
January 2, 2009
Vol.31 Issue 1 Page(s) 1,10 in print issue
Protect Employees Who Use Outside Networks
Simple Steps To Keep Road Warriors Safe When Using Public Networks
THE FIRST THING most road warriors do when crashing in their hotel room is fire up the laptop and look for an available Internet connection, yet in most cases, rashly hopping online makes about as much sense as using a toothbrush you find left in the bathroom. Today’s mobile workforce, toting an assortment of wireless communications devices, relies on the virtually ubiquitous availability of some form of broadband Internet connection. While a few well-heeled, BlackBerry-addicted executives can subsist on a telco’s 3G data service, most nomadic users look for cheaper (and faster) public Wi-Fi connections common in most hotels, cafés, and other public spaces. Wireless networking has undoubtedly been a boon for business travelers, but it’s accompanied by a number of risks. These include everything from data sniffing to attacks on exposed server processes such as file shares and network applications. Public networks vary widely in the attention their operators pay to security, so it’s incumbent upon users to understand the potential vulnerabilities and to take precautionary security measures.
Threats To Users From Public Networks
According to a research report by the IT consultancies Core Competence (www.corecom.com) and the Farpoint Group (www.farpointgroup.com), in which they performed field testing of 27 public hotspots, “Overall, hotel broadband security varied quite a bit, from wide open to relatively tight.” They note, “Vulnerabilities associated with hospitality-provided broadband services run the gamut from common Internet pitfalls to more subtle exposures that put unsuspecting users at risk. Many hotspot visitors know about Wi-Fi eavesdropping, for example, and some protect their data using convenient SSL and other VPN tunnels.” They add that these measures, while helpful, are incomplete because PCs can still leak unencrypted LAN packets and expose server applications and file shares to other clients on the local network.
A recent study by Cornell’s School of Hotel Administration found that of the 147 properties surveyed, 20% still use hub-based wired networks, while the vast majority of those with wireless networks did not use encryption (www.hotelschool.cornell.edu/research/chr/pubs/reports/abstract-14928.html). Hub-based networks are inherently insecure because all traffic is broadcast to every node on the network. The authors also note, “Wireless networks can be thought of as hub-based networks, just without wires. Thus, a Wi-Fi system has the same vulnerability as the old hub-based networks.”
Public network users also have no idea what, if any, security precautions are being taken by the provider. For example, every respectable enterprise network includes a firewall between the public Internet and internal systems; however, many hotspots do not. According to the Core Competence/Farpoint study, “[Users] really have no idea whether any firewall lies between their notebook and the Internet. Notebooks that do not firewall themselves or that use certain applications that open holes in firewalls could thus be exposed to intrusions from the far side of the Internet.”
Protective Measures
Users should always practice basic PC hygiene, particularly when using public networks; this includes anti-malware protection and a local firewall, ideally integrated into a single suite and centrally managed. Likewise, Info-Tech Senior Research Analyst James Alexander underscores the importance of encrypting sensitive data on all mobile devices. Yet when venturing beyond the friendly confines of the corporate intranet, additional precautions are required.
Paul DeBeasi, senior analyst at the Burton Group, says that tunneling all network traffic through a corporate VPN is the most important measure IT can take to both protect confidential data and to safeguard internal networks from unauthorized external access. Because most public Wi-Fi networks don’t use encryption (such as WPA), he says clients should always use a VPN, even when accessing public Web sites. For small businesses or individuals without an internal VPN gateway, a number of public VPN services are available (HotSpotVPN [hotspotvpn.com] and PublicVPN [www.publicvpn.com] to name a couple). These let users establish an IPsec or PPTP session via the service provider, tunneling all traffic through an encrypted connection and thus foiling any attempts at data snooping. Because Windows and Mac OS X both include IPsec clients, setup involves nothing more than launching a connection wizard and entering some addresses and credentials.
It’s also imperative to use some common sense before connecting to a wireless access point. Alexander notes that wireless networks “provide no definitive proof of what you’re connecting to,” so both he and DeBeasi advise users never to join unknown or suspicious-sounding WLANs. Most hotels or restaurants will use SSIDs (Wi-Fi network names) that specifically identify them; however, if you see one called “free Wi-Fi” or “Starbucks2,” be careful, as it may be a rogue setup by a hacker attempting to steal information via a man-in-the-middle attack. Ad-hoc (PC-to-PC networks without an access point) wireless connections should also be avoided because, as DeBeasi notes, these are almost never legitimate public networks and are a favorite hacker tool. The simplest way to enforce these connection policies is by not allowing Windows to automatically connect to unknown, nonpreferred networks.
Users accessing highly confidential information, or who are merely ultra-paranoid, may want to avoid public networks entirely. One option is to subscribe to a trusted wireless network aggregator, while those with deep pockets should consider an unlimited 3G data plan from one of the major wireless telcos. A common-sense, low-tech way to provide added protection is simply to disable the wireless NIC when not in use. Most laptops provide a button or toggle switch to activate the NIC, but on PCs lacking this feature, network interfaces can be disabled using the Windows Network Control Panel.
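The connection policies described above can be checked against the wireless profiles a laptop has already saved. The following is an added example, not part of the original article: it parses profile XML in the format Windows writes with `netsh wlan export profile` and flags ad-hoc, unencrypted, and auto-connecting open networks. The sample profiles, network names, and the `audit_profile` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}
AUTH_PATH = "w:MSM/w:security/w:authEncryption/w:"

# Constructed template mirroring the fields of an exported WLAN profile.
TEMPLATE = """<WLANProfile xmlns="{ns}">
  <name>{name}</name>
  <connectionType>{ctype}</connectionType>
  <connectionMode>{mode}</connectionMode>
  <MSM><security><authEncryption>
    <authentication>{auth}</authentication>
    <encryption>{enc}</encryption>
  </authEncryption></security></MSM>
</WLANProfile>"""

# Constructed sample profiles (network names and settings are made up).
SAMPLES = [
    TEMPLATE.format(ns=NS["w"], name=n, ctype=c, mode=m, auth=a, enc=e)
    for n, c, m, a, e in [
        ("ExampleHotel-Guest", "ESS", "auto", "open", "none"),
        ("Free Wi-Fi", "IBSS", "manual", "open", "none"),
        ("ExampleCorp-WLAN", "ESS", "auto", "WPA2", "AES"),
    ]
]

def audit_profile(xml_text):
    """Return (profile name, list of findings) for one exported profile."""
    root = ET.fromstring(xml_text)

    def text(path):
        node = root.find(path, NS)
        return (node.text or "").strip() if node is not None else ""

    findings = []
    if text("w:connectionType") == "IBSS":  # IBSS = ad-hoc, no access point
        findings.append("ad-hoc network")
    unencrypted = (text(AUTH_PATH + "authentication") == "open"
                   and text(AUTH_PATH + "encryption") == "none")
    if unencrypted:
        findings.append("no encryption")
    if unencrypted and text("w:connectionMode") == "auto":
        # Any access point advertising this name would be joined silently.
        findings.append("auto-connects to open network")
    return text("w:name"), findings

if __name__ == "__main__":
    for sample in SAMPLES:
        name, findings = audit_profile(sample)
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

Profiles that report findings are candidates for removal or for switching to manual connection once the trip is over.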
Understand & Avoid Risks
Broadband connections have become a necessity for business travelers and other digital nomads, but because they are often loosely managed with lax security, users must exercise greater prudence and caution before connecting. While many security measures can be centrally implemented by IT, users still need to understand the risks and ensure they are using requisite security tools and processes. In addition to implementing a set of best practices, IT departments with mobile users should also regularly check online resources such as the Wireless Vulnerabilities and Exploits site (wirelessve.org) for updated information on new threats.
by Kurt Marko
Work Securely From Hotspots
Here are a few tips to make working in public locations more secure.
• Choose secure connections. When you can, opt for wireless networks that require a network security key, use encryption, or have some other form of security, such as a certificate.
• Forgo free networks. Consider subscribing to a paid hotspot network for better security. Also, consider using a VPN service if your company doesn’t have its own VPN gateway.
• Activate your firewall. A firewall helps prevent unauthorized users from gaining access to your computer through the Internet or a network.
• Monitor access points. Don’t connect to unknown access points and prevent accidental connections by configuring your PC to let you approve access points before connecting.
• Turn off your radio. Always turn your Wi-Fi radio off when you are not using it. Hackers can set up peer-to-peer Wi-Fi connections with your computer and use them to access your personal information.
• Disable file and printer sharing. When using a hotspot, disable file and printer sharing. When enabled, it leaves your computer vulnerable to hackers.
• Make folders private. When your folders are private, it’s more difficult for hackers to access files. You can protect your files further by encrypting them, which requires a password to open or modify them.
• Consider removing sensitive data from your notebook. If you're working with extremely sensitive data, it might be worth taking it off your notebook altogether.
SOURCE: ADAPTED FROM MICROSOFT’S “7 TIPS FOR WORKING SECURELY FROM WIRELESS HOTSPOTS” AND SPAM LAWS.