Attacks against information assets — government, corporate, and personal — have been going on for some time. Yet many users and organizations have blatantly ignored recommendations for protecting mobile devices, exposing themselves, their businesses, their customers, and often employees to harm. These devices in the hands of mobile workers are exposed to a variety of threats:
- Hotel wired networks are often wide open to eavesdropping by cybercriminals or other guests. Jacking into a network frequently equates to sending and receiving information over a single collision domain. This means all packets for a set of rooms, a floor, several floors, or even the entire hotel/motel are seen by all other systems on the network. Unprotected packets are prime targets for capture, analysis, and data extraction.
- Connecting to unencrypted hotel or other public wireless networks, sending sensitive information out into the ether, is a well-known problem. I won't beat it to death.
- Improper configuration of firewalls or the total lack of an end-user device security perimeter, allows anyone, anytime, and anywhere to use public networks to peruse private information on laptops, smartphones, or PDAs.
- Some unencrypted stolen or lost devices are a treasure chest of information, including passwords, customer and employee information, and user identity data. In large, chaotic venues, it isn't difficult to lose a laptop or PDA.
This is not a complete list of potential attack vectors, but proper attention to those four issues reduces risk to a reasonable and appropriate level. The following steps are a good start in preventing information or system compromise.
Note: These tips originally appeared as an entry in our IT Security blog.
1: Store only what you absolutely need
This is my first rule of data leakage protection. Why carry around customer spreadsheets, financial data, or plans for a new product/service if you don't need them while out of the office? Absent Information can't be compromised.
2: Protect data passing over public wired or wireless networks
The best way to prevent casual or directed packet snooping on public networks is packet or session encryption, even if encryption is limited to traffic between the end-user device and a traffic encryption service provider on the Internet. For ultimate protection, use only SSL connections to check email or access company information. When this isn't possible, online services, both free and for-fee, can fill the gap. Two examples are MegaProxy (fee-based) and AnchorFree (free).
3: Configure devices to block external snooping
The first step in establishing a security perimeter around a device is configuration of a firewall. Personal firewalls are free on laptops running Windows XP or Vista. These solutions provide minimal protection against intruder compromise of your mobile system. More complete protection is available in security suites, like those from AVG, McAfee, or Symantec.
Firewalls are also available for many handheld devices, protecting contact lists, email, and other sensitive information commonly found on PDAs and smartphones. The second step is configuring Bluetooth, on laptops and handhelds, to block all unauthorized access. For information on Bluetooth threats and secure configuration, see Secure your Bluetooth wireless networks and protect your data. No laptop should be unnecessarily exposed because it lacks anti-malware protection.
4: Encrypt sensitive information on the device
I know this is like beating the proverbial dead horse, but laptop theft reports make it clear that many users and organizations haven't yet gotten the message. And laptop encryption doesn't have to drain your budget. Solutions like TrueCrypt provide effective, free file and full-disk encryption. If you need a more centralized approach to key management, lost data destruction, or data recovery, online services like Beachhead or more traditional systems like PGP can help.
5: Back up critical information
All business critical information should be copied to an alternate location. Even mobile users, who might not connect to the company network every day, can be protected against data loss with online solutions like Symantec's backup.com or with Amazon.com's S3 service, supported with client software like Jungle Disk.And of course, practice standard system hardening practices — patching, shutting down all unneeded services, etc. In addition to following Microsoft's best practices, consider implementing some or all NIST (National Institute of Standards and Technology) recommendations and baseline template settings.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.