Security Still Reigns as Wireless 'Weakest Link'
Feb 17, 2004 7:39 AM PT
Although companies are tightening the security of Windows-based servers, they face some unknown risks when corporate data takes to the streets. After all, wireless Internet connectivity on notebook computers and PDAs carries all of the risks seen within corporate walls, but the dangers are magnified when security is lacking.
"Portable devices have become highly productive," said Amry Junaideen, a principal in the Deloitte & Touche Security Services division. "Several years ago, their functionality was basically calendars and addresses, but now they are production-strength devices that contain a number of corporate applications."
Protecting corporate assets is more difficult on laptop computers, PDAs and memory devices, such as portable USB drives. "Those become extremely susceptible," Junaideen told the E-Commerce Times. "If the data is not encrypted, the loss can be substantial.
"Portability and wireless access open the door to risks including device theft, interception of information, unauthorized access, even being sniffed by the guy sitting next to them in an airport lounge," he added.
Of course, corporations are not sitting idly by while their data flows out the door.
The solution starts with a top-down policy that addresses why wireless is being used by a corporation, what the business objectives are, and what policy governs the entire company in this area, according to Junaideen.
"A policy should require strict adherence to standards and contain specific information on what people should do to protect their devices once wireless has been deployed," he said. "This might include safeguards against loss and notification to IT when a device is lost, with devices that store the most sensitive data receiving the highest protection. For critical data, if a PDA or memory stick is lost, the files clearly need to be encrypted."
Junaideen suggested that the technology used to protect wireless devices can range from virtual private networks (VPNs) to firewalls, quarantining devices, data wipe technology and file encryption. Encryption can be expensive but is essential. He added that a relatively old wireless encryption standard called Wired Equivalent Privacy (WEP) has been compromised and should not be used as a company's sole line of defense.
Corporations are not alone in their fight to secure data over wireless networks. Network Associates' McAfee Sniffer Technologies division is geared toward enterprises that need to lock down systems on mobile devices. Sydney Fisher, its director of product marketing, told the E-Commerce Times that many of the benefits of wireless also create risk.
"The flexibility of being virtually anywhere is the draw of wireless networks, but the back end of that is the need for security," Fisher said. "It's important to have appropriate security so data is stored properly, travels properly and is protected from people who shouldn't get it, but [is] accessible to those who do need it.
"Sniffer products function in a wireless environment like LANs, WANs or ATM networks," she added. "The same kind of technology -- a wireless sniffer card in a laptop -- can detect and verify that your encryption protocols are being used and can find rogue access points, so you can shut them down."
"It's so easy to use wireless, but people need to be just as vigilant as they are within a corporate network," Fisher noted. "Wireless devices shouldn't be set to use the defaults that come with the equipment. Wireless infrastructure is in a growth curve, so the technology is not necessarily there to make it reliable yet.
"You don't need a PhD in physics to be able to use wireless technology efficiently and securely, but you do have to be vigilant and treat it seriously," she added.
For his part, Junaideen recommended: "If sniffer technology senses a device has been compromised, shutting down the wireless connection immediately is the safest step to take. If someone tries to compromise a lost device, data wipe software can detect activation and wipe all data from the unit. Users need some understanding of what the device is doing -- and what their responsibilities are to protect data."