In an ideal world, the starting point would be risk assessment and management. This is a fundamental component of any wireless and mobile deployment. It will ensure that security is factored in at the beginning of a project and that everyone involved is aware of the risks. All security policies should be reviewed to make sure that they reflect current realities.
However, in many cases, the move from inside to outside the computer network perimeter has not been accompanied by either risk assessment and management, or by the education of the management, staff and users involved.
In an environment with ongoing mobile computer access, attempting to “backfill” security is going to be difficult and subject to active or passive resistance from users – and much more expensive than getting it right in the first place. A bite at a time is the best approach in this situation, and there are some quick fixes that will make it an easier case to sell to all involved.
Passwords and authentication
Static passwords are woefully inadequate for remote and mobile computer users, with huge identity theft risks (particularly for wireless). The answer is to deploy strong two- factor authentication. Companies such as VASCO provide low-cost, token-based solutions that can be easily deployed for remote users.
Consider using encrypted secure sockets layer (SSL) VPNs, alongside or instead of IPsec VPNs, as SSL can provide lower cost, easier to manage connections for large numbers of remote users. This is a growing area and there are a wide range of solutions from WatchGuard, Citrix, AEP, etc.
Make sure that users regularly update anti-virus and firewall software. Failure to do so, alongside password and unauthorised software related issues, makes up the majority of remote help desk problems for organisations.
Ensure that all traffic is over VPNs and is encrypted. Don’t use Wired Equivalent Privacy (WEP) for encryption because it is poor, insecure and weak. Use WPA or WPA2 (also known as 802.11i) and ensure that users always operate with it switched on - the default is with it switched off.
If you have remote wireless LANs, ensure that the service set ID (SSID) is changed from the default and is secured. Don’t change it to something blindingly obvious like your company name (or “control tower”, as seen by startled laptop users at a US airport).
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.