Network security is a constant battle of precaution and vigilance. But somehow security processes often lapse when a portable computer leaves the office network.
If such a computer is compromised on a road trip, not only is its own data at risk but the office network’s systems and data could be too.
Once any business computer leaves the trusted confines of the in-office network, it should have tools in place for the user to enhance security before logging onto untrusted networks such as public Wi-Fi, hotel, or airport lounge access points.
Public Wi-Fi can be manipulated
Wi-Fi, while often convenient when users are on the road, can make systems vulnerable.
"In an untrusted, public-access Wi-Fi network, anyone who wants to monitor activity can see and record all of the network traffic processed by the access point," says John Girard, Vice President Distinguished Analyst from the Security and Privacy research group at Gartner.
"Even if the Wi-Fi network is protected with a weak security method such as WEP or WPA Pre-shared Keys."
"Since you can see all of the traffic in the network, the attacker can monitor passively for large periods of time and can learn the IP addresses and identities of the active systems without taking action."
Lock down on wired access too
Even when wired, threats remain on any untrusted network connection. Girard recommends limiting the exposure of any information you are not willing to lose.
"If the connection is not trusted and the end point system is not trusted, then you should limit the user to basic messages and block upload and download of attachments."
A few key security choices will ensure your data remains your own.
1. "Minimise eavesdropping by using SSL (secure socket layer) for email accessed through browser," says Girard.
2. "Use SSL or IPSec VPNs to carry all traffic including email and VoIP to a fully managed company endpoint," he says.
SSL is supported by most email servers today, but some may still only support basic login credentials when being accessed through the desktop.
If a browser option is available, choosing an ‘https’ address instead of the standard ‘http’ may allow for login over SSL encryption. This not only applies to web-based email, but many different web services.
VPNs, or Virtual Private Networks, encrypt network traffic so it is unreadable between origin and destination.
Tips on protecting your business’s servers
"No business should be allowing connections without a VPN over the Internet between their offices or their individual servers," says Girard.
"VPNs are not rocket science and VPN capability is included in all Internet routing and firewalling equipment and is even supported in home-class products costing less than $100."
"There are service providers who will offer VPNs configured from the cloud at low costs for companies with limited budget and expertise that do not want to set them up."
For even greater security, there are a number of password enhancements that can also be used. These include one-time passwords or additional authentication factors that cannot be copied by an attacker.
Time based tokens, such as RSA SecurID tags, are one example, as are grid cards that get you to play a game of security bingo as part of your login process.
There are also phone-delivered passcodes now available.
"There are several systems that use the phone as a receiving device," says Girard.
"Some call your phone and provide a PIN. Others send a PIN code as a text message."
No comments:
Post a Comment