Public wireless networks present a raft of dangers

Most modern IT organizations have taken measures to fortify the corporate network against a variety of threats. Common setups often include ingress filters and network-segmenting firewalls, centralized monitoring of malware tools, an intrusion detection system and various other security infrastructure components. However, are end-users safe when they leave the friendly confines of such a protected network?

In today's business environment, many employees travel to visit clients, participate in conferences and deliver presentations. Along the way, they travel through airports, stay in hotels, stop by coffee shops and visit a variety of other places that offer access to the Internet via public wireless networks. Those networks bring with them a set of threats that can make a CSO squirm.

Beware of the bored
First, public wireless networks are crawling with individuals who have nothing better to do than attempt to access other computers on the network and browse their hard drives. If corporate systems aren't properly configured, they may be easy victims for these miscreants. Fortunately, this problem is easy to solve. Here are a few specific actions to take:

  • Ensure firewalls are installed and configured to block all unsolicited inbound traffic.
  • Verify that antivirus software is up-to-date and is automatically receiving signature updates, even when the systems being protected are outside of the corporate network.
  • Configure the operating

    Requires Free Membership to View

  • system to automatically download and install security patches.
  • Protect all accounts on the system with strong passwords.
These simple measures make corporate systems unattractive -- or even invisible! -- to those browsing public networks.

Learn more about life outside of your corporate network

Review your wireless encryption options.

Laptop encryption alone won't solve the data theft problem. Find out why in this tip. 

In this Messaging Security School lesson, learn the essential practices for securing mobile devices.
Beware of the eavesdroppers
Once corporate systems have been fortified against those attempting to gain direct access, shift the attention to eavesdroppers. Corporate wireless networks commonly use WPA or WEP encryption to prevent war drivers from intercepting confidential network traffic. Public wireless networks generally do not employ such protections, and users are often left to defend themselves against eavesdroppers. One option that travelers have is to apply encryption to individual services (HTTPS, SMTP over SSL, etc.). However, this is cumbersome, and it's easy to miss one or more data paths. The simplest solution to the eavesdropping problem is to use a virtual private network (VPN) to securely tunnel all traffic -- even that destined for the Internet -- back to the safe environment of your corporate network.

Beware of the thieves
Even if the public wireless networks and the systems themselves have been protected against hackers and eavesdroppers, don't forget about a more traditional risk: thieves. Thousands of laptops are lost or stolen in airports, parking lots, hotels and other locations each year, and we've all seen the headlines about the high-profile data losses that resulted. Recent incidents made headlines for Aetna, MCI, Boeing and the U.S Department of Veterans Affairs, among others. The easy fix? Encrypt all of the laptops used by your organization. This won't prevent a thief from stealing the device, but it will ensure that all they get is a couple thousand dollars' worth of hardware, rather than millions of dollars' worth of data.

The proliferation of mobile computing, the widespread distribution of data throughout all levels of organizations and the growing risk of public wireless networks should give us all pause. However, there is no need to avoid mobile computing completely. With the help of a few preventative controls, mobile computing can be safe and productive for businesses.

About the author:
Mike Chapple, CISA, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.

This was first published in March 2007

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.