Modernizing Authentication — What It Takes to Transform Secure Access
To many security experts, allowing employees to blithely connect to wireless LANs outside the corporate office, most commonly from home or an airport lounge, is madness. "It's difficult to think of a place that's better than an airport for stealing stuff going through the air," says CERT's Rogers. Adds Mick Johannes, CTO of consultant CorpNet Security Inc.: "If the wireless network in somebody's home is insecure, and they're connected to my corporate network, [then] I have an insecure corporate network."
And there are other vulnerabilities. Some IT departments fail to site wireless access points (the radios that broadcast and receive wireless signals) away from windows and exterior building walls, leaving their traffic easy to "sniff" for corporate spies trying to break into networks from the company parking lot. The practice is common, say experts. CorpNet CEO Rick Shaw calls it "war driving," a variation on the old scheme of "war dialing," in which intruders used modem-equipped programs to dial phone numbers in rapid succession to find unattended system entry points. Hopping onto wireless networks is a lot easier than dialing random numbers. Adds Erik Fichtner, security director at ServerVault Inc., a security integrator: "If you're running a wireless network, you're essentially providing an RJ-45 jack out on the street that someone can walk up to and [gain] access to your network."
Another problem is that companies often mistakenly "name" the networks their access points broadcast into the ether. Anyone with a wireless LAN card and widely available network scanning software can search through a list of broadcast network names while "whacking," as wireless hacking was dubbed. More often than not, those devices have been given a company name by someone on that company's IT staff, making it very obvious to intruders which access points belong to which companies.
Further, when a whacker sees a company name on a broadcast signal, it's a safe bet that company's entire security strategy is weak, or nonexistent. "If the IT staff put the company's name on it, that's a big clue that they don't take the threat seriously enough, or don't understand it," says Ridgely Evers, chairman and CEO of nCircle Network Security Inc., a San Francisco-based security strategy firm.
What to do? Some companies won't use wireless networks at all. "So far, the concerns about wireless technology and information security have prevented any steps from being taken toward an implementation" at Deutsche Bank AG, says Gregg Mele, N.Y.-based vice president of the Frankfurt, Germany-based financial services firm. "In this time of security concerns, the judgment being made is that it is better to err on the side of not moving forward on something relatively new like this, where questions still remain about how to prevent data theft using such a technology."
And lack of security can cost a company a lot more than lost data. Without better wireless security policies and ways to enforce their use, insurance companies can charge higher premiums. "Wireless significantly increases the risk of criminals getting into a company's network," says Don Harris, a broker in the technology risk group at Swett & Crawford, the world's largest wholesale insurance underwriter.
A broad range of customer data, such as credit card numbers and health statistics, needs to be kept from traveling over insecure wireless connections, or companies bear a greater risk of being sued by clients and customers for security breaches. "If you're not protecting your information, you've got some serious liability," Harris says. "So as underwriters, are we concerned? Definitely. A risk that has heavy utilization of wireless technology, that's a very difficult underwriting risk."
CIOs can analyze their potential exposure using a "scare calculator," a Security Costs and Risks Estimator such as the spreadsheet software offered by Alvaka Networks. Such software can help a CIO put a dollar value on what might happen if a client or customer sues for breach of privacy or a government agency slaps the firm with fines for leaking data protected by law. CorpNet's Johannes says a potential fine could be as much as $250,000 for a privacy breach, depending on how it occurred. He points to new federal laws that protect hospital patient information from public scrutiny, increasing the risk of lawsuits against organizations that manage or transmit such information, and even against individual doctors who use PDAs to care for patients in a hospital.
But not every company is clueless when it comes to wireless security. At Siemens Medical Solutions, for example, the networking department conducts site audits to ferret out rogue networks. Last year, says SMS' network engineer Stuart Higgins, IT used NetStumbler to sniff out a rogue wireless network that nobody in IT had installed. The discovery led to a set of new policies aimed at curbing the problem.
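The two checks described above, spotting access points nobody in IT installed and spotting SSIDs that advertise their owner, can be automated against a site survey. The following is an added example written for this page, not Siemens' procedure or NetStumbler's code: the authorized-AP inventory, the company name "acme", the CSV export format and the scan records are all constructed for illustration.

```python
"""Rogue access-point triage: compare a wireless site survey against the
authorized AP inventory and flag radios that warrant a walk-through.

Added illustration for this page; not Siemens' or NetStumbler's code.
Inventory, company name, export format and scan records are constructed."""

from dataclasses import dataclass

# Authorized inventory (constructed): radio MAC (BSSID) -> sanctioned SSID.
AUTHORIZED_APS = {
    "00:0c:41:aa:01:01": "corp-wlan",
    "00:0c:41:aa:01:02": "corp-wlan",
}

# Hypothetical company name; an SSID containing it tells a war driver who owns it.
COMPANY_NAME = "acme"


@dataclass(frozen=True)
class ScanRecord:
    ssid: str
    bssid: str
    channel: int
    signal_dbm: int


def parse_scan(lines):
    """Parse 'ssid,bssid,channel,signal_dbm' lines (a constructed CSV export,
    not NetStumbler's real file format).  Blank and '#' lines are skipped."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, channel, signal = [f.strip() for f in line.split(",")]
        records.append(ScanRecord(ssid, bssid.lower(), int(channel), int(signal)))
    return records


def classify(record, authorized=AUTHORIZED_APS, company=COMPANY_NAME):
    """Return the findings for one observed radio (empty list = sanctioned)."""
    findings = []
    sanctioned_ssid = authorized.get(record.bssid)
    if sanctioned_ssid is None:
        if record.ssid in authorized.values():
            # Our SSID from a radio we never installed: a spoofed/"evil twin" AP.
            findings.append("spoofed-ssid")
        else:
            # A radio not in the inventory at all: rogue AP candidate.
            findings.append("unknown-ap")
    elif record.ssid != sanctioned_ssid:
        # Known radio, but reconfigured away from its sanctioned SSID.
        findings.append("ssid-mismatch")
    if company.lower() in record.ssid.lower():
        # SSID leaks the owner, the mistake the article describes.
        findings.append("identifying-ssid")
    return findings


def triage(lines):
    """Map BSSID -> findings for every radio in the survey with a problem."""
    report = {}
    for rec in parse_scan(lines):
        findings = classify(rec)
        if findings:
            report[rec.bssid] = findings
    return report


# Constructed survey: two sanctioned radios, one evil twin, one radio that
# names the company, and one consumer AP someone plugged in under a desk.
SAMPLE_SCAN = """
# ssid,bssid,channel,signal_dbm
corp-wlan,00:0c:41:aa:01:01,6,-48
corp-wlan,00:0c:41:aa:01:02,11,-55
corp-wlan,00:40:96:de:ad:01,6,-62
acme-finance,00:09:5b:12:34:56,1,-70
linksys,00:06:25:77:88:99,6,-80
""".splitlines()


if __name__ == "__main__":
    for bssid, findings in triage(SAMPLE_SCAN).items():
        print(f"{bssid}: {', '.join(findings)}")
```

The allowlist catches the sloppy rogue (an unregistered radio, or a registered one reconfigured) and the identifying SSID, which is what a periodic walk-through survey is good for. It does not defeat a deliberate attacker: BSSIDs are trivially forged, so a spoofed-SSID hit from a radio that clones an inventoried MAC would pass this check, and the survey should be correlated with wired-side switch MAC tables and physical location before an AP is declared sanctioned.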
Now, says Michael Alban, who manages vendor relationships for Siemens Medical Solutions, workers who use the company's sanctioned wireless LANs must use the virtual private network (VPN) client software provided to them by the company. Employees are also required to attend a seminar on using the VPN, and to sign a document saying they understand and agree with the organization's security measures. Failure to comply will mean a reprimand, and could lead to dismissal. Siemens employees are also encouraged to attend occasional "lunchtime exchanges" with IT and security staff to update their understanding of security policies as they change or as external threats vary.
NetBank Inc., an Alpharetta, Ga.-based online financial services firm, takes it all a step further. Tom Cable, NetBank's chief technology officer, sends company network engineers to employees' homes to make sure no security holes are left open. NetBank checks home PCs for potential security problems of all types, including rogue wireless LANs. "We do inspections at peoples' homes," says Cable, "to verify that they are meeting the standards" set up for telecommuting security. "The machine that's going to be communicating to the bank should not be connected to a wireless network in the home," he says.
Other companies, like Deutsche Bank, simply limit what types of information can go in or out to get around the security problem. "There are limits on what [employees] can access in real time on the network through dial-up," says Mele. Experts recommend that companies treat employees working on wireless networks as if they were dialing in through the most insecure connection imaginable, even if the wireless LAN is physically set up in the middle of corporate headquarters, away from the windows and exterior walls that intruders could easily sniff from the road or the employee parking lot.