Problem solve Get help with specific problems with your technologies, process and projects.

Public wireless networks present a raft of dangers

A company's end-users don't always have the luxury of a protected network, as many often leave the comfort of their guarded corporate environment and access the Internet from coffee shops, hotels, airports and other public areas. In this tip, Mike Chapple explains the dangers of public wireless networks and reveals why travelers must be wary of data thieves looking to steal sensitive information.

Most modern IT organizations have taken measures to fortify the corporate network against a variety of threats. Common setups often include ingress filters and network-segmenting firewalls, centralized monitoring of malware tools, an intrusion detection system and various other security infrastructure components. However, are end-users safe when they leave the friendly confines of such a protected network?

In today's business environment, many employees travel to visit clients, participate in conferences and deliver presentations. Along the way, they travel through airports, stay in hotels, stop by coffee shops and visit a variety of other places that offer access to the Internet via public wireless networks. Those networks bring with them a set of threats that can make a CSO squirm.

Beware of the bored
First, public wireless networks are crawling with individuals who have nothing better to do than attempt to access other computers on the network and browse their hard drives. If corporate systems aren't properly configured, they may be easy victims for these miscreants. Fortunately, this problem is easy to solve. Here are a few specific actions to take:

  • Ensure firewalls are installed and configured to block all unsolicited inbound traffic.
  • Verify that antivirus software is up-to-date and is automatically receiving signature updates, even when the systems being protected are outside of the corporate network.
  • Configure the operating system to automatically download and install security patches.
  • Protect all accounts on the system with strong passwords.
These simple measures make corporate systems unattractive -- or even invisible! -- to those browsing public networks.

Learn more about life outside of your corporate network

Review your wireless encryption options.

Laptop encryption alone won't solve the data theft problem. Find out why in this tip. 

In this Messaging Security School lesson, learn the essential practices for securing mobile devices.
Beware of the eavesdroppers
Once corporate systems have been fortified against those attempting to gain direct access, shift the attention to eavesdroppers. Corporate wireless networks commonly use WPA or WEP encryption to prevent war drivers from intercepting confidential network traffic. Public wireless networks generally do not employ such protections, and users are often left to defend themselves against eavesdroppers. One option that travelers have is to apply encryption to individual services (HTTPS, SMTP over SSL, etc.). However, this is cumbersome, and it's easy to miss one or more data paths. The simplest solution to the eavesdropping problem is to use a virtual private network (VPN) to securely tunnel all traffic -- even that destined for the Internet -- back to the safe environment of your corporate network.

Beware of the thieves
Even if the public wireless networks and the systems themselves have been protected against hackers and eavesdroppers, don't forget about a more traditional risk: thieves. Thousands of laptops are lost or stolen in airports, parking lots, hotels and other locations each year, and we've all seen the headlines about the high-profile data losses that resulted. Recent incidents made headlines for Aetna, MCI, Boeing and the U.S Department of Veterans Affairs, among others. The easy fix? Encrypt all of the laptops used by your organization. This won't prevent a thief from stealing the device, but it will ensure that all they get is a couple thousand dollars' worth of hardware, rather than millions of dollars' worth of data.

The proliferation of mobile computing, the widespread distribution of data throughout all levels of organizations and the growing risk of public wireless networks should give us all pause. However, there is no need to avoid mobile computing completely. With the help of a few preventative controls, mobile computing can be safe and productive for businesses.

About the author:
Mike Chapple, CISA, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.

This was last published in March 2007

Dig Deeper on Data security breaches

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.