Is new technology bypassing traditional controls?

Network security controls and practices are among the most mature, but can businesses be sure that some network traffic is not sneaking past traditional controls, especially with the recent proliferation of new mobile, wireless and other IP-enabled devices?

The rise of mobile enterprise applications

With the rise of mobile enterprise applications and related trends such as the consumerisation of IT and bring-your-own-device (BYOD), an increasing number of enterprise employees are looking to access corporate networks through Wi-Fi hotspots, both internally and externally.

Whether or not these Wi-Fi hotspots increase the potential for data leakage depends mainly on an organisation's strategy for network security.

Key control in the protection of their data

If organisations continue to rely on network security as a key control in the protection of their data, Wi-Fi is a potential avenue for data leakage, according to Matthew Lord, chief information security officer at IT-enabled business services firm Steria UK.

"An attacker could just sit in an organisation's car park and try to force their way into the network by trying a combination of user IDs and passwords until they gain access," he said.

If enterprises want to use Wi-Fi hotspots safely, they must follow two data leakage prevention strategies: set them up as an internet hotspot with no access to internal systems, and use a stronger form of authentication such as client-side certificate authentication.

Internal Wi-Fi hotspots - where there are separate corporate and guest networks, and the corporate network has tight controls, including device authentication - are generally not an issue for network traffic slipping past controls.

However, corporate users could be tempted to switch to the guest network, where there are fewer or no controls, and that is where leakage could occur. Best practice would be to set up a guest network that requires temporary credentials to enable connections.

Public Wi-Fi hotspots, such as those commonly provided by coffee shops, are typically unencrypted, which means any wireless sniffer or rogue wireless access point can capture all the traffic because all the data packets are open. In short, data leakage prevention depends on how the mobile device accessing the network is protected and configured.

Best practice would be for public hotspots to move to WPA2 to encrypt each session, and for businesses to allow access to internal networks only through a virtual private network client, which means all a traffic sniffer would see is a stream of encrypted data packets. This also prevents the traffic redirection and man-in-the-middle attacks associated with web access over HTTPS.

While there are vulnerabilities in wireless mobile communication channels, Wi-Fi is easier to target because of the built-in safeguards in 3G, which require more specific expertise and advanced hardware to intercept, representing a lower return on investment for attackers, he said.

Best practice for mobile devices that support 3G, high-speed packet access and Wi-Fi is to use voice-over-IP instead, and run peer-to-peer call manager software to encrypt the traffic, according to Jirasek. This enables all traffic to be encrypted over an untrusted network, he said.

The fact that most devices can operate on an IP network, coupled with the fact that most corporations need to save money today, inevitably means there is increasing use of the corporate network as a communications backbone for more than just file and print servers.

In light of this fact, and the need to block as many avenues for data leakage as possible, organisations need to treat their internal networks as hostile and implement the right level of security on all networked devices.

Good example

"A good example would be to encrypt CCTV footage between the camera and the recorder, or implement a hardened factory control server with a firewall on your network, rather than an unprotected workstation running system control software," said Steria's Lord.

Again, best practice is to segregate different types of devices and apply different security controls accordingly, said Jirasek. "You don't want to put IP devices on the same domain or network as your computers. If they don't need to talk to each other, they should not be able to," he said.

"You need to make a judgement call based on the threat analysis [to ascertain] whether it is worth putting these controls into some segments," said Jirasek. "It would be very bad practice to have it all on the same network, but this is what small companies are doing. SMEs don't really have money to segregate the network."

The best approach

The best approach would be to have anomaly detection protection which baselines the network traffic, looks at the patterns and identifies the anomalies.

"That would be the best from a pure network traffic point of view, however for the determined attacker you need to be prepared on the host - so have it tightly secured, users not having admin rights, some sort of protection against RAM-scraping malware, good anti-virus and anti-malware, the data classified and potentially segregated - with access over some kind of Citrix session, and then ideally if the user has access to secrets inside the organisation they should use a different PC for browsing the internet," said Jirasek.
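The "baseline the traffic, then flag what departs from the pattern" approach described above can be illustrated in a few dozen lines. The following is an added example, not code from the article or from any product mentioned in it: it builds a per-host profile (mean and standard deviation of bytes sent per time window, plus the set of destination ports seen) from a constructed set of baseline flow summaries, then reports three kinds of deviation in a later observation period: a host that was never seen during baselining, a window whose outbound volume exceeds the host's mean by more than k standard deviations (with a fixed slack so hosts with perfectly flat baselines do not alert on trivial changes), and a destination port the host never used before. All records, hostnames and thresholds are constructed for the example.

```python
"""Baseline-and-deviate anomaly detection over constructed flow summaries.

Added example (not from the article or any vendor). Records, host names and
thresholds are constructed for illustration only.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (host, window, bytes_out, dst_port). Not real traffic.
BASELINE = [
    ("ws-01", 1, 1000, 443), ("ws-01", 2, 1100, 443),
    ("ws-01", 3, 900, 443), ("ws-01", 4, 1000, 443),
    ("ws-02", 1, 500, 445), ("ws-02", 2, 500, 445),
    ("ws-02", 3, 500, 445), ("ws-02", 4, 500, 445),
]
OBSERVED = [
    ("ws-01", 5, 1050, 443),   # within the learned range
    ("ws-01", 6, 25000, 443),  # volume spike
    ("ws-02", 5, 520, 445),    # normal
    ("ws-02", 5, 100, 22),     # destination port never seen in the baseline
    ("cam-07", 5, 800, 554),   # host absent from the baseline entirely
]


def aggregate(records):
    """Return host -> window -> total bytes, and host -> set of dst ports."""
    totals = defaultdict(lambda: defaultdict(int))
    ports = defaultdict(set)
    for host, window, nbytes, port in records:
        totals[host][window] += nbytes
        ports[host].add(port)
    return totals, ports


def build_baseline(records):
    """Profile each host: mean/stddev of bytes per window and ports used."""
    totals, ports = aggregate(records)
    profile = {}
    for host, windows in totals.items():
        values = list(windows.values())
        profile[host] = {"mean": mean(values), "sd": pstdev(values),
                         "ports": set(ports[host])}
    return profile


def detect(records, profile, k=3.0, slack=200):
    """Flag unknown hosts, volume outliers and new destination ports.

    Returns a list of (host, window, kind, detail) tuples, sorted by host.
    `slack` is a minimum allowance above the mean so that a host with a flat
    baseline (sd == 0) is not flagged for a change of a few bytes.
    """
    totals, ports = aggregate(records)
    findings = []
    for host in sorted(totals):
        if host not in profile:
            findings.append((host, None, "unknown-host",
                             f"{len(totals[host])} window(s), ports {sorted(ports[host])}"))
            continue
        p = profile[host]
        limit = p["mean"] + max(k * p["sd"], slack)
        for window, total in sorted(totals[host].items()):
            if total > limit:
                findings.append((host, window, "volume",
                                 f"{total} bytes > limit {limit:.0f}"))
        for port in sorted(ports[host] - p["ports"]):
            findings.append((host, None, "new-port",
                             f"dst port {port} not in baseline"))
    return findings


if __name__ == "__main__":
    for finding in detect(OBSERVED, build_baseline(BASELINE)):
        print(finding)
```

In practice the baseline would be rebuilt periodically from flow records (NetFlow, firewall logs) and the per-host thresholds tuned to the false-positive rate the operations team can absorb; the point of the example is the shape of the logic, not the specific constants.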

The biggest challenge for large enterprises

Complexity is the biggest challenge for large enterprises. Security vulnerabilities typically arise because of misconfigurations. With only 30% to 40% of firewall rule bases actually used, organisations tend to expose their networks to access for which there is no business purpose.
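The "only 30% to 40% of the rule base is used" observation is something a team can measure for itself from hit counters. The following is an added example, not code from the article or from FireMon: it takes a small constructed rule base (source and destination networks, protocol, destination port range, and the number of matches recorded over a review period), reports the rules that were never hit, computes the usage ratio, and also finds rules that are shadowed, meaning an earlier rule already matches everything they would match, so they can never fire regardless of their action. All rule names, addresses and hit counts are constructed.

```python
"""Firewall rule-base hygiene: unused and shadowed rules.

Added example (not from the article or from FireMon). The rule base, addresses
and hit counters below are constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

ANY_NET = ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    src: IPv4Network
    dst: IPv4Network
    proto: str        # "tcp", "udp" or "any"
    ports: tuple      # inclusive (low, high) destination port range
    hits: int         # matches counted over the review period


def rule(name, action, src, dst, proto, ports, hits):
    """Build a Rule from the shorthand used in the constructed table."""
    def net(s):
        return ANY_NET if s == "any" else ip_network(s)
    if ports == "any":
        prange = ANY_PORTS
    elif isinstance(ports, int):
        prange = (ports, ports)
    else:
        prange = tuple(ports)
    return Rule(name, action, net(src), net(dst), proto, prange, hits)


# Constructed rule base, evaluated top to bottom, first match wins.
RULES = [
    rule("allow-web", "allow", "any", "10.0.1.0/24", "tcp", 443, 18400),
    rule("allow-dns", "allow", "10.0.0.0/8", "10.0.2.53/32", "udp", 53, 9200),
    rule("allow-admin-ssh", "allow", "10.0.9.0/24", "10.0.0.0/8", "tcp", 22, 310),
    rule("allow-legacy-ftp", "allow", "any", "10.0.1.0/24", "tcp", 21, 0),
    rule("allow-old-jump", "allow", "10.0.9.10/32", "10.0.1.0/24", "tcp", 22, 0),
    rule("allow-vendor", "allow", "203.0.113.0/24", "10.0.3.0/24", "tcp", 3389, 0),
    rule("deny-all", "deny", "any", "any", "any", "any", 5500),
]


def covers(earlier, later):
    """True if every packet matching `later` also matches `earlier`."""
    return (earlier.src.supernet_of(later.src)
            and earlier.dst.supernet_of(later.dst)
            and earlier.proto in ("any", later.proto)
            and earlier.ports[0] <= later.ports[0]
            and earlier.ports[1] >= later.ports[1])


def unused_rules(rules):
    """Names of rules with no matches during the review period."""
    return [r.name for r in rules if r.hits == 0]


def shadowed_rules(rules):
    """(rule, shadowing rule) pairs: the first earlier rule that fully covers it."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


def usage_ratio(rules):
    """Fraction of rules that matched at least once."""
    return sum(1 for r in rules if r.hits > 0) / len(rules)


if __name__ == "__main__":
    print(f"usage ratio: {usage_ratio(RULES):.0%}")
    print("unused:", unused_rules(RULES))
    print("shadowed:", shadowed_rules(RULES))
```

A zero-hit rule is a candidate for removal after the owner confirms there is no seasonal or disaster-recovery use; a shadowed rule is dead weight that can be removed without changing behaviour. Running the same checks on the real rule base before and after a change is the cheapest way to see whether a cleanup actually reduced the exposed access paths.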

"Data leakage is seldom a problem with technology. It is not an issue of data sneaking past network controls, but of misconfiguration of those controls and a reluctance to fix known misconfigurations for fear of blocking business access to the network," said Jody Brazil, founder and chief innovation officer of Kansas-based security management firm FireMon.

For large corporate and government networks, he said that in addition to reactive security information and event management, there needs to be a complementary proactive capability to build a picture of overall risk by identifying all network access.

This enables organisations to reduce risk by blocking unnecessary access paths before there is a security incident. "Most organisations are astounded when we show them how many paths there are to their network that could be used for unauthorised access," said Brazil.

FireMon, he said, goes beyond rival configuration management systems by combining traditional operational capabilities with continuous risk monitoring and visibility, which includes the ability to identify and prioritise risk remediation tasks and model the knock-on effects of any network configuration changes.

Like all security challenges, however, technology alone is not enough. Especially in the BYOD era, enterprises need to ensure that employees are aware of the risks of using mobile devices to access corporate networks and data.

While many organisations have appropriate technologies, policies and awareness programmes in place for desktop and laptop computers, he said these are often lacking when it comes to smartphones and other mobile devices. The level of awareness of the potential risks of IP-enabled devices is also relatively low. "We need to raise the profile of unmanaged IP-enabled devices because the number of these vulnerabilities is only going to increase," warned Beer.

More information: Computerweekly