Declaring war on mobile hackers

There is no doubt that a carefully implemented roll-out of mobile access will free key employees from the chains of their desks, and allow them to do their jobs in a more flexible and effective manner using mobile and wireless devices such as laptops, PDAs and smartphones.

However, opening up networks to employees needing remote access to mission critical systems also opens up a Pandora's Box for IT mangers who need to ensure that the same remote access cannot be used by malicious hackers to wreak havoc.

"Data that is transported outside of the organisation is facing a continuous threat. Mobile devices can be lost or stolen which means that the information they contain can be lost to a company," warned Neil Barrett, technical director at Information Risk Management.

"If they are stolen the data needs to be protected so there is a requirement for confidentiality. This in turn points to a requirement for encryption and a for access password controls of a suitable strength for the information that is being carried.

"For mobile workers, it has to be said that there are no real new security challenges, but the existing security challenges are writ large because they fall outside the control of the main organisation."

According to Barrett, one of the main issues facing IT mangers attempting to secure mobile network access comes from individuals within companies who are increasingly accessing systems using their own mobile and wireless devices without any centralised control.

"Companies are taking mobile security seriously, but the main problem is that wireless networks are not enacted primarily by the companies themselves," explained Barrett.

"They are rolled out by individuals; someone from a department who gets a wizzo mobile device for Christmas and decides to use it to access work systems. Companies understand the risk implicitly, but these employees do not."

Industry analyst Butler Group agreed that a lack of IT department control over these devices being connected to company networks by individuals is creating a growing security problem.

"A lot of wireless access is being foisted on IT managers by the high powered executives who have just got the latest smartphone for Christmas and demand that they be able to use it to access their corporate email," said Alan Lawson, research analyst at Butler Group.

Growing popularity of wireless Lans
Evidence suggests that this 'bottom up' approach to wireless deployment is contributing to the fast growing popularity of wireless local area networks (Lans).

"Because the users who have wireless Lans at home are driving the need for wireless Lans in corporations, the security weaknesses of their small office/home office [SoHo] products have created the current wireless Lan security perceptions," said Mike Banic, director of product marketing at Trapeze Networks.

"SoHo products offer limited security with static Wireless Equivalency Protocol [Wep] implementations that are rarely enabled. To overcome the weak security of static Wep, early implementations included virtual private network connections over the wireless Lan."

Lawson highlighted the broadcast characteristics of wireless Lans, which can make network access available outside a company's offices, as a key issue.

"The problem we have is that most network administrators cannot provide effective security for fixed infrastructures, so the problem is much greater with wireless technology as a hacker could just walk into the area around the company's network," he said. "Witness incidents such as drive-by spamming. It creates a tremendous problem."

Barrett agreed that securing wireless Lans should be treated as an imperative. "Wireless gives you more opportunity to mess up from the perspective of the organisation," he explained.

"And there are issues for the remote workers themselves. With a wireless network signals are broadcast outside the office so the issue is that a hacker with a transceiver can pick up this medium and, if security is not strong enough, authenticate themselves on that medium. Then they can piggyback the legitimate connections."

Banic argued that wireless Lan security is rapidly maturing as today's enterprise products offer strong authentication using protocols such as IEEE 802.1X/PEAP that only permit legitimate users onto the network.

He added that these systems also support dynamic encryption keying to try and eliminate the possibility of a hacker breaking the cryptography by capturing a serious of packets to determine the value of the static key.

Hackers target new platforms
As wireless Lan deployments are becoming mainstream, companies are taking the security issues more seriously, but next-generation mobile devices such as GPRS and 3G smartphones represent a growing threat as hackers begin to target the platforms.

"As 2.5G and 3G networks become part of our everyday life, hackers and virus writers will launch attacks that exploit these new technologies," said Arvind Narain, senior vice president at McAfee Security.

The company predicts that, as more mobile devices begin to run PC-like software, malicious users will find it easier to attack these systems.

However, while acknowledging that such devices could be used by hackers, Barrett pointed out that there is currently no evidence of real-world instances of security breaches via smartphones.

He advised that, whatever the device being used to connect to the network, it is the actual nature of the connection that must be secured.

"The issue with opening up an access point is firstly to make sure that it is not a back door," he said.

"These connections should not go directly onto the corporate backbone. They should go to a separate, dedicated demilitarised zone and usually the most secure access should be through a secured extranet or virtual private network."