Personal Digital Assistant
Page 1 of 9
Personal Digital Assistant (PDA) Audit Checklist
Prepared by Eric Maiwald, Adam Robb, Jochen Bern, JB Bagby, Wayde York
The category “Personal Digital Assistant” (PDA) has historically included handheld devices that process and store information and connect to other devices via infrared, serial and Universal Serial Bus (USB) links. A recent expansion of this category includes devices called “Smart mobile devices.”
“Smart mobile devices” are wireless handhelds and smart phones that extend the PDA concept. Advances in memory, both random access and permanent storage (hard drive), coupled with high-speed Internet connectivity, have created a tool that rivals the capability of laptop computers at a fraction of the size and weight. PDAs offering permanent storage measured in gigabytes and industry-standard office applications are a great advance for the on-the-go business user. Such a tool, however, also carries more risk than earlier devices, and a greater need for security policy and procedure to protect sensitive information.
This paper provides a basic checklist for performing an audit of an environment in which PDAs are used. The checklist also provides information on the types of application software that can be used to strengthen the security of the handheld devices.
PDAs run on four primary operating systems. The four primary operating systems and their Q1 2005 market shares are:
1. Symbian 61%
2. Microsoft 18%
3. Palm 11%
4. RIM 7%
Other PDA operating systems include Danger (HipTop) and Linux.
All PDA operating systems have software libraries, with applications being developed and distributed through both commercial and freeware/shareware channels. As with any software developed by non-trusted sources, however, there is the possibility that some programs may contain malicious code, such as trojan horses, viruses and worms.
The threat from malicious software to PDA operating systems has so far tracked each OS’s market share. Accordingly, Symbian-targeted malicious software has been seen in the wild in numbers far greater than for Palm or Microsoft Windows CE. One anti-virus vendor listed approximately 50 different malicious applications (some variants of one another) for the Symbian operating system and fewer than five each for Palm and Microsoft.
This will not be the case forever. As PDAs continue to grow in personal and corporate use, malware authors will follow suit.
Introduction of PDAs into an enterprise occurs either through individual/personal purchase and use, or through organizationally controlled purchase and use. The latter is much easier to manage and secure. The point at which the device connects to the enterprise network or to the organizational computer must be the point of control to protect against malicious code or unauthorized downloading of sensitive information.
PDAs do not come out of the box with any strong authentication, file and communications encryption or anti-malware applications installed and ready to use. However, these devices do come with Bluetooth, 802.11 wireless, infrared, USB, TCP/IP and serial communications.
Each of these communications capabilities is a vector through which the device and the enterprise may be attacked. While the threat from malicious code is minimal today, the threat to an organization’s sensitive information and the user’s privacy-related information is high. The loss of a Smart Mobile Device holding the user’s credit card numbers, sensitive organizational information and address book is practically equal to the loss of an organization’s laptop computer.
These devices are part of the organizational enterprise landscape and their capabilities will continue to increase. Therefore, prior to performing the audit, the auditor needs to ascertain the circumstances in which devices are used by the users and whether they are issued by the organization. How the devices are used and the type of information that is stored on the devices will directly impact the overall risk to the organization.
It is almost impossible to attempt any audit of handhelds without a security policy item governing the use of the devices within the organization. If the organization has not implemented such a policy, doing so should be the first step in reducing the overall security risk that these devices pose to the organization.
The following provides an audit checklist to determine the level of PDA security. After the audit checklist, a partial list of security product vendors is provided.
PDA Security Checklist:
1. Security Policy – Determine if the organization has a defined policy for the use of handheld devices. This policy should cover:
- What information can and cannot be stored and processed on the device
- Security configuration of the device, including all software that is to be used to protect the information
- Modes of operation, including whether wireless radio frequency and/or infrared transmission is permitted.
- Whether the user is permitted System Administrator rights to the company or government entity base PC with which the
2. Use Policy – Determine if the organization has included handheld devices in its acceptable use policy. This policy should cover:
- Prospective personally owned PDA users will sign an