Smartphones and tablets now account for about 25% of devices used for work in the US. Wireless, mobility and BYOD are all part of an unstoppable wave, based on widespread consumer and remote worker usage. With the new faster wireless standard, 802.11ac, due to be ratified this year, and with 4G continuing to grow, demand for fast wireless in the workplace will increase inexorably.
While this creates multiple opportunities, it also creates a great many challenges. If, for example, your existing wireless network is insecure, building on that base of sand is always going to fail.
Historically, for many organisations, both large and small, wireless was a tactical solution to a user-driven demand for laptop (and subsequently smartphone and tablet) mobility in the office. As demand and users have increased, organisations have typically added more access points. Today, access points are a significant element of user LANs. While they may not carry the highest amount of traffic, they typically will carry a disproportionate percentage of business confidential information.
The problem that this creates, particularly for smaller organisations, is that access points sitting inside the network, and connecting to it, are often perceived as being covered by many of the existing gateway security solutions. This can mean they are connected directly to the trusted network (internal LAN). Where this happens, it raises major security risks. There are also risks, even where wireless connectivity is managed through a separate virtual LAN (VLAN).
Wireless has crept up on many organisations. From a situation where it was provided as an additional service for certain specified staff and as a guest service to provide internet access for visitors (and staff), it has gradually increased in importance. Today, with the upcoming multi Gbps 802.11ac wireless standard, we can now foresee a fundamental shift from wired to wireless networks.
The main problem with this is that the risk assessment and security deployed around wireless haven’t kept up with the pace of change. While many of the actual threats of wireless use haven’t changed, the increasing pace of deployment has significantly increased the risks to organisations.
Companies are often unaware of the risks because they have multi-layered perimeter security in place and don’t realise that wireless access has subverted that security. In addition, a misplaced ‘shoal mentality’ still blinds users to the risks. They realise there are lots of hackers out there, but simply think that there are so many targets, it’s unlikely they will be the one who is attacked.
Misconfiguration – Every time a new access point is added, there is the risk it may be misconfigured. If that happens, the rules that were put in place to protect the network won’t be consistently applied
Man in the middle attack – This type of attack is where someone presents an SSID (network address) that pretends to be something it isn’t, e.g. your company wireless name. The attackers intercept the name and password of users who are logging in, and pass them through, so it isn’t obvious what they have done. By the way, this is the risk that everyone who logs in at internet cafes, hotel lobbies, etc. takes.
Connection by unauthorised users – Unauthorised users may connect to the network. It may be disgruntled ex-employees, it may be through identity theft or through ‘man-in-the-middle attacks’. Most organisations are vulnerable because most organisations have something valuable on the network, such as credit card data, online banking information, confidential payroll details, or information helpful to a competitor.
Insertion of malicious code or theft of code via a wireless connection – Access directly onto the trusted network creates a vulnerability for data stealing programs, as well as for data destruction programs – particularly by disgruntled individuals and ex staff.
Data-stealing apps on mobile devices – While Apple isn’t immune, the problem of malicious apps is particularly pernicious on Android devices.
Rogue access points – Well-meaning employees (and sometimes less well-meaning) can put up additional wireless access points to provide wider coverage, without management permission or awareness, creating security risks.
The TKMaxx fraud – And, of course, there is the never to be forgotten TKMaxx credit card fraud, where hackers accessed data on 45 million payment cards, through an unsecured wireless LAN.
With wireless and mobility becoming ever more ubiquitous, now is a good time to review the risks, security policies and protection that are in place. Most companies have policies for wireless and mobility that are out-of-date. Since it is the statement of and management of policies that drives employee behaviour, out-of-date and unsupervised policies will almost certainly lead to incorrect employee behaviour, when it comes to mobile security.
Reviewing policies, perhaps doing that with some power users who understand what’s happening with technology and apps, not only gives a clear message to the business that you are serious about mobile security, but can often be a very interesting and enlightening experience. It is also important for users to be aware that wireless security is not only considered essential, but will also be managed and reported on.
The wireless risk profile changes as usage increases and more users are enabled. Many of the threats have changed and migrated down from enterprises to smaller businesses.
However, many organisations have not reviewed their wireless and mobility risks in line with increasing wireless use. They are often rolling out increased access and access points without considering the security implications. For those with PCI or data security considerations, a security review is essential.
There are a whole range of things that organisations can do to secure their devices, and mobile networks – too many, in fact, for the scope of this feature. Everything starts with reviewing policies and appreciating some of the risks. At a practical level, there are some quick wins:
- Use your laptop, tablet or phone to scan for network connections and make sure that that all network addresses under your company name are yours. As additional security consider changing the SSID (Network ID) to something other than your company name.
- Make sure all connections are over a secure VPN
- Ensure that all connected devices have at least anti-virus security, including all tablets and smartphones. Suppliers such as Kaspersky and McAfee have solutions in this area.
- Use two-factor authentication to protect against ID theft. VASCO and SafeNet are just two of a number of solution suppliers in this area, many of which can use a mobile phone as the token.
- As an absolute minimum, require all users to have a PIN on their devices.
Much of the risk with wireless is around having unregulated (unsecured) devices inside the security perimeter, causing a breach of firewall/UTM (unified threat management) gateway protection.
One solution is to use a firewall/UTM which can integrate with wireless access points, creating multiple security benefits. Some, for example, are multi-function firewall appliances, which typically include a firewall, intrusion prevention, application control, web and spam blocking, spyware blocking, anti-virus, VPN and encryption. They allow for firewall/UTM and access point integration.
Firewall/UTM and access point integration means that:
- Firewall policies are also applied directly to and through all access point traffic, so you have one policy applied on the wired and wireless network
- One management console can be used for managing and reporting on access point traffic, as well as gateway traffic
- All wireless users can be required to use an encrypted VPN connection.
The continuing shift to wireless, and the increased need to secure against data leakage (DLP), is a trend that will accelerate. One of the quickest ways to improve security is by the direct integration of access points into perimeter firewall defences. However, this is an area where threats continue to change and therefore risks continually alter. Some of the above suggestions will give some quick wins, but a security review in conjunction with your IT supplier is essential, particularly as the threats created by mobile devices are significantly broader than just the wireless issues.