The rapid growth of wireless, remote and mobile computing is creating a significant increase in the risks that organisations face. All the indications are that this growth will continue, and indeed accelerate. It is clearly time to review what actions are required to manage access risks from these forms of computing. Fortunately, there are some quick fixes that are available.

In an ideal world, the starting point would be risk assessment and management. This is a fundamental component of any wireless and mobile deployment. It will ensure that security is factored in at the beginning of a project and that everyone involved is aware of the risks. All security policies should be reviewed to make sure that they reflect current realities.

However, in many cases, the move from inside to outside the computer network perimeter has not been accompanied by either risk assessment and management, or by the education of the management, staff and users involved.

In an environment with ongoing mobile computer access, attempting to “backfill” security is going to be difficult and subject to active or passive resistance from users – and much more expensive than getting it right in the first place. A bite at a time is the best approach in this situation, and there are some quick fixes that will make it an easier case to sell to all involved.

Passwords and authentication

Static passwords are woefully inadequate for remote and mobile computer users, with huge identity theft risks (particularly for wireless). The answer is to deploy strong two- factor authentication. Companies such as VASCO provide low-cost, token-based solutions that can be easily deployed for remote users.


SSL VPNs

Consider using encrypted secure sockets layer (SSL) VPNs, alongside or instead of IPsec VPNs, as SSL can provide lower cost, easier to manage connections for large numbers of remote users. This is a growing area and there are a wide range of solutions from WatchGuard, Citrix, AEP, etc.

Regular Updating

Make sure that users regularly update anti-virus and firewall software. Failure to do so, alongside password and unauthorised software related issues, makes up the majority of remote help desk problems for organisations.

Wireless

Ensure that all traffic is over VPNs and is encrypted. Don’t use Wired Equivalent Privacy (WEP) for encryption because it is poor, insecure and weak. Use WPA or WPA2 (also known as 802.11i) and ensure that users always operate with it switched on - the default is with it switched off.

If you have remote wireless LANs, ensure that the service set ID (SSID) is changed from the default and is secured. Don’t change it to something blindingly obvious like your company name (or “control tower”, as seen by startled laptop users at a US airport).