A network performance specialist by profession and principal with The Technology Firm, Tony Fortunato has spent his career working with enterprises to solve issues around networks and security. In recent years, he has seen growing demand on the part of organizations for a specific type of corporate security training around network usage and practices. In an interview with Denise Deveau, Fortunato discusses the areas that IT professionals commonly continue to overlook as they build out their security strategies. An edited version of this discussion follows below.
Denise Deveau: Unlike some security training, your presentations tend to focus on the weaknesses in human behaviour and in in-house practices. Why is this type of training needed?
Tony Fortunato: You might think that your security and IT policies provide an air-tight, secure environment. But the truth of the matter is, no system is bullet-proof. The effectiveness of any system relies on knowing and monitoring where your holes or possible exposures lie.
In my years of experience, I have found some common practices that cause all sorts of issues with corporate security. Some risk can be generated by users, others by IT departments themselves. Many of the scenarios that create risk are neither malicious nor intentional.
Deveau: What are some of the biggest problems you have come across?
Fortunato: Overall, what is happening is that people are leveraging whatever technology is available. Despite the fact that many of those technologies were designed with the best of intentions to make our lives easier, they are creating a wide range of challenges for IT departments that are often overlooked.
For example, remote access is coming into play in a big way. Many corporations have remote access solutions for staff, such as TeamViewer, GoToMyPC, VNC and LogMeIn. Google’s Chrome Remote Desktop has free remote desktop software that is remarkably easy to install. Yet these technologies have made it easier for users to circumvent security policies when using their tablet, laptop or phone to access their desk computer. In reality, it’s like taking a network connection and hanging it outside your window and saying to others, “Please don’t use it.”
The best way to handle this is to ensure that users cannot access these sites, block those specific port numbers, or limit what clients can install on their computers.
Another major problem is USB or Bluetooth adapters that connect devices directly to the internet. This can be particularly problematic if the computer is the property of the corporation because it can allow users to circumvent corporate policies and restrictions. However, there are PC configuration changes that can be used to control this practice.
Deveau: Rogue access points have always been a focus for security. What kind of threats do you see today?
Fortunato: There are several risks relating to rogue access points. Let’s look at physical rogue access points first. Say a client wants to have wireless coverage in a meeting room or use a personal device at work, so they simply connect an access point to their network drop to create a hotspot. These USB-powered devices are extremely small, easily mistaken for a USB hard drive, and easy to overlook if you don’t have an official wireless deployment.
There are a variety of solutions that can help, including WiFi scanners and monitoring and management tools such as NetStumbler, InSSIDer, AirMagnet Enterprise and Airwave.
Even more risky are software-based rogue access points, where users install an app on their computer to share their network connection (e.g. Connectify and Intel MyFi). This is becoming more common with the rise of tablets. To avoid this, you should have proper software installation protocols in place to prevent or limit installation of apps.
Last but not least are smartphone hotspots. A smartphone can be configured as a hotspot that allows other devices to get internet access. Using the phone as a WiFi-to-cell modem creates new challenges, particularly when a laptop connected to the corporate wired network has a WiFi connection to the internet. While there is no hard-and-fast solution to solving this, IT managers can be more vigilant about monitoring for rogue access points and limiting which WiFi networks users can use to connect.
With the proliferation of devices being brought into the workplace, it’s important that IT treat the practice in the same way they would treat an employee bringing in a guest. A simple question to ask yourself is, would you allow an employee’s guest to connect to the corporate network? A good strategy is to create a separate WiFi or wired guest network.
Deveau: What would you say is one of the most common issues you have seen in large enterprises?
Fortunato: I can’t tell you how many big corporations I visit where I come across temporary networks. These are often slapped together because of a special project or emergency need with little regard for corporate security and protocols. The problem is, these temporary networks never get decommissioned, and everybody in the know is aware they exist so will plug into them and go to whatever sites they want to. In one of four enterprises, it’s likely I will find someone plugged into a temporary network who’s downloading music and movies all day and totally taking advantage of the situation.
In most cases, these networks were never part of the corporate network or properly secured. Temporary networks should have an expiry or decommission date, and should be set up as a separate network.
Deveau: What should the IT manager be doing to control some of these practices?
Fortunato: Given the complexity of keeping up, the million-dollar question you need to ask when prioritizing requirements is: what is the risk/reward scenario? The short answer is, it all depends on the audience or group you support and the type of data that is being exposed. For a corporation that has a large data entry pool, the chances of someone pulling tricks are diminished. But an IT manager working at a university is dealing with kids who are circumventing security all the time.
From a non-technology standpoint, the best defense is education and vigilance. IT should be constantly checking new products and applications and ensuring that the current network isn’t vulnerable.
A corporate policy, document or general information should also be available to inform users about security and general internet safety. When people understand the existing policies in place, they are more apt to comply and to educate their co-workers.
It’s essential to let people know that security procedures matter, and more importantly, why they are in place. People need to be told what websites they can visit, what software they can install and why they can’t do things such as turn their machines into access points or disable their antivirus because it’s slowing down their system.
Keep in mind that policies should be concise and specific when detailing what users can and can’t do. After all, you don’t say “please reconsider getting into a vehicle after having an alcoholic beverage”. Rather, it makes more sense if you say “Don’t drink and drive”.
Ultimately, good security practices need to be a part of the corporate culture.