Corporate information technology users are increasingly relying on personal data assistants (PDAs) to check e-mail, surf the Web, and a variety of other tasks.

When you use PDAs for online tasks they become just as vulnerable as desktop systems to viruses, mobile code exploits, and a variety of other threats.

What should organizations do to make keep their PDA users safe from the threats of the Internet?

PDA Security Issues

With PDAs becoming ubiquitous, the same threats that affect desktop users are starting to affect PDAs. The biggest threats that PDA users need to be concerned typically fall into one of these six categories:

• Password theft
• Viruses and data corruption
• Data theft through line sniffing
• Theft of the PDA itself
• Mobile code vulnerabilities
• Wireless vulnerabilities

The biggest security risk to PDAs is likely theft of the device itself, and for that reason securing the data on the device in standalone mode is probably the best type of precaution users can take.

The second biggest security risk to PDAs is viruses. Mobile code vulnerabilities (Java and ActiveX exploits) are also a threat, but only affect PDAs that do Web surfing.

Wireless vulnerabilities only affect PDAs that use wireless services or have their wireless port enabled.

Encryption solutions exist for PDAs to secure both the data, and links used to communicate with remote systems and networks.

The encryption solutions that exist for PDAs typically are one of two types: products to secure the data as the PDA sits in standalone mode or products to secure the link as the data moves back and forth to and from infrastructure devices (such as the desktop unit that it uses for hot-syncing).

Using an encryption product to secure either the link to the desktop hot-sync system, or for wireless surfing, means that you basically need to wrap up your PDA traffic in a VPN.

Unless you have extremely sensitive data (e.g. government classified data), using a VPN on your PDA may not be worth the performance hits you will suffer.

The best way to protect your PDA from wireless vulnerabilities is to install a VPN client on your PDA. When you protect wireless transmissions, you are protecting the data in transit.

If you install a VPN client on your PDA, you will likely notice performance degradations and unless you have reason to believe that someone is “sniffing” your wireless traffic, or you have sensitive information to protect, installing a VPN client on your PDA is probably not worth it.

However, if you are dialing into a classified network on your PDA, the security policies of the organization may require that you use a VPN whether you want to or not.

VPNs operate using a client-server architecture, therefore PDAs using VPN clients need to connect to a VPN gateway server residing on the destination network.

It is not possible to establish a VPN tunnel with the VPN client by itself. Therefore, unless you have a VPN gateway server on the destination network that your PDA client will connect to, there is no point in trying to configure a VPN client. For stronger VPN security, you’ll want to use X.509 digital certificates for authentication.

Security Policies For PDAs

Organizations can also create security policies to help protect sensitive data that resides on PDAs.

For example, a policy that requires the wireless port be disabled will reduce the risk of sensitive data being transmitted to unauthorized individuals.

You can create an end-user behavior policy that stipulates that PDAs not be used for receipt or sending of e-mails with private and sensitive information.

By creating end-user behavior security policies organizations can hold the end-users accountable for security violations.

If you feel that your network is at risk for PDA viruses, and you have not deployed enterprise anti-virus software for PDAs, you can create a policy that requires the synchronization capability (hotsync) to be turned off.

Keep in mind that end-users typically are resistant to security policies, and your best bet for gaining end-user acceptance is by illustrating the risks to executive managers who may help with championing and supporting PDA security policies.

PDA Security Products

There are a wide variety of PDA security products on the market to protect PDAs from becoming susceptible to vulnerabilities and threats.

The leading PDA security products available today are typically made for the PalmOS and WindowsCE platforms.

PalmOS is bundled on PDAs made by both Palm and Handspring. WindowsCE is Microsoft’s PDA operating system and comes bundled on PDAs that are marketed as PocketPCs.

PocketPCs are made by a wide variety of vendors including Compaq, HP, Sony, Toshiba, and Dell.

Except for PDA security products related to hotsync functions, most of the PDA security products on the market are similar to security products for desktop systems.

There are authentication products, encryption products, anti-virus products, and password products that work in similar ways as products of this type made for desktop and laptop systems.

One product that stands out as very unique to PDAs is an electronic shielding bag made by MobileCloak. PDAs typically operate in “always on” mode.

If you remove the battery, you actually lose your data. (This is why end-users should hotsync their PDA regularly.)

Therefore, in one sense, PDAs are never completely turned off. To ensure that wireless transmissions are protected and not leaking into wireless access points that you may not know about, you can put your PDA into an electromagnetic shielding bag while carrying it around with you.

On PDAs that have highly sensitive information that could, for example, compromise national security, you can install bit wiping packages.

Bit wiping occurs when the entire memory is over-written, basically wiping out all of the data completely so that it can’t be recovered even by a PDA forensics tool.

Bit wiping is just a terminology for reformatting or completely erasing the stored memory.

Typically, you would set-up bit wiping to kick in if the PDA was not synchronized within a certain timeframe, or if there were too many bad password attempts.

However, bit wiping is not for the average everyday user. If not used correctly, bit wiping can destroy your valuable data so that even the data owner cannot recover it.

If you allow PDAs on your enterprise network, you should at the very least set up a password enforcement product that will require all your PDA end-users to supply a password for authentication.

The best way to deploy a PDA password enforcement solution is to set-up a backend system to automatically install password enforcement software on the enterprise PDAs when they hotsync to their desktop hosts.

PDA Security Vendors

There are a wide variety of PDA security vendors that have products to secure your PDA. PDA vendors that seem to have particularly useful products are listed below.

A Word To The Wise

The CERT Coordination Center at Carnegie Mellon University (www.cert.org) has been publishing advisories on information technology security threats and trends since 1988.

For at least a year, CERT has been publishing information about vulnerabilities and threats that affect PDAs.

With the debut of PDA-based cell phones, security vulnerabilities to PDAs and their associated hotsync hosts will only increase over time.

Not securing PDAs from viruses and all the other threats that exist increases the possibility of data corruption on the PDA itself, and on the devices to which they pass traffic.

If you allow PDAs on your network infrastructure, then you need security controls and policies to keep these devices from damaging your valuable data and infrastructure.

If no security controls or policies are in place for PDAs, it is best to keep them off your network infrastructure until policies and security controls can be implemented.

Keep in mind that if you leave your PDA in a taxi or a restaurant, a person finding it will likely be more interested in the device itself than in the data on the device.

If you have a password enforcement package that prevents access to the device making it unusable to an unauthorized user, it is possible that a finder might be motivated to give it back.

Therefore, a simple suggestion is to label your PDA with an address or phone number so that it can be returned to you in case it is recovered by an honest finder.