Digital Device Security
As a user of a mobile computing device – such as a laptop, tablet, or smart phone – you are probably aware of some of the unique security responsibilities you have as an owner and user of such a device. With the mobility of these devices, they are often operated outside the office environment and exposed to new and potentially damaging vulnerabilities. The following short article discusses these challenges and provides some best practices for the operation of mobile devices.
In particular, please read the section Be Aware of Thieves, which discusses laptop encryption. The District Office Information Technology Department offers this software and installation service and recommends that all laptop owners use it. It is a very easy way to protect the data in your laptop should it ‘fall into the wrong hands’. Please contact the Help Desk to request the installation of encryption software on your laptop(s).
Public Wireless Networks Present a Raft of Dangers
Original article published on March 7, 2007: Public Wireless Networks Present a Raft of Dangers.
Most modern IT organizations have taken measures to fortify the corporate network against a variety of threats. Common setups often include ingress filters and network-segmenting firewalls, centralized monitoring of malware tools, an intrusion detection system and various other security infrastructure components. However, are end-users safe when they leave the friendly confines of such a protected network? In today's business environment, many employees travel to visit clients, participate in conferences and deliver presentations. Along the way, they travel through airports, stay in hotels, stop by coffee shops and visit a variety of other places that offer access to the Internet via public wireless networks. Those networks bring with them a set of threats that can make a CSO squirm.
Beware of the Bored
First, public wireless networks are crawling with individuals who have nothing better to do than attempt to access other computers on the network and browse their hard drives. If corporate systems aren't properly configured, they may be easy victims for these miscreants. Fortunately, this problem is easy to solve. Here are a few specific actions to take:
- Ensure firewalls are installed and configured to block all unsolicited inbound traffic.
- Verify that antivirus software is up-to-date and is automatically receiving signature updates, even when the systems being protected are outside of the corporate network.
- Configure the operating system to automatically download and install security patches.
- Protect all accounts on the system with strong passwords.
- These simple measures make corporate systems unattractive -- or even invisible! -- to those browsing public networks.
Beware of the Eavesdropper
Once corporate systems have been fortified against those attempting to gain direct access, shift the attention to eavesdroppers. Corporate wireless networks commonly use WPA or WEP encryption to prevent war drivers from intercepting confidential network traffic. Public wireless networks generally do not employ such protections, and users are often left to defend themselves against eavesdroppers. One option that travelers have is to apply encryption to individual services (HTTPS, SMTP over SSL, etc.). However, this is cumbersome, and it's easy to miss one or more data paths. The simplest solution to the eavesdropping problem is to use a virtual private network (VPN) to securely tunnel all traffic -- even that destined for the Internet -- back to the safe environment of your corporate network.
Beware of the Thieves
Even if the public wireless networks and the systems themselves have been protected against hackers and eavesdroppers, don't forget about a more traditional risk: thieves. Thousands of laptops are lost or stolen in airports, parking lots, hotels and other locations each year, and we've all seen the headlines about the high-profile data losses that resulted. Recent incidents made headlines for Aetna, MCI, Boeing and the U.S Department of Veterans Affairs, among others. The easy fix? Encrypt all of the laptops used by your organization. This won't prevent a thief from stealing the device, but it will ensure that all they get is a couple thousand dollars' worth of hardware, rather than millions of dollars' worth of data. The proliferation of mobile computing, the widespread distribution of data throughout all levels of organizations and the growing risk of public wireless networks should give us all pause. However, there is no need to avoid mobile computing completely. With the help of a few preventative controls, mobile computing can be safe and productive for businesses.
About the Author
Mike Chapple, CISA, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. Visit Mike Chapple's website to learn more.