Insecurity slows wireless jump

October 2002

Handheld computers and personal digital assistants have shed their early geek status and are increasingly seen as valuable tools that can help government workers do their jobs better. As wireless capabilities are added to the devices, enabling such tools as "e-mail on the run," their usefulness only increases.

However, wireless handhelds and smart, data-enabled mobile phones pose particular problems for security managers, problems that will expand as high-speed, next-generation wireless services are introduced in the next few years. With the new services, the portable devices will be able to download and store increasing amounts of sensitive data, but this "always-on" connectivity also opens them up to the same cyberthreats that now plague their desktop cousins.

The good news is that the security industry has recognized current and future threats and is working on solutions. But there are still gaping holes, and many government agencies remain unconvinced that the security gaps can be plugged.

For example, the military's U.S. Transportation Command (Transcom), with its global reach and highly mobile workforce, should be a prime candidate for the use of wireless handheld devices. But those tools are not even on the command's radar.

That's because security concerns far outweigh the potential benefits of these devices, according to Martin Mullican, chief of Transcom's C4 Operations and Security Division. Encryption must comply with Federal Information Processing Standard 140, for example, and such technology is hard to come by.

But that's the easy part, he said. A lot more work needs to be done on authentication solutions to ensure that users on the handheld end of wireless communications are actually who they say they are.

And there is always the fear that handheld devices, which are lost or misplaced far more frequently than any other kind of computing device, could be used to gain access to an agency's network.

"We look at these devices very skeptically, and we don't allow them to be used on an enterprise basis yet," Mullican said. "This soup is a long way from being served."

However, developing handheld-specific security solutions may be putting the cart before the horse, because many users don't understand the need for good security practices. Gartner Inc., for example, has calculated that some 75 percent of all PDAs are carried around with even their minimal security features disabled.

And agency managers, who are more aware of the need for security, want a solid understanding of the overall requirements before they will entertain the use of handheld wireless devices. Transcom's Mullican, for one, believes this is an area where technology developments have outpaced policies and practices.

Help may be on the way. The National Institute of Standards and Technology published draft guidelines in July for deploying wireless technologies in agencies, one section of which focuses on handheld devices. The intention is for agencies to use the guidelines to help them incorporate wireless devices into their enterprise plans.

"People have a very inchoate sense of what security is needed with these devices," said Tom Karygiannis, a principal researcher at NIST and one of the authors of the draft guidelines.

"They are operated in a very insecure way currently, and even that security brought to the table by the device vendors is not used adequately," he said. "And these are not very complicated things."

Source...

 

With Dionach you get:

• An efficient, friendly and flexible service
• To talk directly to the experts
• Straightforward assessment reports that get to the point
• Complete confidentiality and utmost discretion