Personal Digital Assistant

Audit Checklist

Version 2.2

June 2009

Personal Digital Assistant (PDA) Audit Checklist

Prepared by Stephen Northcutt

Introduction

This document provides a Personal Digital Assistant (PDA) Audit Checklist and list
of vendor security products developed to protect PDAs against known, evolving, and
new security threats. A PDA is a handheld computer that stores, processes, and
transfers information to other PDAs, personal computers (PCs), and networks using
serial, universal serial bus (USB), infrared (IR), Bluetooth, Wireless Fidelity (Wi-Fi),
or cellular technology. Traditional or standalone PDAs have no cell phone capability,
unlike newer PDAs, including Smartphones. Handheld features often include personal
information management (PIM) software, office and multimedia applications, email
and Internet capability, and a global positioning system (GPS) option. Touch screens
support user interactions through a stylus pen and onscreen keyboard or mini- or full-
sized keyboard, or by hand.

Currently, PDAs do not incorporate internal hard drives. They use random-access
memory (RAM), read-only memory (ROM), and external memory, such as removable
flash cards. If power is lost, some devices have an internal backup battery operating
for up to thirty minutes, until primary batteries are changed or recharged. PDAs are
used in various industries, including government, financial, retail, medical, education,
manufacturing, and travel.

Traditional PDA sales have significantly declined, as more users turn to Smartphones
that allow multimedia interactivity, global networking, and full-time telecommuting
similar to desktops and laptops. According to IDC, the global mobile worker
population will exceed 850 million in 2009, representing more than one-quarter of
the worldwide workforce. [1] Palm (Palm operating system) and HP (Windows Mobile
operating system) lead traditional PDA sales.

A March 2009 Gartner report shows worldwide Smartphone sales to end users by
operating system, in 2008. [2]

1. Symbian 52.4%
2. Research In Motion 16.6%
3. Microsoft Windows Mobile 11.8%
4. Mac OS X 8.2%
5. Linux 8.1%
6. Palm OS 1.8%
7. Other Operating Systems 1.1%

Security Threats

PDA security threats are on the rise and include phone fraud, malware, and denial of
service (DoS) attacks. In turn, an organization’s enterprise network security is
impacted, especially when compromised handheld devices make behind-the-firewall
wired or wireless connections. Several technologies used by PDAs come with
inherent vulnerabilities and encounter ongoing security attacks. Email is subject to
malware, phishing, and spam attacks. Instant messaging is subject to malware,
smishing, and flooding attacks. Wireless networks experience eavesdropping, man-in-
the-middle, and jamming attacks. The Internet experiences malware, web browsing,
and web application attacks. Some third party applications contain exploitable
vulnerabilities, as a result of insecure software coding practices, undetected bugs, and
flawed patches and upgrades.

Sensitive, proprietary, and/or classified data loss occurs when a lost, stolen, or damaged
PDA is not regularly synchronized with an organizational computer or network. Data
synching over a network, without encrypted sessions, could lead to sniffing and
spoofing attacks. Data loss also occurs when attackers gain physical or logical access
to PDAs and perform unauthorized modifications or inject arbitrary code. If such
attacks go unnoticed for any length of time, forensics data could prove invalid and
security controls ineffective.

Profit-oriented and sophisticated attacks against handheld devices increase each year.
According to McAfee, manufacturers have reported increases against all threat
categories: [3]

• Network or service capacity issues
• Virus/spyware infections
• Voice or text spam attacks
• Third party application/content problems
• Loss of user data from devices
• Phishing attacks in any form
• Privacy and regulatory issues
• Denial of service attacks

PDA Security Audit

An organization must protect its handheld devices from various security threats,
throughout their life cycle. PDAs operate inside the network perimeter and could
become part of a botnet executing fraudulent activities or launching distributed denial
of service (DDoS) attacks. Regular PDA security audits should be performed. A
security audit ensures the confidentiality, integrity, and availability of PDA and
network assets, by verifying policy compliance, discovering weak or non-existent
security controls, and detecting security events. First, an organization should conduct
a PDA vulnerability assessment to identify known vulnerabilities and existing and
potential risks. Then, a clear and concise handheld device security policy should be
written and enforced by management. The PDA Audit Checklist, included below,
helps an organization establish, monitor, and maintain security. [4]

PDA Security Audit Checklist

No. / Security Control / Description

Administrative Controls

1. Security Policy
   Organization has a clear and concise handheld device security policy. This
   policy covers:
   • Organization goals and objectives for devices.
   • Applicable laws and regulations for device security.
   • Approved modes of operation: wired and wireless.
   • Types of information that can and cannot be stored, processed, and
     transferred on devices.
   • Types of applications permitted or prohibited on devices: in-house,
     commercial, shareware, and freeware.
   • Listing of security software permitted to protect devices.
   • Whether personally-owned devices are permitted.
   • Whether users are permitted administrator rights to the organizational
     computer used for data synchronization.
   • Penalties for unauthorized use or lost devices.
   • Return of all organization-owned devices during personnel termination
     processes.
   • Disconnection of all personally-owned devices during personnel
     termination processes.

2. Acceptable Use Policy
   Organization has a handheld device acceptable use policy (AUP). This policy
   covers:
   • Organization-owned device users sign the AUP agreement.
   • Personally-owned device users sign the AUP agreement.
   • Device is not used to store, process, or transfer sensitive, proprietary,
     or classified data unless encryption is used.
   • No simultaneous connection while device is connected to an organizational
     computer or network.
   • Device is not left unattended when attached to a computer.
   • Device uses password protection when not in use.
   • No unapproved software is installed on device.
   • User takes steps to prevent device loss, theft, or damage.
   • User regularly synchronizes device with organizational computer or
     network, for backup purposes.

3. Insurance Policy
   Organization insures handheld devices against loss, theft, or damage.

4. Security Awareness Training
   Organization includes handheld device security in its security awareness
   training. This training covers:
   • Handheld device security policy.
   • Handheld device acceptable use policy.
   • Non-use of public or untrusted network access points.
   • Protective measures to prevent lost, stolen, or damaged devices,
     including against dust, heat, humidity, and drops.
   • Protective measures to prevent lost, stolen, or damaged removable memory
     cards.
   • Reporting procedures for lost, stolen, or damaged devices.
   • Protective measures against social engineering and other security
     attacks.
   • Reporting procedures for compromised devices.
   • Protective measures for unused or unattended devices.

Technical Controls

1. Configuration Management
   Organization maintains a secured inventory of all handheld devices. This
   registry includes:
   • Device serial number.
   • Device make and model.
   • Full name of person issued or owning a device.
   • Checkbox for each person having read and understood handheld device
     security and acceptable use policies.
   • Checkbox for each person having received security awareness training for
     handheld device security.
   • Each device has proper operational settings.
   • Each device has proper security software and settings.
   • Each device is loaded with authorized software.
   • Each device has a permanent tag or marking.
   • Each device has a return address label.

2. Access Control
   Organization implements handheld device access control. It includes:
   • All devices use power-on authentication.
   • All devices use re-authentication after a pre-defined idle time.
   • All devices use a password to synchronize to an organizational computer
     or network.
   • Device-to-computer or device-to-network synchronization occurs locally or
     via a secure connection.
   • Authentication mechanism is one of the following:
     - Minimum password length (8 to 16 characters, mixed letters, numbers,
       and special characters).
     - Smart card with a PIN or password.
     - Biometrics with a PIN or password.
   • Account lockout after a pre-defined number of unsuccessful login
     attempts.
   • Lockout duration for a pre-defined time length.
   • Password expiration after a pre-defined time length.
   • Password history restriction.
   • Password not stored “in clear” on device or on organizational computer
     or network.

3. Anti-Virus Software
   Organization implements antivirus software on each handheld device.
   • Antivirus software scans files as they are opened.
   • Updated signatures are installed on devices each time they synchronize
     to an organizational computer or at regular intervals via a secure
     network connection.

4. Data Encryption
   Organization implements encryption to protect information on handheld
   devices.
   • AES or Triple DES used.

5. Firewall
   Organization implements a firewall on handheld devices.
   • Device firewall configured to allow or deny connections.

6. Virtual Private Network
   Organization implements VPN software for handheld devices, for remote
   network connections.
   • VPN software uses IPsec or SSL.

7. Device Integrity
   Organization implements handheld device integrity.
   • Information stored on expansion slot media meets integrity and
     encryption requirements.
   • Device alarms if system files or registry settings are modified.
   • Integrity methods prevent security incidents from spreading to other
     devices and into the network.

8. Centralized Management
   Organization implements a centralized management system for handheld
   devices.
   • Default settings and passwords removed.
   • Manufacturer debugging features disabled or secured.
   • Unapproved software and applications removed.
   • All devices have an approved operating system.
   • All devices have latest patches and upgrades.
   • Unneeded network connections disabled or secured.
   • Unneeded applications and services disabled or removed.
   • All devices monitored for unauthorized activities.
   • Device is locked or its password changed if lost or stolen.
   • Device data is deleted after a pre-defined number of failed logon
     attempts.
   • Device data is deleted if not synchronized to organizational computer or
     network within a pre-defined time length.
   • Device data is wiped when device is no longer used.

9. Device Backup
   Organization implements a backup mechanism for handheld device
   information.
   • Regular data backups for all devices.
   • Backed up data stored in secured location.

Physical Security

1. Physical Security
   • Device monitored when connected to an organizational computer or
     network.
   • Device and memory cards protected in storage.
   • Device protected by assigned individual, at all times.

PDA Security Products

The table below lists current vendor security products for PDA security. [5]

Security Function: Vendor

Anti-Spam: Symantec, Smobile
Anti-Spyware: F-Secure, Symantec, Smobile
Anti-Theft Protection: Kaspersky, Credant Technologies, Smobile
Anti-Virus: Airscanner, Avira, BullGuard, Avast!, F-Secure, Kaspersky, McAfee,
  Symantec, ESET, Trend Micro, Smobile, Computer Associates
Authentication: Credant, RSA, Trend Micro, DeveloperOne
Data Backup: Blue Nomad
Data Encryption: Airscanner, Kaspersky, Check Point, PGP, Credant Technologies,
  Trend Micro, Aiko, Blue Nomad, DeveloperOne, Trust Digital, Tealpoint
Data Forensics: Paraben, Cellebrite, Oxygen
Data Sanitization: Aiko, Sprite Software
Device Enterprise Management: Symantec, McAfee, Trust Digital
Firewall: Airscanner, F-Secure, Symantec, Trend Micro, ProtectStar, Smobile
Virtual Private Network: SonicWall, NetMotion Wireless, Check Point

NOTE: This list neither constitutes recommendations by the SANS Institute nor covers every
single vendor. Instead, this list provides a starting point from which to find and evaluate
solutions for mitigating PDA security audit results.

References

1. http://us.trendmicro.com/imperia/md/content/us/pdf/products/enterprise/mobilesecurity/wp05_tmms_080211us.pdf
2. http://www.gartner.com/it/page.jsp?id=910112
3. http://www.mcafee.com/us/local_content/reports/mobile_security_report_2009.pdf
4. http://www.palmblvd.com/articles/2004/8/2004-8-23-Understand-Handheld-Security-p2.html;
   http://www.infosecwriters.com/text_resources/pdf/PDA_TOlzak.pdf;
   http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf;
   http://www.securitydocs.com/library/3188;
   http://www.informit.com/guides/content.aspx?g=security&seqNum=252
5. http://csrc.nist.gov/publications/nistir/nistir-7100-PDAForensics.pdf;
   http://www.firewallguide.com/pda.htm
