The right mobile security policy

IT managers charged with responsibility for controlling the security threats created by mobile workers find themselves between the rock of achieving a secure infrastructure and the hard place of opening up the network sufficiently to allow remote users to work effectively.

To solve this problem it is necessary to go back to the drawing board and rewrite security policies so that they identify and address the many and varied issues which granting wireless and mobile access creates.

Kevin Foster, strategy manager with security testing company NTA Monitor, warned that the biggest danger against which security policies must protect is that of remote PCs being used as a backdoor into the corporate network.

"Remote access PCs without firewalls can be targeted whilst connected to a normal internet service provider," he explained. "The scale of the attack can be significantly increased by deploying an insecure topology, enabling remote users to gain access direct to the network."

Foster advised that, based on NTA Monitor's work providing vulnerability testing for corporates, a viable security policy capable of dealing effectively with potential vulnerabilities from remote wireless access should focus on and address the following 10 security issues:

1. Control access centrally
All remote access traffic should be directed through a single, resilient point of control, logging and alerting, usually the corporate firewall.

2. Enforce strong authentication
Apply the most appropriate form of strong authentication based on the volume of remote users and value of data and systems being accessed. Two-factor authentication schemes requiring a physical token and user Pin are recommended.

As it requires both the token and Pin to be present during authentication it is less likely that a laptop left on the train could be used access the corporate network. However the unit costs of such tokens make this prohibitive for large numbers of remote users.

According to NTA Monitor, if a company is relying on username and password authentication it should enforce a strong password scheme requiring a minimum of eight characters, using a combination of digits, upper and lower case letters, as this results in eight to the power 62 possible combinations required to crack the password.

3. Enforce strong encryption over remote links
Ensure that all remote connections are conducted over encrypted tunnels. 128-bit encryption is recommended given current computer processing power.

4. Remote client physical security and disk encryption
NTA Monitor warned that corporates need to safeguard sensitive information stored on remote PCs and laptops, not just while data is in transit.

The remote PCs should include disk- or directory-based encryption that prevents free and easy access if the device is lost or stolen. Although limitations and flaws in various methods of disk encryption have been documented, some encryption protection is better than nothing.

5. Install personal firewalls on remote clients
"We've seen organisations make use of free remote client software offered in conjunction with site-to-site VPN software modules provided with specific firewall products," said Foster.

"CheckPoint for example has traditionally offered 'SecuRemote' client software which enables authenticated and encrypted channels to be set-up with the corporate firewall. This component doesn't, however, offer firewall protection to the remote client.

"Without firewall protection the remote client could be targeted by a scan of an ISP's dial-up user space, and potentially allow an attacker to gain access through the VPN to your internal network."

6. Restrict access to what is required: server, services, time of day
It is essential that remote users should be correctly assigned to user groups.

"Access should only be enabled per user group based on the servers they need to access, the services required, and the time and days on which work is expected to occur," said Foster. "It is not generally advisable to allow remote access to all systems, by all users, using any IP service."

7. Log and alert on all remote access traffic
All security systems and target servers must be configured to centrally log all activity and to issue alerts on malicious activity. Without this it will be difficult to detect user abuse or whether a remote worker's laptop or PC has been compromised.

8. Policy
Before granting access to remote workers, the objectives and strategies for both implementation and security should be defined at a policy level.

"It should be made clear who is to be given access, for what purpose and for what types of information or resources," said Foster.

"A risk assessment should be applied to each element to understand the risk exposed by offering such access. The policy must outline the responsibilities of the individual to keep their remote access secure, and must be clearly understood by all staff involved and regularly updated to reflect evolving business processes."

9. Training
All staff involved must be given training at regular intervals regarding the security and operational risks associated with remote access to the corporate network. Once users understand the risks and their responsibilities, they are much more likely to buy in to the concept of keeping remote access secure.

10. The human factor
"The security policy should be tied in with staff contracts, and any breach of the policy should be linked to disciplinary action. Remember that it could be the chief executive who's done something naughty. Want to tell him he's wrong? Better to refer to the policy," suggested Foster.

Aside from technical security breaches and remote workers inadvertently opening the corporate network up to external attack, corporates must still remain aware of the disgruntled employee.

An existing employee who is dissatisfied with the way the company has treated them (this can be anyone right up to senior management level) can have very high information privileges. So, in part, information security should be the responsibility of all departments, not just IT.

"If companies treat and reward their staff well for effective work, employees are more likely to have a sense of ownership and belonging to the company and will be more interested in protecting their own access, and ensuring that others do not compromise the company's security and future," Foster concluded.