Personal Digital Assistant Audit Checklist June 2009: Page 1 of 7
Audit Checklist
Version 2.2
June 2009
Personal Digital Assistant (PDA) Audit Checklist
Introduction
This document provides a Personal Digital Assistant (PDA) Audit Checklist and list
of vendor security products developed to protect PDAs against known, evolving, and
new security threats. A PDA is a handheld computer that stores, processes, and
transfers information to other PDAs, personal computers (PCs), and networks using
serial, universal serial bus (USB), infrared (IR), Bluetooth, Wireless Fidelity (Wi-Fi),
or cellular technology. Traditional or standalone PDAs have no cell phone capability,
unlike newer PDAs, including Smartphones. Handheld features often include personal
information management (PIM) software, office and multimedia applications, email
and Internet capability, and a global positioning system (GPS) option. Touch screens
support user interactions through a stylus pen and onscreen keyboard or mini- or full-
sized keyboard, or by hand.
Currently, PDAs do not incorporate internal hard drives. They use random-access
memory (RAM), read-only memory (ROM), and external memory, such as removable
flash cards. If power is lost, some devices have an internal backup battery operating
for up to thirty minutes, until primary batteries are changed or recharged. PDAs are
used in various industries, including government, financial, retail, medical, education,
manufacturing, and travel.
Traditional PDA sales have significantly declined, as more users turn to Smartphones
that allow multimedia interactivity, global networking, and full-time telecommuting
similar to desktops and laptops. According to IDC, the global mobile worker
population will exceed 850 million in 2009 – representing more than one-quarter of
the worldwide workforce.[1] Palm (Palm operating system) and HP (Windows Mobile
operating system) lead Traditional PDA sales.
A March 2009 Gartner report shows worldwide Smartphone sales to end users by
operating system, in 2008.[2]
1. Symbian 52.4%
2. Research In Motion 16.6%
3. Microsoft Windows Mobile 11.8%
4. Mac OS X 8.2%
5. Linux 8.1%
6. Palm OS 1.8%
7. Other Operating Systems 1.1%
Security Threats
PDA security threats are on the rise and include phone fraud, malware, and denial of
service (DoS) attacks. In turn, an organization’s enterprise network security is
impacted, especially when compromised handheld devices make behind-the-firewall
wired or wireless connections. Several technologies used by PDAs come with
inherent vulnerabilities and encounter ongoing security attacks. Email is subject to
malware, phishing, and spam attacks. Instant messaging is subject to malware,
smishing, and flooding attacks. Wireless networks experience eavesdropping, man-in-
the-middle, and jamming attacks. The Internet experiences malware, web browsing,
and web application attacks. Some third party applications contain exploitable
vulnerabilities, as a result of insecure software coding practices, undetected bugs, and
flawed patches and upgrades.
Sensitive, proprietary, and/or classified data loss occurs when a lost, stolen, or damaged
PDA is not regularly synchronized with an organizational computer or network. Data
synching over a network, without encrypted sessions, could lead to sniffing and
spoofing attacks. Data loss also occurs when attackers gain physical or logical access
to PDAs and perform unauthorized modifications or inject arbitrary code. If such
attacks go unnoticed for any length of time, forensics data could prove invalid and
security controls ineffective.
Profit-oriented and sophisticated attacks against handheld devices increase each year.
According to McAfee, manufacturers have reported increases against all threat
categories:[3]
An organization must protect its handheld devices from various security threats,
throughout their life cycle. PDAs operate inside the network perimeter and could
become part of a botnet executing fraudulent activities or launching distributed denial
of service (DDoS) attacks. Regular PDA security audits should be performed. A
security audit ensures the confidentiality, integrity, and availability of PDA and
network assets, by verifying policy compliance, discovering weak or non-existent
security controls, and detecting security events. First, an organization should conduct
a PDA vulnerability assessment to identify known vulnerabilities and existing and
potential risks. Then, a clear and concise handheld device security policy should be
written and enforced by management. The PDA Audit Checklist, included below,
helps an organization establish, monitor, and maintain security.[4]
PDA Security Audit Checklist
- Reporting procedures for lost, stolen, or damaged devices.
- Protective measures against social engineering and other security attacks.
- Reporting procedures for compromised devices.
- Protective measures for unused or unattended devices.

Technical Controls

1. Configuration Management
Organization maintains a secured inventory of all handheld devices. This registry includes:
- Device serial number.
- Device make and model.
- Full name of person issued or owning a device.
- Checkbox for each person having read and understood handheld device security and acceptable use policies.
- Checkbox for each person having received security awareness training for handheld device security.
- Each device has proper operational settings.
- Each device has proper security software and settings.
- Each device is loaded with authorized software.
- Each device has a permanent tag or marking.
- Each device has a return address label.

2. Access Control
Organization implements handheld device access control. It includes:
- All devices use power-on authentication.
- All devices use re-authentication after a pre-defined idle time.
- All devices use a password to synchronize to an organizational computer or network.
- Device-to-computer or device-to-network synchronization occurs locally or via a secure connection.
- Authentication mechanism is one of the following:
  - Minimum password length (8 to 16 characters, mixed letters, numbers, and special characters).
  - Smart card with a PIN or password.
  - Biometrics with a PIN or password.
- Account lockout after a pre-defined number of unsuccessful login attempts.
- Lockout duration for a pre-defined time length.
- Password expiration after a pre-defined time length.
- Password history restriction.
- Password not stored “in clear” on device or on organizational computer or network.

3. Anti-Virus Software
Organization implements antivirus software on each handheld device.
- Antivirus software scans files as they are opened.
- Updated signatures are installed on devices each time they synchronize to an organizational computer or at regular intervals via a secure network connection.

4. Data Encryption
Organization implements encryption to protect information on handheld devices.
- AES or Triple DES used.

5. Firewall
Organization implements a firewall on handheld devices.
- Device firewall configured to allow or deny connections.

6. Virtual Private Network
Organization implements VPN software for handheld devices, for remote network connections.
- VPN software uses IPsec or SSL.

7. Device Integrity
Organization implements handheld device integrity.
- Information stored on expansion slot media meets integrity and encryption requirements.
- Device alarms if system files or registry settings are modified.
- Integrity methods prevent security incidents from spreading to other devices and into the network.

8. Centralized Management
Organization implements a centralized management system for handheld devices.
- Default settings and passwords removed.
- Manufacturer debugging features disabled or secured.
- Unapproved software and applications removed.
- All devices have an approved operating system.
- All devices have latest patches and upgrades.
- Unneeded network connections disabled or secured.
- Unneeded applications and services disabled or removed.
- All devices monitored for unauthorized activities.
- Device is locked or its password changed if lost or stolen.
- Device data is deleted after a pre-defined number of failed logon attempts.
- Device data is deleted if not synchronized to organizational computer or network within a pre-defined time length.
- Device data is wiped when device is no longer used.

9. Device Backup
Organization implements a backup mechanism for handheld device information.
- Regular data backups for all devices.
- Backed up data stored in secured location.

Physical Security

1. Physical Security
- Device monitored when connected to an organizational computer or network.
- Device and memory cards protected in storage.
- Device protected by assigned individual, at all times.
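As an added example (not part of the checklist document), a small Python audit helper that evaluates constructed device inventory records against the technical controls above (items 2, 3, 4, 6 and 8) and reports which items each device fails. The inventory field names and the numeric thresholds are assumptions, since the checklist leaves the "pre-defined" limits to the organization.

```python
from datetime import date

# Constructed device inventory records with hypothetical values, not data from the checklist.
DEVICES = [
    {"serial": "PDA-0001", "power_on_auth": True, "idle_lock_minutes": 10,
     "min_password_length": 8, "password_complexity": True, "lockout_threshold": 5,
     "password_stored_clear": False, "av_signature_date": date(2009, 6, 10),
     "encryption": "AES", "vpn": "IPsec", "last_sync": date(2009, 6, 12),
     "wipe_after_failed_logons": 10},
    {"serial": "PDA-0002", "power_on_auth": False, "idle_lock_minutes": 0,
     "min_password_length": 4, "password_complexity": False, "lockout_threshold": 0,
     "password_stored_clear": True, "av_signature_date": date(2009, 3, 1),
     "encryption": "RC4", "vpn": "PPTP", "last_sync": date(2009, 4, 1),
     "wipe_after_failed_logons": 0},
]

# The checklist leaves these "pre-defined" limits to the organization; values assumed here.
MAX_IDLE_MINUTES = 15
MAX_SIGNATURE_AGE_DAYS = 7
MAX_SYNC_AGE_DAYS = 30
APPROVED_CIPHERS = {"AES", "3DES"}  # item 4: AES or Triple DES
APPROVED_VPN = {"IPsec", "SSL"}     # item 6: IPsec or SSL

def audit_device(dev, today):
    """Return the checklist items (by control number) a device fails; empty means compliant."""
    findings = []
    if not dev["power_on_auth"]:
        findings.append("2: power-on authentication not enabled")
    if not 0 < dev["idle_lock_minutes"] <= MAX_IDLE_MINUTES:
        findings.append("2: no re-authentication after pre-defined idle time")
    if dev["min_password_length"] < 8 or not dev["password_complexity"]:
        findings.append("2: password policy weaker than 8-16 mixed characters")
    if dev["lockout_threshold"] <= 0:
        findings.append("2: no account lockout after failed login attempts")
    if dev["password_stored_clear"]:
        findings.append("2: password stored in clear on device")
    if (today - dev["av_signature_date"]).days > MAX_SIGNATURE_AGE_DAYS:
        findings.append("3: antivirus signatures not updated")
    if dev["encryption"] not in APPROVED_CIPHERS:
        findings.append("4: data encryption is not AES or Triple DES")
    if dev["vpn"] not in APPROVED_VPN:
        findings.append("6: VPN does not use IPsec or SSL")
    if dev["wipe_after_failed_logons"] <= 0:
        findings.append("8: no data wipe after failed logon attempts")
    if (today - dev["last_sync"]).days > MAX_SYNC_AGE_DAYS:
        findings.append("8: not synchronized within pre-defined time length")
    return findings

def audit_inventory(devices, today):
    return {d["serial"]: audit_device(d, today) for d in devices}
```

Running `audit_inventory(DEVICES, date(2009, 6, 15))` reports no findings for PDA-0001 and ten for PDA-0002, which is the kind of per-device evidence an audit of items 2 through 8 needs to collect.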
The table below lists current vendor security products for PDA security.[5]
References
1. http://us.trendmicro.com/imperia/md/content/us/pdf/products/enterprise/mobilesecurity/wp05_tmms_080211us.pdf
2. http://www.gartner.com/it/page.jsp?id=910112
3. http://www.mcafee.com/us/local_content/reports/mobile_security_report_2009.pdf
4. http://www.palmblvd.com/articles/2004/8/2004-8-23-Understand-Handheld-Security-p2.html; http://www.infosecwriters.com/text_resources/pdf/PDA_TOlzak.pdf; http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf; http://www.securitydocs.com/library/3188; http://www.informit.com/guides/content.aspx?g=security&seqNum=252
5. http://csrc.nist.gov/publications/nistir/nistir-7100-PDAForensics.pdf; http://www.firewallguide.com/pda.htm