


New NIST Security Guidelines for Cell Phones and PDA Devices

Jul 18, 2008
2 mins
Data and Information Security

Are more and more of your workers becoming mobile and accessing the Internet via portable devices? Well, security help has arrived. The National Institute of Standards and Technology (NIST) has released an excellent new publication entitled “Guidelines on Cell Phone and PDA Security (Draft).”

This new guide (Special Publication 800-124) offers an excellent overview for all organizations, regardless of whether you are in government or not. Here’s an excerpt:

Because of their small size and use outside the office, handheld devices can be easier to misplace or to have stolen than a laptop or notebook computer. If they do fall into the wrong hands, gaining access to the information they store or are able to access remotely can be relatively easy.

Communications networks, desktop synchronization, and tainted storage media can be used to deliver malware to handheld devices. Once established, malware can initiate a wide range of attacks and can spread itself onto other devices. As with desktop computers, cell phones and PDAs are subject to spam.

Besides the inconvenience of deleting them, charges may apply for inbound activity. Spam can also be used for phishing attempts.

Electronic eavesdropping on phone calls, messages, and other wirelessly transmitted information is possible through various techniques. Installing spy software on a device to collect and forward information elsewhere is perhaps the most direct means, but other components of a communications network, including the airwaves, are possible avenues for exploitation.

Location tracking services allow the whereabouts of registered cell phones to be known and monitored. While it can be done openly for legitimate purposes, it may also take place surreptitiously.

It is possible to create a clone of certain phones that can masquerade as the original. Once popular with analog phones, it is not as prevalent today with the rise of digital networks, but some early generation digital equipment has been shown to be vulnerable.

Server-resident content, such as electronic mail maintained for a user by a network carrier as a convenience, may expose sensitive information through vulnerabilities that exist at the server.

While these devices provide productivity benefits, they also pose new risks to an organization’s security.


Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist and author. During his distinguished career, Dan has served global organizations in the public and private sectors in a variety of executive leadership capacities, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan State Government. Dan was named: "CSO of the Year," "Public Official of the Year," and a Computerworld "Premier 100 IT Leader." Dan is the co-author of the Wiley book, “Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing and Recovering From Inevitable Business Disruptions.” Dan Lohrmann joined Presidio in November 2021 as an advisory CISO supporting mainly public sector clients. He formerly served as the Chief Strategist and Chief Security Officer for Security Mentor, Inc. Dan started his career at the National Security Agency (NSA). He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US / UK military facility. Lohrmann is on the advisory board for four university information assurance (IA) programs, including Norwich University, University of Detroit Mercy (UDM), Valparaiso University and Walsh College. Earlier in his career he authored two books - Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD For You: The Guide to Bring Your Own Device to Work. Mr. Lohrmann holds a Master's Degree in Computer Science (CS) from Johns Hopkins University in Baltimore, Maryland, and a Bachelor's Degree in CS from Valparaiso University in Indiana.
