Public wireless networks present a raft of dangers

In today's business environment, many employees travel to visit clients, participate in conferences and deliver presentations. Along the way, they travel through airports, stay in hotels, stop by coffee shops and visit a variety of other places that offer access to the Internet via public wireless networks. Those networks bring with them a set of threats that can make a CSO squirm.

Beware of the bored
First, public wireless networks are crawling with individuals who have nothing better to do than attempt to access other computers on the network and browse their hard drives. If corporate systems aren't properly configured, they may be easy victims for these miscreants. Fortunately, this problem is easy to solve. Here are a few specific actions to take:

• Ensure firewalls are installed and configured to block all unsolicited inbound traffic.
• Verify that antivirus software is up-to-date and is automatically receiving signature updates, even when the systems being protected are outside of the corporate network.
• Configure the operating system to automatically download and install security patches.
• Protect all accounts on the system with strong passwords.

Learn more about life outside of your corporate network Review your wireless encryption options. Laptop encryption alone won't solve the data theft problem. Find out why in this tip.  In this Messaging Security School lesson, learn the essential practices for securing mobile devices.

Beware of the eavesdroppers
Once corporate systems have been fortified against those attempting to gain direct access, shift the attention to eavesdroppers. Corporate wireless networks commonly use WPA or WEP encryption to prevent war drivers from intercepting confidential network traffic. Public wireless networks generally do not employ such protections, and users are often left to defend themselves against eavesdroppers. One option that travelers have is to apply encryption to individual services (HTTPS, SMTP over SSL, etc.). However, this is cumbersome, and it's easy to miss one or more data paths. The simplest solution to the eavesdropping problem is to use a virtual private network (VPN) to securely tunnel all traffic -- even that destined for the Internet -- back to the safe environment of your corporate network.

Beware of the thieves
Even if the public wireless networks and the systems themselves have been protected against hackers and eavesdroppers, don't forget about a more traditional risk: thieves. Thousands of laptops are lost or stolen in airports, parking lots, hotels and other locations each year, and we've all seen the headlines about the high-profile data losses that resulted. Recent incidents made headlines for Aetna, MCI, Boeing and the U.S Department of Veterans Affairs, among others. The easy fix? Encrypt all of the laptops used by your organization. This won't prevent a thief from stealing the device, but it will ensure that all they get is a couple thousand dollars' worth of hardware, rather than millions of dollars' worth of data.

The proliferation of mobile computing, the widespread distribution of data throughout all levels of organizations and the growing risk of public wireless networks should give us all pause. However, there is no need to avoid mobile computing completely. With the help of a few preventative controls, mobile computing can be safe and productive for businesses.

About the author:
Mike Chapple, CISA, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Tactics Using Nessus Attack Scripting Language (NASL) to find application vulnerabilities Screencast: Recovering lost data with WinHex How to build security into a virtualized server environment How to install and configure Nessus How to run a Nessus system scan Nessus: Vulnerability scanning in the enterprise Screencast: An introduction to the Open Source Security Testing Methodology Manual (OSSTMM) Understanding multifactor authentication features in IAM suites Network intrusion prevention systems: Should enterprises deploy now? Webmail security: Best practices for data protection Wireless LAN Architecture How to build security into a virtualized server environment Is it possible to identify a fake wireless access point? How 'evil twins' and multipots seek to bypass enterprise Wi-Fi defenses Wi-Fi simplicity edging out Wi-Fi security Cisco issues warning for wireless LAN controller flaws Will securing a wireless LAN make the data link layer vulnerable? Aruba bolsters mobile suite with security acquisition VeriSign, AirMagnet team up for wireless IPS Check Point promises more VoIP security, fewer slowdowns TJX breach tied to Wi-Fi exploits Wireless LAN Architecture Research Identity Theft and Data Security Breaches Security data lapses hamper researchers Data breaches caused by employee errors, process failures Data breach laws have no effect on prevention, researchers say Walter Reed admits breach of patient information Address Authentication and Transaction Validation Protocols to Stem Identity Theft Stolen data ending up in Google cache, say researchers Security breach management: Planning and preparation Societe Generale bolsters internal controls, discovers second insider Companies still monitoring email manually, survey finds NSS Labs to focus research on PCI technologies RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) CISP-PCI  (SearchFinancialSecurity.com) cookie poisoning  (SearchSecurity.com) drive-by pharming  (SearchSecurity.com) extrusion prevention  (SearchSecurity.com) identity theft  (SearchSecurity.com) parameter tampering  (SearchSecurity.com) pretexting  (SearchCIO.com) Rock Phish  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.