Protection in Public

With more mobile users accessing the corporate network from more public locations, ensuring information security has grown more complicated than ever before. Without taking the proper precautions, on-the-go professionals expose their own and corporate information assets to a variety of threats when they use public Internet terminals and “hot spots” such as wired hotel networks or wireless networks in coffee shops.

The consequences of failing to sufficiently protect sensitive information assets can be dire. With new and pending legislation in the United States, loss or unauthorized disclosure of vital information could lead to personal, as well as corporate legal liability. As a result, every single individual within an organization -- not just the Information Technology (IT) staff -- must accept responsibility for information security.

What can on-the-go users do to simultaneously stay in touch with colleagues and customers and protect their organizations and themselves? There are best practices that your organization’s mobile users can follow depending on the way they access the network.

Public Internet Terminals
Using public Internet terminals at cyber cafes, libraries, airports and other establishments presents formidable security risks for the traveler since the user typically does not have control over what security measures are available at these public terminals.

Consider the 2003 case involving an employee for a chain of copy centers offering public Internet terminals. The employee had deployed keystroke-logging software on machines at more than a dozen of the company’s branches. (Encrypting e-mail, Web sessions or using VPN technology does nothing to combat keystroke loggers.) The employee captured more than 450 user names and passwords, which he eventually used to access and open bank accounts online.

Data cookies also contribute to the risk of identity theft on public terminals. Cookies are files that help Web sites remember a user’s identity so that the user does not have to keep logging on to a site. But unless the user remembers to log out of a site, these files could allow the next person using the terminal to surf the Web under the previous user’s identity. Furthermore, browsers typically record recent Web sites visited so that users will not have to retype addresses, and such addresses often have user names and other sensitive information embedded.

Here are some best practices that business travelers should consider:

1. Assume public Internet terminals are insecure. Do not share credit-card numbers, bank-account information or sensitive company data when using these devices.
2. Delete data cookies and Web site history after using public Internet terminals, even for leisure activities.
3. Differentiate the user names and passwords used at recreational Web sites from those involving more sensitive transactions, such as an online bank or the corporate intranet.

Public Network Hot Spots
Attackers with the ability to gain access to a wireless local area network (LAN) can also monitor other sessions taking place. In 2003, an attacker who sniffed a Boston-based CEO’s password using a wireless LAN subsequently broke into the executive’s corporate network. The attacker then connected to the company's email server and downloaded all the CEO's e-mail. Messages about current and pending business deals eventually ended up on a public Web site.

Such eavesdropping is even more of a problem for people using wireless hot spots like those popping up at coffee shops, conferences and many universities. By design, these hot spots do not use encryption. That means any traffic sent over the network by one laptop-toting customer can be eavesdropped by another.

Sniffable passwords and e-mail messages aren't the only security problems to be found on wireless networks. Many users at public hot spots may have a directory or an entire hard drive of their laptop openly shared with the network while others may be completely protected.

Whether using a hotel’s broadband connection or public wireless LAN, users can go a long way in protecting themselves and their companies with some simple best practices:

1. Use a virtual private network (VPN) client, an essential element in protection from network eavesdropping, Internet worms and various other network-based attacks. VPNs employ cryptographic techniques to protect IP information as it passes from one location to the next, whether on a wired or wireless network. Data inside the VPN “tunnel” – the encapsulation of one protocol packet inside another – is encrypted and isolated from other network traffic, providing the user secure network sessions across public network infrastructures.

2. Turn off any open file shares. In general, a user should not have any drives, directories or file shares openly available to other users on the network. Open file shares are a popular infection vector for most of today’s Internet worms and viruses. If users need to share files with other users, they should utilize a corporate supported server where standard security features can be properly established and administered.

Protecting Your Computer
Resources on wired or wireless public networks have a higher risk of attack since they generally do not have the same degree of protection as corporate internal resources. With this in mind, it is imperative that security-related software be installed and appropriately configured to protect company information assets. At a minimum, personal firewalls and anti-virus software should be deployed on all mobile computers.

Personal firewalls are software- or hardware-based solutions that reside on or in front of a client's machine and are managed either centrally or by clients. Centrally managed solutions allow support organizations to modify client firewalls to protect against the latest known vulnerabilities and to maintain a consistent security policy for all remote users. Software patches and updates can be deployed on a regular schedule, not on an emergency basis.

There are more than 67,000 known viruses, and another 300 or so are discovered every month. So, standard anti-virus software should be installed on mobile users’ computers and updated on a regular basis. Users should never open any files or macros or email attachments from unknown, suspicious or untrustworthy sources.

Some organizations are additionally deploying the capability to identify the security posture of a device connecting to their network prior to granting network access. Devices not meeting a minimal security posture are quarantined and not granted access until they have the appropriate software patches.

Conclusion
Successfully ensuring information security cannot be the responsibility solely of the IT staff. This era of increasingly sophisticated threats demands a multi-faceted strategy and the committed effort of every individual in an organization. Traveling professionals must be armed with the best practices and tools they need to defend themselves.

<< Previous Page