Each January in Las Vegas, the Consumer Electronics Show (CES) offers a peek at next year's hottest high-tech gadgetry. As CES 2010 attendees gazed longingly at Internet-connected 3D TVs, automobiles, and e-Readers, we couldn't help but ponder their security implications. Because forewarned is forearmed, here is our Top Ten list of potential risks that enterprises should consider and a few new counter-measures.
10) Lost devices
Enterprises are already painfully aware of the risk associated with lost laptops. With this year's bumper crop of netbooks, smartbooks, and smartphones, that risk grows. From the Google Nexus and Motorola Backflip to the Lenovo IdeaPad U1 Hybrid and Freescale Smartbook Tablet, we're talking lighter, thinner, and even easier to lose. But we also spotted a creative counter-measure at CES: Zomm's "wireless leash" for Bluetooth-enabled devices. Stray too far from your device and this key-fob vibrates. In a pinch, the Zomm can also answer incoming calls or dial 911.
9) Wireless espionage
Wireless cameras are made with good intentions, but these tiny tykes have grown so inexpensive and easy to deploy that potential abuse must be taken seriously. Consider the Avaak Vue Personal Video Network ($299), a self-configuring mesh of 2.9 x 1.0 x 2.1-inch wireless cameras that transmit ten minutes of video per day for an entire year on a single battery. Real-time feeds are relayed by a paperback-sized gateway across the Internet to your iPhone. The time has probably come for enterprises to be on the look-out for unobtrusive wireless cameras installed without authorization.
8) Location leakage
Location-awareness has become standard on 3G/4G/Wi-Fi devices, driving a surge in apps that leverage this knowledge. Many location-based services were demonstrated at CES 2010, from vehicle navigation to apps that help friends find each other. Such services can be a double-edged sword: essential to support certain business activities, but possibly "leaky" if used without IT guidance. For example, Root Wireless announced a free smartphone app that "crowd sources" location and usage data from volunteers to generate detailed carrier coverage maps. Enterprises can tap this data to pick the best carrier(s) for their workforce, but they should also be concerned about workers sharing business smartphone locations with any unauthorized third party.
7) Safer backups
The good news: Backing up a laptop (or netbook or smartphone) onto portable or cloud storage has grown almost trivial. The bad news: With co-mingling of business and user data, the risk of business data ending up on unmanaged USB drives and third-party servers is growing. But we're also seeing more consumer-accessible encrypted data backup solutions. Take CMS BounceBack, a transparent continuous back-up app that copies laptop or netbook files onto 256-bit AES-encrypted storage. Consumer backup products are no substitute for enterprise backup of managed devices, but it couldn't hurt to encourage employees to use encrypted backup for personal devices.
6) Social networking on steroids
Enterprises are already battling social networking threats, from attacks that target IM apps to phishing on sites, such as Twitter and Facebook. At CES 2010, it was abundantly clear that social networking is no longer limited to PCs and phones. From TVs and home media servers to e-Readers and Blu-Ray players, just about every device with an Internet connection and UI has jumped on the social networking bandwagon. Safer browsers and host-resident anti-phishing measures won't protect these users. Teach employees to avoid social networking security pitfalls on any endpoint device by using common sense and network-based phishing filters.
5) Digital living vs. data leakage
Devices that use the Digital Living Network Alliance (DLNA) standard to discover, connect, and communicate with each other were plentiful at CES 2010. It's never been easier to share videos, music, photos, and other digital content on your home network. Alas, that means that leaking data stored on corporate laptops connected to home networks has also grown easier. Remember when IT learned to block NetBIOS on home networks, while permitting exceptions for network printing or office file sharing? It's time to work DLNA protocols into that paradigm, so that corporate laptops can reap the benefits of DLNA safely or block them entirely where appropriate.
4) Malware inside the (home) firewall
As a broader variety of networked consumer electronic devices are deployed inside home networks, they could become a large and undefended target for hackers. After all, Skype-enabled TVs and Netflix/Amazon/Pandora-capable DVD players don't run anti-malware. And networked CE products often have unsecured Web GUIs or undocumented admin ports that could potentially be exploited. Educate employees to beware of future attacks that might originate from such products "inside the firewall" -- for example, don't configure laptop or netbook firewalls to trust your entire home subnet, and always firewall Wi-Fi-enabled smartphones.
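The two preceding items both come down to one host-firewall policy for a corporate laptop on a home LAN: don't trust the whole home subnet, carve out the few exceptions (network printing) that IT already permits, and fold DLNA into the same NetBIOS-style block list. The script below is an added example, not code from the article or from any product named in it. It assumes a Linux laptop using iptables, a home subnet of 192.168.1.0/24, and one approved network printer at 192.168.1.20 (all constructed values; override them through the environment). DLNA discovery runs over UPnP's SSDP protocol (UDP port 1900, multicast group 239.255.255.250), which is the concrete thing a host firewall can block.

```shell
#!/bin/sh
# Added example: host-firewall policy for a corporate laptop on a home network.
# Assumptions (not from the article): Linux with iptables; home subnet, printer
# address and iptables binary are placeholders overridable via the environment.
HOME_NET="${HOME_NET:-192.168.1.0/24}"   # constructed home LAN
PRINTER="${PRINTER:-192.168.1.20}"       # constructed approved printer
IPT="${IPT:-iptables}"

# The weak policy the article warns against: one rule that trusts every host
# on the home subnet, TVs, DVD players and wireless cameras included.
weak_rules() {
    echo "$IPT -A INPUT -s $HOME_NET -j ACCEPT"
}

# Hardened policy: default-deny inbound, allow only stateful replies and
# loopback, block DLNA/UPnP discovery (SSDP) in both directions, block NetBIOS
# and SMB from the home LAN, and permit printing to the one approved printer.
hardened_rules() {
    cat <<EOF
$IPT -P INPUT DROP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp --dport 1900 -j DROP
$IPT -A OUTPUT -p udp -d 239.255.255.250 --dport 1900 -j DROP
$IPT -A INPUT -s $HOME_NET -p udp --dport 137:138 -j DROP
$IPT -A INPUT -s $HOME_NET -p tcp -m multiport --dports 139,445 -j DROP
$IPT -A OUTPUT -d $PRINTER -p tcp -m multiport --dports 9100,631 -j ACCEPT
$IPT -A INPUT -s $HOME_NET -j DROP
EOF
}

# Count how many rules in a policy explicitly accept traffic from the home
# subnet; the hardened policy should have zero such rules.
home_accept_count() {
    "$1" | grep -c -- "-s $HOME_NET -j ACCEPT"
}

# Usage: ./homefw.sh show   (print the hardened rules)
#        ./homefw.sh apply  (apply them; needs root)
case "${1:-}" in
    show)  hardened_rules ;;
    apply) hardened_rules | sh ;;
esac
```

Where a business case exists for "DLNA safely", the pattern is the same as for the printer: keep the SSDP and subnet-wide drops, and add a narrow outbound ACCEPT toward one approved media device rather than reopening the subnet. Running the script with `show` lets IT review the generated rules before anyone applies them.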
3) E-Reader explosion
CES 2010 was a debutante ball for the e-Reader, including compelling new products such as the Plastic Logic QUE ProReader and Spring Design Alex. IT departments should be on notice: Employees will carry these new e-Ink tablets into the office and connect them to corporate networks via Wi-Fi. The QUE ProReader even synchronizes with Outlook calendar entries and e-mail. So add e-Readers to your company's list of employee-liable mobile devices to evaluate and safeguard.
2) 4G hits the road
This also seems to be the year for mobile 3G/4G routers. New "personal Wi-Fi hotspots" include Sprint's Overdrive 3G/4G Mobile Hotspot router by Sierra Wireless. For automotive enthusiasts, there's the Ford MyTouch, which turns your dashboard into a Wi-Fi hotspot when paired with any 3G/4G USB adapter. What do these high-speed mobile hotspots mean for enterprise security? Not only are they yet another device to manage and secure, but they shatter the previously assumed one-to-one binding between cellular data subscriber and user.
1) Wi-Fi Direct
Of all technologies debuting at CES 2010, Wi-Fi Direct may have the most immediate security impact. Intel even garnered the CES "People's Voice Award" for their WiDi, where an Intel Core i5 laptop sent video over Wi-Fi directly to an HDTV. Unlike the infrastructure mode Wi-Fi used in enterprise WLANs, Wi-Fi Direct offers quick, temporary, peer-to-peer connections. Send a file to a printer. Share a photo with a colleague. Like ad hoc mode, Wi-Fi Direct bypasses AP or controller-based security policies. However, a Wi-Fi Direct device can connect simultaneously to an AP and peers.
According to the Wi-Fi Alliance, enterprise APs will be able to discover and close Wi-Fi Direct applications, inform all clients of rules governing Wi-Fi Direct, and remove a Wi-Fi Direct device from an infrastructure WLAN. Only time will tell how many (certified or pre-standard) Wi-Fi Direct products support those capabilities. In the meantime, enterprise IT should consider Wi-Fi Direct and develop policies for acceptable use.
As this list shows, a consumer-oriented show such as CES can be a useful arena in which to ponder the business implications of new products and technologies. Some of the above-noted risks may never come to fruition; others may take more than a year to materialize. But at least a few will (someday) have real business impact. So take this opportunity to look ahead, assess potential threats, and be prepared to act if and when that need arises.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 28-year industry veteran, Lisa enjoys helping companies large and small to assess, mitigate, and prevent Internet security threats through sound policies, effective technologies, best practices, and user education.