Still Insecure After All These Years

Carl Weinschenk

In a bit of cognitive dissonance, it seems that laziness is as much a mobile security problem as ever. It doesn't seem like this should be so, but it is. In a perverse way, security forces and corporate lawyers should be happy: They apparently always will have jobs cleaning up after messy corporate incidents and accidents.


Cisco this week released a 10-country survey on attitudes to mobile security. The results, here reported in The Register, are disheartening in their suggestion that workers' security habits are regressing due to a widespread feeling that the Internet has become more secure and therefore they need not be as vigilant as before.


The wide-ranging survey dealt in part with behavior toward wireless. Workers are increasingly willing to hijack the services of others. A year ago, 6 percent said they would engage in this dangerous practice. The number is 11 percent now. The reasons for doing so include an immediate need that for some reason required jumping on neighbors' networks, convenience and not being able to determine to whom the network belonged. Ironically, the most honest group said they do so because they can get away with it.


The idea that security is getting worse is the key takeaway of this AirDefense study. The company assessed wireless security at the National Retail Federation Convention & Expo earlier this year in New York City. These results and other recent news items show that all of the screaming that security mavens have done during the past year has been a waste of breath. Fewer than 10 percent of the access points (APs) surveyed used Wi-Fi Protected Access version 2 (WPA2), currently the top security measure. Eighty percent of devices in the hall were liable to evil twin attacks, while 60 percent used Wired Equivalent Privacy (WEP), a defense that is about as good as that of the New York Knicks (not very good).


This is not an academic exercise, either: The firm found that people in the hall were using hacking tools and detected 39 attacks.


As always, there are good stories out there detailing how to secure networks -- whether or not anybody really is listening. For instance, Wi-Fi Planet goes a shade deeper than most pieces in explaining the problems. It also does a good job of describing how organizations can secure the data remote workers insist on throwing around so freely.


Many of the ideas are familiar to security forces. One particularly clever idea involves what could be described as a sort of positive social engineering: An organization should contract with a known hotspot provider. This service, then, would involve no out-of-pocket expense for remote workers. But the traveler would have to pay to use other providers and "T&E it" later. It is a virtual certainty that this would cut down on the use of unauthorized hot spots.

There isn't anything in this Wall Street Journal piece that security forces don't already know. But it is nice to see the issue getting coverage in such a high-profile publication. The piece provides a good overview of the problem and discusses tools available from T-Mobile and AT&T to protect their subscribers. It also makes the important point that the problem is, if anything, worse than reported because companies try to hide the fact that they lost data.


The usual list of steps is outlined: Make sure computing device security is up to date; use a virtual private network (VPN); change the name of the service set identifier (SSID); turn off Wi-Fi capabilities when they are not needed; be sure that the Wi-Fi network being used is legit; and forgo banking over Wi-Fi links.

Feb 23, 2008 1:11 AM Val Edwards says:
None of this is new or especially interesting. Using common sense security practices every time solves just about all the issues. Problems arise when people skip the security in favor of simplicity.
