Public networks are a major threat to corporate assets as mobile workers still fail to use VPN’s and take proper security precautions.
This comes from security vendor Bromium who have released details of the CTIA Super Mobility – Understanding Mobility and Risk survey it carried out a few weeks ago. The survey which consists of just 6 questions revealing an interesting snapshot into the attitude of mobile workers who seem to prefer any free Wi-Fi service rather than connect to their phone and use a Virtual Private Network (VPN).
Details of the survey and its results were released in a blog by Clinton Karr on the Bromium website. In it he lists the questions and responses which make for amusing and slightly disturbing reading.
Corporate data increasingly accessed via public networks
86% of the respondents admitted that they used their mobile device to access the corporate network, data and their email. This is unsurprising, after all we have been pushing users to use mobile devices for well over a decade. The arrival of the smartphone and the tablet have just increased pressure for users to access data remotely.
Walk into any coffee shop or even café these days and there are people logged onto their devices working. The vast majority of them are using the free Wi-Fi provided. What they don’t know is if they are really connected to the establishments own Wi-Fi or a fake Wi-Fi set up by a hacker who has popped in for coffee and some free data.
Surprisingly as many as 36% of respondents said that they would not use a public network which is hard to square off with the way people work today. Survey after survey points out that people check their mobile devices as many as 50 or more times a day. Karr claims 100 times per day in his blog which is fairly high and while it might possibly be overstressed execs looking at corporate email it is more likely that this is people checking social media.
With the odd exception, it is rare to see anyone who has wired their phone to their computer. This is not some old fashioned approach but using the USB to talk to the phone rather than Wi-Fi helps to protect against any risk of having data hijacked. It also ensures that you are using the data allowance on your device. This is not to say that this is a perfectly secure route but it is far more secure than using the public Wi-Fi in a coffee shop, café or pub.
VPN use up to 37% but far from an acceptable value
When asked again about public network usage in the context of what technologies were used to protect themselves, 25% said they avoided public networks. This figure jars with the 36% who said they never access company data or email over public networks. It could be a difference between what Bromium define as a public network and what the users see as a public network.
When it came to protecting themselves 37% of users said that they used a VPN to create a secure connection to their office. This is a good start but it is still a long way from perfect. Part of the reason may be that historically VPNs were difficult to set up and a lot of companies didn’t really support them. That has changed over the last few years and we are seeing VPN deployment increasing.
38% of users claimed to avoid entering sensitive information. The question here is what do they mean by sensitive? Usernames and passwords to corporate websites are very sensitive as are logins for mobile banking. If people are not entering this on their devices it is highly likely that they have chosen to have the device remember who they are. This is just as dangerous given the increasing rate of theft of mobile devices.
Only 20% of users are using SSL when browsing and it is unclear if this is because they were talking about browsing the web in general or because their employers didn’t support SSL for mobile connections. There was also no question as to whether users were taking advantage of the private or privacy mode when using the browser on their devices.
This disables browsing history and the web cache as well as blocking cookies. While this causes problems with using some sites it is about improving the overall security for the user that is important.
Assessing the risk of a public network
One of the challenges for anyone using a public network is assessing the risk it poses. The reality is that all public networks are risky and subject to being hijacked by hackers. It doesn’t require a lot of skill or equipment and it is easy to sit in a coffee shop and begin to capture information. An inexperienced hacker can get started in less time than is normal to drink a large coffee. With coffee shops now becoming work and meeting places, sitting there for an hour or two is no longer going to attract much attention.
So how did users rate the risk of public networks?
- 33% thought coffee shop/restaurants were high risk although only 6% thought they were low risk
- 29% said that airport networks were high risk with 6% saying the risk was low
- 21% called out hotel and convention centre networks as a high risk while 7% thought the risk was minimal
- 10% identified municipal networks as high risk while 45% thought they were pretty safe
- 6% felt that transportation networks on planes, subways and buses were high risk with 35% prepared to say the risk was low.
There are some very disturbing numbers here for any security professional. Doing comparisons here is not easy as it all depends on where the coffee shop and restaurant is and the type of hotel and convention that is taking place. Generally large chain coffee shops are easy pickings for hackers as they will have a good turnover of business people using them as an office. With 61% of users using coffee shops, the chances of getting attacked are good.
Restaurants are different. While you can sit there and take time eating, the Wi-Fi is often limited and sitting there with a mobile device open is often frowned upon even at lunchtime in most cities. The risk here is more from the cloning of credit cards.
Convention centres, on the other hand, draw hackers like honey draws bees. It doesn’t have to be a technology conference to attract hackers. They are looking for ways to capture information that will give them access to corporate data and networks. This is easily saleable on the open market. 85% of respondents admitted they had used the free convention centre Wi-Fi making them very easy targets indeed.
In the early 2000’s when Microsoft moved its TechEd conference to Barcelona it ran a session showing how many attacks were being made against attendees from inside the conference network. Like other vendors it had an active policy of identifying and then locking such people out of the network. If they could also be identified, they were also ejected from the event.
Hotels are also good targets and now that many have coffee shops in them that are open to the public as hoteliers look to expand their earnings, it is easy to sit and capture data. Hotels are also where most business people will do work in the evening and as the use of wired networks goes out of fashion, the increase in Wi-Fi only network connections makes it easier for hackers to collect data.
Working against the hacker is often the size of the building which often means that it is pot luck as to who is in range unless you socially engineer the check-in staff to get placed near your target. Hackers have also managed to penetrate hotel routers in the past and used them to install spyware and other malware on guests computers.
The lack of awareness of public network risk should come as no surprise despite the constant warnings that hit the press. People like something for nothing and as they become increasingly addicted to being connected in one form or another they will always gravitate towards public networks.
It would have been useful for the survey to have asked if corporate data and email was encrypted on the mobile device as that would have given a better look at security. Based on these findings, however, it is of no surprise that corporate credentials are so easily obtained leading to cyberattacks.