Hotspot Safety for Business Users
February 01, 2008
The only reliable way for employers to manage the associated risk for mobile workers is to define, monitor, and enforce hotspot acceptable use policies. Here, we show you how.
Last month, we illustrated five common-sense steps that anyone can take to defeat most Wi-Fi hotspot threats. Unfortunately, many users still insist on skinny-dipping in shark-infested hotspot waters. The only reliable way for employers to manage associated business risk is to define, monitor, and enforce hotspot acceptable use policies.
Something old, something new
Before Wi-Fi, remote workers used dial-up or broadband to reach corporate networks. Because those links connected business assets to the public Internet, measures were needed to deflect unsolicited inbound traffic and ensure data confidentiality. As a result, many workers are now required to use anti-virus, personal firewall, and a VPN tunnel when connecting from afar.
These measures certainly apply when Wi-Fi hotspots are used to support remote access. But in the all-wired world, workers knew exactly where and when they were connected. With Wi-Fi, nearly everyone forms accidental associations. Most have automatically (re)associated to a stranger's AP with the same familiar home, hotspot, or muni SSID used in the past. Some have tried to connect to a legitimate AP, but were transparently redirected to a malicious evil twin. Both mistakes can place the Wi-Fi client at risk for hours or days without user awareness.
Further, users are sorely tempted by the ease and ubiquity of Wi-Fi. When employees jack into a hotel or business center LAN, they can identify the network owner. But when workers browse the airwaves, many connect to any SSID that might offer Internet access, without any real hope of knowing who they actually reached. For example, Windows XP users who associate to an ad hoc network called "Free Public Wi-Fi" will, by default, automatically probe for that SSID forevermore, passing this apparently irresistible network name along to strangers.
Finally, open Wi-Fi APs create a cozy environment for anonymous cybercrime. Sure, the Internet makes it easy to launch application attacks from dynamically addressed botnets. But while personal firewalls can block those TCP/IP packets, they cannot stop PHY and MAC attacks like Wi-Fi driver exploits that can remotely take control of or crash a laptop that isn't even associated. Public Internet hotspots exacerbate this by drawing potentially high-value business targets to venues where Wi-Fi attackers can hang out without raising suspicion.
Playing by the rules
Despite these risks, employers needn't discourage Wi-Fi hotspot use. Convenient wireless Internet access can significantly improve worker productivity and availability. Taking steps to identify and mitigate these new risks can be a far better use of time and money.
If you are responsible for securing offsite workers, review your existing remote access policy to identify situations where Wi-Fi might be used. Decide who should be allowed to use Wi-Fi, where, and why. For example, should employees be allowed to use corporate laptops to send personal traffic over Wi-Fi at home or at public hotspots? Should they be allowed to use personal PDAs to send business traffic at ANY hotspot or only at authorized hotspots?
Next, analyze the business risks that hotspots add to each usage scenario, the security measures that might be deployed to mitigate them, and whether the resulting cost/risk/reward is acceptable. For example, perhaps you have the infrastructure to manage Wi-Fi settings and patches on corporate laptops, but not on personal PDAs. How does that impact the risk and cost of permitting business communication from personal devices at hotspots?
Use your analysis to decide whether or not to permit Wi-Fi in each scenario, and under precisely what conditions. If there are employees, devices, or applications for which hotspot risks are considered too great, specify how you will enforce those restrictions. Where public hotspot use is acceptable, identify recommended and/or required security measures and how they will be implemented and verified.
Protect and defend
After consideration, some businesses will ban hotspot use, but must then take steps to prevent it. Most will end up allowing hotspot use for business communication. Some may even encourage it by providing financial support. In all cases, the next step is to implement and enforce hotspot security in accordance with your defined policy.
Shore up client defenses. If you have a process for managing laptops, PDAs, or smartphones, refine it to close Wi-Fi loopholes. Use your patch manager to automatically deploy Wi-Fi driver updates and related OS patches. Use device management tools (e.g., Group Policy Objects) to centrally configure Wi-Fi parameters. Refine endpoint security policies where needed to facilitate hotspot use, for example, letting portal login traffic bypass your VPN client. Small businesses without fancy IT infrastructure may need to complete these tasks manually, but the goal is the same: assert control over client hardware, software, and settings to deflect not only Internet threats, but also Wi-Fi hotspot threats.
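One way to verify the client Wi-Fi settings discussed above, as an added example that is not part of the original article: it audits saved wireless profiles for ad hoc, open, and auto-connect entries. It assumes profiles have been exported in the Windows WLAN profile XML format (as `netsh wlan export profile` produces on Vista and later); the sample profiles, the SSIDs other than "Free Public Wi-Fi", and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed template in the Windows WLAN profile XML schema (assumed input format).
TEMPLATE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{ssid}</name>
  <SSIDConfig><SSID><name>{ssid}</name></SSID></SSIDConfig>
  <connectionType>{ctype}</connectionType>
  <connectionMode>{mode}</connectionMode>
  <MSM><security><authEncryption>
    <authentication>{auth}</authentication>
    <encryption>{enc}</encryption>
  </authEncryption></security></MSM>
</WLANProfile>"""

# Constructed sample profiles; only "Free Public Wi-Fi" is named in the article.
SAMPLES = [
    TEMPLATE.format(ssid="Free Public Wi-Fi", ctype="IBSS", mode="manual", auth="open", enc="none"),
    TEMPLATE.format(ssid="hotel-guest", ctype="ESS", mode="auto", auth="open", enc="none"),
    TEMPLATE.format(ssid="CorpNet", ctype="ESS", mode="auto", auth="WPA2", enc="AES"),
]

def audit_profile(xml_text):
    """Return (ssid, findings) for one exported profile."""
    root = ET.fromstring(xml_text)
    def text(path):
        return (root.findtext(path, default="", namespaces=NS) or "").strip()
    ssid = text("w:SSIDConfig/w:SSID/w:name")
    sec = "w:MSM/w:security/w:authEncryption/"
    adhoc = text("w:connectionType") == "IBSS"
    is_open = text(sec + "w:authentication") == "open" and text(sec + "w:encryption") == "none"
    findings = []
    if adhoc:
        findings.append("ad-hoc")        # peer-to-peer network, no AP owner to identify
    if is_open:
        findings.append("open")          # any device can answer to this SSID
    if text("w:connectionMode") == "auto" and (adhoc or is_open):
        findings.append("auto-connect")  # client re-associates without asking the user
    return ssid, findings

def audit_all(profiles):
    """Map SSID -> findings, keeping only profiles that violate the policy."""
    results = dict(audit_profile(p) for p in profiles)
    return {ssid: f for ssid, f in results.items() if f}

if __name__ == "__main__":
    for ssid, findings in audit_all(SAMPLES).items():
        print(f"{ssid}: {', '.join(findings)}")
```

Flagged profiles are candidates for removal or for being switched to manual connection through whatever device management process is already in place.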