Wisen up to handheld security

Smart phones and BlackBerries need more security care

When Joe Hagin arrived at the White House in 2001 as deputy chief of staff for operations, nobody at 1600 Pennsylvania Avenue had an official BlackBerry.

Handheld security tips

Experts recommend that organizations use the same multilayer approach for securing handheld devices as they do for desktop and laptop computers.

For the user:

  • Require users to enable the password protection feature for access to their handheld devices.
  • Train users about risks of visiting unfamiliar Web sites or downloading unfamiliar applications or message attachments.

For the device:

  • Install good antivirus and anti-spyware software on the devices. Also consider software that encrypts data stored on them.

For the network:

  • Deploy security software that screens all traffic to and from devices for malware at the network gateway.
  • Consider using software that allows administrators to remotely erase, back up, or locate lost or stolen devices.

At the time, the handheld messaging devices were widely used on Capitol Hill, but security agencies were opposed to White House officials using them. Then came the Sept. 11 terrorist attacks, and suddenly the value of the devices snapped into sharp focus: White House officials, using standard cell phones, had substantial communications problems that day. Those working on Capitol Hill were in far better shape with their BlackBerries.

“We had to make a cost/benefit decision of the security risks of using BlackBerries but at the same time being able to communicate in an emergency,” Hagin said. “We obviously decided it was worth it.”

But just as the use of handheld devices in government has vastly expanded during the past eight years, so have the security risks, many experts say.

Malware, spyware and viruses, long the scourge of PCs and office servers, now also target handhelds. And they are on the rise, according to experts. Federal agencies need to know the risks and take steps to protect sensitive data and communications.

In Hagin’s seven and a half years with the Bush administration, security measures for BlackBerries were often primitive. On foreign trips, White House staff members’ BlackBerries were disabled and collected on board Air Force One for the duration of overseas visits, he said.

“I look at this as being kind of equivalent to where PCs were in the mid-to-late '90s,” Hagin said. “Today you wouldn’t dream of having a PC or laptop without security software on it. Now we are carrying around computers on our belts that are relatively naked.”

Security officials now have more options. For example, officials at the state-run Technical College System of Georgia use a service to keep tabs on the dozens of BlackBerries that employees use, said Steven Ferguson, a senior network engineer at the college system.

A state mandate requires that gambling and pornography be blocked on any state-owned device that can access the Internet. Meeting the mandate for mobile devices is more difficult than for a traditional office computer, Ferguson said, because handhelds usually are connected to a public network, not a hardened, controlled private network.

So the college system uses a software-as-a-service tool from Purewire that acts like a proxy gateway, allowing officials to enforce policies and filter all the traffic going in and out of handheld devices.

Agencies should apply the same rules for standard computers to handheld devices, said Randy Siegel, a Microsoft enterprise mobile strategist who works on federal government projects.

For example, Customs and Border Protection and the Transportation Security Administration require handheld devices and software to adhere to cryptographic standards such as Federal Information Processing Standard 140-2. Handhelds can also be subject to mandates such as Homeland Security Presidential Directive 12, which, among other things, calls for two-factor identification — such as using a smart card and password — to log on to government computer systems.

The Air Force Communications Agency, meanwhile, requires that mobile users access the devices with Common Access Cards. The solution involves installing a Bluetooth wireless card reader on all mobile devices. The connection established between users' handheld devices and smart cards allows them to digitally sign or encrypt e-mail messages and log on to secure Web sites.

The threat associated with handheld devices is growing largely because agencies are starting to use more applications on them, such as Google Maps and mobile office applications that provide access to Word and spreadsheet documents.

“We are seeing people use these the exact way they use PCs and laptops,” said Dan Hoffman, chief technology officer at SMobile Systems. That is why they also need to be secured the same way.

About the Author

Doug Beizer is a staff writer for Federal Computer Week.
