Technology: Wireless
By Gary Bolles | Posted 07-19-2002
Now, someone can steal your company's most sensitive data by snatching it out of thin air, right from the company parking lot.
Sound more like scare talk than reality? Guess again. On May 1, an anonymous customer of Best Buy Inc. told SecurityFocus Online, a Web site for a security threat management firm, that he was able to break into Best Buy's internal sales data network from his car, which was parked in one of the store's parking lots. He tapped into the network, he said, after installing into his laptop a wireless card that he had just bought in the store.
It's not certain whether any customer credit card numbers or other purchasing information held by Best Buy at its 499 stores across the country has actually fallen into the wrong hands, but the discovery of the company's vulnerability caused a brouhaha at Best Buy headquarters.
The problem? Best Buy, in some of its checkout lanes, uses portable point-of-sale terminals that are tied to its servers by a wireless local area network, or LAN. The LAN relies on the 802.11 wireless networking standard, known as Wi-Fi. But Best Buy did not, apparently, bother to turn on the most fundamental security feature that's built into Wi-Fi, thereby leaving customer credit card data unencrypted and open to snooping. At first, Best Buy pulled its wireless POS systems from its stores. Now, though, they're back in use, says spokeswoman Joy Harris, because the company has bolstered its wireless security procedures.
But Best Buy's vulnerability is hardly unique. Many companies fail to take even the most basic wireless security precautions. Still have doubts? Take a ride with government software consultant Todd Waskelis in Virginia's Dulles corridor, a thruway outside Washington, D.C. that is lined with high-tech firms. Waskelis can slip a wireless card into his laptop, drive down Route 7 and pick up one wireless network after another, including the networks of a major credit clearinghouse. "Instead of hacking from the Internet, people can hack from the road, and probably get to the accounting server," Waskelis says.
But the culprit, say experts, isn't the technology as much as it is poor management. Few companies think about wireless security as a business problem, and fewer still think of wireless security as a critical component of their company's business strategy: a set of choices to be made about what level of wireless risk is acceptable, and how to manage exposure while monitoring the network continuously for new holes and threats.
"The concept of wireless is on many peoples' radar screens, [but] the concept of wireless security is on far fewer of them," says Larry Rogers, a senior member of the technical staff at the CERT Coordination Center at Carnegie Mellon University. CERT trains companies to help secure the Net.
The first mistake many companies make, says Diana Smetters, security researcher at the Palo Alto Research Center (PARC), is failing to prohibit employees from setting up their own wireless networks at the office. If there's a wired connection available in, say, a conference room, anyone (employees, contractors, partners) can create a new local area network. With wireless LAN cards available for less than $100 at most local electronic superstores like Best Buy, it's easy for these so-called "rogue" networks to slip into the company under IT's radar screen.
That's not to say that Wi-Fi is not at all secure. It's just that the equipment is typically shipped with its security software, known as WEP, or Wired Equivalent Privacy, turned off. Using WEP means users have to fire up a browser, log onto a wireless access point and choose security keys. According to CERT's Rogers, some employees might consider doing all of these things more trouble than they're worth. "Or, they may be just clueless," says Rogers.
But even when WEP is turned on, it's no match for the toughest wireless hackers, or "whackers." WEP can be "broken" by anyone with a wireless laptop, a widely available encryption-buster program and enough time. Even relatively undetermined technophiles, for example, can use freeware software such as NetStumbler with a Wi-Fi card to sniff out exposed networks.
The NetStumbler site, for example, lets people see the locations of unprotected access points around the U.S., a gold mine for would-be corporate spies. If the CEO's nightmare is to wake up and see the corporation's unannounced acquisition plans, for example, plastered across The Wall Street Journal's front page, then the CIO's equivalent is finding the company's wireless network exposed on NetStumbler.
Another cause for wireless insecurity: the failure by workers to take needed security precautions when they work on a wireless device from outside the office, whether from Starbucks, the airport lounge or from home. PARC's Smetters says it's easy for a corporate spy to "sniff" the laptop of a competitor. "Say I want to find someone who works in Corporation X," she says. "What I'm going to do is sit in a coffee house around the corner and wait for somebody from Corporation X to sit down with their laptop" and then, using a wireless card and "sniffer" program, begin scanning that person's laptop without their knowledge, if no wireless security software is in place. "People are going to take their laptops, and with wireless they're going to be moving in and out of your firewall in a much more dynamic way than they would have or could have before," she says.
To many security experts, allowing employees to blithely connect to wireless LANs outside the corporate office (most commonly from home or an airport lounge) is madness. "It's difficult to think of a place that's better than an airport for stealing stuff going through the air," says CERT's Rogers. Adds Mick Johannes, CTO of consultant CorpNet Security Inc.: "If the wireless network in somebody's home is insecure, and they're connected to my corporate network, [then] I have an insecure corporate network."
And there are other vulnerabilities. Some IT departments fail to place wireless access points (radio transmitters that broadcast and receive wireless signals) in areas physically located away from windows and exterior building walls, where they can be "sniffed" easily by corporate spies trying to crack into networks from the company parking lot. The practice is common, say experts: what CorpNet CEO Rick Shaw calls "war driving," a variation on the old scheme of "war dialing," where intruders would use programs with modems to dial phone numbers in rapid succession to find unattended system entry points. Hopping onto wireless networks is a lot easier than dialing random numbers. Adds Erik Fichtner, security director at ServerVault Inc., a security integrator: "If you're running a wireless network, you're essentially providing an RJ-45 jack out on the street that someone can walk up to and [gain] access to your network."
Another problem is that companies often mistakenly "name" the signals their access points broadcast into the ether. Anyone with a wireless LAN card and widely available network scanning software can search through a list of network names while whacking. More often than not, those devices have been given a company name by someone on that company's IT staff, making it very obvious to intruders which access points belong to which companies.
Further, when a whacker sees a company name on a broadcast signal, it's a safe bet that company's entire security strategy is weak, or nonexistent. "If the IT staff put the company's name on it, that's a big clue that they don't take the threat seriously enough, or don't understand it," says Ridgely Evers, chairman and CEO of nCircle Network Security Inc., a San Francisco-based security strategy firm.
What to do? Some companies won't use wireless networks at all. "So far, the concerns about wireless technology and information security have prevented any steps from being taken toward an implementation" at Deutsche Bank AG, says Gregg Mele, N.Y.-based vice president of the Frankfurt, Germany-based financial services firm. "In this time of security concerns, the judgment being made is that it is better to err on the side of not moving forward on something relatively new like this, where questions still remain about how to prevent data theft using such a technology."
And lack of security can cost a company a lot more than lost data. Without better wireless security policies and ways to enforce their use, insurance companies can charge higher premiums. "Wireless significantly increases the risk of criminals getting into a company's network," says Don Harris, a broker in the technology risk group at Swett & Crawford, the world's largest wholesale insurance underwriter.
A broad range of customer data, such as credit card numbers and health statistics, for example, needs to be kept from traveling over insecure wireless connections, or companies bear a greater risk of being sued by clients and customers for security breaches. "If you're not protecting your information, you've got some serious liability," Harris says. "So as underwriters, are we concerned? Definitely. A risk that has heavy utilization of wireless technology, that's a very difficult underwriting risk."
CIOs can analyze their potential exposure using a scare calculator, a Security Costs and Risks Estimator, such as the spreadsheet software offered by Alvaka Networks. Such software can help a CIO put a dollar value on what might happen if a client or customer sues for breach of privacy or a government agency slaps the firm with fines for leaking out data protected by law. CorpNet's Johannes says a potential fine could be as much as $250,000 for a privacy breach, depending on how it occurred. He points to new federal laws that protect hospital patient information from public scrutiny, increasing the risk of lawsuits against organizations that manage or transmit such information, and even against individual doctors who use PDAs to care for patients in a hospital.
But not every company is clueless when it comes to wireless security. At Siemens Medical Solutions, for example, the networking department conducts site audits to ferret out rogue networks. Last year, says SMS' network engineer Stuart Higgins, IT used NetStumbler to sniff out a rogue wireless network that nobody in IT had installed. The discovery led to a set of new policies aimed at curbing the problem.
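The site audit Siemens describes, together with the network-naming and switched-off-WEP problems raised earlier, boils down to one defender-side check: compare what a survey actually heard over the air against the inventory of access points IT sanctioned. The Python script below is an added example, not code from the article or from any company named in it. The scan records and the inventory are constructed sample data in a simple CSV shape (bssid, ssid, encryption), not NetStumbler's real export format, and the company-name markers it looks for are assumptions.

```python
"""Rogue-access-point audit over a site-survey scan (added example).

Inputs are constructed: SCAN_CSV stands in for whatever a scanner recorded
during a walk-through, AUTHORIZED for the network team's list of sanctioned
access points keyed by BSSID (the radio's MAC address).
"""
import csv
import io
from typing import Dict, List

# Constructed sample survey. "none" means the AP was heard with no encryption.
SCAN_CSV = """bssid,ssid,encryption
00:11:22:33:44:01,corp-pos-1,WEP
00:11:22:33:44:02,corp-pos-2,WEP
00:11:22:33:44:03,ExampleCorp-Sales,none
de:ad:be:ef:00:01,linksys,none
00:11:22:33:44:04,guest,WEP
"""

# Constructed inventory of sanctioned APs: BSSID -> the SSID it should broadcast.
AUTHORIZED: Dict[str, str] = {
    "00:11:22:33:44:01": "corp-pos-1",
    "00:11:22:33:44:02": "corp-pos-2",
    "00:11:22:33:44:04": "guest",
}

# Assumed markers: strings that give away ownership if they show up in an SSID.
COMPANY_MARKERS = ("examplecorp", "example corp")


def audit_scan(scan_csv: str, authorized: Dict[str, str],
               markers=COMPANY_MARKERS) -> Dict[str, List[str]]:
    """Return {bssid: [issues]} for every access point that needs attention.

    Issue tags: rogue (not in inventory), mismatch (inventory SSID differs),
    open (no link-layer encryption), weak (WEP only), disclosure (SSID names
    the company).
    """
    report: Dict[str, List[str]] = {}
    for row in csv.DictReader(io.StringIO(scan_csv)):
        bssid = row["bssid"].strip().lower()
        ssid = row["ssid"].strip()
        enc = row["encryption"].strip().lower()
        issues: List[str] = []

        # A radio nobody in IT installed is the "rogue network" case.
        if bssid not in authorized:
            issues.append("rogue: BSSID not in authorized inventory")
        elif authorized[bssid] != ssid:
            issues.append(f"mismatch: inventory expects SSID {authorized[bssid]!r}")

        # Shipped-default state: security feature never turned on.
        if enc in ("", "none", "open"):
            issues.append("open: no link-layer encryption enabled")
        elif enc == "wep":
            issues.append("weak: WEP only; treat link as untrusted and run a VPN over it")

        # Broadcasting the company name tells a passer-by exactly whose network it is.
        if any(m in ssid.lower() for m in markers):
            issues.append("disclosure: SSID reveals company name")

        if issues:
            report[bssid] = issues
    return report


def rogue_bssids(report: Dict[str, List[str]]) -> List[str]:
    """BSSIDs the audit flagged as not belonging to the sanctioned inventory."""
    return sorted(b for b, issues in report.items()
                  if any(i.startswith("rogue") for i in issues))


if __name__ == "__main__":
    result = audit_scan(SCAN_CSV, AUTHORIZED)
    for bssid, issues in result.items():
        print(f"{bssid}: " + "; ".join(issues))
    print("rogue APs:", rogue_bssids(result))
```

Run against the constructed scan, the two radios absent from the inventory (one of them broadcasting the company's name with encryption off) come out as rogue, and the sanctioned WEP-only units are flagged as weak, which matches the article's advice to treat 802.11 as untrusted and tunnel over it with a VPN.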
Now, says Michael Alban, who manages vendor relationships for Siemens Medical Solutions, workers who use the company's sanctioned wireless LANs must use the virtual private network security software provided to them by the company. Employees are also required to attend a seminar on using the VPN, and to sign a document saying they understand and agree with the organization's security measures. Failure to comply will mean a reprimand, and could lead to dismissal. Siemens employees are also encouraged to attend occasional "lunchtime exchanges" with IT and security staff to update their understanding of security policies as they change or as external threats vary.
NetBank Inc., an Alpharetta, Ga.-based online financial services firm, takes it all a step further. Tom Cable, NetBank's chief technology officer, sends company network engineers to employees' homes, to make sure there are no security holes unplugged. NetBank checks home PCs for potential security problems of all types, including rogue wireless LANs. "We do inspections at peoples' homes," says Cable, "to verify that they are meeting the standards" set up for telecommuting security. "The machine that's going to be communicating to the bank should not be connected to a wireless network in the home," he says.
Other companies, like Deutsche Bank, simply limit what types of information can go in, or out, to get around the security problem. "There are limits on what [employees] can access in real time on the network through dial-up," says Mele. Experts recommend that companies treat employees working on wireless networks as if they were dialing in through the most insecure connection imaginable, even if the wireless LAN is physically set up in the middle of corporate headquarters, away from windows or exterior walls that could be easily sniffed from the road or employee parking lots by intruders.
The ideal setup? PARC's Smetters says it's a wireless network isolated from the rest of the company's regular local area network (see
Ultimately, though, the main weapon in the CIO's security arsenal against insecure wireless LANs is the VPN. Virtual private networking software is invariably used whenever employees dial in remotely over the insecure Internet, and experts and users say the same should be true for wireless LANs. For Dave McLean, network systems engineer for the City of St. Petersburg in Florida, that meant ordering up additional (and often expensive) security software. "We consider the 802.11 to be [insecure], and we put a VPN on top of it," he says. Though some experts point to the additional cost of VPNs (for large companies with no such security, for example, it could be millions of dollars), McLean maintains it can be worth it.
Besides getting a level of security protection it didn't have before, the city is also saving money. Its move to use wireless LANs to link together buildings formerly connected by frame relay and cable modems is saving city taxpayers thousands of dollars in huge monthly communications bills. McLean says the city expects to see the full payback on its multimillion-dollar investment within 18 months of installation. Says McLean: "It's too late to plug holes in your system once data has already leaked out. The ROI when it comes to security is, ultimately, the theft that didn't happen."
CIO Insight Copy Chief Debra D'Agostino contributed to this article.
Are You Snoop-Proof?
The Wireless fact sheet is available as an Adobe Acrobat PDF.