Securing the Perimeter from Threats to Mobile Devices
By Renee Oricchio
Many small and mid-size businesses have come to rely on laptops, PDAs, and e-mail-enabled cell phones for staff to do their jobs -- from wherever they are. But this increased mobility has become a bonanza for potential cyber attackers.
BlackBerrys, Sidekicks, cell phones, Palm Treos and now, of course, the iPhone: there are countless mobile devices out there that are relatively cheap and available to employees for logging into work.
And every one of those devices is potentially a new security hole in the company network.
It’s not just which devices employees use to access the network remotely. The applications they run on those devices are also a potential weak link in security. “By far e-mail is the most popular use of the mobile Web at 40 percent,” says Sonal Gandhi, an analyst from Jupiter Research. Gandhi says short message service (SMS), or text messaging, comes in second at 29 percent of mobile Web use. Another 20 percent is actual Web surfing from mobile devices. Each application is a distinct pathway into the network, with its own challenges for the IT department to keep safe.
While staffers may not be accessing the company network directly through text messaging or e-mail, if they use the same device to do both, then all it takes is an infected text message to infect the network once the user logs in. Text messaging is getting even riskier with the increasing popularity of multimedia messaging (MMS), or text messaging with multimedia attachments such as pictures.
Wireless network is the greatest vulnerability
Until recent years, the company network was literally a network of in-house computers and servers linked together by wires and then wired out to the Internet. With the advent of cheap, convenient wireless access, companies are casting a much wider net -- one that is virtual and porous.
Beyond the myriad ways users are getting in, it’s the wireless network itself that is perhaps the greatest vulnerability. “There’s a greater risk someone’s going to figure out how to exploit it, because with wireless you’re broadcasting your network,” says Scott Ellis, a computer forensics specialist with RGL Forensic Accountants & Consultants based in Chicago, Ill.
Ellis says setting up a wireless network with off-the-shelf solutions is relatively easy. It's securing it that is difficult. He offers the following tips to batten down the hatches, as you install and maintain your wireless gear:
Change the default passwords that come from the factory. Ellis says you’d be surprised how many companies never think to do this. Those default passwords are typically the same in every unit sold and a good hacker knows them.
Choose a “strong key” that has a minimum of 12 characters. The strong key is truly the key to the kingdom; it’s the password for the entire network. Not only should it be at least 12 characters, it should be a random mix of letters and numbers. “War drivers” -- hackers who literally drive around business neighborhoods to get in physical range of the network -- often use scanners that speed through thousands of combinations. Twelve random characters add up to more than 100 billion possible combinations. That’s a lot of scanning.
Get rid of wireless “b.” 802.11 is the industry standard in Wi-Fi protocols. It’s gone through a number of generations. There’s 802.11b (wireless “b”), 802.11g, and now 802.11n. Wireless “n” is available and much faster; however, it has not yet been ratified as a standard and probably won’t be until 2008. Wireless “b” is older, slower, and less secure. Ellis recommends taking an inventory of your wireless gear and upgrading to wireless “g,” which is far more secure.
Keep your firmware updated. Firmware is the software that runs the hardware (that is, your wireless appliances). If you don’t keep up with upgrades and patches, you’re asking for trouble.
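The four tips above, turned into a check, as an added example that is not part of the original article: a short Python audit of a wireless-gear inventory, plus a generator for a random 12-character letters-and-numbers key. The inventory fields, the default-password list and the firmware versions are constructed placeholders, not values from any real product.

```python
import secrets
import string

# Constructed placeholders: none of these values come from a real product.
FACTORY_DEFAULTS = {"", "admin", "password", "1234"}
KEY_ALPHABET = string.ascii_letters + string.digits
MIN_KEY_LENGTH = 12

def has_mix(key):
    """True when the key contains both letters and digits."""
    return any(c.isalpha() for c in key) and any(c.isdigit() for c in key)

def generate_key(length=MIN_KEY_LENGTH):
    """Random letters-and-digits key from the OS CSPRNG (the 'strong key' tip)."""
    if length < MIN_KEY_LENGTH:
        raise ValueError("key must be at least 12 characters")
    while True:  # redraw a key that came out all letters or all digits
        key = "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))
        if has_mix(key):
            return key

def version(text):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def audit(device):
    """Return the checklist findings for one inventory record."""
    findings = []
    if device["admin_password"].lower() in FACTORY_DEFAULTS:
        findings.append("factory default admin password")
    key = device["network_key"]
    if len(key) < MIN_KEY_LENGTH or not has_mix(key):
        findings.append("weak network key")
    if "b" in device["standards"]:
        findings.append("802.11b enabled")
    if version(device["firmware"]) < version(device["latest_firmware"]):
        findings.append("firmware out of date")
    return findings

# Constructed inventory for illustration.
INVENTORY = [
    {"name": "lobby-ap", "admin_password": "admin", "network_key": "office2007",
     "standards": {"b", "g"}, "firmware": "1.4.2", "latest_firmware": "1.10.0"},
    {"name": "floor2-ap", "admin_password": "t7Qm2xV9rLp4",
     "network_key": generate_key(),
     "standards": {"g"}, "firmware": "2.1.0", "latest_firmware": "2.1.0"},
]

if __name__ == "__main__":
    for device in INVENTORY:
        print(device["name"], audit(device) or "ok")
```

The key check can only confirm length and character mix; it cannot tell whether a key was chosen at random, which is why the generator draws from the operating system's random source instead of relying on a person to invent one.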
As a final piece of advice, any small to mid-size business that offers wireless access and hasn’t already made the investment in a virtual private network (VPN) should do so. There are several different kinds of VPNs. A Secure Sockets Layer (SSL) VPN is likely the best bet for most businesses. It’s Web-based, and therefore requires no installation on the end user’s device. And in case any of those so-called “war drivers” pull into the company parking lot, it’s also encrypted, so there won’t be much to hear.