The Incredible Hidden Wireless Connection

After deciding that the company isn’t ready for wireless and the security challenges the technology poses, the CIO sits in his office going over his email and sipping a cup of coffee.

What he doesn’t know is that down the hall in a secondary conference room, three workers from the accounting department are having a meeting, calling up information online using a wireless connection they set up themselves. After they all pitched in, it didn’t cost more than a lunch, really. And now they have Internet access from meeting rooms and even the cafeteria.

And what they don’t know is that in a parking lot down the street, a hacker sits in his car. He’s found the unprotected access point and he’s going through the files on the accountants’ computers — company financials, employee salary figures and Social Security numbers.

It’s a scary scenario but one that’s not uncommon, according to industry analysts.

“I believe it’s more common than most companies would like to admit,” says Bob Hillery, vice president of forensics and intrusion research at Intelguardians LLC, a security consultancy based in Washington. “I’ve been in organizations where they say they don’t have wireless, but they did… Employees get it set up and don’t tell IT anything about it.

“If someone has just dropped in a wireless connection and not told you, you don’t have a perimeter any more,” adds Hillery, who also writes a column for eSecurityPlanet.

Hidden wireless connections are turning into a hidden nightmare for CSOs and CIOs. No matter how much security an administrator has employed in his network, all it takes is one hidden access point to blow a gaping hole in the network, leaving the company wide open to attack.

And since it doesn’t take much more than rudimentary technical skills and a quick trip to Radio Shack to set up a wireless connection, it’s happening quite frequently within corporate walls — whether administrators know about it or not.

“In a lot of companies, middle and junior managers like to take additional steps to make themselves and their workforce more efficient,” says George Bakos, a senior security expert at the Institute for Security Technology Studies at Dartmouth College. “One of the ways to do that is to have wireless in their department. That way they have mobile meetings. People are no longer tied to their desks. They can take their materials with them and remain connected.”

Striving for Efficiency

And Bakos says employees sometimes aren’t even thinking that they’re ripping a hole in their company’s security defenses. Wireless just seems like a good idea that maybe the company is “too cheap” to bring on board. For about $100 or less, they figure they’ll just do it themselves.

Maybe employees know it’s something they shouldn’t do, but figure it’s worth the risk since it’s a slim shot that they’ll actually get caught.

“One person trying to be more efficient or clever can punch a hole in your security wide enough for a truck to drive through,” says Bakos. “Say someone in financial has an access point. He thinks he’s working faster and he’s able to work in the conference room and not just at his desk. But his files that are going back and forth to the servers are now visible. His email is visible. Authentication credentials, including passwords and challenge responses, are visible… All of that is critical enough for the IT department to spend a heck of a lot of money protecting it on the wired side.”

Hillery said he witnessed one instance where one employee had set up a wireless device in the office despite knowing that it was against company policy. To help pay for it, he set up a box that said ‘Donations’ and collected money from his co-workers. When they were caught, about a dozen employees were part of the company’s wireless conspiracy.

“Because it’s so easy, it tends to happen fairly often,” says Abner Germanow, program manager of enterprise networking at Framingham, Mass.-based IDC, an industry analyst firm. “If 100 companies did a wireless survey, probably five to 10 would find access points they didn’t know about… If it’s left open and you’re a company that people are trying to get information on, it’s a worrisome issue.”

To make sure this isn’t happening, IT administrators first need to formalize a policy saying that unauthorized wireless access is not permitted. Then make sure employees know about the policy and what it means — and remind them fairly frequently. There also needs to be some teeth behind the policy. If a delinquent employee will only get her wrist slapped for breaking the rules, what are executives saying about the importance of the policy?

And it’s time to survey company grounds looking for wireless connections. Both Hillery and Bakos say it’s a fairly easy thing to do. Configure a laptop with NetStumbler or Kismet and then walk around the facility. When the system beeps, you know you’ve stumbled on a problem.
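As an added example (not part of the original article), the Python below shows what to do with the results of such a walk-around survey: compare every access point seen against the list IT actually deployed, and report the strangers with the spot where each was heard loudest. The CSV columns, the AUTHORIZED inventory and the function names are assumptions made for illustration, and the sample data is constructed; it is not the native export format of NetStumbler or Kismet.

```python
import csv
import io

# Constructed sample data: a simplified survey export, not the native
# output format of NetStumbler or Kismet.
SURVEY_CSV = """bssid,ssid,encryption,signal_dbm,location
00-11-22-AA-BB-01,CorpNet,WPA2,-48,Lobby
00:11:22:aa:bb:01,CorpNet,WPA2,-71,Cafeteria
de:ad:be:ef:00:10,linksys,None,-80,Hallway 2
DE:AD:BE:EF:00:10,linksys,None,-42,Conference Room B
02:00:5e:10:20:30,CorpNet,None,-65,Parking lot side
"""

# Hypothetical inventory of access points IT actually deployed.
AUTHORIZED = {"00:11:22:aa:bb:01": "CorpNet"}


def normalize_bssid(raw):
    """Canonical form: lower-case hex pairs separated by colons."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def find_rogue_aps(survey_text, authorized):
    """Return unauthorized APs, keeping the strongest sighting of each."""
    corp_ssids = set(authorized.values())
    strongest = {}
    for row in csv.DictReader(io.StringIO(survey_text)):
        bssid = normalize_bssid(row["bssid"])
        if bssid in authorized:
            continue
        signal = int(row["signal_dbm"])
        if bssid not in strongest or signal > strongest[bssid]["signal_dbm"]:
            strongest[bssid] = {
                "bssid": bssid,
                "ssid": row["ssid"],
                "signal_dbm": signal,
                "nearest": row["location"],
                "open": row["encryption"].strip().lower() in ("", "none", "open"),
                "uses_corp_ssid": row["ssid"] in corp_ssids,
            }
    # Strongest signal first: that is where to start the physical search.
    return sorted(strongest.values(), key=lambda ap: ap["signal_dbm"], reverse=True)


if __name__ == "__main__":
    for ap in find_rogue_aps(SURVEY_CSV, AUTHORIZED):
        print(ap)
```

An entry with uses_corp_ssid set deserves particular attention: it is a device nobody in IT deployed that is advertising the company's own network name.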

“If you have a wireless connection sitting out there unguarded, a hacker with a laptop and a good antenna could get any information that comes and goes through that connection,” says Hillery. “What if you’re using AutoCad or server-based Word? Every time you send something, they get a copy.”