Wireless Insecurity
In the third of a new weekly series for Cambridge Network members, IT governance expert Alan Calder explains the ABCs of business security and compliance. This week he looks at Wireless Networking on the Road.
The Threat
Wireless networking is the fastest growing, most flexible, most user-orientated technology of the last few years. And a wireless-enabled laptop is, out of the box, one of the least secure business tools you could ever hope to have. Log on to a wireless HotSpot (in a coffee shop, hotel, airport or client’s offices) and you’re immediately exposed to:
· The ‘evil twin’ – the HotSpot that’s really a wireless criminal who’s intercepting your transmissions;
· Interception of your e-mails and other confidential (financial) data;
· Theft of confidential corporate information or legally protected personal data (including personal passwords and account numbers); and
· Hackers, to whom your corporate network is immediately vulnerable and exposed.
How does this happen?
Wireless devices ship with NO security settings enabled, in order to make deployment as speedy and as easy as possible. This means that both wireless laptops and Access Points (APs) tend to have little or no security; hackers know exactly how to get into an AP and, from there, get onto the laptops of everyone who is accessing the Internet through that AP. That means that they can access all the files and folders, read all the incoming and outgoing e-mail traffic, and track what you’re doing on websites. You’ll never know they were there – until it’s far too late. And the fact that you’re paying for use of the AP doesn’t make it any more secure.
What effects does it have?
Unsecured wireless laptops allow viruses, worms, Trojans and other malware onto corporate networks. Confidential corporate information can be copied, changed or destroyed and data (customer lists, staff lists, etc) that is subject to data protection, human rights and privacy legislation can be stolen. Identity theft is also easy if a villain can access all the sensitive personal data in your laptop folders. Worst of all, a hacker can use your unsecured machine to penetrate the corporate perimeter and do all the damage he desires.
What do we do about it?
Wireless is too useful to even consider trying to do without it. Even if you change the default settings on your laptops to the reasonably secure WPA (WiFi Protected Access, the most secure version of the 802.11b/g standard currently available), you still have to dumb down to the security settings of your chosen HotSpot. Firstly, corporations should set up VPN connections for their road warriors: whenever they log on to the corporate network, it should be over a secure VPN. These are straightforward, but do have to be configured by the corporate sysadmin team. Then you have to do the basics: install a laptop-level firewall and anti-malware software, and encrypt any e-mail (through the options button in Outlook, if that’s the corporate default). Turn off file and printer sharing, and ensure that all confidential folders are protected by strong passwords.
What else?
You can’t really tackle WiFi on a person-by-person basis. It’s far too important for that. What you need is a structured combination of technology, policy and training that deals effectively with all the issues. Policy guidelines should be written into every user agreement. User training and awareness are clearly essential.
Next week: PDA Hell
Alan Calder’s company provides businesses with consultancy support and advice on governance and business security. Visit www.itgovernance.co.uk/page.service, e-mail alan@itgovernance.co.uk or telephone +44 845 070 1750.