10 Tips For Securing Wireless Devices

The best defense for companies using wireless technology is a strategy that secures everything from the front-end to the back-end. Yet “end-to-end security” can mean many different things to different enterprises.

That's why the first step before investing in firewalls, encryption, virus detection, spam blockers or any other such hardware or software, is to define end-to-end security.

The trouble is, says Craig Matthias, founder of Farpoint Group, a wireless technology consultancy, is that there is no such thing as "absolute security."

Security Strategies Still EmergingSecurity for wireless devices is still in its infancy, and luckily so are hacker attacks against the devices. But security must become a priority as enterprises become increasingly mobile, with executives and employees alike relying on wireless laptops, PDAs, BlackBerries and high-end cell phones to access enterprise networks. These devices boast multiple platforms and a variety of inherent security issues.

Though there has been some concern about “cross-pollination” of computing viruses--a virus from a cell phone infecting a computer and vice versa, the underlying technologies, at least at the present time, are still too different for this to occur, Hopen says. As the technologies continue to merge, however, it could become an issue.

Among the most common mistakes with wireless technology security, surprisingly enough, is not having any security at all, Matthais explains.

“What you need to do is secure your network to the point that the professional information thief will give up on his attempts to obtain [the company’s information],” Matthias says.

Here are 10 tips to get started on a good security strategy:1) Establish an overall security policy. This, says Alexander Doll, CFO and VP of business development for security software vendor PGP Corp., based in Palo Alto, Calif., should include not only what end-to-end security means for the company, but also lists out the responsibilities for security upgrades, permissions for accessing the network with wireless devices, building security, account access, etc. The security policy should also cover how the enterprise deals with an actual or attempted security compromise, notes Chris Hopen, CTO at Aventail, a VPN vendor based in Seattle, Wash.

2) Encrypt anything of value on the network. This includes customer data, company information or anything else that could hurt the company directly or indirectly if it gets into the wrong hands. That way, if a salesman loses a laptop or it is stolen, the customer contact information or other intellectual property has no value to the finder/thief. Don’t expend resources encrypting everything, however. A 128-bit encryption key is considered unbreakable, though shorter keys may be acceptable for less critical data. There’s no need to encrypt the company’s cafeteria menu, for example.

3) The VPN need. Use virtual private networks with Secure Sockets Layer (SSL) for communication with remote devices. This enables anyone to access the company’s Web site, which doesn’t require SSL, but limits access to applications to those with proper authorization.

4) Limit access to files. While a salesman might have need for historical customer information (name, address, previous purchases from the company), they likely have no need for the credit card number, which may be the responsibility of the accounting/billing department. So the salesman shouldn’t be able to access those files or databases. A technician may need to access hardware information to service an installation, but may have no need for customer relationship management details.

5) Use endpoint scanning technology. This identifies what wireless and wired devices are accessing the network and determines whether they have the authorization as well as proper security (e.g., updated Windows patches, no known viruses). More security threats can come from unprotected remote devices (e.g., laptops), which pick up viruses while used remotely then access the network, than from outside hackers. As a user, rather than the enterprise, often owns the devices the company doesn’t automatically perform security updates. A related major security mistake that many businesses and individuals make is allowing anyone to have access to a wireless device, says Matthias. So every wireless device should include some type of “challenge,” like a PIN and password to allow access, and should include automatic timeouts after a specific period of time of non-usage.6) Employ WPA or 802.1x technology in WLANs. This technology requires a user to use an authentication key to access the wireless LAN. The newer 802.1x technology is designed to be used in enterprise environments where both wired and wireless networks might be present.

7) Test, test, test. Testing is mandatory to ensure that security works as expected. This includes having trusted people (or third parties) attempt to hack into the system with a remote device and ensuring that authorized people can continue to access the network as desired.

8) Employ two-step authentication. For the best protection, this means more than a PIN and password. Typically, it's a combination of something a person knows (password) with something he has, like a token. Some 60 percent of Aventail installations include security tokens, Hopen says. If a company is small and has only a few people who need authorization, then it might want to consider using pre-shared keys. Larger enterprises should rely on tokens that change the keys on a predetermined basis. Hopen, for example, carries a token on a key chain that changes the key every 60 seconds.

9) Audit/monitor results. This is important not only from a security standpoint, but also for Sarbanes-Oxley compliance, Hopen points out.

10) Understand security is an continual process. IT leaders and all staff must realize that security is an ongoing process, not a one-time event. As Matthais notes, “You’re never done” when it comes to network security.0