By Warwick Ashford
Network security controls and practices are among the most mature, but can businesses be sure that some network traffic is not sneaking past traditional controls, especially with the recent proliferation of new mobile wireless and other IP-enabled devices?
With the rise of mobile enterprise applications and related trends such as the consumerisation of IT and bring-your-own-device (BYOD), an increasing number of enterprise employees are looking to access corporate networks through wi-fi hotspots, both internally and externally.
Whether or not these wi-fi hotspots increase the potential of data leakage depends mainly on an organisation’s strategy for network security.
If organisations continue to rely on network security as a key control in the protection of their data, wi-fi is a potential avenue for data leakage, according to Matthew Lord, chief information security officer at IT-enabled business services firm Steria UK.
“An attacker could just sit in an organisation’s car park and try to force their way into the network by trying a combination of user IDs and passwords until they gain access,” he said.
If enterprises want to use wi-fi hotspots safely, they must follow two data leakage prevention strategies: set them up as internet-only hotspots with no access to internal systems, and use a stronger form of authentication, such as client-side certificate authentication.
Internal wi-fi hotspots – where there are separate corporate and guest networks, and the corporate network has tight controls, including device authentication – are therefore generally not an issue for network traffic slipping past controls.
However, corporate users could be tempted to switch to the guest network where there are fewer or no controls, and that is where leakage could occur. Best practice would be to set up a guest network that requires temporary credentials to enable connections.
Public wi-fi hotspots, such as those commonly provided by coffee shops, are typically unencrypted, which means any wireless sniffer or rogue wireless access point can capture all the traffic because the data packets travel in the clear. Data leakage prevention therefore depends on how the mobile device accessing the network is protected and configured.
Best practice would be for public hotspots to move to WPA2 to encrypt each session, and for businesses to allow access to internal networks only through a virtual private network (VPN) client, so that all a traffic sniffer sees is a stream of encrypted packets. This also prevents the traffic redirection and man-in-the-middle attacks associated with web access over HTTPS.
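The guidance above (internet-only guest networks with temporary credentials, client-side certificates on the corporate network, per-session encryption, and VPN-only access to internal systems from public hotspots) can be turned into a simple audit. The following is an added example, not code from the article or from any of the firms quoted; the `WifiProfile` fields, the role vocabulary and the specific policy rules are assumptions made for illustration.

```python
# Added example (not from the article): audit wireless network profiles
# against the hotspot guidance in the text. The WifiProfile fields, the
# role names and the policy rules are assumptions made for illustration.
from __future__ import annotations
from dataclasses import dataclass

# Per-session encryption: a sniffer or rogue access point only sees ciphertext.
STRONG_ENCRYPTION = {"wpa2", "wpa3"}


@dataclass
class WifiProfile:
    ssid: str
    role: str              # "corporate", "guest" or "public" (assumed vocabulary)
    encryption: str        # "open", "wep", "wpa", "wpa2" or "wpa3"
    auth: str              # "none", "psk", "password", "temporary-credentials", "client-cert"
    internal_access: bool  # can clients on this network reach internal systems at all?
    vpn_required: bool     # is that internal access only through a VPN client?


def audit_profile(p: WifiProfile) -> list[str]:
    """Return the policy violations for one profile (empty list = compliant)."""
    findings: list[str] = []

    # Any network carrying business traffic should encrypt each session.
    if p.encryption not in STRONG_ENCRYPTION:
        findings.append(f"{p.ssid}: '{p.encryption}' does not encrypt sessions; "
                        "a wireless sniffer or rogue access point sees packets in the clear")

    if p.role == "corporate":
        # Tight controls including device authentication: client-side certificates,
        # so guessing a user ID and password from the car park is not enough.
        if p.auth != "client-cert":
            findings.append(f"{p.ssid}: corporate network authenticates with '{p.auth}'; "
                            "require client-side certificate authentication")
    elif p.role == "guest":
        # Guest network: internet-only hotspot that hands out temporary credentials.
        if p.internal_access:
            findings.append(f"{p.ssid}: guest network can reach internal systems; "
                            "set it up as an internet-only hotspot")
        if p.auth != "temporary-credentials":
            findings.append(f"{p.ssid}: guest network should require temporary credentials")
    elif p.role == "public":
        # Coffee-shop style hotspot: internal systems only through a VPN client.
        if p.internal_access and not p.vpn_required:
            findings.append(f"{p.ssid}: internal systems reachable from a public hotspot "
                            "without a VPN client")
    else:
        findings.append(f"{p.ssid}: unknown role '{p.role}'")

    return findings


def audit_profiles(profiles: list[WifiProfile]) -> dict[str, list[str]]:
    """Map each non-compliant SSID to its findings."""
    result: dict[str, list[str]] = {}
    for p in profiles:
        findings = audit_profile(p)
        if findings:
            result[p.ssid] = findings
    return result


# Constructed sample profiles for a fictional organisation.
SAMPLE_PROFILES = [
    WifiProfile("corp-secure", "corporate", "wpa2", "client-cert", True, False),
    WifiProfile("corp-legacy", "corporate", "wpa", "password", True, False),
    WifiProfile("guest-open", "guest", "open", "none", True, False),
    WifiProfile("guest-ok", "guest", "wpa2", "temporary-credentials", False, False),
    WifiProfile("coffeeshop", "public", "open", "none", True, True),
]

if __name__ == "__main__":
    for ssid, findings in audit_profiles(SAMPLE_PROFILES).items():
        print(ssid)
        for line in findings:
            print("  -", line)
```

Run as a script it lists `corp-legacy`, `guest-open` and `coffeeshop` with their violations; `corp-secure` and `guest-ok` match the guidance and produce nothing. The public profile is flagged only for its lack of encryption, because internal access from it is already forced through a VPN.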
Small and medium enterprises (SMEs) are typically at highest risk of data leakage through public wi-fi hotspots because they do not commonly use VPNs.
“SMEs often just open connections on the firewall to the mail server, maybe even the remote desktop protocol (RDP) server, requiring only a username and password, and they don’t really check the consistency of the computer. SMEs are a real problem – they need to be educated and shown how easy in many cases it is to secure remote access,” said Vladimir Jirasek, security professional and member of Cloud Security Alliance, UK chapter.
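The SME pattern Jirasek describes (mail or RDP opened on the firewall to anyone, guarded by a username and password alone) is easy to check for in a rule set. The following is an added example, not code from the article or from the Cloud Security Alliance; the `FirewallRule` format, the list of client-facing ports, the VPN address pool and the "broad source" threshold are all assumptions made for illustration.

```python
# Added example (not from the article): flag firewall rules that expose
# client-facing mail or remote desktop services directly to the internet
# instead of behind a VPN. The rule format, the port list, the VPN pool
# and the prefix-length threshold are assumptions made for illustration.
from __future__ import annotations
from dataclasses import dataclass
import ipaddress

# Client-facing services SMEs commonly open straight to the internet (assumed list).
REMOTE_SERVICES = {110: "POP3", 143: "IMAP", 993: "IMAPS", 995: "POP3S", 3389: "RDP"}

# Hypothetical address pool handed to VPN clients; rules scoped to it are acceptable
# because the VPN has already authenticated (and can check) the connecting computer.
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")

# A source network this broad or broader is treated as "anyone on the internet".
BROAD_PREFIX = 8


@dataclass
class FirewallRule:
    name: str
    action: str    # "allow" or "deny"
    proto: str     # "tcp" or "udp"
    src: str       # source network in CIDR form, e.g. "0.0.0.0/0"
    dst_port: int


def audit_rule(rule: FirewallRule) -> tuple[str, str] | None:
    """Return (severity, message) for a rule that raises a concern, else None."""
    if rule.action != "allow" or rule.proto != "tcp":
        return None
    service = REMOTE_SERVICES.get(rule.dst_port)
    if service is None:
        return None  # not one of the services we care about here

    src = ipaddress.ip_network(rule.src, strict=False)
    if src.version == VPN_POOL.version and src.subnet_of(VPN_POOL):
        return None  # reachable only after the VPN client has authenticated

    if src.prefixlen <= BROAD_PREFIX:
        return ("high",
                f"{rule.name}: {service} (port {rule.dst_port}) allowed from {rule.src}; "
                "only a username and password stand in the way and the connecting "
                "computer is never checked; publish it behind the VPN instead")
    return ("medium",
            f"{rule.name}: {service} allowed from {rule.src} outside the VPN pool; "
            "confirm this source is a known, managed network")


def audit_rules(rules: list[FirewallRule]) -> list[tuple[str, str, str]]:
    """Return (rule name, severity, message) for every rule that raises a concern."""
    out: list[tuple[str, str, str]] = []
    for r in rules:
        finding = audit_rule(r)
        if finding:
            out.append((r.name, *finding))
    return out


# Constructed sample rule set for a fictional SME firewall.
SAMPLE_RULES = [
    FirewallRule("rdp-any", "allow", "tcp", "0.0.0.0/0", 3389),
    FirewallRule("imaps-any", "allow", "tcp", "0.0.0.0/0", 993),
    FirewallRule("rdp-vpn", "allow", "tcp", "10.200.0.0/16", 3389),
    FirewallRule("rdp-partner", "allow", "tcp", "198.51.100.0/24", 3389),
    FirewallRule("https-any", "allow", "tcp", "0.0.0.0/0", 443),
    FirewallRule("rdp-deny", "deny", "tcp", "0.0.0.0/0", 3389),
]

if __name__ == "__main__":
    for name, severity, message in audit_rules(SAMPLE_RULES):
        print(f"[{severity}] {message}")
```

The script reports `rdp-any` and `imaps-any` as high-severity exposures and `rdp-partner` as something to confirm, while the rule scoped to the VPN pool, the HTTPS rule and the deny rule pass. Replacing the internet-wide RDP and mail rules with rules scoped to the VPN pool is the "easy in many cases" fix the quote refers to.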
Although kits do exist for setting up rogue base stations capable of intercepting 3G traffic, rogue wi-fi hotspots are a much more likely target, according to William Beer, director of information and cyber security at consultancy PricewaterhouseCoopers (PwC).
While there are vulnerabilities in wireless mobile communication channels, wi-fi is easier to target because of all the built-in safeguards in 3G, which require more specific expertise and advanced hardware to intercept, representing a lower return on investment for hackers, he said.