Forget the recent hype about about Chinese hackers — users and organisations should be securing mobile systems as a matter of course, so follow these tips to find out how
Reading current news and blog postings, you might think Chinese hackers are leading us to world's end, attacking our systems in ways never before seen in the history of computing.
This is an obvious overreaction. Attacks against information assets — government, corporate and personal — have been going on for some time. So why all the hype about the dangers of taking laptops to the Summer Olympics, using laptops in Chinese hotels, or carrying smartphones into Chinese public venues? The simple fact is, many users and organisations have blatantly ignored recommendations for protecting mobile devices, thus exposing themselves, their businesses, their customers, and often employees to harm.
Mobile devices in the hands of mobile workers are exposed to a variety of threats. Here's a short list:
Hotel wired networks are often wide open to eavesdropping by cybercriminals or other guests. Jacking into a network frequently equates to sending and receiving information over a single collision domain. This means all packets for a set of rooms, a floor, several floors, or even the entire hotel/motel are seen by all other systems on the network. Unprotected packets are prime targets for capture, analysis and data extraction.
Connecting to unencrypted hotel or other public wireless networks, sending sensitive information out into the ether, is a well-known problem.
Improper configuration of firewalls, or the total lack of an end-user device security perimeter, allows anyone, at any time and anywhere to use public networks to peruse private information on laptops, smartphones or PDAs.
Some unencrypted stolen or lost devices are a treasure chest of information, including passwords, customer and employee information, and user identity data. In large, chaotic venues such as the Olympics, it isn't difficult to lose a laptop or PDA.
Again this is not a complete list of potential attack vectors, but proper attention to these four issues reduces risk to a reasonable and appropriate level. The following steps are a good start in preventing information or system compromise:
Store only what you absolutely need This is the first rule of data leakage protection. Why carry around customer spreadsheets, financial data, or plans for a new product/service if you don't need them while out of the office? Absent Information can't be compromised.
Protect data passing over public wired or wireless networks The best way to prevent casual or directed packet snooping on public networks is packet or session encryption, even if encryption is limited to only traffic between the end-user device and a traffic encryption service provider on the internet. For ultimate protection, use only SSL connections to check email or access company information. When this isn't possible, online services, both free and for-fee, can fill the gap. Two examples are MegaProxy (fee-based) and AnchorFree (free).
Configure devices to block external snooping The first step in establishing a security perimeter around a device is configuration of a firewall. Personal firewalls are free on laptops running Windows XP or Vista. These solutions provide minimal protection against intruder compromise of your mobile system. More complete protection is available in security suites, such as those from AVG, McAfee or Symantec. Firewalls are also available for many handheld devices, protecting contact lists, email, and other sensitive information commonly found on PDAs and smartphones.The second step is configuring Bluetooth, on laptops and handhelds, to block all unauthorised access. Bluetooth threats and secure configuration information is found in Secure your Bluetooth wireless networks and protect your data. No laptop should be unnecessarily exposed because it lacks anti-malware protection.
Encrypt sensitive information on the device Laptop theft reports make it clear that many users and organisations haven't got this message yet. Laptop encryption doesn't have to drain your budget. Solutions such as TrueCrypt provide effective, free file and full-disk encryption. If you need a more centralised approach to key management, lost data destruction, or data recovery, online services such as Beachhead or more traditional systems such as PGP can help.
Back up critical information All business critical information should be copied to an alternate location. Even mobile users, who might not connect to the company network every day, can be protected against data loss with online solutions such as Symantec's backup.com or with Amazon.com's S3 service, supported with client software such as Jungle Disk.
In addition to the above, practice standard system hardening practices — patching, shutting down all unnecessary services, and so on. In addition to following Microsoft's best practices, consider implementing some or all NIST (National Institute of Standards and Technology) recommendations and baseline template settings.
It shouldn't take warnings about Chinese hackers to push users and organisations toward secure mobile computing. Cybercriminals come in all shapes and sizes, and from all ethnic backgrounds. Securing systems isn't about thwarting what some see as the great cyber-threat in the East. It's simply the right thing to do.
