Too many of us have witnessed or unluckily experienced first-hand the panic of losing a mobile device, typically through theft or distraction. The personal inconvenience of a taxi driving off with your BlackBerry or a commuter train pulling out of the station with your laptop is obvious and certainly warrants that sinking feeling of loss. What may be less top of mind at that moment is the immediate exposure of company information and your firm’s possible vulnerability to unauthorized access by the new handler of that mobile device.
Besides loss, there are many other threats to data on mobile devices. “When you send a defective PDA to the manufacturer for tech support, they usually give you a new one and then resell the old one,” says John Girard, vice-president and research director at Gartner Inc. “Buying dead machines is an ideal method of pursuing identity theft.”

Wireless eavesdropping is another concern. How wise is it for your staff to plug into a conference centre’s high-speed network to e-mail a colleague the action plan from a corporate strategic meeting? Or even check e-mail at an airport wireless hotspot? Gartner estimates that 90 per cent of mobile devices lack the protection necessary to ward off hackers. “Most devices have IrDA (Infrared Data Association), Bluetooth, and wireless connections, and many of them aren’t set up properly,” says Girard. “You can just walk around with a connected device of your own and see what you can find.”
As well as the device itself having sensitive data stored on it — such as passwords, account names, personal data and even customer information — there’s the concern about a hacker intercepting messages being transmitted or received. There’s also the risk of deliberate data theft or malware infections by disloyal employees. Here are five suggestions to stop data leaking out of your enterprise through mobile devices.
1. Control access points
Detecting and controlling access points is critical to maintaining the security and viability of your LAN or WAN. Rogue access points — so-called because the IT department is unaware of them — are vulnerable to eavesdropping. With the right antennae, some of the radio frequency (RF) signal may actually be picked up or intercepted even several miles away.
The concern is that uncontrolled access points provide an entryway into the network to plant zombies, worms, Trojans and other malware, manipulate parts of the network and use it as a jumping-off point for attacking other networks.
Creating an access point is typically as easy as plugging in a device — which is becoming more common as the cost of the devices continues to fall. That lower cost means many individuals do not need authorization to buy a handheld or add a network interface card (NIC) to a laptop purchase. When such a device is used to access the corporate network, the investment the company has made in firewalls, VPNs and so on is rendered meaningless.
The best advice seems to be:
• treat all devices as remote access to your network and put them outside the firewall with additional authentication methods. In addition to getting onto the wireless network, they then have to authenticate into your network or intranet.
• even if you have a policy against deploying any wireless devices, run regular audits of the RF spectrum to make sure that nobody has created a rogue access point on their own.
Here’s an example of a company where PDAs of any type were not formally supported because of their potential for compromising network security and exposing intellectual property in the event that they are lost or stolen. In a CIO Canada: Frankly Speaking Breakfast Series presentation, Brad Boston, senior vice-president and CIO of Cisco Systems, reported that a tool from Altiris Inc. of Lindon, Utah, was used to inventory Cisco software, laptops and all PCs, and to push updates. The inventory revealed that in spite of the non-support, a remarkable 11,000 Cisco employees had bought either a Palm or Windows-based PDA!
The company responded by pushing out to all PCs on the network a new silent client that basically said ‘if you want to play, you have to play by our rules and we have a way to enforce that.’ The tool sits quietly until an employee tries to install any of the software associated with one of these devices. Then it will instruct the user to register the device at a specific Web site. When registering it, Cisco activates certain features of the device, downloads some basic security items and sets up the mobile mail the way the company wants it to be. An employee not complying is quarantined with the Cisco Network Admission Control. Cisco tracks the device and refreshes the configuration the next time the employee docks it. If the battery runs out, Cisco will track the asset, track the configuration and test to see if it needs to be updated. Also, if it is lost, Cisco can radio the device and basically clean it to ensure no proprietary data gets exposed.
Wireless devices are “the easiest way for stuff to walk out of the company other than the old memory stick that you plug into the PC,” Boston stressed.
2. Establish and enforce policies
Mobility strategies are a hit-and-miss affair, with most organizations practicing mobility but without policies to govern the use of a multitude of different devices, an exclusive Computerworld Australia poll has revealed. Only one in five organizations surveyed had introduced usage policies, which means users in many companies can literally walk out the door with the company’s crown jewels.
“It becomes a support nightmare if you let all different personal devices come in,” revealed one poll participant whose company covered mobile phones but not BlackBerry devices.

IT director David Leong at Australian law firm Arnold Bloch Leibler has had a central policy on remote access and securing data since mobile devices were adopted to increase staff productivity and improve customer service. His strategy is to have central control of the device so that the information can be deleted remotely if it is lost. E-mail replication has been replaced with a Citrix environment so employees are no longer downloading information to public access points. “Also, we use multifactor authentication, so if a notebook is lost you would need a token and password to access corporate systems,” Leong reported. “And we can kill a token.”
Create a policy and make people aware of it. Ensure staff understand that wireless devices and access points installed in their homes and businesses provide ready access to anybody who comes along.
3. Use encryption and end user device validation
For several years, enterprises have been rightfully concerned about user authentication to secure the first line of defence against unauthorized wireless access. Because the signal is transmitted over radio waves and others can listen in to any transmissions, the authentication mechanisms are also visible.
The original IEEE 802.11 wireless standard included an encryption method called WEP (Wired Equivalent Privacy) that used static encryption keys and a weak encryption method; it has since been replaced by the improved 802.11i standard. Since the standard’s release in summer 2004, most new wireless network and client hardware has come with it. And most other wireless hardware released since 2003 can be upgraded to support it, often with free firmware downloads.
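The RF audit recommended under suggestion 1 and the WEP weakness described here can be combined into one simple check, shown below as an added illustration that is not from the article or any product it names: a survey pass is compared against the IT department’s register of authorized access points, and the audit flags unregistered radios (most urgently any advertising a corporate SSID) as well as sanctioned APs still running WEP or no encryption. The inventory, the survey records and every BSSID and SSID in them are constructed sample data; a real audit would feed in the output of a site-survey tool or wireless IDS.

```python
from collections import namedtuple

# Authorized inventory, BSSID -> (SSID, security). Constructed sample data;
# in practice this is the IT department's register of sanctioned APs.
AUTHORIZED = {
    "00:11:22:33:44:01": ("CORP-WLAN", "WPA2"),
    "00:11:22:33:44:02": ("CORP-WLAN", "WPA2"),
    "00:11:22:33:44:03": ("CORP-GUEST", "WEP"),  # legacy AP never upgraded
}

# One RF survey pass, as a site-survey tool might report it. Constructed.
SURVEY = [
    {"bssid": "00:11:22:33:44:01", "ssid": "CORP-WLAN", "security": "WPA2", "dbm": -48},
    {"bssid": "00:11:22:33:44:03", "ssid": "CORP-GUEST", "security": "WEP", "dbm": -61},
    {"bssid": "AA:BB:CC:DD:EE:01", "ssid": "CORP-WLAN", "security": "OPEN", "dbm": -40},
    {"bssid": "aa:bb:cc:dd:ee:02", "ssid": "linksys", "security": "WPA2", "dbm": -72},
    {"bssid": "aa:bb:cc:dd:ee:03", "ssid": "cafe-wifi", "security": "WPA2", "dbm": -89},
]

WEAK = {"OPEN", "WEP"}  # no encryption, or the static-key WEP the article describes
Finding = namedtuple("Finding", "bssid ssid severity reason")


def audit(survey, authorized, floor_dbm=-85):
    """Return findings for one survey pass. Signals below floor_dbm are
    treated as neighbours' networks rather than on-premises and skipped."""
    known_ssids = {ssid for ssid, _ in authorized.values()}
    findings, seen = [], set()
    for ap in survey:
        bssid = ap["bssid"].lower()  # normalise case before lookup
        seen.add(bssid)
        if bssid in authorized:
            if ap["security"] in WEAK:  # known AP, but still open or on WEP
                findings.append(Finding(bssid, ap["ssid"], "high",
                                        f"authorized AP using {ap['security']}; move to 802.11i"))
            continue
        if ap["dbm"] < floor_dbm:
            continue
        if ap["ssid"] in known_ssids:  # unregistered radio advertising our SSID
            findings.append(Finding(bssid, ap["ssid"], "critical",
                                    "unregistered AP broadcasting a corporate SSID"))
        else:
            findings.append(Finding(bssid, ap["ssid"], "high",
                                    "unregistered AP in range: possible rogue"))
    for bssid, (ssid, _) in authorized.items():
        if bssid not in seen:  # down, moved, or swapped for something else
            findings.append(Finding(bssid, ssid, "info", "authorized AP not seen in survey"))
    return findings
```

Running `audit(SURVEY, AUTHORIZED)` on the sample data yields four findings: the legacy WEP guest AP, the open radio impersonating CORP-WLAN, the unknown "linksys" AP, and the sanctioned AP that did not show up; the weak cafe signal is ignored.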
Second-generation devices basically have added all of the feature