Network security controls and practices are among the most mature, but can businesses be sure that some network traffic is not sneaking past traditional controls, especially with the recent proliferation of new mobile wireless and other IP-enabled devices?
With the rise of mobile enterprise applications and related trends such as the consumerisation of IT and bring-your-own-device (BYOD), an increasing number of enterprise employees are looking to access corporate networks through Wi-Fi hotspots, both internally and externally.
Whether or not these Wi-Fi hotspots increase the potential of data leakage depends mainly on an organisation's strategy for network security.
If organisations continue to rely on network security as a key control in the protection of their data, Wi-Fi is a potential avenue for data leakage, according to Matthew Lord, chief information security officer at IT-enabled business services firm Steria UK.
"An attacker could just sit in an organisation’s car park and try to force their way into the network by trying a combination of user IDs and passwords until they gain access," he said.
If enterprises want to use Wi-Fi hotspots safely, they must follow two data leakage prevention strategies: set them up as an internet hotspot with no access to internal systems, and use a stronger form of authentication such as client-side certificate authentication.
Internal Wi-Fi hotspots – where there are separate corporate and guest networks, and the corporate network has tight controls, including device authentication – are therefore generally not an issue for network traffic slipping past controls.
However, corporate users could be tempted to switch to the guest network where there are fewer or no controls, and that is where leakage could occur. Best practice would be to set up a guest network that requires temporary credentials to enable connections.
Public Wi-Fi hotspots, such as those commonly provided by coffee shops, are typically unencrypted, which means any wireless sniffer or rogue wireless access point can get all the traffic because all the data packets are open. Therefore, data leakage prevention depends on how the mobile device accessing the network is protected and configured.
Best practice would be for public hotspots to move to WPA2 to encrypt each session and for businesses to allow access to internal networks only through a virtual private network (VPN) client, which means all a traffic sniffer would see is a stream of encrypted data packets. This also prevents the traffic redirection and man-in-the-middle attacks associated with web access over HTTPS.
Small and medium enterprises (SMEs) are typically at highest risk of data leakage through public Wi-Fi hotspots because they do not commonly use VPNs.
"SMEs often just open connections on the firewall to the mail server, maybe even the remote desktop protocol (RDP) server, requiring only a username and password, and they don't really check the consistency of the computer. SMEs are a real problem – they need to be educated and shown how easy in many cases it is to secure remote access," said Vladimir Jirasek, security professional and member of Cloud Security Alliance, UK chapter.
Although kits do exist for setting up rogue base stations capable of intercepting 3G traffic, rogue Wi-Fi hotspots are a much more likely target, according to William Beer, director of information and cyber security at consultancy PricewaterhouseCoopers (PwC).
While there are vulnerabilities in wireless mobile communication channels, Wi-Fi is easier to target because of all the built-in safeguards in 3G, which require more specific expertise and advanced hardware to intercept, representing a lower return on investment for hackers, he said.
Best practice for mobile devices that support 3G, high-speed packet access (HSPA) and Wi-Fi is to use voice-over-IP (VoIP) instead, and run a peer-to-peer call manager software to encrypt the traffic, according to Jirasek. This enables all traffic to be encrypted over an untrusted network, he said.
Another potential avenue of data leakage is the increasing number of IP-enabled devices within the enterprise, including printers, CCTV cameras, point-of-sale (POS) systems, building access, and other control systems.
The fact that most devices can operate on an IP network, coupled with the fact that most corporations need to save money today, inevitably means there is an increasing use of the corporate network as a communications backbone for more than just file and print servers.
In light of this fact, and the need to block as many avenues for data leakage as possible, organisations need to treat their internal networks as hostile and implement the right level of security on all networked devices.
"A good example would be to encrypt CCTV footage between the camera and the recorder or implement a hardened factory control server with a firewall on your network, rather than an unprotected workstation running system control software," said Steria's Lord.
Again, best practice is to segregate different types of devices and apply different security controls accordingly, said Jirasek. "You don't want to put IP devices on the same domain or network as your computers. If they don't need to talk to each other, they should not be able to," he said.
Ideally, all traffic should be monitored, but when you make a cost/benefit analysis, it may seem excessive to do so.
"You need to make a judgement call based on the threat analysis [to ascertain] whether it is worth putting these controls into some segments," said Jirasek. "It would be very bad practice to have it all on the same network, but this is what small companies are doing. SMEs don’t really have money to segregate the network."
The best approach would be anomaly detection that baselines normal network traffic, looks at the patterns and identifies deviations from them.
"That would be the best from a pure network traffic point of view, but for the determined attacker you need to be prepared on the host – so have it tightly secured, users not having admin rights, some sort of protection against RAM-scraping malware, good anti-virus and anti-malware, the data classified and potentially segregated – with access over some kind of Citrix session, and then ideally if the user has access to secrets inside the organisation they should use a different PC for browsing the internet," said Jirasek.
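The baselining approach described above, as an added illustration that is not code from the article or from any product it mentions. It assumes a simplified, constructed per-host daily flow summary (outbound bytes and distinct destination count); the host names and figures are invented. The detector learns a mean and spread per host and metric, then flags observations that fall far outside them, treating a host with no baseline at all as its own kind of anomaly.

```python
"""Baseline normal per-host traffic, then flag observations that deviate.

Added illustration, not tooling from the article. The records are a
constructed, simplified flow summary: one line per host per day.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: five days of "known good" per-host summaries.
BASELINE_LOG = """\
day=1 host=ws-accounts-07 bytes_out=18400000 dst_count=41
day=2 host=ws-accounts-07 bytes_out=17900000 dst_count=39
day=3 host=ws-accounts-07 bytes_out=19100000 dst_count=44
day=4 host=ws-accounts-07 bytes_out=18200000 dst_count=40
day=5 host=ws-accounts-07 bytes_out=18800000 dst_count=42
day=1 host=cctv-lobby-02 bytes_out=2100000 dst_count=1
day=2 host=cctv-lobby-02 bytes_out=2000000 dst_count=1
day=3 host=cctv-lobby-02 bytes_out=2200000 dst_count=1
day=4 host=cctv-lobby-02 bytes_out=2100000 dst_count=1
day=5 host=cctv-lobby-02 bytes_out=2000000 dst_count=1
"""

# Constructed observations to score against the baseline.
OBSERVED_LOG = """\
day=6 host=ws-accounts-07 bytes_out=18600000 dst_count=43
day=6 host=cctv-lobby-02 bytes_out=2100000 dst_count=17
day=7 host=ws-accounts-07 bytes_out=312000000 dst_count=40
day=7 host=printer-3f-01 bytes_out=50000 dst_count=2
"""

METRICS = ("bytes_out", "dst_count")


def parse_records(text):
    """Turn 'key=value' lines into dicts; numeric fields become ints."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split())
        for key in ("day",) + METRICS:
            fields[key] = int(fields[key])
        records.append(fields)
    return records


def build_baseline(records):
    """Per host and metric, store (mean, sigma). Sigma is the population
    stdev floored at 10% of the mean and at 1.0, so a perfectly flat history
    (a camera that only ever talks to its recorder) does not give a zero
    divisor and a tiny wobble is not over-scored."""
    series = defaultdict(list)
    for rec in records:
        for metric in METRICS:
            series[(rec["host"], metric)].append(rec[metric])
    baseline = {}
    for key, values in series.items():
        mu = mean(values)
        sigma = max(pstdev(values), 0.1 * mu, 1.0)
        baseline[key] = (mu, sigma)
    return baseline


def detect(baseline_text, observed_text, threshold=3.0):
    """Return (host, metric, z) for each observation more than `threshold`
    standard deviations from its host's baseline, plus an entry with metric
    'unseen_host' and z=None for hosts that have no baseline at all."""
    baseline = build_baseline(parse_records(baseline_text))
    known_hosts = {host for host, _ in baseline}
    anomalies = []
    for rec in parse_records(observed_text):
        if rec["host"] not in known_hosts:
            anomalies.append((rec["host"], "unseen_host", None))
            continue
        for metric in METRICS:
            mu, sigma = baseline[(rec["host"], metric)]
            z = (rec[metric] - mu) / sigma
            if abs(z) > threshold:
                anomalies.append((rec["host"], metric, round(z, 1)))
    return anomalies


if __name__ == "__main__":
    for host, metric, z in detect(BASELINE_LOG, OBSERVED_LOG):
        print(f"{host}: {metric} z={z}")
```

On the constructed data the camera is flagged because its destination count jumps from one to seventeen, the workstation because its outbound volume is two orders of magnitude above its norm, and the printer because it has never been seen before. The floor on sigma is the design point worth noting: without it, any host with a perfectly flat history would score every change as infinitely anomalous.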
Complexity is the biggest challenge for large enterprises. Security vulnerabilities typically arise because of misconfigurations. With only 30% to 40% of firewall rule bases used, organisations tend to expose their networks to access for which there is no business purpose.
"Data leakage is seldom a problem with technology. It is not an issue of data sneaking past network controls, but of misconfiguration of those controls and a reluctance to fix known misconfigurations for fear of blocking business access to the network," said Jody Brazil, founder and chief technology officer of Kansas-based security management firm FireMon.
For large corporate and government networks, he said that in addition to reactive security information event management (SIEM), there needs to be a complementary proactive capability to build a picture of overall risk by identifying all network access.
This enables organisations to reduce risk by blocking unnecessary access paths before there is a security incident. "Most organisations are astounded when we show them how many paths there are to their network that could be used for unauthorised access," said Brazil.
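The two points made above, segregating device classes so that things which do not need to talk cannot (Jirasek), and finding unused rules and unnecessary access paths in a firewall rule base before an incident (Brazil), can be checked with the same small rule-base analyser. The following is an added example, not code from the article, from FireMon or from any other product. The rule format, zone names, hit counts and the segmentation policy are all constructed for the illustration; the analyser enumerates which zone-to-zone paths the rule base actually permits, lists rules that have never matched, and models what deleting those rules would change.

```python
"""Review a firewall rule base: find unused rules, enumerate the access
paths it actually permits, and check them against a segmentation policy.

Added illustration, not FireMon or any other product. The rule format,
zones and hit counts are constructed for the example.
"""
from itertools import product

# Constructed rule base: first match wins, the last rule is the default deny.
# Columns: id, source zone, destination zone, destination port, action, hits.
RULE_BASE = """\
id,src,dst,port,action,hits
10,internet,servers,443,allow,180233
20,guest_wifi,internet,any,allow,9120
30,guest_wifi,any,any,deny,412
40,cctv,recorder,554,allow,77000
50,workstations,servers,any,allow,50411
60,workstations,internet,443,allow,204000
70,internet,servers,3389,allow,0
80,cctv,any,any,allow,0
90,pos,servers,443,allow,3300
100,any,any,any,deny,15
"""

ZONES = ["internet", "guest_wifi", "workstations", "servers", "recorder", "cctv", "pos"]
PORTS = [443, 3389, 554, 445]  # ports probed when enumerating paths

# Constructed segmentation policy: for each (src, dst) pair listed, only these
# ports may be reachable; an empty set means the pair must never talk at all.
POLICY = {
    ("internet", "servers"): {443},
    ("internet", "workstations"): set(),
    ("guest_wifi", "servers"): set(),
    ("guest_wifi", "workstations"): set(),
    ("cctv", "workstations"): set(),
    ("cctv", "servers"): set(),
    ("pos", "workstations"): set(),
}


def parse_rules(text):
    """Parse the CSV rule base into ordered dicts (order is the match order)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(",")
    rules = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rec["id"] = int(rec["id"])
        rec["hits"] = int(rec["hits"])
        rec["port"] = rec["port"] if rec["port"] == "any" else int(rec["port"])
        rules.append(rec)
    return rules


def unused_rules(rules):
    """Ids of rules that have never matched traffic: removal candidates."""
    return [r["id"] for r in rules if r["hits"] == 0]


def evaluate(rules, src, dst, port):
    """First-match evaluation; returns (action, rule_id), default deny."""
    for r in rules:
        if r["src"] in ("any", src) and r["dst"] in ("any", dst) and r["port"] in ("any", port):
            return r["action"], r["id"]
    return "deny", None


def access_paths(rules, zones=ZONES, ports=PORTS):
    """Every (src, dst, port, rule_id) the rule base allows between distinct zones."""
    paths = []
    for src, dst in product(zones, repeat=2):
        if src == dst:
            continue
        for port in ports:
            action, rule_id = evaluate(rules, src, dst, port)
            if action == "allow":
                paths.append((src, dst, port, rule_id))
    return paths


def violations(paths, policy=POLICY):
    """Permitted paths that the segmentation policy says must not exist."""
    return [p for p in paths if (p[0], p[1]) in policy and p[2] not in policy[(p[0], p[1])]]


def without(rules, ids):
    """Model the knock-on effect of deleting rules before touching production."""
    drop = set(ids)
    return [r for r in rules if r["id"] not in drop]


if __name__ == "__main__":
    rules = parse_rules(RULE_BASE)
    print("unused rules:", unused_rules(rules))
    print("permitted paths:", len(access_paths(rules)))
    for v in violations(access_paths(rules)):
        print("violation:", v)
    trimmed = without(rules, unused_rules(rules))
    print("paths after removing unused rules:", len(access_paths(trimmed)),
          "violations:", len(violations(access_paths(trimmed))))
```

In the constructed rule base the two rules with zero hits are exactly the ones that break segmentation: rule 80 lets the camera zone reach workstations and servers, and rule 70 exposes RDP on the servers from the internet. Modelling their removal shows the permitted path count dropping from 36 to 12 with every policy violation gone and every rule that carries real traffic untouched, which is the evidence needed to overcome the reluctance to fix a known misconfiguration that Brazil describes.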
FireMon, he said, goes beyond rival configuration management systems by combining traditional operational capabilities with continuous risk monitoring and visibility, which includes the ability to identify and prioritise risk remediation tasks and model the knock-on effects of any network configuration changes.
Many organisations are still relatively weak when it comes to continuous monitoring, according to PwC's Beer. "I am always surprised to see how log data is not being used to pinpoint potential attacks," he said.
Like all security challenges, however, technology alone is not enough. Especially in the BYOD era, enterprises need to ensure that employees are aware of the risks of using mobile devices to access corporate networks and data.
"There are a whole range of mobile device management suppliers, but enterprises need to do more around people and awareness because the problem is often the user, who becomes the weakest link," said Beer.
While many organisations have appropriate technologies, policies and awareness programmes in place for desktop and laptop computers, he said it is often lacking when it comes to smartphones and other mobile devices. The level of awareness of the potential risks of IP-enabled devices is also relatively low. "We need to raise the profile of unmanaged IP-enabled devices because the number of these vulnerabilities is only going to increase," warned Beer.