Cyber Security Institute

Monday, March 26, 2007

How to safely dispose of old mobile devices

The lifespan of notebook PCs, PDAs and smartphones is falling as the pace of technology marches ever onwards. But for every new mobile device purchased by organisations of all sizes there is usually a piece of legacy hardware that gets sold, passed on to a colleague, friend or relative, or simply thrown away in the office rubbish. Deleting data on your portable device rarely means that the data goes away forever. There are commercially available utilities that can un-delete 'deleted' data in seconds. Many organisations allow staff to access the company network using a wireless notebook, PDA or smartphone, with network-based security software. It's worth noting that the latest exploits can use connection hijacking to give hackers access to the company network using the mobile device as a stepping stone, which poses a danger when the unit is passed on or falls into the wrong hands.

The increasing use of portable devices and WiFi access to company IT resources means that truly personal control of data is a thing of the past.  As a result, data on PCs, laptops, PDAs and smartphones - as well as back-up data on the network - needs to be encrypted.  It’s now possible to install encryption solutions on most mobile devices.

You can also use authentication technology - tokens, biometrics and smartcards - to create a security system that is stronger than the sum of its parts.

Using a factory reset on your portable device may seem to be the easiest precaution before disposing of the unit, but factory resets are far from permanent, since they only delete the header information to your data. Encrypting the data beforehand covers that gap: even if a hacker manages to un-delete your portable device's files, they stay secure, since they are encrypted. Even deleting the data files on the back-up system is not full deletion, as network/PC restore functions can regenerate the back-up files.
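The difference between a header-only reset, an overwrite and encrypted storage can be checked on a toy model; this is an added example, not code from the original post, and the storage class, file name, key and sample record are all constructed for illustration, with a SHAKE-256 keystream standing in for real device encryption.

```python
import hashlib

BLOCK = 32                                        # toy block size (constructed)
CANARY = b"CANARY-contact:alice@example.test"     # constructed sample record


class ToyStore:
    """Constructed stand-in for device storage: raw blocks plus a header/index."""

    def __init__(self, nblocks=8):
        self.raw = bytearray(BLOCK * nblocks)
        self.index = {}                           # file name -> (offset, length)
        self.free = 0                             # next free block-aligned offset

    def write(self, name, data):
        self.raw[self.free:self.free + len(data)] = data
        self.index[name] = (self.free, len(data))
        self.free += -(-len(data) // BLOCK) * BLOCK   # round up to whole blocks

    def header_only_reset(self):
        """The reset described above: the header goes, the data blocks stay."""
        self.index.clear()
        self.free = 0

    def overwrite(self):
        """Zero every block, then drop the header."""
        self.raw[:] = bytes(len(self.raw))
        self.header_only_reset()


def keystream_xor(key, data):
    """Assumption: SHAKE-256 keystream XOR as a stand-in for real device encryption."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def residue(store, canaries):
    """Pre-disposal check: known plaintext records still present in the raw blocks."""
    return [c for c in canaries if c in bytes(store.raw)]


def run_case(encrypt, overwrite):
    """Store one record, reset or overwrite, then scan; returns (index size, residue)."""
    store = ToyStore()
    data = keystream_xor(b"constructed-key", CANARY) if encrypt else CANARY  # hypothetical key
    store.write("contacts.db", data)              # hypothetical file name
    if overwrite:
        store.overwrite()
    else:
        store.header_only_reset()
    return len(store.index), residue(store, [CANARY])
```

In all three cases the index ends up empty, so the device looks clean to its owner; only the raw scan shows whether the record is still there.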

The optimum approach to mobile device security is to conduct a risk analysis and, from the results, formulate a best practice set of policies relating to the use of mobile devices across the entire organisation.

Don’t forget the cellular network backups. A growing number of cellular networks now support network-based data back-ups.

Although designed to assist users in the event of a mobile phone loss or theft, the back-up poses a security risk if a third party obtains your network logon details, or if your old mobile number is re-assigned (as most are).

Many mobiles automatically back up data from the SIM card to the phone, so moving your SIM card can leave contact data behind on the old handset.

Care should be taken when downloading or installing company data on a mobile device - even a mobile phone - as that information could easily fall into the wrong hands.

Posted on 03/26