Remote Wireless Access to Government Data:  Security Tips

November 3, 2008

by Ed Kopp, Market Assessment Specialist, NYSTEC

In 2007, the government of France banned members of its Parliament from using smartphones over fears that sensitive data could be compromised.  In June 2008, the government of Ireland followed suit by banning officials in its Department of Foreign Affairs from using smartphones.

These drastic measures were likely fueled by incidents such as the one that occurred in New York City on a balmy summer day in 2006.  A manager with a New York financial firm decided to take advantage of the weather and work outside in Bryant Park.  Using his laptop, he accessed what he thought was the city’s free public Wi-Fi service.  In fact, he unknowingly hooked up to a rogue access point set up by a hacker.  When the employee logged onto his company’s network, the hacker stole his username and password, and later used them to breach the corporate network.

This incident demonstrates the risks organizations take by allowing their employees to access organizational networks through external wireless connections.  In addition, the measures taken by Ireland and France signal that organizations today must address security concerns for mobile devices other than laptops, including smartphones, PDAs, and even gadgets using Bluetooth.

“Unfortunately, as wireless networks proliferate, hacking attempts like the one in Bryant Park are increasingly common,” said NYSTEC consultant John Mounteer.  “This incident was a man-in-the-middle attack targeting Wi-Fi users, a type of attack that usually compromises data on laptops.  However, as smartphones and other mobile devices grow more powerful and feature-rich, they also present security problems for organizations.”

NYSTEC consultant Sean Murray explained further, “In terms of mobile security, the most common problems today are when an employee misplaces a mobile device or one gets stolen.  Other common risks include malware infections, spam, and hacking.  Also, an employee can be an organization’s worst enemy when he or she installs unknown code on a device or turns off the device’s default security mechanisms.  Plus, the failure to back up data on a mobile device can result in the loss of vital information.  Organizations must also consider security on centralized platforms such as BlackBerry Enterprise Servers and e-mail services.”

Any organization with an increasingly mobile workforce — and these days that includes most government agencies and companies — should take proper precautions before encouraging employees to access organizational networks using wireless connections, especially public ones.  A user should assume that any free wireless service, such as a Wi-Fi service in a cafe or airport, is completely vulnerable to security breaches.

At the 2008 New York State Cyber Security Conference in Albany, Mounteer and Murray presented a top-10 list of precautions that government agencies should consider before allowing employees entry to organizational networks through remote wireless technologies such as Wi-Fi and cellular services.  We are happy to share their list here.

Top 10 Precautions Government Agencies Should Consider for Wireless Access

1. Develop and enforce policies for all mobile devices.  Prevent your employees from installing their own software on devices.  Train your staff on the risks of wireless use.

2. Encrypt the data stored on mobile devices, as well as any removable media.

3. Enable and enforce access-control mechanisms.  Require login passwords, with timeouts when a device isn’t used for a period of time.

4. Consider adding centralized management.  Software to manage multiple mobile devices may seem expensive, but the ability to oversee such aspects as device settings, security applications, and patch updates will pay off in the long run.

5. Develop and maintain an inventory of all mobile devices used by your employees (including the specific make, model, and operating system of each device).

6. Use a Virtual Private Network (VPN) to ensure security of data in transit.

7. If you are using a service for e-mail or messaging, know where your data is stored and ensure that proper Service Level Agreements are in place to secure those locations.
 
8. Start with conventional network defenses.  Identify every device that connects to your Wireless LAN, VPN, etc.

9. Add device defenses like mobile firewalls and antivirus software.  Limit the number of applications that run on a device.

10. If the data is important, ensure that it is backed up.