Most modern IT organizations have taken measures to fortify the corporate network against a variety of threats. Common setups often include ingress filters and network-segmenting firewalls, centralized monitoring of malware tools, an intrusion detection system and various other security infrastructure components. However, are end-users safe when they leave the friendly confines of such a protected network?
In today's business environment, many employees travel to visit clients, participate in conferences and deliver presentations. Along the way, they travel through airports, stay in hotels, stop by coffee shops and visit a variety of other places that offer access to the Internet via public wireless networks. Those networks bring with them a set of threats that can make a CSO squirm.
Beware of the bored
First, public wireless networks are crawling with individuals who have nothing better to do than attempt to access other computers on the network and browse their hard drives. If corporate systems aren't properly configured, they may be easy victims for these miscreants. Fortunately, this problem is easy to solve. Here are a few specific actions to take:
- Ensure firewalls are installed and configured to block all unsolicited inbound traffic.
- Verify that antivirus software is up to date and is automatically receiving signature updates, even when the systems being protected are outside of the corporate network.
- Configure the operating system to automatically download and install security patches.
- Protect all accounts on the system with strong passwords.
Once corporate systems have been fortified against those attempting to gain direct access, shift the attention to eavesdroppers. Corporate wireless networks commonly use WPA or WEP encryption to prevent war drivers from intercepting confidential network traffic. Public wireless networks generally do not employ such protections, and users are often left to defend themselves against eavesdroppers. One option that travelers have is to apply encryption to individual services (HTTPS, SMTP over SSL, etc.). However, this is cumbersome, and it's easy to miss one or more data paths. The simplest solution to the eavesdropping problem is to use a virtual private network (VPN) to securely tunnel all traffic -- even that destined for the Internet -- back to the safe environment of your corporate network.
Beware of the thieves
Even if the public wireless networks and the systems themselves have been protected against hackers and eavesdroppers, don't forget about a more traditional risk: thieves. Thousands of laptops are lost or stolen in airports, parking lots, hotels and other locations each year, and we've all seen the headlines about the high-profile data losses that resulted. Recent incidents made headlines for Aetna, MCI, Boeing and the U.S. Department of Veterans Affairs, among others. The easy fix? Encrypt all of the laptops used by your organization. This won't prevent a thief from stealing the device, but it will ensure that all they get is a couple thousand dollars' worth of hardware, rather than millions of dollars' worth of data.
The proliferation of mobile computing, the widespread distribution of data throughout all levels of organizations and the growing risk of public wireless networks should give us all pause. However, there is no need to avoid mobile computing completely. With the help of a few preventative controls, mobile computing can be safe and productive for businesses.
About the author:
Mike Chapple, CISA, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.