of times people forget that. It's nice to sit in an office and think about zero-risk types of scenarios. But it has to be usable. The leading cause of security breaches is basically an employee turning the darned darned
adj.
Damned.

Adj. 1. darned - expletives used informally as intensifiers; "he's a blasted idiot"; "it's a blamed shame"; "a blame cold winter"; "not a blessed dime"; "I'll be damned (or blessed or darned or thing off."

But the biggest challenge of all might be getting people to think ahead. "Security has always been thought of as something you add later, as soon as you're feeling uncomfortable or paranoid, or whatever," Pereira explains. "But really, in a wireless world you can't think of security that way. You really have to think of security as something that is a feature of the product you buy from day one."

Jacob Stoller is principal of StollerStrategies, a Toronto-based consultancy focused on technology issues.

COPYRIGHT 2004 Society of Management Accountants of Canada
No portion of this article can be reproduced without the express written permission from the copyright holder.

Reader Opinion

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:	information technology
Author:	Stoller, Jacob
Publication:	CMA Management
Geographic Code:	1CANA
Date:	Nov 1, 2004
Words:	1171
Previous Article:	Paring down the issues: a new book reminds readers that, to solve problems, it's always wise to simplify your parameters first.(The Power of the 2X2...
Next Article:	Northern business exposure: Aboriginal Business Canada's new Yellowknife office promises greater opportunities for aboriginal business.(government...
Topics:	Computer networks Safety and security measures Information networks Safety and security measures Internet Management Safety and security measures Internet security Management Personal digital assistants Safety and security measures

Related Articles
EDS AND VODAFONE DEBUT MANAGED MOBILITY SERVICE.
JP MOBILE PROVIDES PUSH EMAIL/PIM SOLUTION FOR SMARTPHONE.
When insiders go outside the lines: for all the money companies have spent to secure their networks' outside perimeters against hackers and viruses,...
GOODLINK SOFTWARE AND SERVICE AVAILABLE ON VERIZON WIRELESS.
CINGULAR WIRELESS CERTIFIES SYBASE MOBILE PRODUCTS.
SPRINT MULTIMEDIA DEVICES OFFER PCS BUSINESS CONNECTION.
Remote risk.
ORANGE SLOVAKIA SELECTS INTELLISYNC FOR WIRELESS EMAIL.
MICROSOFT WINDOWS MOBILE 5 PROLIFERATING GLOBALLY.
Dam data leakage at source: how unified encryption management (UEM) is changing the threat landscape.(SOFTWARE WORLD INTELLIGENCE)