3.1.13  Mobile Devices

Mobile devices participating in your network include everything from Pocket PC and Palm Pilot handheld organizers, to notebook computers, to RF scanners used for managing inventory.

Security Issues with Mobile Devices

The key security vulnerabilities of mobile devices are that their portability can lead to easier theft or loss (thus loss of the data stored on the device) and that they usually communicate with the network via a wireless communication mechanism.

To guard against loss due to the disappearance of the device, you can take measures such as:

  • Ensure that data collected by the mobile device is uploaded to the network as quickly as possible, to minimize the amount of data lost if the device goes AWOL.

  • Password-protect access to the device, if possible, to make it more difficult for an unauthorized person to view the data on it.

  • Install encryption software and make sure that any proprietary information stored on the device is encrypted.

Also, when using a mobile device over the airwaves, make sure that any sensitive communications are encrypted. If you’re communicating via 802.11 or other technologies that can be “broken” by curious attackers, you may want to employ an additional layer of encryption on the connection as well. We’ve already discussed VPN software for Windows and Linux platforms. VPN clients are also available for PocketPC 2002 (such as Checkpoint’s VPN-1 client) and Palm (such as Mergic’s PPTP client) based handhelds.

Mobile Device Security Tips

When using a mobile device, keep in mind these guidelines:

1. Always set a password on the device so that, if the device is lost, it will at least take a bit of effort to get to the data.

2. Encrypt information stored on the device.

3. Consider encrypted communications when using wireless network technology.

4. Do not store data only on the mobile device; if using the mobile device for data collection, upload it as soon as practical.


Fun (or Trouble) with PocketPC ActiveSync

ActiveSync is the protocol used to synchronize the contents of a PocketPC based PDA with a desktop PC. Pocket PC synchronization can take place via direct serial connections or via network connections. It turns out that both types of connections are vulnerable to security issues that can compromise data on PocketPC devices or cause DoS situations.

ActiveSync serial connection authentication is controlled by a simple 4-digit PIN. If a hostile PC furnishes the correct PIN to the PDA, it can sync that PDA, possibly installing Trojan horses or viruses, and uploading data stored on the PDA. (Brute forcing a 4-digit PIN doesn’t take much time. Note that banks are aware of that, and an ATM would probably eat your ATM card after 5 or 10 incorrect tries to prevent compromise due to PIN-guessing.)
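The ATM-style lockout mentioned above, shown as an added example (it is not from the original guide and is not how ActiveSync works): a 4-digit PIN check with and without a failure limit. `PinGate`, `guesses_until_stop` and the PIN value are hypothetical names and constructed data.

```python
import hmac


class PinGate:
    """4-digit PIN check that locks after max_failures consecutive wrong guesses."""

    def __init__(self, pin, max_failures=5):
        self._pin = pin.encode()
        self.max_failures = max_failures
        self.failures = 0

    @property
    def locked(self):
        return self.failures >= self.max_failures

    def verify(self, guess):
        if self.locked:
            return False  # once locked, even the correct PIN is refused
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(guess.encode(), self._pin):
            self.failures = 0
            return True
        self.failures += 1
        return False


def guesses_until_stop(gate, keyspace=10_000):
    """Try every 4-digit value in order; return (found, attempts made)."""
    for n in range(keyspace):
        if gate.verify(f"{n:04d}"):
            return True, n + 1
        if gate.locked:
            return False, n + 1
    return False, keyspace


if __name__ == "__main__":
    pin = "7351"  # constructed sample PIN
    print("no lockout:", guesses_until_stop(PinGate(pin, max_failures=10_000)))
    print("lock at 5 :", guesses_until_stop(PinGate(pin, max_failures=5)))
```

With a limit of 5, an in-order sweep covers only 5 of the 10,000 possible PINs before the gate stops answering.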

ActiveSync over TCP/IP uses port 5679. Anyone with access to port 5679 on a PC running ActiveSync (this includes internal users as well as Internet users) can stage a DoS attack on that ActiveSync server in several different ways.
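To check whether a desktop is exposing this port, the following added example (not part of the original guide) scans Windows `netstat -an` output for TCP listeners on 5679 that are bound to something other than loopback. The sample output is constructed and `exposed_listeners` is a hypothetical helper name.

```python
import ipaddress

ACTIVESYNC_PORT = 5679  # TCP port the text gives for ActiveSync over TCP/IP

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5679           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5679         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:5679      192.168.1.77:1042      ESTABLISHED
  TCP    [::]:5679              [::]:0                 LISTENING
"""


def exposed_listeners(netstat_text, port=ACTIVESYNC_PORT):
    """Return local bindings listening on `port` that are reachable off-host."""
    exposed = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Listening TCP rows have exactly: proto, local, foreign, state.
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, _, local_port = fields[1].rpartition(":")
        if local_port != str(port):
            continue
        # Drop IPv6 brackets and any %zone suffix before parsing the address.
        addr = ipaddress.ip_address(host.strip("[]").split("%")[0])
        if not addr.is_loopback:
            exposed.append(fields[1])
    return exposed


if __name__ == "__main__":
    for binding in exposed_listeners(SAMPLE_NETSTAT):
        print(f"Port {ACTIVESYNC_PORT} reachable beyond loopback: {binding}")
```

Any binding it reports is a candidate for a host firewall rule that limits port 5679 to the machines that actually need to sync.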

We don’t intend here to single out Microsoft – it’s just that this is a handy illustration of the issues inherent in mobile devices, which people are only now beginning to think about. Mobile devices such as PocketPCs (and the Windows CE OS on which they are based) have only recently begun to be widely deployed in real-world scenarios. As a result, the real-world security implications of such devices are still being discovered.




CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.