According to a survey done by IDC, in the next 3 years around 70% of the workforce worldwide will be working remotely. Traffic congestion, the increased cost of travel, the slowdown and a lot more are making working from home or mobile working a major trend. As this trend grows, the threat to corporate networks is also increasing. Today, if a single machine with the authentication to access the data center is hijacked, take it for granted that the whole corporate network is hijacked. And the attacker no longer even needs to be inside the perimeter of the enterprise to do so.
To appreciate the seriousness of this problem, recall how many times you have accessed an unsecured network at a coffee shop or at your neighbour's with the same laptop or smartphone that you connect to your office VPN. We all must have done this a couple of times. Or, if you have ever lost a laptop or a smartphone, remember how many passwords and usernames for your organization's critical services were saved in your email. Now if you think that your Windows password is going to protect all this crucial data from prying eyes, think again. A simple live OS that boots from a CD or a USB drive can let a hacker open and read your password files with ease. To make matters worse, most password-protected document files can also be easily cracked using easily available off-the-shelf tools.
Applies To: CIOs
USP: Learn security issues associated with mobility
Going back to my example of using insecure hotspots: if you are connecting to an AP which you don't know or don't trust, and sending data over the network, remember that this data can very easily be read by anyone connected to the same network. They can even eavesdrop to capture your corporate VPN login ID and password, and can then connect to your corporate network very easily. So by making all these small mistakes we are not only making ourselves vulnerable but also making our organizations vulnerable.
You must be thinking by now: should I stop promoting working remotely or working from home? I am sure that's not a very good idea. What to do then? If you just take care of two very simple things, a majority of such problems can be easily tackled. These two suggestions will only work well if you already have the basic security settings in place, such as an OS firewall, an antivirus, a spam filter, etc. The two other things which all the mobile users of an enterprise should do, and which companies should have in their mandate, are these: first, everyone should have an encrypted hard drive, to make sure nobody can read the content of the drive by bypassing Windows authentication; and secondly, nobody should use an unknown or untrusted network to establish the VPN connection. Both issues can be resolved either by deploying proper policies or by educating the users. Users should be educated about the possible consequences of using a rogue hotspot, and if required, ADS-based policies can also be pushed to the mobile devices to permanently disable access to unsecured APs.
On the other hand, if you own a laptop with Windows Vista Professional or upward, you can use the Windows feature called BitLocker to encrypt your drive. This feature uses the hardware security functionality called the TPM to encrypt your hard drive. It works directly at the chipset level and as a result it is very secure.
If you don't have a machine loaded with Vista Professional, don't get disheartened. There are many open source applications which can encrypt your hard drive. One such free application for Windows is TrueCrypt, and you can find it at http://www.truecrypt.org/.
Encryption is not only for hard drives: for communications such as email, corporate IM, VoIP, etc., only encrypted data streams should be used.
To end all these thoughts, the final verdict is: if we want to see a future of working from home and working mobile, we have to be alert to the common security threats and rely more and more on encryption whenever our crucial corporate data is involved.