Keep Hackers Guessing: Protecting Corporate Information While On The Go

Transcription

1 Keep Hackers Guessing: Protecting Corporate Information While On The Go Proactive tips for wireless information security for traveling professionals. In today s world where WiFi hotspots are available in every hotel and airport, corporate business travelers can easily fall prey to hackers just by checking or surfing the Web. Hackers are constantly seeking out innovative methods to exploit ignorance of this rapidly evolving technology. Proprietary and competitive intelligence information can be leaking from employee mobile devices through public WiFi if potential adversaries are nearby. Although hackers typically phish for interesting information as opposed to directly targeting an individual or organization, if the information is visible it could end up in the wrong hands. What s more, if a wireless device becomes infected with malware from a bogus link or network, then it could go on to infect company drives when the device reconnects to the corporate network. Protecting sensitive information and mobile devices while connected to public, unsecured networks requires taking a proactive approach. Learning some basic security maneuvers can help to avoid a number of these pitfalls. This white paper outlines useful information security tips to help keep users free of common wireless device breaches and attacks. This is not an exhaustive list but rather meant to discuss trending information. Connect With Caution Staying connected to the office is a must for busy professionals, making public WiFi use almost unavoidable. It seems convenient, especially if WiFi is free or made available in-flight on a long international trip. And it is almost certainly convenient for the nearest hacker to eavesdrop on personal or corporate information. In an interview with USAToday.com, the CEO of Errata Security, Graham Whether noted, If you re using WiFi in a public place and you re not getting hacked, it s only because there s nobody around bothering to do it. Hackers have a number of reasons for sniffing wireless traffic from phishing for interesting information to targeting a particular person or organization. Either way, there are a number of common mistakes users make that can create opportunities for would-be adversaries. Connecting to home and company WiFi networks feels safe and many people do not consider that public WiFi and even hardwire connections must be treated differently. Public WiFi

2 hotspots are a hotbed for hackers to sniff Web traffic. Hackers can easily create a rogue access point (rogue AP) to scan others Web activity by mimicking or creating public WiFi networks anywhere from hotels to airports. Therefore, users must be proactive and put up defenses when connecting on-the-go. Common convenience features of many popular Websites are also to blame for security breaches. For example, the option to keep me logged in saves a cookie on the device and can invite hackers to capture username and password data in public settings using malware, according to the IT security publication, CSOonline.com. They can then impersonate the user online with the information captured. In addition, the security of information sent over mobile devices is a growing concern as the use of smart phones and tablets eclipse PCs for busy travelers and corporations attempting to keep field sales representatives connected to the office. And since wireless companies no longer offer unlimited data plans, users are encouraged to seek WiFi access to cut down on data usage costs. Fishnet Security reported that 35% of companies using mobile devices name them as the biggest threat to the organization s data. Many users do not consider the potential risks associated with accessing company on mobile devices. And the growth in this sector means hackers are constantly looking for new ways to breach these devices as well. A few simple tweaks will help keep corporate and personal data protected from hackers, such as turning off certain device features when not in use, managing Web browser options, cookies and passwords, and ensuring sensitive data is encrypted. Stop Signaling Disable WiFi and Bluetooth Capabilities Each computer and mobile device has a unique identifier known as a MAC address. WiFi and Bluetooth technology use MAC addresses to connect with compatible devices. When a device s Bluetooth and WiFi connection capabilities are turned on, the MAC address is detectable by nearby hackers. Hackers can use the MAC address to identify or remember devices without the victim s knowledge each time they are within range of a network again, allowing them to track the user and their activities, wirelessly. Recommendation: Disable WiFi and Bluetooth capabilities when the service is not in use. If a hacker finds interesting information the first time, it s likely they will try again the next time the user is within range. Delete Old Networks from the WiFi List Wireless devices remember networks they have been previously connected to. Laptops and mobile devices constantly seek to reconnect to these networks, even if they are no longer within range, basically beaconing work and home network names to anyone who is listening. A rogue AP can trick a device into connecting to a "known" network or one in its list that is actually a hacker, opening the user to an attack. Once the hacker has access to the user s device, a number of breaches are possible, from capturing sensitive information to disseminating 2

3 malicious software onto the device. What s more, malicious software can infect corporate networks once the user returns to the office with the compromised device. Recommendation: Unless currently connected to a particular wireless network, the network should be cleared from the device s memory. Use the device's feature to "forget this network," if available, so it doesn't constantly seek reconnection. Surfing Safety Use VPN to Protect Data The risk of hackers sniffing sensitive corporate data, and personal financial information over public WiFi is ever present. Even the odd hardwired option, unless owned personally or by the corporation poses risks. For this reason, many companies require that employees use VPN or Virtual Private Networks when connecting to company networks from another location. VPNs tunnel through to company networks, encrypting data transmitted over the Internet. Hackers will reach for low hanging fruit in public settings and if VPN is in use, then adversaries will likely move on. According to the publication eweek, company IT staff may prefer that you use the VPN for non-business traffic [as well], rather than bring a virus into the office. Recommendation: Use company VPN whenever possible, even on mobile devices that are used to access corporate . There are also a number of options such as OpenVPN to setup personal VPN services. Use SSL on Websites When Possible Regardless of the Website, it s a good rule of thumb never to pass login credentials over the Web without using SSL (Secure Socket Layer). If a username and/or password are sniffed from one Website, they can be used to hack into other sites such as online banking sites. SSL encrypts data transmitted over the Web so hackers can t monitor activity. Recommendation: Many sites now offer SSL as a default login method. The URL bar should display https before the name of the Website. In addition, a Chrome extension called HTTPS Everywhere is available to fix any gaps in information security. According to the maker it encrypts communications with many major Websites, making browsing more secure. If using login credentials on unsecure Websites which is not recommended ensure your password is strong and complex, and change it regularly. Use Secure Mail When Possible No one should have access to besides the sender and recipient(s). s travel a long distance, across many different servers to reach their final destination. And all is susceptible to interception, and in some cases, eavesdropping along the way. PCWorld.com remarks that encryption software such as PGP (Pretty Good Privacy) and S/MIME is like a virtual envelope for your messages, ensuring they make it to the intended recipient without being snooped. They encrypt messages and provide a key that will translate the 3

4 message into plain text for the intended recipient(s). Most notably, governments and hackers themselves use methods such as these to secure their own . Recommendation: Never, under any circumstances, log into without a secure connection like SSL when using Web based programs such as Gmail or Yahoo. Users should take the time to research which encryption method such as PGP or S/MIME will work best for their purposes or the organization. Personal S/MIME certificates are free. PGP key creation is more complex and therefore, less vulnerable to attacks. However, this may take some effort on the part of IT to setup. Passwords Management Virtually every Website requires a password nowadays, and it can be overwhelming to remember them all. This leads to using the same password for multiple sites and using simpler, easier to remember passwords. And as noted above, users are also likely to choose the keep me logged in option on several Websites, which opens them up to vulnerability in pubic WiFi settings. Recommendation: Invest in a password management service like LastPass or 1Password. Essentially, users enter login credentials for any password protected Websites into the password management service and the service does all the remembering. Users then log into the password management service to safely access password protected sites going forward. Passwords can be as complex and varied as they should be and users will only have to remember the login for the password management service. Some services now have mobile device capabilities as well to keep users protected on all devices. LastPass has a free option and 1Password has a reasonable onetime fee. Browser Management Clear Caches and Browsing History Online activities can easily be traced by examining browser history. For those traveling abroad, foreign intelligence services may find valuable information in browser history, for example. Caches speed up browsing experience by keeping local copies of Websites visited on the device. If a site is malicious in any way, a copy will remain stored on the device unless the cache is cleared. Recommendation: Clear caches and browsing history automatically after every browser session. Clear and Change Downloads Folder The downloads folder is a catch-all location for all downloads to any device. It also is a treasure trove of online activities and interests for anyone snooping around. Recommendation: Keep potential adversaries guessing by clearing out downloads folders. Change the default downloads folder to something more appropriate or configure the browser to prompt the user for a folder location before each download. 4

5 Disable Java in the Browser Java is one of the most reliable exploit vectors on the Web. It allows hackers and malicious Websites to infect browsers and write files to a victim s hard drive. This is another situation in which the compromised device can infect company drives if connected. Java is such a security issue that Apple doesn't even include it in Safari. Recommendation: Turn Java off when in public WiFi settings or remove it completely. Install Chrome Extensions for Tracking Privacy Online activities are constantly tracked by Websites and governments, especially social media sites, even after the user is no longer on the site. The information at the very least is used to solicit to users based on surfing habits. There are a few extensions for Chrome (and other browsers) that will help limit your digital footprint. However, Chrome is regarded as a browser with less vulnerability when proper precautions are taken. Recommendation: Chrome offers a number of excellent privacy and non-tracking tools you can install, such as Disconnect, Do Not Track Me and Ghostery. Some have more robust features than others, so it will be a matter of preference. Best Practices for Cookies Cookies track online activity. They offer up specific ads based on users surfing habits. They also allow Website logins to be saved and shopping carts to remain populated when the user navigates away from and subsequently returns to certain sites, like Amazon. They also arguably help legitimate Websites improve user experience, so there is some debate about turning off cookies or using extensions that block them. However, cookies can allow login credentials to be hijacked or sidejacked by which a hacker uses software such as Firesheep to gain access to a user s account and can therefore, go on to get other information and logins. Recommendation: Select browser settings and either turn off cookies entirely or limit their storage to when the browser is closed. Ultimately, it will be a matter of preference once again, but be aware of this vulnerability. Note: Some recommendations may require the assistance of the organization s IT department if company policy does not allow employees to have administrative privileges on laptops or other wireless devices. The Big Picture Anyone who really wants the information likely knows a way to get it. More advanced network and device security measures such as full disk encryption and protocols for transferring sensitive corporate files may also be worth considering for organizations that deal with highly sensitive data or a high volume of international travel. 5

6 These proactive measures are a good start to basic information security on-the-go. Remember that many of these recommendations apply to mobile devices as well as laptops, so check smart phone and tablet settings to ensure that all devices are ready for travel. For more information on how to improve corporate information security contact Cipher Systems, LLC at As a full service competitive and market intelligence consultancy, Cipher offers custom strategic research, management consulting and award-winning, customized intelligence software systems. Our team of experienced and talented staff helps business professionals produce actionable corporate intelligence and make better decisions across industries Riva Road, Building th Floor Annapolis, MD Tel: / Fax: info@cipher-sys.com 6