I recently acquired a Windows Mobile-based Samsung BlackJack smartphone. I absolutely love it but I feel it's quite the liability hanging off my pocket. I can't imagine being responsible for dozens, if not thousands, of these types of systems in larger enterprises. But this is the case for many people – people who are used to only having to secure Windows workstations and servers.
Mobile systems are a glaring weakness within enterprise security, and not enough people are concerned about this or have the right resources to address it. There's often no direct accountability in managing and securing mobile systems, and they often fall outside the scope of security assessments and audits. Interestingly, there aren't a ton of vendor-based solutions to lock down these devices either. The ones that do exist focus on the older versions of PocketPC.
Lack of visibility and limited security solutions aside, the odds are that you have a whole lot of untamed Windows Mobile-based devices floating around your environment. The security risks associated with Windows Mobile systems are really no different than those commonly tied to laptop computers. They include:
The big difference is that you can't really test Windows Mobile systems using traditional security testing tools. It's just the nature of the beast.
These weaknesses not only expose sensitive files and email to whoever comes into contact with the mobile devices, but they also facilitate data leakage and sensitive information exposure by employees who aren't on the up and up. Windows Mobile-based systems are that much more vulnerable because they have a greater propensity than the typical laptop to be lost and sprout legs, never to be seen again.
Ensuring that your Windows Mobile systems are properly locked down and are protecting sensitive business assets all starts with policies. I know policies aren't sexy, but regardless of how boring and repetitive they seem, it's an absolute must to make sure your mobile systems fall within the scope of all your other computer systems.
Your mileage will vary but you should at least make sure the following Windows Mobile concerns are addressed in your existing security policies, standards and plans:
Beyond policies, here are the essential security must-haves for all Windows Mobile systems in your organization:
In addition to those lock-down practices, be sure to check out Microsoft's Security Model for Windows Mobile 5.0 and Windows Mobile 6 and Security Considerations for Windows Mobile Messaging in the Enterprise.
Locking down smartphones and PDAs is one of those darker places of security, and it's gone unexplored for too long. Whether these systems are business-owned or not, if employees are using them for business email, office applications and file storage, then those systems need to fall under your control. There's no time to drag your feet. Mobile device business risks are bound to rear their ugly heads if they haven't already. Address these issues now. As Windows Mobile usage becomes more widespread in the coming years, you'll appreciate the effort you put forth today for getting things under control.
About the author: Kevin Beaver is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC where he specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.