Mobility and Security Trends

According to a survey done by IDC, in next 3 years around 70% of the task
force worldwide will be working remotely. Traffic congestion, increased cost of
travel, slowdown and lots more are making work from home or mobile working a
major trend. Subsequent to growth of this trend, threat to corporate networks is
also increasing. Today if a single machine with the authentication to access the
data center is hijacked, take it for granted that the whole corporate network is
hijacked. And now the attacker doesn't even need to be in the perimeter of the
enterprise to do so.

Just to mind the seriousness of this problem, recall how many times you have
accessed an unsecure network at a coffee shop or at your neighbour with the same
laptop or smart phone which you connect to your office VPN? We all must have
done this a couple of times. Or if you have ever lost a laptop or a smart phone,
remember how many passwords and usernames of your organization's critical
services were saved in your email? Now if you think that your Windows password
is going to protect all this crucial data from the prying eyes, think again. A
simple Live OS which can boot from a CD or a USB can let a hacker open and read
your password files with ease. Well to make it tougher, most of the password
protected document files can also be easily cracked by using some every easily
available off the shelf tool.

Going back to my example of using insecure hotspots, well, if you are
connecting to AP which you don't know or don't trust, and sending data over the
network, rember, these can very easily be read by anyone connected to the same
network. They can even do eavesdropping to capture your corporate VPN login ID
and password and can then connect to your corporate network very easily. So by
doing all these small mistakes we are not only making ourselves vulnerable but
also making our organizations vulnerable.

You must be thinking by now, should I stop promoting working remotely or
working from home? I am sure that's not a very good idea. What to do then? If
you just take care of two very simple things, a majority of such problems can be
easily tackled. These two suggestions will only work well if you already have
the basic security settings such as a OS firewall, an anti virus, a spam filter,
etc. The two other things which all the mobile users of an enterprise should do,
and the companies should have in their mandate are; everyone should have an
encrypted hard drive, to make sure nobody can read the content in the drive by
bypassing the Windows authentication, and secondly, nobody should access any
unwanted network for getting the VPN connection. Both the issues can be easily
resolved by either deploying proper policies or by educating the users. The user
should be educated about the possible consequences of using a rogue hotspot, and
if required ADS based polices can also be pushed to the mobile devices to
permanently disable the access to unsecure APs.

On the other hand, if you own a laptop with Windows Vista Professional and
upward, then you can use the Windows feature called Bitlocker to encrypt your
drive. This features uses the hardware security functionality called the TPA and
can encrypt your hard drive. This software works directly on the chipset level
and as a result it is very secure.

If you don't have a Vista Professional loaded machines, don't get
disheartened. There are many open source applications which can encrypt your
hard drive. One such free application for Windows is truecrypt and you can find
it at http://www.true crypt.org/.

Not only for hard drives but also for the communications such as email,
corporate IM, VoIP etc, only encrypted data streams should be used.

To end all these thoughts, the final verdict is: if we want to see a future
of working from home and working mobile, you have to be alert about the common
security threats and rely more and more on encryption whenever it is about your
crucial corporate data.