TECHNOLOGY
Would you like that data to go?
Wireless access without proper security opens agencies up to greater risk
By John Chivvis
Open wireless connections and poor security practices can cost an agency.… Network security and wireless security must work hand in hand.
It may be happening right now.
A competitor, maybe even a former employee, is accessing your network, your management system—your data. That individual is running a report, and getting contact names and numbers, as well as expiration dates on policies, to begin “reaching out” to a new group of prospects.
This person may have never set foot in your agency, never touched your computers; he or she sat comfortably outside in the car in the parking lot, or in a nearby office or the coffee shop next door, getting all that data because you didn’t secure your network, your data and, most important, your wireless connection.
Brian Bartosh, president of Alpena, Michigan-based Top O’ Michigan Insurance (www.tomia247.com) and Tim Woodcock, president and CEO of the Davie, Florida-based Courtesy Computers, Inc. (www.courtesycomputers.com), know what open wireless connections and poor security practices can cost an agency. Both contributed to the Agents Council for Technology’s (ACT’s) newly released report, “The Independent Agent’s Guide to Systems Security: What Every Agency Principal Needs to Know.” (www.independentagent.com/act/).
Having been hacked once in the past, Bartosh knows the importance of security but knows others may not think the same way. “As part of the security working group [of ACT],” says Bartosh, “I’ve come to realize that there are so many security issues that insurance agents ignore, and if network security is open, then wireless opens it up even more.”
Bartosh, Woodcock, and ACT, as well as Gartner, Inc., a provider of research and analysis on the global IT industry, concur that network security and wireless security must work hand in hand. Gartner’s White Paper, “Winning in the Mobile and Wireless World,” suggests a three-pronged strategy for wireless security—protect the enterprise, protect the data, and protect the devices.
Tim’s Wireless Security Tips
Consultant Tim Woodcock offers the following reminders for the internal office wireless network (within the office perimeter):
For mobile networking (cellular and “hot spots” outside of the office perimeter) Tim Woodcock recommends:
Protect the enterprise
According to Gartner, “Through 2006, 70% of successful WLAN (wireless local area network) attacks will be due to misconfiguration of WLAN access points and client software.”
It’s easy for Woodcock to believe the statistic because he has seen agencies that are statistics. “Not too long ago, we had an agency call us. They were noticing a big degradation and slowness in the network, and their tape drive was full to the point they needed two tapes.” He learned that the agency had recently bought wireless equipment and configured it themselves.
The problem? Woodcock says that the agency’s wireless access point was near the hallway so the business next door was using the agency’s network, servers, and tape drives to store and back up its files.
ACT’s first suggestion to agents who want to secure their wireless network is to simply position the access points in the center of the office so that the signal will radiate to the walls or windows, but not beyond. ACT follows that up with a recommendation that agents purchase equipment that can be updated as security flaws or holes are found. On both accounts, Woodcock suggests finding qualified professionals to help configure wireless access points, software and related equipment in order to customize the wireless solution specifically to the agency and the agency’s needs.
“Wireless, like any other access, needs to be utilized only where there is a legitimate business use,” says Woodcock. For example, Bartosh has wireless access in each branch location’s conference room so producers can connect when in the office. He also uses wireless to attach some scanners to the network because of where the scanner is located. However, wireless is not deployed throughout the building or for any of the desktops.
Woodcock says that “out-of-the-box” wireless solutions should be avoided. Instead, agents should take advantage of basic security features like enabling “wired equivalent privacy” (WEP) which is usually turned off as a default. Simply enabling WEP is not enough because default WEP keys are well known and easy to find on the Internet. Woodcock recommends changing WEP keys once a month.
An additional level of security is to change the default wireless network ID, called the service set identifier (SSID). As default SSIDs are also easy to crack, ACT recommends that agencies choose a new one with little or no meaning—and not the agency name. To help hide access points from snoopers, agencies can also disable the automatic “broadcast SSID” feature making wireless networks less accessible to those devices not entering the correct SSID.
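The recommendations above (enable encryption, change keys monthly, pick a meaningless SSID, turn off SSID broadcast, place the access point centrally) can be checked against an inventory of access-point settings. The sketch below is an added example, not part of the original article or the ACT report; the record fields, the agency name and the sample inventory are constructed for illustration.

```python
from datetime import date

# Sample of factory-default SSIDs (constructed short list, not exhaustive).
DEFAULT_SSIDS = {"linksys", "netgear", "default", "wireless"}
MAX_KEY_AGE_DAYS = 31  # the article's "once a month" key change


def squash(text):
    """Lowercase and drop everything but letters and digits."""
    return "".join(c for c in text.lower() if c.isalnum())


def audit_access_point(ap, agency_name, today):
    """Return the list of findings for one access-point record (a dict)."""
    findings = []
    # The article names WEP; the check is the same for any link encryption.
    if not ap["encryption_enabled"]:
        findings.append("encryption disabled")
    else:
        if ap["key_is_factory_default"]:
            findings.append("factory-default key")
        age = (today - ap["key_changed"]).days
        if age > MAX_KEY_AGE_DAYS:
            findings.append(f"key {age} days old")
    if ap["ssid"].strip().lower() in DEFAULT_SSIDS:
        findings.append("factory-default SSID")
    # Any distinctive word of the agency name inside the SSID gives it away.
    words = [squash(w) for w in agency_name.split() if len(squash(w)) >= 4]
    if any(w in squash(ap["ssid"]) for w in words):
        findings.append("SSID reveals agency name")
    if ap["broadcast_ssid"]:
        findings.append("SSID broadcast enabled")
    if ap["placement"] != "interior":
        findings.append("not centrally placed")
    return findings


# Constructed inventory for a hypothetical "Harbor Insurance Agency".
INVENTORY = [
    {"ssid": "linksys", "encryption_enabled": False, "key_is_factory_default": True,
     "key_changed": date(2005, 11, 1), "broadcast_ssid": True, "placement": "hallway"},
    {"ssid": "Harbor-Conf", "encryption_enabled": True, "key_is_factory_default": False,
     "key_changed": date(2006, 1, 2), "broadcast_ssid": False, "placement": "interior"},
    {"ssid": "q7-north", "encryption_enabled": True, "key_is_factory_default": False,
     "key_changed": date(2006, 2, 20), "broadcast_ssid": False, "placement": "interior"},
]

if __name__ == "__main__":
    for ap in INVENTORY:
        print(ap["ssid"], audit_access_point(ap, "Harbor Insurance Agency", date(2006, 3, 1)))
```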
“Basically, people like to poke around,” Bartosh says, reminding us of the proverbial bathroom medicine cabinet. (Who hasn’t been tempted to take an uninvited peek?) As an example, Bartosh points out that when he visits his daughter at college, he will pull into a local hotel parking lot and “poke around” to see if he’s able to access their wireless network to check his e-mail or take care of a few business matters.
Similarly, using a “sniffing” device that can cost as little as $10 or just walking around with a wireless-enabled laptop, growing numbers of people “war-chalk” or “war-drive.” This means they travel around checking for available wireless connections and then marking distances, signal strength, and access notes in chalk on the road or sidewalk outside the wireless access point.
Protecting the enterprise with basic security practices such as the ones mentioned above makes it more difficult for hackers, neighbors, or passersby to get in. “Sitting in the airport with my laptop, for example, I can see a number of open access points,” says Bartosh. “So make access difficult with a password or some other security measure.”
Protect the data
While protecting the data generally means having an automated backup solution in place, in the wireless agency setting it means setting up methods to encrypt or protect not only the data itself but also the data traffic from server to device.
Woodcock and Bartosh agree that the basis for protecting the data is still implementation of strong security procedures and IT practices. This includes password expiration processes, changing default or administrator IDs and passwords, and allowing access only to those who “need to know.” Woodcock reminds agents of the correlation between access and security when granting employees access: “Less is always more,” he cautions.
On the subject of passwords, Woodcock is quick to note that master passwords, or a lack of password changes, are a big risk. “How many agencies actually go in and delete or disable an ex-employee’s network access?” he asks. Many principals assume that since a former employee can’t get to his or her desktop anymore, he or she doesn’t have access. According to ACT, account/password deactivation is overlooked as much as 30% of the time by agencies.
“As soon as an employee leaves or is terminated, the first thing we do is to disable all of the individual’s accounts and passwords, restricting their access,” says Bartosh. “If they can still get in through a wired connection (because their account hasn’t been deactivated), then wireless makes it even easier to exploit the agency’s systems.”
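The deactivation step described above can be verified by comparing a departures list against the network account list. The following is an added example, not part of the original article; the CSV layouts, usernames, employee IDs and dates are constructed, and the exports are assumed to come from whatever HR and directory systems the agency uses.

```python
import csv
import io
from datetime import date

# Constructed sample exports: HR departures and the network account list.
DEPARTURES = """employee_id,last_day
1007,2006-01-13
1012,2006-02-03
"""
ACCOUNTS = """username,employee_id,enabled,last_login
privera,1007,yes,2006-02-20
privera-vpn,1007,yes,
lchan,1012,no,2006-02-02
jdoe,1020,yes,2006-02-27
frontdesk,,yes,2006-02-27
"""


def find_stale_accounts(departures_csv, accounts_csv):
    """Map username -> reasons the account needs attention."""
    last_day = {row["employee_id"]: date.fromisoformat(row["last_day"])
                for row in csv.DictReader(io.StringIO(departures_csv))}
    findings = {}
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        reasons = []
        owner = acct["employee_id"].strip()
        enabled = acct["enabled"].strip().lower() == "yes"
        if not owner:
            # Shared or "master" logins survive every departure.
            if enabled:
                reasons.append("enabled account with no named owner")
        elif owner in last_day:
            if enabled:
                reasons.append("still enabled after owner's last day")
            login = acct["last_login"].strip()
            if login and date.fromisoformat(login) > last_day[owner]:
                reasons.append(f"used on {login}, after owner's last day")
        if reasons:
            findings[acct["username"]] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in find_stale_accounts(DEPARTURES, ACCOUNTS).items():
        print(f"{user}: {'; '.join(reasons)}")
```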
It is also important to consider how the data will be stored. Gartner says that through the end of this year, “90% of mobile devices that contain enterprise data will have insufficient power-on protection and storage encryption to withstand casual to moderate hacker attacks.”
For Woodcock, storage encryption of folders and data prevents compromise, especially in an environment conducive to “eavesdropping.” ACT notes that agents should consider storing confidential or sensitive information in an encrypted format, “so that it is unintelligible to anyone other than the authorized parties with the key and processes to decipher the data.”
Protect the devices
Bringing mobile or wireless-enabled devices into the mix opens up an agency to an even greater potential of risk. As a third level of security, “Don’t assume that your devices (or their operating systems) are trustworthy,” reports Gartner. “Verify trust upon access and use.”
Woodcock agrees, saying that laptops or other mobile devices need to be authorized for use by the agency’s IT staff or principal. “Programs or processes need to be in place where devices are authorized for each user and specifically configured for the network,” he says, adding that these devices should also be part of scheduled maintenance, upgrades, and patches similar to their desktop counterparts.
“If you have a laptop with Wi-Fi capability, and you aren’t careful, you could turn your laptop into a gateway for others to access,” says Woodcock. ACT adds that hackers could then tunnel through the laptop’s connection past the firewall and into the agency’s network.
The laptops used by Bartosh and Top O’ Michigan’s producers all have personal firewalls and anti-virus solutions, and connect securely through a virtual private network (VPN) connection. As an added layer of protection, the “security automation agreement” that all of Bartosh’s employees must sign minimizes unwanted downloads, spyware, and other malicious programs which could compromise security by turning a private resource into a public one. With these in place, whether an employee is sitting with his or her laptop in a coffee shop, hotel room, client’s office or conference, to paraphrase Gartner, the employee controls the device, instead of the device controlling the employee.
Commonsense reminders
“Agents are beginning to use wireless more and more,” says Bartosh, which means that the comfort level with this new technology is growing. Whether it’s a wireless PDA, smartphone, Blackberry, laptop, or even systems that a wired connection can’t reach, without proper security in place to protect the business—the enterprise, the data, and the devices—agencies may not be opening up a “whole new world” but, instead, a veritable Pandora’s Box.
“For most agencies, wireless is probably the best thing since sliced bread, but out of the box, it’s nothing but an open pipe into your network,” says Woodcock. “It’s a competitive market out there, so why give anyone else access to your data?”
For Bartosh, securing the network—from without and within, wired to wireless—is just plain common sense. “When you leave for the day, do you leave the front door to your office wide open?” he asks. “You don’t do this to the other systems you operate, so why do you do it to the network?”
Author’s note: For many agents, the process of securing the agency systems seems like a formidable task. The Agents Council for Technology has published a report to the Web to help get principals on the right track. “The Independent Agent’s Guide to Systems Security: What Every Agent Principal Needs to Know” contains practical tips and basic information on topics ranging from identity management to wireless access to security breaches. The report also provides sample information security policies and a glossary of security terms. It can be downloaded from the ACT Web site at www.independentagent.com/act/.
The author
John Chivvis is a Texas-based writer who specializes in topics of technology implementation. His work has appeared in a number of national and regional publications.