Authors: David Melnick, Mark Dinman and Alexander Muratov
Publisher: McGraw-Hill Professional
For some of us personal digital assistants are a piece of equipment without which we cannot lead a normal business life. Since the first old monochromatic Palm I had, I saw the major benefits that handheld computers provide to its owners.
Nowadays, as handhelds overcame their basic disadvantages such as networking and peripheral usage, these little machines became a normal thing within most of the households and organizations. With all the features handhelds offer and their increased usage comes a great responsibility for keeping the data secure.
A number of wireless security publications reference PDA related security topics, but this is one of the rare publications that concentrates solely on security issues surrounding the everyday PDA user.
About the authors
David Melnick is currently holding a position of President od PDA Defense, the leading Enterprise PDA Security offering. He helped to pioneer Internet based financial transactional systems and security from the mid 90s publishing multiple books on the topic and consulting a wide range of companies on the execution of electronic commerce systems.
Mark Dinman has over 17 years of experience in software systems development and IT project management. He is a product manager of PDA Defense since its inception.
Bob Elfanbaum is co-founder and President of Asynchrony Software, a technology firm with products and services focused on security, collaboration and systems integration.
Inside the book
The book is divided into four thematical sections, each dealing with its own subset of information. The first section, “Introduction to PDA Security in the Enterprise”, should in my opinion get a new title, as it mostly contains info and facts on handhelds in general. Of course, the section hosts an introduction piece on the major aspects of PDA security, but on the other hand it provides a wealth of information on handhelds in general. The topics that should be especially mentioned include: an overview on Operating Systems, core applications list and product tables for Palm, PocketPC, Sony and RIM devices. The product tables include images and technical specifics on a number of products that are available in these thematic categories. The coverage of RIM devices is a nice addition, as they are quite media darlings lately and a number of non US readers aren’t so familiar with their functionalities.
From the security perspective, this section provides some good facts and phrases that can be used for proving your upper management that handhelds must be taken seriously, as they can be used as an access point into any corporate network.
Assessing your corporate risk profile is must when handhelds become Information Technology’s problem. With this fact the authors go deeper in actual security issues surrounding personal handhelds in a corporate environment. This section doesn’t cover the actual technical problems, but rather guides the reader through the process of risk assessment. The coverage of this topic clearly shows the in-depth experience the authors have in this area. As a direct result, the contents of this section will be of a significant help in the process of deploying a well planned and secure handheld-able infrastructure.
Besides defining the possible risks, authors consult the readers on using and writing a good policy management strategy.
As we go further into the book, the third section builds upon the previous book parts and leads into some more technical topics. These topics consist of the six key elements of PDA security: device access authentication, network connection security, data encryption, intruder penetration resistance, cryptography and accessing the device storage bypassing the operating system. All of these elements receive a fair bit of written text, but a special note is given to the last element. For that curious person inside you, the authors take care of all the previously mentioned devices with comments on their strengths and weaknesses.
The section is concluded with a self-descriptive chapter on whitehat hacking threats and mitigations. This chapter hosts a bit historic, but especially entertaining topic, of using HyperTerminal and a utility contained in handheld’s firmware as a backdoor to the locked IPAQ.
A couple of brief chapters, comprised in the fourth and final section of “PDA Security”, provide the authors’ overview of the things to come and the major risks organizations should be aware of.
I am an everyday handheld user and since the RSA Conference 2003, my HP Ipaq 5550 totally replaced my notebook, as with the addition of the foldable keyboard it offers all the major notebook functionalities. As you can see from a number of new publications, electronic and paper, handheld computers are one of the IT emerging topics. As there are not so many exclusive PDA/handheld oriented security publications, this book’s approach is surely a nice refreshment.
As all the “PDA Security” authors come from the same company that does business in the PDA security area, I expected a number of references to their services and products. Unfortunately, the book has about 55 pages devoted to their “PDA Defense” product and as this is in fact 1/7 of the book, it kind of bothered me. I should note that the authors explained that the product was used as an example of what you can expect in the Enterprise PDA security solution, but the coverage is obviously too extensive.
Nevertheless, the book will suit a number of readers interested in the field of PDA security in general. The authors managed to cover a broad range of topics surrounding the most popular handhelds and delivered a useful guide through corporate aspects of PDA security.