Airport Wi-Fi Security Pre-Flight
According to Amit Sinha, fellow and chief technologist for Motorola AirDefense who recently helped write the new wireless security guidelines for the Payment Card Industrys Security Standards Council, mobile wireless devices are often the weakest link in the enterprise security infrastructure.
While this is an old, familiar refrain there are new challenging wrinkles. Tech-savvy employees often circumvent security measures. Employees are increasingly using their private devices rather than enterprise owned-devices. Hotspots are extending the edge of the network on an increasing scale; and, pervasive wireless networks such as municipal Wi-Fi are invading the enterprise perimeter.
The older security protections and policies, then, need regular review and updating plus constant scrutiny and scouring to keep pace with new threats. While CIOs work to do exactly that, staffers and company VIPs are logging onto hotspots in airports―largely considered the biggest security bugaboo of them all. This complicates the problem considerably for CIOs who cannot even count on their own team to join in the fight.
All Together Now
Indeed, staffers and IT can find themselves very much at odds over mobile priorities. In the one corner is IT, focused on security and regulatory compliance. In the other corner is the rest of the team who is focused on speed, agility, revenues and quotas. Rather than duke it out (no matter who delivers the knockout punch the company loses) the better strategy is to plan security around real world use.
Companies should certainly explain the very real dangers to the company from just one person using an airport hotspot, said Rene Poot, international systems engineer at NCP Secure Communications but they need to also understand that locking down remote employees and imposing very stringent access restrictions will only frustrate end-users, which in turn may lead them to attempt to circumvent the policies.
This does not mean that traveling employees can hold IT hostage for watered down mobile security policies, however. Poot said enterprises can take a number of proactive steps including implementing security "pat-downs," or endpoint security compliance tests. By doing so companies can ensure traveling employees are connecting to known, friendly environments and the corporate security rules can then be applied. These pat-downs can be enforced centrally where different security components can be tested to see whether they're active or up-to-date prior to permitting full remote network access.
Moving beyond pre-connect measures, companies are advised to automate policies rather than depend solely on manual implementation by users. According to Douglas Brush, owner of The Digital Forensic Group, if a user views a security measure as something that they have to implement themselves they will almost always look for a way to circumvent it. Further, he said, if the measure fails to balance security with computer and network performance and the user's work flow is interrupted they will again look to get around it.Motorola's Sinha offers these best practices for securing Wi-Fi in airports and other hotspots:
Use hotspots only for Internet surfing. Enter passwords only into websites that include an SSL key on the bottom right. Disable/remove the wireless card if you are not actively using a hotspot. Ensure that a laptop is updated with the latest security patches. Avoid hotspots where it is difficult to tell whos connected (hotels, airport clubs, conferences, large facilities). If the hotspot is not working properly, assume your password has been compromised, report to hotspot service provider and change your password at the next immediate opportunity. Read all pop-up windows in their entirety. Do not use insecure applications such as non-encrypted email or instant messaging while at hotspots.
Virtual private networks (VPN) remain the best defense to date for connecting to the Internet from hotspots. A VPN forces a computer to connect to the corporate network first and from there to the Internet. This way the data is completely encrypted. According to Itzik Kotler, security researcher for Radware, this is the best and most secure way to avoid data leaks while on the road.
That is not to say, however, that VPNs are invulnerable. Sinha warns that firewalls and VPNs provide only limited protection to wireless devices from the rising threat of Layer 2 attacks.
Encryption, Encryption, Encryption
Another often overlooked security problem is the lack of encryption of hard disks and flash drives on mobile employee laptops and removable devices. Brush recommends free programs such as TrueCrypt that can easily be deployed and preserve sensitive information and meet regulatory (SarbOx, HIPPA, etc.) concerns.
Remember mobile device use is not limited to road travel. Be sure to extend your wireless security policies to employees that remain on the premises, as well. CIOs must remain vigilant against intruding Wi-Fi that employees can accidentally connect to from their desks.
Explicitly disable municipal Wi-Fi access from within the enterprise, he said. And enforce regular password change-ups.
A prolific and versatile writer, Pam Baker's published credits include numerous cover stories for international, national and regional media from women's and general interest to finance, business and technology magazines, online content and newspapers; analytical studies on technology; and, six books. She is a member National Press Club and Avant Guild/Mediabistro.com. She was 2004 nominee for the Templeton Cambridge Journalism Fellowship in Science and Relgion (UK) and wrote and produced an award-winning documentary on paper-making.