IT-related security is the one area where we are never, ever "done." Sure, you can plan a new network, source the equipment, do the pilot, install everything, get it configured just so, and get your ongoing management act together, but with respect to security, you're likely to be rethinking your solution continually. The research I've been doing lately with both IT managers and equipment suppliers bears this out - eternal vigilance is the price of being able to sleep at night.
There are many forms of security, but let's start with the one that's continuing to make the headlines. As I write this, there's word of yet another loss, this time of more than 1,000 computers at the U.S. Commerce Department. We are told that the files that might contain sensitive information were protected by passwords, as if that's going to stop a dedicated information thief from gaining access to your Social Security number.
The really astonishing fact in this case is that the IT managers involved don't seem to know exactly what data was on the missing/stolen/whatever notebooks. I'm beginning to think that being stupid with respect to other people's information should indeed be a crime. Let's send these bozos to the big house, and there educate them on both common sense and how to secure mobile information.
Are hotspots secure?
Speaking of that, at least with respect to the information that you manage, a question was posed to me a few months back: How secure are public-access wireless LANs? Many people now use hot-spot and hospitality-based WLAN services, such as those in hotels and coffee shops, on a regular basis and without much thought. The convenience of these is undeniable, and I'm on record as saying that the global deployment of metro-scale Wi-Fi services is all but assured. And this, of course, raises the question: What should we be doing to remain secure when using these networks?
To find out, my colleague Lisa Phifer of Core Competence and I devised a series of exercises that we implemented on a number of road trips in Washington, Philadelphia and New York. We wanted to know if information stored on computers connecting to public-access Wi-Fi networks is vulnerable to eavesdropping, both over the air and over the Internet, and under a variety of circumstances.
We went to 24 hotels in those three cities and set up a small test configuration on their networks. We did not, I must stress, do any "hacking." It was not our goal to be malicious, attempt to obtain data from computers that were not ours, or to be arrested. We worked only with our equipment and, otherwise, I don't think anyone even knew we were there.
What we found was a high degree of variability in the quality of security implementations on these systems. Only one in four of the hotels tested blocked eavesdropping and unauthorised access. All of the top-performing locations were operated by iBahn or T-Mobile. Those sites at the other end of the spectrum left users largely on their own, with significant vulnerabilities noted from potential threats located even on wired networks.
This is key - a workable mobile security strategy isn't just about wireless security, but rather making sure that the resources on one's notebook are secure regardless of the access or connectivity used. Assuming a public-access network is just like an enterprise LAN just because they both do pretty much the same things can be a critical error in judgment and operations.
Why no WPA security?
I'm personally surprised that more Wi-Fi services aren't using WPA security. This is quick, easy, built-in, and would also assist in countering the "evil twin" problem, where a hacker impersonates a wireless network's SSID (service set identifier). Of course, the only really good solution to the mobile security problem is for users to take control of the situation.
Some of the suggestions we make in this area are obvious: turn off file and printer sharing, use a good firewall (unfortunately still a third-party or add-on requirement on Windows XP), encrypt files (this is very, very important!), use VPN-based access to remote networks, and consider some form of intrusion detection and prevention agent on your mobile computer. Picking a network that's more secure is also a good idea, and ditto for developing policies for wireless remote access.
There's so much to consider here that Lisa and I published the results in a joint Core Competence/Farpoint Group Technical Note. And, like I said above, with respect to security, you're never done, so expect more on this subject from me in the future.
Craig J. Mathias is a principal with Farpoint Group, an advisory firm specialising in wireless networking and mobile computing.