Cell Phone and PDA Security:
NIST SP800-124
by M. E. Kabay, PhD, CISSP-ISSMP
Associate Professor of Information Assurance
School of Business & Management
Norwich University, Northfield VT
Cell phones and personal digital assistants (PDAs) have fused. Take the Nokia N810<
http://www.nokiausa.com/link?cid=PLAIN_TEXT_607318# > as an example: it has a full
keyboard, a high-resolution (800 x 480 pixel, 64K colors) screen, 400 MHz processor running
Linux. They include applications for e-mail, calendar, music, Web browsing, maps, and imagehandling. Their networking capabilities include IEEE 802.11b/g, Bluetooth, and USB
connectivity.
According to PC World’s Jr Raphael, researchers at the Georgia Tech Information Security
Center< http://www.gtisc.gatech.edu/ > warned in October 2008<
http://www.gtiscsecuritysummit.com/pdf/CyberThreatsReport2009.pdf > that “As Internet
telephony and mobile computing handle more and more data, they will become more frequent
targets of cyber crime.”
Computer scientists Wayne Jansen< http://csrc.nist.gov/staff/rolodex/jansen_wayne.html > and
Karen Scarfone < http://csrc.nist.gov/staff/rolodex/scarfone_karen.html > of the Computer
Security Division < http://csrc.nist.gov/ > of the Information Technology Laboratory (ITL)<
http://www.itl.nist.gov/ > at the National Institute of Standards and Technology (NIST)<
http://nist.gov/ > have written a new (October 2008) Special Publication (SP) entitled
“Guidelines on Cell Phone and PDA Security” (NIST SP800-124)<
http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf > which summarizes the
security issues and provides recommendations for protecting sensitive information carried on
these devices. http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf
The Executive Summary presents a succinct overview including a list of vulnerabilities leading
to risks for corporate security from cell phones and PDAs:






The devices are easily lost or stolen and few have effective access controls or encryption;
They’re susceptible to infection by malware;
They can receive spam;
Wireless communications can be intercepted, remote activation of microphones can
eavesdrop on meetings, and spyware can channel confidential information out of the
organization;
Location-tracking systems allow for inference;
E-mail kept on servers as a convenience for cell-phone/PDA users may be vulnerable to
server vulnerabilities.
The key recommendations, which are discussed at length in this 51-page document, include the
following (quoting from the list on page ES-2 through ES-4):
1. Organizations should plan and address the security aspects of organization-issued
cell phones and PDAs.
Organizations should employ appropriate security management practices and controls over
handheld devices.
a. Organization-wide security policy for mobile handheld devices
b. Risk assessment and management
c. Security awareness and training
d. Configuration control and management
e. Certification and accreditation.
3. Organizations should ensure that handheld devices are deployed, configured, and managed
to meet the organizations’ security requirements and objectives.
a. Apply available critical patches and upgrades to the operating system
b. Eliminate or disable unnecessary services and applications
c. Install and configure additional applications that are needed
d. Configure user authentication and access controls
e. Configure resource controls
f. Install and configure additional security controls that are required, including content
encryption, remote content erasure, firewall, antivirus, intrusion detection, antispam, and
virtual private network (VPN) software
g. Perform security testing.
4. Organizations should ensure an ongoing process of maintaining the security of handheld
devices throughout their lifecycle.
a. Instruct users about procedures to follow and precautions to take, including the following
items:
 Maintaining physical control of the device
 Reducing exposure of sensitive data
 Backing up data frequently
 Employing user authentication, content encryption, and other available security
facilities
 Enabling non-cellular wireless interfaces only when needed
 Recognizing and avoiding actions that are questionable
 Reporting and deactivating compromised devices
 Minimizing functionality
 Employing additional software to prevent and detect attacks. Enable, obtain, and
analyze device log files for compliance
b. Establish and follow procedures for recovering from compromise
c. Test and apply critical patches and updates in a timely manner
d. Evaluate device security periodically.
2.
After reading this document, it is clear to me that organizations should consider the benefits of issuing
centrally-selected and –controlled devices to their employees rather than allowing employees to download
potentially sensitive information to a wide variety of uncontrolled mobile targets for industrial espionage.
NIST SP800-124 will provide a useful framework for discussions and planning of reasonable security
programs to prevent serious losses from unsecured cell phones and PDAs.
***
M. E. Kabay, PhD, CISSP-ISSMP < mailto:mekabay@gmail.com > specializes in security and
operations management consulting services. CV online.< http://www.mekabay.com/cv/ >
Copyright  2009 M. E. Kabay. All rights reserved.
Permission is hereby granted to Network World to distribute this article at will, to post it without
limit on any Web site, and to republish it in any way they see fit.