Use of VPNs will be key to success of public wireless hotspots
The ability to work while on the go is perhaps the single most important feature of portable, internet-connected devices to business users. However, according to InformationWeek, the open-access networks frequently used by mobile workers provide little to no data security.
Commonly installed in public locations, like coffee shops, airport terminals and hotels, public Wi-Fi connections are juicy targets for potential identity thieves and corporate spies, the publication said.
"It's trivially easy to snoop on unencrypted protocols and perform traffic analysis with Wireshark or a similar network protocol analyzer, or hijack browser sessions with a plug-in such as Firesheep. Public networks are also fertile ground for man-in-the-middle attacks, in which a rogue access point diverts all your traffic through a hacker's PC, where it can be captured, analyzed and mined for passwords and other sensitive information," according to the news source.
Rogue access points can even be configured to take advantage of auto-reconnect features for WLAN connections, so when a laptop scans for known networks, like those belonging to an employer, the malicious system mimics the appropriate SSID and tricks the device into connecting, the publication added.
For those simply looking to browse the web in order to kill some time, this might not matter too much - as long as they don't log into anything like online banking or email accounts, since the rogue AP can easily log usernames and passwords. However, those that need to access valuable business information via a public connection are in serious trouble if all they have available is an open Wi-Fi network.
There are, however, some defenses available, according to InformationWeek. Although it's not foolproof protection, the use of SSL Certificates to authenticate sessions can defeat less sophisticated attacks with ease. Care must be taken, though, to ensure that the issuing certificate authority is trustworthy, since an attacker able to spoof the SSL certificates means users are back at square one as far as security is concerned.
A combination of SSL certificates and virtual private network use, then, may be the best practical option for many companies, the news source reported. VPNs effectively provide an encrypted connection through which mobile devices can work and halt most - though not all - session hijacking and man-in-the-middle attacks in their tracks. Most of the time, InformationWeek said, attempted data security breaches of this kind will either cause the connection to fail outright - since the session will fail to validate - or prevent even a successful attack from gaining access to any important data, since everything will be encrypted between the company's networks and the user's machine.
An important tip for businesses looking to keep their data security measures running smoothly with VPNs, the publication stated, is to ensure that split tunneling is deactivated for all implementations of the technology that will have to connect to public wireless networks. While the performance boost from split tunneling is helpful to users on a home broadband network, the report noted, all traffic should be made to use the encrypted option if on an open-access Wi-Fi source. This will mean all data traveling across the connection goes through the company's networks and back onto the internet from there.
Encryption technology has seen limited adoption in the past because of a perceived performance cost, according to other experts. However, current options provide several ways around this roadblock, including an increasing number of methods to encrypt data in-memory.