Cellular Security? Yeah. Right.
Posted: 10.04 - By Dennis S. Lee

When organizations plan for wireless security today, the focus is primarily on wireless local area networks (WLANs). There are, however, other wireless security issues that may be just as serious but don’t involve wireless LANs at all—and don’t receive nearly the same attention. In fact, digital cellular phones and other devices that use cellular networks can introduce major security breaches and should be treated as such.

For example, it’s common to hear concerns voiced about rogue wireless access points—people hooking up unauthorized wireless equipment to your wired networks and, consequently, leaking your secret data to the world outside. Rogue access points are banned from most organizations. Digital cellular phones, on the other hand, can pose similar risks, but who would ever think of banning cell phones from the premises? Cell phones have become such a popular personal commodity that they are seldom recognized as devices that can threaten the security of your data assets.

The point of this article is not to promote banning the use of cellular devices within organizations. Depending upon the nature of your assets,
that is generally not practical. The point is to raise awareness of the security risks these devices can pose and to offer some recommendations for minimizing them. Consider the following few points.

•Theft of cell phones, PDAs and their data
There is a range of wireless devices that can now utilize digital cellular networks for Internet access, including cell phones, PDAs with cellular network cards or notebook computers where a cell phone connection for Internet access can be added.

Some of these cellular devices may contain confidential information such as sensitive phone numbers, passwords, login credentials, private messages and proprietary company data, which may not be encrypted on the device. Theft of such devices can be as significant in its repercussions as someone stealing the keys to your vault. The data contained in the device is worth far more than the hardware itself.

Encryption tools can be used to lock up the data on these devices in case they are stolen, misplaced or lost.

•Theft using cell phone- or PDA-based cameras, e-mail or Flash storage media
Many of the latest cell phones and PDAs have tiny built-in cameras, or cameras that can be added as an attachment. These devices can pose a serious risk if unauthorized photos of confidential material are taken inside your facilities and then sent out over a cellular network without your knowledge. Confidential projects can include prototypes of new products before they are released, data from proprietary internal documents or snapshots of sensitive information displayed on computer screens.

An additional concern is the possibility of data being copied onto very small, removable Flash storage media such as SmartMedia, CompactFlash, Memory Stick or Secure Digital cards. An intruder can steal files, store them on one of these Flash cards, put the card into a smartphone or PDA and then send the data out on a cellular network as an e-mail attachment. This can be done so discreetly that it is very difficult to detect.

Theft of this nature is fairly easy for intruders to accomplish but difficult for organizations to resolve. The solution includes foresight and advance planning. If the value of your information assets justifies the need, you should create a policy and have security guards collect these devices before people enter certain facilities. Encrypting your data will also help. Raising the awareness of your employees to these issues is also vital, so they know to better protect their information.

•Bypassing firewalls
If your users bemoan the fact that your firewalls are too restrictive and are stopping them from accessing certain Internet services, they may seek other ways to reach the Internet around your firewalls. A notebook user connected to your wired network, for example, may decide to access the Internet using her cell phone and a notebook adapter, bypassing all your firewalls, your intrusion detection systems and other screening devices.

The risks here are at least twofold. First of all, it will be much more difficult for you to detect what information workers are accessing or block what data files they can open since they have created an alternate path to the Internet. Secondly, by creating this alternate path, viruses and worms can infiltrate your network through the unsecured channel, unhindered by screening programs.

Proper policies and their enforcement against this type of Internet access may be one of the best solutions to prevent the problem. Installing personal firewalls and anti-virus programs on every user’s computer provides an additional safeguard as well.

•Malicious downloadable code or content
As we’ve discussed, access to the Internet is as portable as the cell phone. Users with smartphones and cellular-access PDAs can browse the Internet, download files and even retrieve and send their e-mail from almost anywhere. These same devices can become infected with “malware” and become latent carriers of viruses contaminating your network once your users reconnect.

Deploying anti-virus programs on your PDAs and smartphones can help alleviate this problem. Notebook computers and desktops that are used to transfer files to and from these devices should also be armed with strong anti-virus programs.

•Wireless encryption does not mean data is
protected end-to-end
Wireless encryption for cell phones does not guarantee that your data is protected as it travels the entire path from source to destination. Though the wireless portion of your data transmission can be encrypted from your cell phone to the provider’s transmission tower, it’s very possible the wired portion of your transmission (for example, over the Internet itself) can travel in the clear. If that’s the case, it’s possible that snoopers on the Internet can read your data as it’s being transmitted.

Choosing the right kind of encryption service is an important part of the solution. Wireless encryption alone may not be enough if the data needs to travel across wired networks. Virtual private networks (VPNs) that offer end-to-end encryption help alleviate this problem.

These five points offer merely a glimpse of some of the security issues relating to sending data over cellular networks. As with any technology that offers ultimate convenience, there is a downside if security is ignored. The key to using cellular technology wisely is to recognize the risks involved, define appropriate policies for the proper use of wireless devices and then follow that with proper enforcement and training.
Without foresight and planning, there is no security.•

Dennis S. Lee, CISSP, is an instructor for the International Information Systems Security Certification Consortium and is president of Digital Solutions and Video.


Leisure Publications