Mobile devices have long since moved from nice-to-have to a requirement for existence. The glue that holds this mobile experience together is the wireless network.
Driven by consumer demand, the ability to connect and wirelessly access your data has become a common requirement in shopping, dining, lodging, and pretty much everything else. The expectation for wireless access is as common as the expectation for access to a restroom or water. The inherent problem is the ease of connection, defined as the easy access to wireless networks, often at the expense of security.
The new normal is teleworking: wireless networking from home, a hotel, or other remote locations. To address this security dilemma, in June the National Security Agency (NSA) released a document, "Securing Wireless Devices in Public Settings," that addresses the risks of three kinds of wireless connection: Wi-Fi, Bluetooth, and near-field communications (NFC). The general recommendations for all three are standard cybersecurity actions focused on basic cyber hygiene: keep all software, including antivirus software, up to date with the latest versions; use multifactor authentication and WPA2-level encryption; and restart your system frequently. Other recommendations include ensuring your firewalls restrict traffic by whitelisting, along with other more technical suggestions.
One specific recommendation is to avoid free or public Wi-Fi hotspots, because these connections are easily exploited. Many public connections do not require any means of authentication, and the data is not encrypted. Many user vulnerabilities are self-induced, including out-of-date operating systems and antivirus software and a lack of multifactor authentication. These and other issues combine to make for an easy target to exploit.
Case in point: It is easy to deploy an illegitimate access point (an evil twin) that masquerades as a trusted access point; it can be battery-operated or disguised as another object. The user's device will seek the access point with the strongest signal; these are often illegitimate by design. If the assumption is that this is a legitimate public hotspot, there is also an assumption of trust. But the reality is that every keystroke, connection password, and file transferred can be copied.
This is a common technique for hacking systems in hospitals, office buildings, and universities. The challenge for the hacker is the setup; once the user logs in through the criminal's access point, the information from every transaction is copied and stored.
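A defender's view of the evil-twin pattern described above, as an added example that is not part of the original article or the NSA info sheet: it flags access points that share a network name with others but use an unlisted hardware address or weaker encryption, and notes when such an access point is also the strongest signal. The scan records, the `KNOWN` allow-list and the function name are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample scan results (not real captures); signal is in dBm.
SCAN = [
    {"ssid": "CafeGuest", "bssid": "aa:bb:cc:00:00:01", "security": "WPA2", "signal": -67},
    {"ssid": "CafeGuest", "bssid": "aa:bb:cc:00:00:02", "security": "WPA2", "signal": -71},
    {"ssid": "CafeGuest", "bssid": "02:11:22:33:44:55", "security": "OPEN", "signal": -38},
    {"ssid": "HotelLobby", "bssid": "aa:bb:dd:00:00:09", "security": "WPA2", "signal": -60},
]

# Hypothetical allow-list: BSSIDs the network operator has confirmed as its own.
KNOWN = {"CafeGuest": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}

# Relative strength of each security mode, weakest first.
RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}


def find_suspect_aps(scan, known):
    """Return (ssid, bssid, reasons) for access points that look like impostors."""
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)

    findings = []
    for ssid, aps in by_ssid.items():
        best_security = max(RANK[a["security"]] for a in aps)
        strongest = max(aps, key=lambda a: a["signal"])
        for ap in aps:
            reasons = []
            if ssid in known and ap["bssid"] not in known[ssid]:
                reasons.append("bssid not on allow-list")
            if RANK[ap["security"]] < best_security:
                reasons.append("weaker security than same-name AP")
            # A strong signal alone is not suspicious; it only raises the
            # priority of an AP that already failed one of the checks above.
            if reasons and len(aps) > 1 and ap is strongest:
                reasons.append("strongest signal for this SSID")
            if reasons:
                findings.append((ssid, ap["bssid"], reasons))
    return findings


if __name__ == "__main__":
    for ssid, bssid, reasons in find_suspect_aps(SCAN, KNOWN):
        print(f"{ssid} {bssid}: {', '.join(reasons)}")
```

An empty result does not prove a network is safe, since an impostor can copy both the name and the security mode of the real access point.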
The remedy is to use your own hotspot; this can be through a cellular phone or a portable hotspot device. The hotspot acts as a personal mobile access point, where you establish secure access through a password and where the transactions are encrypted, ideally at WPA2 or better. Hotels or other businesses will often offer access through their wireless network; these are better options than open or public Wi-Fi. These options allow you to set your own password or use a random password other than the room number. However, it is hard to determine absolute security.
The info sheet recognizes that there may be times when a personal hotspot is unavailable, and there is no other option than to use a public hotspot. In this case, the best option is to use a secure virtual private network (VPN). Of course, this is not something that a remote user can set up; it is an option that must be built and provisioned in advance.
The NSA also recommends that your user profile is not the system administrator; that you only access secure websites (where the URL starts with https); and that you restrict your activity on these open networks -- do not transmit or access sensitive information, and avoid shopping or financial transactions.
When on these networks, act as if someone you do not trust is looking over your shoulder and recording your activity. When you're done, close out your activity, forget the access point, clean out the web browser cache, and restart the computer. These last precautions are to remove any threats that may be in memory.
For Bluetooth and NFC, the specific recommendations are to ensure that only approved devices are connected, disable the connection, turn off discovery mode when not in use, and -- if possible -- whitelist connections. For NFC, the issue is distance, as it only works at short distances (about 8 inches). As it is used for credit card transactions, turn it off when not in use.
The general security requirement for all three connection classes is the same. Essentially this boils down to four key points: make sure all your software is up to date, use antivirus software, use multi-factor authentication, and encrypt your data. To secure your systems, start with the easy stuff first.
With 30 years of experience in information technology, Mike Olivier brings his expertise to small-business System Security Planning with San Diego-based 171Comply. As a small business owner working in the federal space both as a prime contractor and as a subcontractor, he understands the realities of running a small business. Contact Mike at firstname.lastname@example.org.