Security experts say that employees are increasingly exposing personal and professional information unknowingly as they log in at WiFi hot spots. Although these breaches haven't yet made big headlines, given corporate America's increasing reliance on smartphones, laptops and other portable devices, it's only a matter of time, experts say.
Ryan Crumb, director of information security for PricewaterhouseCoopers Advisory Services, has seen all sorts of information gleaned from hot spots - including Social Security numbers, corporate financial data and information about M&A deals - that was never meant for him to see. Sometimes Crumb deliberately looks to see what unprotected data is travelling over the network in public spaces.
"It's an inherent problem with being on a public space," he says.
Steps IT can take to protect data from hot-spot dangers
- Establish and enforce strong authentication policies for devices trying to access corporate networks.
- Require employees to use a corporate VPN (virtual private network) and encryption when making a connection and exchanging data; better still, set up employee computers so that devices automatically connect to the VPN and encrypt data after making sure the computer or device hasn't been lost or stolen.
- Make sure all devices and software applications are configured properly and have the latest patches.
- Ensure that corporate security policies prevent workers from transferring sensitive data to mobile devices or unauthorised computers.
- Use air cards, which require a service plan, instead of hot spots for wireless connections.
Crumb, who works with clients to find and fix security weaknesses, says it's not hard to find such data, as it's often heading in and out of hot spots via e-mail.
"Hot spots are great for the coffee shops, but people conducting business have to understand it's their responsibility to protect themselves. They might as well be putting it on a billboard and running down the street," says CISSP Marc Noble, director of government affairs at (ISC)2, a non-profit organisation that educates and certifies information security professionals.
Most employees 'uninformed'
While many techies are aware of the risks of these so-called black holes and what it takes to minimise them, security leaders say the average worker isn't as well informed, leaving valuable data vulnerable.
"It's a hard challenge to fix, because users want to be mobile. They want to use any device to get to their spreadsheets or their presentations at these hot spots," Crumb says. "But all it takes is one vulnerable laptop to tarnish a whole company. All it takes is one misconfigured machine."
Crumb, like others, says it's not any particular computing device that presents the problem. Rather, he says, it's a combination of factors that makes hot spots problematic for data protection.
One problem is the hot spot itself, and Crumb says it's not just the wireless ones but even wired Internet connections that can be danger zones.
"The danger is the public access point. The risk is being on someone's network that you don't control," he explains. "When you're on a public network, it's like being on the Internet without being protected. You don't know who your neighbour is."
Unencrypted information going over these public networks can be seen by those who know how to look, Crumb says. Moreover, he says, laptops, smartphones and PDAs can talk to one another at these hot spots, even when users aren't necessarily looking to do so.
"Anytime you share your network with someone else, your machines can share with each other, then you have this risk of being able to intercept anybody's information," Crumb says.
Man-in-the-middle attacks
Users are also vulnerable to man-in-the-middle attacks, says John Pescatore, an analyst at Gartner. In these attacks, the hacker deliberately mimics a legitimate connection to intercept information.
In any of those hot spots, "someone could be sitting next to you pretending to be the hot spot and trick you" into connecting to him, Pescatore says. It doesn't happen frequently, but it does happen, he says. The hacker can then use that connection to snoop around your computer and pull out not just data but your user ID and password to gain access to your company's systems.
"If he's smart enough to get a user ID and password, then that person is smart enough to know how to use it," adds Bob Batie, CISSP-ISSEP, senior principal information assurance engineer at Raytheon Co.
The potential problems presented by hot spots aren't new to corporate IT security teams. But Brad Johnson, vice president of SystemExperts, a network security consulting firm based in Sudbury, Mass., says the proliferation of hot spots has pushed the issue higher on the list of concerns that they have to address.
"The reality is that proliferation of hot spots has changed the landscape. They used to be relatively sparse. Now you can find hot spots anywhere," he says.
Corporate policies need to keep pace
Yet corporate policies and practices have often failed to keep up, Johnson says.
"They don't look at it as a hot-spot issue, but how are our employees supposed to handle our data when they're not on our corporate premises?" he explains. So while policies might prohibit corporate information being transferred to home computers, for example, there may not be enough protection to ensure that a worker doesn't email unencrypted sensitive data back to the home office from a hotel's hot spot.
Even if the connection is secure, email isn't always automatically encrypted, and mobile devices aren't automatically set to connect to the company's VPN when at hot spots, Johnson says. In addition, mobile devices' security options aren't always configured properly, further increasing their vulnerability.
But even though IT can identify these problems with workers using hot spots, that doesn't mean there's an easy fix, Johnson and others say.
"There is this unstoppable demand for people to work from their own laptops or their own smartphones. It's what we call the consumerisation of IT," Pescatore says. And that consumerisation makes it more difficult for IT to enforce corporate policies and configurations on these privately owned devices.
Cost also plays a role, Batie says. Always using a VPN provides protection, but not all companies are big enough to afford a VPN. And in this economic environment, companies aren't eager to add costs - even for security reasons - to already strained budgets, he says.
Human factors count, too
Eric J. Sinrod, a partner in the San Francisco office of law firm Duane Morris LLP who has followed this topic, says many companies need to do more to get ahead of the potential for problems at hot spots.
"There are some companies that are fairly enlightened and try to be ahead of the curve, and there are others that are not," he says. "And this [issue] is sort of a brand-new area that's opening up, and we're probably just at the beginning of a wave. I don't know if this issue has percolated up to the surface in a major way yet, but if we start hearing more and more about incidents, it will have to be addressed."
Batie doesn't discount human folly when it comes to security at hot spots either.
"I think people might mistakenly think their information isn't so important, and the security training they're getting isn't registering very well," he says.
That brings us back to the data that Crumb has spied via hot spots. He says users have to take greater ownership of the potential for problems when they use hot spots, but IT has to make it as easy as possible for them to do so.
Why it matters
Companies often don't realise what data has been compromised via hot spots until well after the fact, says Gartner analyst John Pescatore. But there's no question that the cost of such mistakes is significant. Consider some highlights from "Cost of a Data Breach," a 2009 study of breaches at 45 organisations that was released in January by non-profit Ponemon Institute and the study's sponsor, PGP.
According to the results, the average organisational cost of a data breach was $6.75 million in 2009, up from $6.65 million the prior year. And the cost of a data breach per compromised record was $204, up only slightly from $202 in 2008.
Some 42% of the cases included in the 2009 study involved third-party mistakes; 36% of all cases involved lost or stolen devices, including laptops, while 24% of the cases involved a malicious or criminal attack resulting in the loss or theft of data.
Organisations deployed a range of tools to prevent future breaches, with 67% using training and awareness programs, 58% using additional manual procedures and controls, and 58% expanding their use of encryption.
However, in a Ponemon study released in March based on responses from 975 U.S. IT and business managers, analysts and executives, only 21% of organisations had an encryption strategy applied consistently across their organisations; 74% had some type of encryption strategy.
"It doesn't have to do with the device or provider. The role of the provider is to provide unfettered access to the Internet. And with that unfettered access comes danger," Crumb says. "So the consumer should really treat a public access point as dirty."
What IT can do
Companies can counter the dangers of a dirty hot spot with strong authentication, an automatic connection to a VPN and automatic encryption, Crumb says. They also need to be vigilant on patch management for all devices used for work, and institute policies and procedures that guarantee IT keeps all workers' devices properly configured.
Another possibility: Air cards, which are "just direct broadband connections," consultant Johnson explains. In other words, an air card is a USB card that makes a connection to your carrier. "So they are an alternative to a hot spot because you can use your air card anyplace your carrier offers service." They are also called mobile broadband cards.
If you go this route, your carrier's coverage area is an important factor: it can be either an advantage or a disadvantage, depending on where you normally work and live. Over time, though, "this is becoming less of an issue as the carriers are converging/merging so there are a smaller set but larger coverage," Johnson says.
Most broadband carriers have fixed-price packages, so this is an added cost over what is generally free Wi-Fi. It may be worth it, though; as Johnson says, "I would say a broadband air card would be more secure than a hot spot because it's under your control and you make direct connections to the carrier instead of [going] through the hot spot infrastructure."
Another tack is that IT groups "can take the proactive stance that whenever these devices are plugged into the network, that every time there's a touch point within the corporate network, that they can check to make sure it's configured properly," Johnson says.
Setting end-user machines and devices to be scanned each time they connect to the corporate network does cause a delay for employees who are hoping to get right to work, Johnson acknowledges, but says it is a delay of only "seconds" and adds that this is part of the education IT must engage in with users. Still, he adds, "it's the price that a company is willing to pay - or have their employees pay - to ensure a safer networked environment."
The key to guaranteeing that hot spots won't suck away crucial data and lead to the kind of breach that makes the nightly news is to automate security measures as much as possible, Crumb adds.
"It's like the telephone; security should just happen," he says. "So the more things IT can do to make sure it just happens, you're going to be more successful in the end."
Mary K. Pratt is a Computerworld contributing writer.