Smartphones present new security threats for government agencies.
Wireless networks are nearly everywhere nowadays in the public sector. State and local governments nationwide have fervently pursued them for so long that it's unusual to find an agency or municipality with employees who can't access an office network on a wireless connection. And with smartphones becoming popular, the government wireless umbrella is becoming crowded with different types of access points -- some mobile, others stationary and all representative of in-demand technology that's transformed how government works.
Consequently state and local IT professionals must work diligently to keep up with the security challenges this sprawling technology causes.
In June 2008, Symantec released the Critical Connections report, which contained results of a survey conducted two months prior on information security priorities. Of the 600 participants, 200 were from state and local government, 200 from federal and 200 from the private sector. Only 24 percent of state and local respondents planned to increase spending on mobile security in 2008, even though 34 percent of them said mobile security was a critical issue. And only 52 percent of state and local respondents rated their organizations highly -- 8, 9 or 10 on a 10-point scale -- when it came to IT security. When asked to name their No. 1 security concern, 60 percent said they were most worried about data breaches.
And since keeping government data safe is their top concern, no doubt they're aware of one major challenge -- safeguarding local, employee-only private networks from the outside world.
Who's on Your Network?
"When you place a Wi-Fi access point, which is commonly called an AP, on the network, it's usually attached to the LAN," said Ira Victor, director of compliance for Data Clone Labs Inc., a firm that helps clients address information security challenges. "But because the Wi-Fi signal goes everywhere, it makes it open to the public even though it's on your LAN."
In this case, security managers must weed out unauthorized users. They need to identify what security level is necessary, determine who is an authorized user and create policies to ensure everyone understands the protocols.
"The most important requirement from a network access control perspective would be defining your policies for accessing your environment. That's really the prerequisite for any effective network access control," said Patrick Wheeler, Symantec senior product manager for endpoint security. This includes establishing what security software and configuration options should be on each computer accessing the network, how often antivirus and other software should be updated, and putting it all in the policy to drive compliance. "That's going to be the first requirement for best practices," Wheeler said.
Security officers should also plan and understand their objectives, he added. Do you want the same access control and security standards for employees as for contractors who might only access the network a few hours a day or week? If so, are these contractors using the same types of laptops mobile employees use? "Some organizations are going to want a very tight, locked-down network access control solution. For others, that might be overkill," Wheeler said. "I think understanding your priorities and objectives is really the next best step. The third thing that is really critical, is making sure there's coordination between the different people who are going to be affected by, and ultimately managing, a network access control solution."
Westchester County, N.Y., is centralizing the management of various pockets of wireless devices that have been deployed in different areas. Only employees can use the private network.
"We're trying to standardize the fact that if you're a county employee, and you access a particular wireless network or segment, credentials that you currently have as an employee are authenticated to allow you to get onto that particular network," said Lennox Harris, the county's network engineering manager.
Authentication means verifying users' identities before granting network access.
Westchester's authentication credentials include passwords, and the county issues laptops to employees that are configured by a desktop support group. The laptops have security software and authentication settings, so if remote employees use them, there's no chance they will compromise the network by accessing it with consumer-grade personal laptops.
Everyone knows about firewalls, but what are other security practices that help secure a wireless network?
"There's a whole bunch of things that you can do," said Mark Weatherford, executive officer of the California Office of Information Security and Privacy Protection. His office helps state agencies implement information security protocols.
Weatherford advises administrators create unique service set identifiers (SSIDs), or a network name. For example, in a Linksys network, the word "linksys" is the default SSID. It's a good idea to change it to something less obvious to ward off unwanted attention.
Administrators should also use media access control (MAC) address filtering, said Weatherford. The MAC address is a number that identifies a computer's network adapter. Each computer accessing a wireless network has a different MAC address. MAC filtering can deny network access to a computer with the wrong MAC address.
"Obviously encryption of the network itself is the most important thing that you can do," said Weatherford, who recommends using Wi-Fi Protected Access 2 (WPA2).
Wi-Fi Protected Access (WPA) technology encrypts data at an advanced level and establishes strong access controls and user authentication. Weatherford said WPA has stronger encryption algorithms than the Wired Equivalent Privacy tools found on many wireless networks. He recommends employees develop strong passwords and change them often.
"Ideally from a mathematical standpoint, a good, strong password is 20 characters, and you could make a sentence and make it a pass phrase, so think 'pass phrase' as opposed to 'password,'" Victor said.
But IT managers might breathe a little easier if their employees entered more than just passwords to access the network. Additional authentication methods include: something a person knows, like a password or identification number; something a person possesses, such as a card ; or a unique physical characteristic, for example, a fingerprint, voice recognition or other biological identifier.
Some of these methods might be too techie, costly and complicated for many state and local governments, but protecting citizens data is important.
"We have a higher moral obligation perhaps than the private sector does because our public constituents really can't decide to opt out of whether they do business with the government or not," Weatherford said. "They have to do business with us, whether it's providing information to the department of motor vehicles or tax information. They can make a decision whether they want to walk into X bank and conduct their banking transactions or walk into a store and buy their groceries."
Anyone interested in protecting wireless networks should remember the tiny mobile computers many people carry -- cell phones. If someone uses an application on a handheld device over a wireless connection, they're potentially putting sensitive information at risk. With so many people using wireless devices, the chances of this happening are skyrocketing.
In 2006, FierceWireless, an online publication about wireless news and trends, partnered with Bluefire Security Technologies to survey 1,800 smartphone and wireless device users nationwide. These users comprised workers from various sectors, including government. More than 80 percent said their organizations' handheld device usage increased during the past two years. Sixty-seven percent of respondents said they worried about Web access security via their smartphones, and 70 percent said their top wireless security concerns were viruses or attacks on corporate networks and the security of data during transmission over wireless or cellular networks. Forty percent were concerned with loss or theft of wireless devices.
Mobile phones can access private networks via the Internet just like laptops, and both devices can be compromised by viruses. A cell phone can be infected with technology that lets a malicious third party see and hear what the user sees and hears -- work meetings, text messages and phone calls are vulnerable. Because cell phones are so small, they are easily lost; a stranger can pick up a government-issued phone that's dropped on the ground and access the data.
"The users themselves still think of these devices as phones. They don't think of them as the computer that sits on your hip," said Paul Miller, Symantec managing director of mobile security. Consequently the same suspicious activity malware found on people's desktops might go unnoticed on their phones. "They're more apt to dismiss it or accept it because they don't think of these things as computers."
But they should. It's a good idea to put security software on phones and PDAs. Manage the cell phone under the same network access control policy that governs "regular" computers. Give cell phones password protection, antivirus software and consider monitoring activity with mobile device management (MDM) software. MDM software allows remote management of mobile devices -- most of these solutions focus on PDAs and smartphones.
Keep in mind that as computing and mobile technology evolves, security in all areas, including the wireless world, will undergo periodic changes.
"It's an art, not necessarily so much a science," said Westchester County's Harris about network security. There are many options, and the best ones depend on budget and type of network. "You have to see where you are in your particular growth in your network and see what changes need to be made."