Lagging technology means that the new generation of smartphones and wireless-networked handheld computers are likely to be the weakest link in companies trying to protect their networks.
IT managers attending the Compsec 2001 conference in London's Queen Elizabeth II conference center on Wednesday were told that protecting the perimeter of their networks is likely to become almost impossible as wireless devices become more popular among employees. Instead, IT managers should concentrate on protecting individual digital assets--an in-depth defence approach.
Graham Titterington, senior analyst at Ovum, said there are still major problems with connecting wireless networks to wired networks, caused chiefly by the business need getting ahead of the technology.
"There is a particular problem with devices using the 802.11 wireless network standard," said Titterington. "The encryption is easily broken, and once broken can provide easy access to corporate networks for anyone listening in."
Furthermore, if a wireless gateway is located on the corporate Ethernet network, then that network will broadcast all the data passing through it over the airwaves. "If someone cracks the encryption, they can intercept everything," Titterington added.
Titterington also noted that the theoretical weakness at the WAP gateway, where two protocols have to be splined, could also be a problem in future.
But the immediate points of vulnerability are the mobile devices themselves--including notebooks--which tend to be poorly protected and which often contain sensitive but unencrypted data. "These things are very easy to steal, and while they have a limited use in enterprises, as they become more powerful the danger to corporate networks will become very real."
Thames Valley Police recently reported a leap in thefts of laptops in their area, where some of the UK's leading companies are located. A total of 1,137 laptops--valued at £1.8m--were stolen, largely from cars, in the year to May.
The simple advice, said Titterington, is to be "very careful indeed" when connecting wireless networks to wired networks. "From the business side, there is growing need for communication with mobile employees, while the vendors keep offering increased bandwidth, but somewhere between the two security has rather been lost in the gap."
And more weaknesses will appear in the networks as phones become vulnerable to viruses. "Until just recently, phones were immune from viruses simply because they didn't have the power to host them, and PDAs were immune because they were not connected. Now the two are merging the risk of viruses getting into a corporate network this way is increasing."
But, said Titterington, the solution is not to stop people doing things, but to adopt the new philosophy of corporate security. "In the old days security used to be about defending the perimeter of an organisation and keeping people out. That doesn't work now." Companies now want people at least to visit their Web sites, and e-business is often collaborative. "In that situation even identifying perimeter of enterprise is near impossible, let alone defending it."
"The solution is to defend individual assets. Build firewalls around individual servers, encrypt individual databases."
Titterington's comments were echoed by Symantec's managing director for Northern Europe, Aled Miles. "In the old days of security it was them (outside the organisation) and us (inside). Now those lines are getting fuzzy. If you want your house to be safe, you could bury it underground, bar all the doors and windows and not let anybody in or out," said Miles, "but that's not what most people want". Miles advocates risk assessment of individual assets: "Ask yourself, what really is the one asset that if it fell over your business would stop?"
Miles recounted the story of one chief information officer at a Fortune 100 copmany whose network suffered for three days after being hit by the Nimda worm. "He told his staff 'this must not happen again.' But you know what--Nimda will happen again. The trick is how you protect you assets and how you manage those assets when the next Nimda does strike."