Personal Digital Assistant
Personal Digital Assistant (PDA) Audit Checklist
Prepared by Eric Maiwald, Adam Robb, Jochen Bern, JB Bagby, Wayde York
The category “Personal Digital Assistant” (PDA) has historically included
handheld devices that process and store information and connect to other devices via InfraRed, Serial and Universal Serial Bus (USB). A recent expansion to this category includes devices called “Smart mobile devices.”
“Smart mobile devices” are wireless handhelds and smart phones that are enhancements to PDAs. Advances in memory, both random access and permanent memory (hard drive), coupled with high-speed Internet connectivity, have created a tool that rivals the capability of laptop computers at a fraction of the size and weight. PDAs offering permanent storage measured in gigabytes and industry-standard office applications are a great advance for the on-the-go business user. Such a tool, however, also carries more risk than earlier devices, and a greater need for security policy and procedure to protect sensitive information.
This paper provides a basic checklist for performing an audit of an environment in which PDAs are used. This checklist provides information on types of application software that can be used to strengthen the security of the handheld devices.
PDAs operate with four primary operating systems. These operating systems and their Q1 2005 market share are:
1. Symbian 61%
2. Microsoft 18%
3. Palm 11%
4. RIM 7%
Other PDA operating systems include Danger (HipTop) and Linux.
All PDA operating systems have software libraries, with applications being developed and distributed through both the commercial and freeware/shareware channels. As with any software developed by non-trusted sources, however, there is the possibility that some programs may contain malicious code, such as trojan horses, viruses and worms.
The threat from malicious software to the operating systems of PDAs has so far been in proportion to each OS’s market share. Accordingly, Symbian-centric malicious software has been seen in the wild in numbers far greater than for Palm or Microsoft Windows CE. One anti-virus vendor listed approximately 50 different malicious applications (some, variants of one another) for the Symbian operating system and fewer than five each for Palm and Microsoft.
This will not be the case forever. As PDAs continue to grow in personal and corporate use, malware authors will follow suit in their craft.
Introduction of PDAs into an enterprise occurs either through individual/personal purchase and use, or organizationally controlled purchase and use. The latter instance is much easier to manage and secure. The point at which the device connects either to the enterprise or the organizational computer must be the point of control to protect against malicious code or unauthorized downloading of sensitive information.
PDAs do not come out of the box with any strong authentication, file and communications encryption or anti-malware applications installed and ready to use. However, these devices do come with Bluetooth, 802.11 Wireless, infrared, USB, TCP/IP and serial communications.
Each of these communications capabilities is a vector through which the device and the enterprise may be attacked. While the threat from malicious code is minimal today, the threat to an organization’s sensitive information and the user’s privacy-related information is high. The loss of a Smart Mobile Device, with the user’s credit card numbers, sensitive organizational information and address book, is practically equal to the loss of an organization’s laptop computer.
These devices are part of the organizational enterprise landscape and their capabilities will continue to increase. Therefore, prior to performing the audit, the auditor needs to ascertain the circumstances in which devices are used by the users and whether they are issued by the organization. How the devices are used and the type of information that is stored on the devices will directly impact the overall risk to the organization.
It is almost impossible to attempt any audit of handhelds without a security policy item governing the use of the devices within the organization. If the organization has not implemented such a policy, implementing one should be the first step in reducing the overall security risk that these devices pose to the organization.
The following provides an audit checklist to determine the level of PDA security. After the audit checklist, a partial list of security product vendors is provided.
PDA Security Checklist:
1. Security Policy – Determine if the organization has a defined policy for the use of handheld devices. This policy should cover:
   - Information that can and cannot be stored and processed on the device
   - Security configuration of the device, including all software that is to be used to protect the information
   - Modes of operation, including whether wireless radio frequency and/or infrared transmission is permitted
   - Whether the user is permitted System Administrator rights to the company or government entity base PC with which the
2. Use Policy – Determine if the organization has included handheld devices in its acceptable use policy. This policy should cover:
   - Prospective personally owned PDA users will sign an agreement defining permitted use policy.
   - A PDA may not be used to enter or store passwords, safe/door combinations, personal identification numbers, or classified, sensitive or proprietary information, unless that information is encrypted at rest on the device.
   - No simultaneous connection, via wireless, infrared, Bluetooth, etc. while connected to an organizational PC, particularly a networked PC.
   - PDAs will not be left unattended when attached to a
   - PDAs will be secured with strong password protection when not in use.
   - Device ownership is established (this will depend on the policy of the organization with regard to employee-owned
   - Allowed network connectivity will be identified
   - Only approved software will be loaded on the device
   - The user must take responsible steps to prevent the loss or theft of the device
   - The user must regularly sync the device with its home organizational PC or the network so that appropriate security files (such as virus signatures and policy files) may be
3. Awareness Training – Determine if the organization includes information about the security of handheld devices in its security awareness training. This training should cover:
   - Physical security of the device
   - The handheld security policy
   - Information that may be stored on the device
   - The procedure to follow if a device is lost or stolen
4. Device Registration – The organization should maintain a registry of all devices in use. This registry should include:
   - Serial number of the device
   - Make and model of the device
   - Employee to whom the device has been issued
   Each device that is owned by the organization should be marked as such with an asset tag or other permanent marking.
5. Initial Checklist – Prior to the device being issued to an employee, the organization should follow a checklist to make sure that the device is registered properly and that the employee has received a device that is properly configured. Items on the checklist should include:
   - Device added to the registry
   - Employee has read and understood the Use Policy and the Security Policy associated with handheld devices
   - Employee has received awareness training regarding the security of the handheld
   - The device has been properly configured regarding security
   - All necessary security software has been loaded on the
6. Employee Termination Procedure – Determine if the return of handheld devices is included in the organization’s employee termination procedures.
7. Device Authentication – Determine if the device authentication meets the organization’s authentication policy. All devices should require authentication at power up and at regular intervals of non-use while active. The authentication mechanism should be one of the following:
   - A strong password (preferably eight characters and a mixture of letters, numbers, and special characters)
   - A smart card in conjunction with a PIN or password
   - Biometrics (such as a fingerprint) in conjunction with a PIN or
   Note: authentication by handwriting is not recommended.
   Software to enhance device authentication is available from Bluefire Security, Credant, and PDA Defense.
8. Anti-Virus Software – Determine if AV software is loaded on each handheld device. This software should be configured to examine files as they are opened. Updated signatures should be installed on the device every time the device syncs to its home PC or at regular intervals via a network connection.
9. Theft Protection – Determine if sensitive information on the device is protected if the device is lost or stolen.
   - All data should be deleted after a pre-specified number of failed logon attempts. (5)
   - All data should be deleted from the device if the device is not synchronized to the organizational PC or network within a pre-specified time period. (48 hours)
   Note: Blackberry devices already have this functionality.
10. File Encryption – Determine if sensitive information on the device is encrypted with a strong, recognized algorithm such as AES or Triple DES. The key to the file encryption may be tied either to a certificate on a smart card or to the user’s authentication information.
   Note: The U.S. government requires the AES encryption algorithm for U.S. government-approved encryption, in accordance with National Institute of Standards and Technology (NIST) FIPS PUB 140-2.
11. Device Firewall – Determine if the device is protected by a device firewall. The firewall should be configurable to the organization’s security policy and protect all network connections.
12. Virtual Private Network Software – Determine if VPN software is used when the device connects to the organization over the Internet. The VPN software should use IPSec or SSL and be tied into a strong authentication mechanism.
13. Device Integrity – Determine if the device has a mechanism to detect modifications to key system files or registry settings. The device should alarm if the key files or settings are modified and prevent damage from spreading from the device into the organization.
14. Enterprise Device Management – Determine if there is a central management capability in the organization. Since these devices are not completely under the control of the organization and are by nature mobile, the organization should have a mechanism to manage the security policy of the device from a central location.
15. Network Connections – Determine if all device network connections are either disabled or protected. The network connections to verify include:
16. Desktop Syncing – Determine if a password is required in order to sync the handheld device to the desktop.
17. Device Backup – Determine if the device uses a backup application that completely backs up the contents. NOTE: Most device backup software included from the manufacturer does not back up certain 3rd party libraries and settings.
18. Insurance – Ensure that all handhelds are insured against theft, loss or breakage.
19. Expansion Slots – Ensure that any information stored on expansion slot media meets integrity, encryption and information wipe requirements listed above.
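One way an auditor could run items 4, 7, 9 and 10 of the checklist against a device inventory export. This is an added example, not part of the original checklist; the record field names, serial numbers and sample devices are constructed for illustration, while the thresholds (eight characters, 5 failed logons, 48 hours, AES or Triple DES) are the ones given in the checklist.

```python
from datetime import datetime, timedelta

# Thresholds taken from checklist items 7, 9 and 10.
MIN_PASSWORD_LEN = 8
MAX_FAILED_LOGONS = 5
MAX_SYNC_AGE = timedelta(hours=48)
APPROVED_CIPHERS = {"AES", "3DES"}

def audit_device(dev, registry, now):
    """Return a list of (checklist item, finding) tuples for one device record."""
    findings = []
    entry = registry.get(dev["serial"])
    if entry is None:
        findings.append((4, "device not in registry"))
    elif entry["employee"] != dev["user"]:
        findings.append((4, "device user differs from registered employee"))
    if dev.get("min_password_len", 0) < MIN_PASSWORD_LEN or not dev.get("auth_at_power_up"):
        findings.append((7, "authentication weaker than policy"))
    wipe = dev.get("wipe_after_failed_logons")  # None means the wipe is disabled
    if wipe is None or wipe > MAX_FAILED_LOGONS:
        findings.append((9, "no data wipe within %d failed logons" % MAX_FAILED_LOGONS))
    if now - dev["last_sync"] > MAX_SYNC_AGE:
        findings.append((9, "not synchronized within 48 hours"))
    if dev.get("file_cipher") not in APPROVED_CIPHERS:
        findings.append((10, "sensitive files not encrypted with AES or Triple DES"))
    return findings

# Constructed sample data; every field name and value here is hypothetical.
NOW = datetime(2005, 8, 1, 9, 0)
REGISTRY = {
    "SN-1001": {"make_model": "ExampleCo H1", "employee": "alice"},
    "SN-1002": {"make_model": "ExampleCo H1", "employee": "bob"},
}
DEVICES = [
    {"serial": "SN-1001", "user": "alice", "min_password_len": 8, "auth_at_power_up": True,
     "wipe_after_failed_logons": 5, "last_sync": NOW - timedelta(hours=6), "file_cipher": "AES"},
    {"serial": "SN-1002", "user": "carol", "min_password_len": 4, "auth_at_power_up": True,
     "wipe_after_failed_logons": None, "last_sync": NOW - timedelta(hours=72), "file_cipher": "DES"},
    {"serial": "SN-9999", "user": "dave", "min_password_len": 8, "auth_at_power_up": False,
     "wipe_after_failed_logons": 10, "last_sync": NOW - timedelta(hours=47), "file_cipher": "3DES"},
]

def audit_all(devices=DEVICES, registry=REGISTRY, now=NOW):
    """Map each serial number to its findings; an empty list means no finding."""
    return {d["serial"]: audit_device(d, registry, now) for d in devices}

if __name__ == "__main__":
    for serial, findings in audit_all().items():
        print(serial, findings or "no findings")
```

Each finding carries the checklist item number, so the output can be sorted into the audit report by item.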
PDA security product vendors, by function. (As of Summer 2005)
NOTE: This list does not constitute a recommendation by the SANS Institute, nor is it intended to cover
every single vendor. Instead, this list provides a starting point from which to find and evaluate solutions
for mitigation of post-audit findings.
Security Function               Vendor
User Authentication             Bluefire Security; PDA Defense
Anti-Virus                      F-Secure; Computer Associates; McAfee
Theft Protection                Bluefire Security; PDA Defense; Trust Digital
File Encryption                 F-Secure; Bluefire Security; PDA Defense; Trust Digital
Firewall                        Checkpoint; Bluefire Security; Airscanner
Virtual Private Network         Bluefire Security; V-One
Data Integrity                  Bluefire Security
Device Enterprise Management    Symantec; PDA Defense; Trust Digital; McAfee; iAnywhere
Device Backup                   Blue Nomad