Although there are numerous security threats associated with PDAs, the two biggest issues are viruses and the theft of sensitive data. At first, the thought of losing sensitive data or contracting a virus because of a PDA may seem ridiculous. However, both threats are very real, and I'll explain why. I'll also give you a few tips on constructing an effective PDA policy for your users.
Viral infections
Before you send me an e-mail message, let me explain I'm well aware that there has never been a documented case of a virus attacking a PDA. This may be because the Windows CE operating system is so simple. When Windows CE was initially designed several years ago, the engineers at Microsoft stripped down the Windows 95 operating system to its core, added a few simple applets, and the finished product became Windows CE.
There's a basic rule in computing that says that the more lines of code an application has, the greater the chance the application may be exploited. Because Windows CE was such a simplified operating system, many of the weaknesses that viruses could exploit in other operating systems simply didn't exist. As the years went on, the Windows CE operating system got a little more bloated, but it still lacks most of the features found in elaborate operating systems such as Windows XP. Because of this, virus attacks have never been an issue.
Although viruses are not known to attack PDAs, a PDA can act as a carrier for a virus. For example, imagine that a user employs a PDA to check e-mail. Now suppose an e-mail message contains an attachment that's infected with a virus.
If the user were to open the attachment, the virus would probably not infect the PDA. However, if the user were later to synchronise the file to a desktop PC and then open the file on the PC, an infection would occur. In this situation, the virus didn't harm the PDA, but the PDA was able to act as a carrier that allowed the virus to be put onto the network.
Everyone in your organisation who uses a PDA should be running antivirus software, just as they would on a laptop or desktop computer. There are two ways that this antivirus software works. One type of antivirus software stores an auto-protection file and a virus-definition file on the PDA so that virus scanning occurs automatically each time a file is accessed.
Another breed of software stores the virus definitions on a network server. Because virus-definition files take up a lot of space that many PDA users simply don't have, storing them on a network server ensures that the definitions can be updated regularly. Any time the PDA user attaches to the network, the antivirus software automatically connects to the virus definition files and scans the PDA before any infections can occur.
Compromised data
Whenever a PDA is lost or stolen, there's a risk that the data stored on the device could fall into the wrong hands. When I speak to IT managers about the data that could be compromised if a PDA were stolen, they almost always tell me that the PDAs don't need any real protection because there is no sensitive data on them. However, I feel there's actually quite a bit of sensitive data on the typical PDA.
For example, suppose a VP at your company lost a PDA. Fortunately, this particular VP used the PDA as little more than an electronic organiser. So there's no sensitive information on the PDA, right? First of all, the executive probably has an appointment book or a calendar stored on the PDA. And how much sensitive information is stored within the calendar? If you're not sure, ask yourself what your competitor could learn by sneaking a look at the calendar, contact list, etc.
Let's say that the executive in question never kept juicy information about top-secret meetings or customer contact information in his PDA. In fact, let's pretend that the PDA was brand new and for all practical purposes was empty. There is still useful information that could be gathered from the PDA.
If your company uses a wireless network, someone could steal your company's SSID, channel, and WEP pass phrase from a PDA. Depending on the configuration, someone might even be able to obtain usernames, IP addresses, domain names, or even passwords. Most, if not all, of the information that someone would need to break into your company's network could be stored on the PDA, either in the form of data or as configuration information. I say it could be stored as data, potentially, because an alarming number of people store passwords and PINs on their PDAs. According to one statistic, one in four PDA users store PINs and passwords on their PDAâ€"but don't protect the PDA itself with a password.
Personal PDAs versus company-issued PDAs
So the real question now is what to do about all of the security threats that face your PDA users. The first thing that I recommend doing is supporting company-issued PDAs only. Although I like giving users as much personal freedom as possible, I strongly recommend banning privately owned PDAs. If employees really want to use their own personal PDAs, my philosophy is that you can't (and probably shouldn't) stop them from using themâ€"but you can prevent them from connecting them to your network.
I'm opposed to privately owned PDAs being attached to the network because it's difficult for a company to control what it doesn't own. If a user owns a PDA, you really have no way of verifying that the user is running the appropriate antivirus software. Likewise, there's no way to really tell if an application installed by a user is legal or pirated.
For your users who have company-issued PDAs, you should create a security policy that is fully documented so there are no questions of what will be expected from them. The policy will likely be very similar to the policy for your laptop users. For example, it should address things such as how often passwords should be changed, what applications are allowed, and what types of data may be stored on the PDA. In the following sections, I've outlined more detailed security recommendations that you might consider including as a part of your PDA security policy.
2%
4%
Gosh, what muddle-headed thinking.
"...there has never been a documented case of a virus attacking a PDA. This may be because the Windows CE operating system is so simple."
May I point out that not only are Windows CE PDAs significantly outnumbered by Palm PDAs, Palm OS has been around significanlty longer. It is often touted that the reason Windows is so often attacked by viruses, worms, trojans, etc. is because of its popularity. Yet how come if Palm OS is so popular on PDAs, we don't see any viruses?
How come when the most popular PDA OS shows no sign of being hacked it is because of some features of a different OS?
I think what Brien means is the reason <b>Windows</b> viruses have not migrated to Windows CE is because the most common vulnerabilities in Windows desktop do not exist in the PDA version. Not because of clever Microsoft programming or high security, but simply that the features exploited by most viruses, trojans, worms etc. are not present in Windows CE, or require different programs.
The reason Palm OS has not been attacked, in my opinion, is because it is quite difficult to get users to download and run a virus. It is even harder to get it to propigate - tasks that are much simpler with desktop OS's, and laughably simple with most versions Windows.
The fact that Windows CE is on perhaps 30% of PDAs <b>and</b> the because of the difficulty of installing and propigating viruses on PDAs is why there are no PDA viruses.
This bit I really like;
"basic rule in computing that says that the more lines of code an application has, the greater the chance the application may be exploited."
Windows XP has over 50 million lines of code, Windows 95 would have perhaps half that. Yet I think Microsoft would be seriously miffed if you said 95 was the more secure OS.