Part 2/4: The Value of Security for Mobile/Wireless

  • Article

I was interviewed on the topic of Mobile, Wireless, and Security several times this year however only a portion typically makes it to print so I'm blogging about it.

I encourage you to share your experiences here or send me an e-mail at sibaraki@cips.ca, Thank you from Stephen Ibaraki, I.S.P., DF/NPA, CNP
_________________________________

This is a four-part blog series:

Part 1/4: The Major Move to Mobile and Wireless: are you prepared?
Part 2/4: The Value of Security for Mobile/Wireless
Part 3/4: Managing Mobile and Wireless Security Effectively
Part 4/4: 5 Essential Tips for Mobile and Wireless Computing

A study by Symantec (https://www.digital-lifestyles.info/display_page.asp?section=cm&id=2960) puts the average value of the "intellectual property or commercially sensitive information" on laptops at nearly 1 million USD. Only 42% of companies backup the e-mail on laptops where the much of this sensitive information is located. "It's alarming that executives have mobile devices containing data of such financial value and that very little is being done to protect the information on them. The research shows that only a few organizations have measures in place to retrieve this information if their laptop is lost or stolen, which is very worrying," said Lindsey Armstrong, senior vice president EMEA at Symantec.

Let's examine more closely what these security concerns can be.

If you provide mobile wireless connectivity within the office then the business needs to be concerned by public access to sensitive information available from the internal wireless network: business information, employee data, customer information, pricing data, credit card numbers, ...

Also, the business must manage:
(a) Who gets access? Are you looking for and preventing rogue systems [unauthorized computers] from accessing your business network? Do you have policies [rules or guidelines automatically enforced] in place for wireless usage of your network?

(b) What kind of access are employees granted? Do they have full read and write access to all data, or just the ability to read the information? Do they have access only to data that pertains to them or all business data? What policies do you have in place to control access to data and the kinds of data employees can access? These issues are more pronounced when you have mobile wireless computing since without controls employees can access any kind of information, at anytime, from anywhere. There in lies the danger!

(c) Should everyone have wireless access? Should the vehicle drivers, front desk assistant, a business associate have access? Who gets access and for what reasons? What kinds of information are more sensitive than others to general employee access or public access?

(d) What kind of devices are allowed access? What kind of wireless access points [physical devices that allow wireless communications] are allowed access and are there rogue [unauthorized] access points? Without security measures, any employee could plug in their own wireless router or hub and create their own wireless network. What devices can connect to the wireless network? For example, I would recommend only authorized business systems can receive access but not personal devices [a personal computer or device brought in by an employee]. And clear guidelines must be in place to detect rogue devices, rogue wireless access points and procedures to deny them access.

(e) What are the distance limits or boundaries to this wireless access? Can your competitor across the street access your unsecured wireless signal? Can a driver on the street "sniff" into your wireless network? Can someone else steal your services or ride on the back of our wireless network?

(f) What sort of authentication system will be used? For example, 802.11i offers EAP [Extensible Authentication Protocol) authentication and encryption using WPA [Wi-Fi Protected Access] and TKIP [temporal key interchange/integrity protocol] but this doesn't work for all devices. So the hardware/software/clients have to support the kinds of wireless protocols you are using. This means you need to plan ahead of time to ensure compatibility.

(g) What sort of encryption will be used? WEP [Wired Equivalent Privacy] as one example has challenges since keys are shared by everyone on the network and are manually changed. WPA [Wi-Fi Protected Access] has dynamically rotating pre-shared keys but they still need to be deployed manually. AES [Advanced Encryption Standard] supported by 802.11i is a good one to use but likely requires a hardware upgrade, new policies for deployment, and changes to security procedures. The 802.11i Wi-Fi [Wireless Fidelity] standard provides enhanced security, superior encryption, and uses Extensible Authentication Protocol (EAP), and measures such as using VPN and 802.1x authentications processes for end-users so if you are not using 802.1x now, it makes it harder to implement. Are you considering these factors?

(h) Should you be installing Virtual Machine software on the mobile computers to ensure a perfectly managed environment and prevent un-managed systems from entering your network. Un-managed systems are the greatest risk to create open doors for hackers to enter the business network. A user sits a home or at a hotel, browsing the internet and opening up attachments receiving hacker-generated programs along the way. These programs now reside on the un-managed computer waiting for access to other systems. The user logs into the business network and now the hacker has an back-door [open-door] to gain access to the business network stealing, not only information on the un-managed computer, but systems within the business network.

(i) If you have employees carrying around this sensitive information such as private business data or client data on their mobile computers and connecting to wireless networks outside the office, they again need to be concerned about public access to sensitive information on their mobile computer hard disks. "Evil twin" or "Wireless Phishing" are wireless networks specifically designed to steal information from you. For example, your employees are on the road and in a hotel and looking for available wireless networks (hotspots) to do their e-mail. They find an innocent looking wireless network that is free and sounds legitimate. However, this network is designed to steal information from the employee.

(j) Also, businesses need to protect against theft of the mobile computer since the sensitive data on the hard disks can be breached. Encryption, passwords, locked devices, virtual machine software, remote deletion, can be means to provide safeguards.

(k) If employees are operating from home and they have added computers at home, even a VPN [Virtual Private Network secure access] doesn't provide the necessary security. The internal business network can be exposed to anything the employee downloads at home. These employee downloads can contain spyware, viruses, trojans, and other dangerous applications that can breach the internal business network through the VPN. Policies about usage or Virtual Machine software can be used to provide protection.