Securing the Mobile Real-Time Enterprise

By | December 7, 2004

Mobile technologies have ushered in sweeping productivity gains at enterprises across the globe. In many cases, they have been central to the creation of the so-called “real-time enterprise.”

These same technologies, however, have also increased enterprises’ exposure to security risks that are frequently underestimated or misunderstood. How significant is the problem? According to the U.S. Census Bureau, within three years, 40 per cent of all workers will perform a significant part of their job outside of the office.

Research firm IDC shows a similar trend and estimates that two-thirds of the U.S. workforce will be considered mobile by 2006. For today’s mobilized, real-time enterprise, it’s time to get to work to secure all laptops, handhelds, and wireless devices.

Locking down laptops

According to the latest edition of the Symantec Internet Security Threat Report, more complex worms and viruses — known in the security industry as “blended threats” — are becoming the attack of choice among Internet vandals. Such threats are more sophisticated and often exploit several different flaws to increase the chance of infecting a computer system. The number of attacks that could be classified as a blended threat in the first half of 2003 was 20 percent higher than in the previous six months, according to the report.

That’s especially disturbing news for employees and partners that regularly travel outside the perimeter firewall and connect to the network. Why? Because blended threats such as Nimda, Code Red, and Slammer specifically target laptops outside the firewall in order to gain unauthorized enterprise network access during an Internet connection. (Laptop users can also become unwitting victims of Distributed Denial of Service, or DDoS, attacks.)

Relying on antivirus software alone to protect client devices is no longer sufficient. Similarly, relying on one firewall at the perimeter is no longer sufficient to keep the client devices protected. Because clients exist both inside and outside of the enterprise firewall, they are as vulnerable as any other part of the network and require specific protection.

An effective client security solution must go beyond antivirus to include firewall, encryption, privacy control capabilities and intrusion detection. The smaller the client device, the more likely that device will be lost or stolen. This increases the need to have sensitive information encrypted, and ideally the ability to “wipe-out” that sensitive data if the device is no longer in the owner’s possession. To protect against incoming threats, a client security solution must include the ability to examine the packets of data entering a computer in order to identify and stop attacks. The client firewall technology needs to communicate with the antivirus software to scan files and applications as it encounters incoming and outgoing traffic. If a virus is found, the antivirus technology should communicate with the firewall to increase the protection level and block the file from entering or exiting the client.

Only by integrating antivirus, firewall, and intrusion detection technologies can enterprises properly reduce the risks posed by laptop-enabled remote users.

Getting a handle on handhelds

According to Gartner Inc., more than 20 million handheld computers (or PDAs) have been sold during the past five years. Many of these devices are used to connect with enterprise systems both inside and outside the office and for personal activities such as surfing the Internet and connecting with other compatible devices. Industry experts estimate that virus protection is installed on only 1 percent of these devices, meaning that the remaining 99 percent are unprotected.

Unmanaged, personally owned handheld devices used as corporate tools pose an obvious security challenge. Their very ubiquity makes them an increasingly attractive target for attack. But as Gartner has also observed, an enterprise that doesn’t manage a device can’t know what that device is doing. Therefore it is essential that enterprises identify all client devices and protect them against theft, loss, viruses, worms, and other malicious code.

In many cases client devices have no protection, and antivirus should be an initial step in protecting those devices – along with encryption. The antivirus software that is chosen should:

  • Provide real-time and on-demand scanning
  • Enable users with a wireless Internet connection to download virus definitions and product updates directly to their device via the Web
  • Have a small footprint that fits in resource-constrained handheld devices and be easy to install
  • Run real-time scans continuously and unobtrusively in the background
  • Scan for viruses when files are downloaded and when email attachments are received
  • Run when a malicious program tries to execute
  • Run automatic scans after PC-handheld synchronizations as well as after expansion cards are inserted into the handheld device
  • Run on-demand scans at the user’s discretion

The software should also help ensure that users have up-to-date protection against new threats. It should automatically download virus definition updates to the desktop and then transfer the updates to the handheld during the next synchronization. Logs should keep users updated on the status of their protection and on their antivirus product configuration.

Deploying a secure wireless LAN

The boom in wireless networking comes as no surprise to today’s enterprises. That’s because the productivity increases that wireless technologies enable are hard to ignore. In one recent study, Gartner found that employees with notebook PCs see anywhere from one-half to three hours of increased productivity per week compared to their desktop counterparts. When wireless connectivity is added to those notebooks, the figure increases to as much as 11 hours of additional productivity each week.

But wireless networking comes with some significant drawbacks, and security is perhaps foremost among them. Various research has shown that security is one of the top three concerns of IT managers regarding wireless networking and mobile computing — and frequently it’s number one.

The most common security concerns about wireless include:

  • Interception of a wireless transmission as it travels through the air
  • Loss of a mobile computing device, with the data on the device being compromised
  • “Trusted relationships” when wireless devices are considered for use in commerce (i.e., entering orders or making purchases)

Many CSOs (Chief Security Officers) that I have spoken with indicate that they view wireless as an extension of their enterprise and that wireless devices should fall under the same security policies. However, the implementation and procedures need to be modified. To address those concerns, companies need to outline very specific procedures for the use of wireless devices, including what the devices can and cannot be used for, what can and cannot be stored on them, and what security technology should be on the devices to protect data from being compromised if it is stolen.

Defining procedures and standards for wireless is paramount. For example, whenever a wireless LAN is enabled, VPN (virtual private network) technology must be implemented, and notebooks with wireless capabilities need to have antivirus and firewall protection installed and up-to-date.

But security doesn’t end there. A wireless network can broadcast far outside a building, allowing anyone sitting (or even driving) by an installation to eavesdrop on data. All it takes is a powerful antenna and some widely available hacking software. For that reason, companies going wireless should follow these additional precautions to keep their information locked up tight:

Enable WPA encryption. WEP (Wired Equivalent Privacy) encrypts wireless data streams between clients and servers, helping prevent unauthorized users from reading traffic while it’s in transit. The bad news: WEP doesn’t offer end-to-end security and can be broken easily. The good news: a new, and much stronger, security enhancement called WPA (Wi-Fi Protected Access) is now available. The Wi-Fi Alliance began certifying products for WPA interoperability in April. In addition, all new products submitted for certification after August must have WPA capability. (Note: If you already own wireless networking hardware, upgrading may not be possible. Check the Web sites of your hardware makers for WPA upgrades.)

Control the broadcast area and lock each access point. Many wireless access points let you adjust the signal strength. Place your access points as far away as possible from exterior walls and windows. Test the signal strength so you can barely get a connection at these locations. Next, make sure to change the default password on all access points. Use a strong password to protect each access point.

Use SSID (Service Set Identifier) intelligently. Buy access points that let you disable SSID broadcasting. This prevents access points from broadcasting the network name and associating with clients that aren’t configured with your SSID.

Use MAC (Media Access Control) address authentication. If you have a manageable number of wireless users (fewer than 50) and just a few access points, MAC addressing lets you restrict connections to your access points by specifying the unique hardware address of each authorized device in an access control list, so that only those specific devices are allowed to connect to your wireless network.

Secure the wireless LAN with IPsec VPN technology or clientless VPN technology. This is the most secure way to provide user authentication, data integrity, and data confidentiality services on a WLAN. Additionally, VPN technology is not dependent upon the access point or the wireless LAN card; therefore, additional hardware costs are not incurred as wireless security standards continue to evolve.
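
The precautions above can be checked mechanically against an access-point inventory. The following is an added example, not code from the original article; the record fields, the default-password list and the 12-character minimum are assumptions, and the sample inventory is constructed.

```python
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
DEFAULT_PASSWORDS = {"", "admin", "password", "default"}  # assumed vendor defaults
MIN_PASSWORD_LEN = 12     # assumed threshold for a "strong" password
MAC_ACL_USER_LIMIT = 50   # article: MAC lists suit fewer than 50 wireless users

# Constructed sample inventory (hypothetical schema and values).
SAMPLE_INVENTORY = [
    {"name": "ap-lobby", "encryption": "WEP", "admin_password": "admin",
     "ssid_broadcast": True, "mac_acl": [], "vpn_required": False},
    {"name": "ap-floor2", "encryption": "WPA", "admin_password": "x9!Lr#2vQm7t",
     "ssid_broadcast": False, "vpn_required": True,
     "mac_acl": ["00:11:22:33:44:55", "00:11:22:33:44"]},  # second entry is truncated
]

def audit_access_point(ap, wireless_users):
    """Return the list of precautions this access-point record fails."""
    findings = []
    enc = str(ap.get("encryption", "none")).upper()
    if enc != "WPA":
        findings.append(f"encryption is {enc}; enable WPA")
    pw = ap.get("admin_password", "")
    if pw.lower() in DEFAULT_PASSWORDS:
        findings.append("admin password is still a default")
    elif len(pw) < MIN_PASSWORD_LEN:
        findings.append("admin password is shorter than the assumed minimum")
    if ap.get("ssid_broadcast", True):  # a missing setting is treated as enabled
        findings.append("SSID broadcast is enabled")
    acl = ap.get("mac_acl", [])
    if not acl and wireless_users < MAC_ACL_USER_LIMIT:
        findings.append("no MAC access control list")
    bad = [m for m in acl if not MAC_RE.match(m)]
    if bad:  # a malformed entry never matches a device, so flag it for cleanup
        findings.append(f"malformed MAC ACL entries: {bad}")
    if not ap.get("vpn_required", False):
        findings.append("WLAN clients are not required to use a VPN")
    return findings

def audit_inventory(aps, wireless_users):
    """Map each access-point name to its findings."""
    return {ap["name"]: audit_access_point(ap, wireless_users) for ap in aps}

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, 20).items():
        print(name, "OK" if not findings else findings)
```
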

Conclusion

Real-time enterprises know there’s no turning back the clock on mobile computing. It has had too profound an impact on business processes. Plus, the hard numbers argue persuasively in its favor, both in terms of productivity gains and ROI (Return on Investment). But enterprises also are learning that the risks accompanying the deployment of laptops, handheld devices, and wireless networks must be identified and managed. By applying proper security precautions at the outset, enterprises are more likely to derive lasting value from these enabling technologies.
