Tuesday, June 16, 2009

Getting a Secure Grip on Handheld Devices

Companies today do not have a firm grasp of the security vulnerabilities associated with their handheld devices. Personal Electronic Devices (PEDs), Personal Digital Assistants (PDAs), email and paging devices (such as the BlackBerry), and other hybrid handheld communication devices are found in the hands of almost every business manager these days, but their inherent vulnerabilities are largely overlooked.

Perhaps this is because of their size, mobility or relatively low cost. Either way, these devices do not register on the radar of most systems administrators and are wrongly perceived as less vulnerable than end-user terminals connecting via hardwire to a LAN, WAN or the Internet. The popularity, proliferation and rapidly evolving technology associated with these devices make them extremely susceptible to security vulnerabilities.

There are several general classes of handheld device operating systems: the Palm Operating System (OS) (Palm Pilots, Handspring Visor, etc.); Apple iPhone OS; Symbian; and those running Windows CE and Pocket PC (Compaq, HP Jornada, Casio, etc.). Handheld devices are equipped with a wide variety of accessories, from cameras, modems and synchronization cables to Bluetooth and wireless connections and flash memory storage. All of the operating systems have software libraries with applications, widgets and plugins developed and distributed through both commercial and freeware/shareware channels, and as with any software developed by non-trusted sources, freeware programs may contain hidden code - be it adware or malware.

Given their size and portability, the primary security concern associated with handheld devices is their ability to store large amounts of information. Add to this the breadth of communication options available and you have a device that introduces formidable risks. Since the devices are relatively inexpensive, users buy their own or receive them as gifts, and they tend to come into use in an organization regardless of whether they are approved or not. As such, companies have little or no control over data leaving the organization.

A wide variety of vulnerabilities exist when these devices are attached to PCs or other network-connected automated information systems (AIS). Trojan horse and malware programs can easily be installed, creating a backdoor on host networks to permit exploitation, since antivirus products for handheld devices are not as evolved as PC antivirus software and the operating systems currently do not prevent malicious code from modifying system files. Wireless device connections can be intercepted and data captured without the knowledge or permission of the user, as recently demonstrated in well-publicised incidents of drive-by hacking, bluesnarfing and bluejacking. Handheld devices using infrared data transport technology might also be intercepted. Finally, handheld devices by their very nature are small and therefore easily stolen or lost, resulting in sensitive information being disclosed to unauthorized individuals.

The first and best step to getting a grip on handheld devices is to ensure that your company includes them in its written security policies. Companies must issue clear and concise guidelines on what devices may and MAY NOT be used, and for what specific purposes.

How the devices are used and the type of information that is allowed to be stored on the devices will directly impact the overall risk to the organization. Good policies will specify the approved configuration of the devices and modes of operation including whether wireless radio frequency and/or infrared transmission is permitted and whether the user is allowed System Administrator rights to the base PC with which the device synchronizes. Clearly define the purpose and acceptable use conditions of the devices. Corporate provided devices should be used only for work related activities. Users should sign an agreement to abide by the acceptable use policy. Devices should not be used to enter or store passwords, safe/door combinations, personal identification numbers, or classified, sensitive or proprietary information.

Effective policies should delineate approved connectivity requirements, prohibiting uploads and downloads via wireless or infrared while connected to desktop PCs and stating approved methods for infrared data transfers. Users should be given precise instructions regarding requirements to sync their devices to receive patches, fixes and updates. It's imperative that your policies spell out device-specific build and configuration requirements, including firewall, VPN, encryption, biometric, authentication and anti-virus software needs.

Physical security requirements should be simple and achievable, but at a minimum should state that devices shall not be left unattended when attached to a computer, shall be secured with password protection when not in use, shall be reported immediately if lost or stolen, and shall be insured against theft, loss or breakage.

Your organization should have a mechanism to manage the policies for handheld devices from a central location and establish a registry of all devices in use. This registry should include: serial number, configuration, make and model, and to whom the device has been issued. Each device owned by the organization should be marked as such with an asset tag or other permanent marking.

While handheld devices may currently be a lesser target than networks, end-user terminals or laptops for virus and hacker attacks, that won't always be the case. The applications and functionality we see on PDAs today are what we saw on laptops five years ago. What we'll find on PDAs five years from now is what we find on laptops today. The increased power and flexibility in the operating systems will bring greater security risk. The sooner you get a grip on this risk, the better.

Last but not least: don't forget that handheld devices are subject to PCI requirements too!

Richard Hollis is Chief Executive Officer of Orthus Limited (http://www.orthus.com). Orthus is a leading provider of information risk professional services, helping organisations globally to measure, minimise and manage the information risks they face.

Orthus provides end-to-end services for clients to comprehensively address risk in their environments, including: Insider Threats, addressing issues such as data leakage, sabotage and fraud; External Threats (http://www.orthus.com/dr_overview.htm), including penetration testing, virtualisation security, vulnerability management and the Secure Software Development Life-Cycle; Supply Chain Threats, including securing cloud services and data processed by third parties; and Legal and Regulatory challenges, including the Payment Card Industry (PCI) Data Security Standard (DSS).

Saturday, June 6, 2009

Website Privacy Seals - Do They Work?

It has already been proven, time and time again, that website privacy seals work effectively and always produce concrete results. Compared with a website that displays no seal, companies that do use website seals generally see a dramatic increase in their email signups or sales (unless there is something very wrong with their website), simply because a third party has "approved" their website and allowed them to display a certified seal.

How and why do website privacy seals work to improve your general conversions? It really is quite simple. They offer a solution to the undying problem that crops up for businesses that sell goods or services online: cautious customers. A useful purpose for privacy seals is adding them to a page where you want users to sign up to your newsletter or hand over private information. A privacy seal immediately tells them you aren't out to scam them and do not intend to ever hand their information over to anyone. In other words: instant credibility.

In the online world, customers find it harder to spend their money on a transaction than in a physical shop. Why? They don't see the business proprietor, or even a smiling and reassuring cashier manning the store. What they see is a very impersonal and unresponsive webpage chock-full of sales pitches. It can even be oppressive and discouraging for some to read. Whenever you try to direct visitors to an order page or a page where they need to enter private details, there's always that fear that their money or information is going somewhere they can't see, and might be spread around the Internet or lost forever. They fear that the website they are dealing with might be nothing more than a fraudulent website that won't keep its end of the deal. And with loads of scammers out and about online, buyers cannot really be too sure about their own online buying security.

Statistically, many businesses lose their customers right before they are about to sell something. It's that blank email field or order button that invites them to hand over their information which strikes a bad chord. Customers are inputting very sensitive information after all, and on an order page for example, that key "I want to buy" decision can change even at the last minute. This problem of security and privacy is certainly a big cause of concern for online shoppers.

The solution to getting these buyers on your team is to build up buyer confidence in your website. If they believe that you will keep your end of the deal and that you will not give their personal information to other corporations or agencies, then there is a bigger chance that they will do business with you or hand over their information. That is the simple solution offered by companies that award web privacy and security seals.

But how do you go about getting one?

Firstly, you have to apply for certification. Caution is required here. There are only a few good certified seal providers; the rest are ignored by knowledgeable customers and can even have a detrimental effect on your sales or signups, because it can look like you are using a cheap knock-off that does no certification but is "good enough" for your customers. Once you find a good certified seal provider (one provided below), they'll test your site for any kinks or holes in security if you are applying for a security seal, or for any indiscretions in how you handle user data if you are applying for a privacy seal. A good, reputable web seal company will do a thorough scan of your website and award you the seal you applied for, generally within two days.

People generally want feedback from others who have tried a product they themselves are considering buying, in order to know if it's worth their money. Testimonials exist for this reason, but web certification seals are a step above the commonly faked testimonials that buyers have caught on to. Website seals come from neutral third-party companies whose sole goal is to give web users assurance about which websites they should trust and buy from. Your business, in turn, benefits from their credibility-boosting endorsement, as they don't offer it to just anyone; hence it builds trust and will help make your website a success!

Want the best website seal on the market for your website? Proven to boost sales? Start your 14-day FREE Website Seal trial today!