Tuesday | 14 October, 2008
CIO
When Wireless Works
Ben Worthen 05 February, 2003 13:18:28

Caution: No Wires Attached

They're here, they're insecure, and they're gaining a foothold in your enterprise

By Daintry Duffy

A lot has been written about the security flaws of wireless networks, and you've probably heard the tales of the enterprising hacker who can sit on a park bench in the heart of the financial district and tap into dozens of wireless networks. But for CIOs the challenges of wireless are only getting larger as the holes in security go unpatched, and employees either demand greater wireless connectivity or surreptitiously achieve it on their own.

"Wireless is robustly insecure," says Bruce Schneier, author, cryptographer and CTO of Counterpane Internet Security, a security-management service provider. "The only way to look at wireless is to assume that it's completely insecure."

Bob Degen is the former supervisor of the financial crimes unit for the US. Currently he is senior vice president for corporate security of First Data (the parent company of Western Union), where he has seen proof of wobbly wireless security. A high-placed executive at the company bought himself a WLAN and, despite Degen's numerous warnings about the security problems, was bound and determined to use it. After a business trip to Paris, he came to Degen and apologised for having ignored his warnings. The executive sheepishly went on to explain that he had been on his WLAN in the hotel, had turned it off, but was puzzled when a light indicated that he was still connected to the network. It turned out that a guy two rooms down had been on a WLAN as well and the lines had got crossed. Each had become connected to the other company's LAN, and the light was on because the other guy was still on First Data's network.

The standard security protocol for wireless is WEP (wired equivalent privacy), and since its release in 1997 a number of flaws have been found that allow anyone with the right tools to break the encryption. Even the example of the hacker on the park bench is out of date. By using increasingly powerful receivers and transmitters, it's now possible to break into a wireless network from as far as 10 miles away. According to one vendor, a telecom customer that realised its exposure even went so far as to put special windows into its new facility to block transmitters and protect internal wireless communications. It had to evaluate up to six window systems before it found one it couldn't transmit across. But for most companies, security-driven window replacement is an unattainable and expensive luxury.

This is not the only problem that wireless presents. Like Degen's executive who was determined to use his wireless LAN out of the office, employees can easily set up their own WLAN access points within the company walls. WLANs use wireless network cards and small boxes - the size of a CD drive - as network access points. They can easily be tucked in a drawer or under a desk. Whether they are set up by an employee who wants to e-mail during meetings or by a hacker looking to establish 24/7 access to your network, it is virtually impossible for CIOs to find them.

While security experts such as Schneier contend that wireless will never be secure, others see hope. "Well-implemented end-to-end cryptography or a virtual private network offers strong protection against certain kinds of attacks," says Hernan. While he cautions that there are other kinds of attacks for which these solutions may not work, he believes that "most organisations would be well served to use end-to-end security or a VPN as part of a strategy for securing a wireless network". The biggest problem with wireless security systems is that many companies aren't bothering to use them. An informal 2001 Gartner survey found that more than 60 per cent of companies operating wireless networks didn't even have WEP - the most basic security that comes packaged with a wireless LAN - turned on.

But one thing that CIOs need to educate their executives about is that while it is possible to conceal specific content, the fact that person X is having a conversation with person Y can't be hidden. At times, the very fact that communication is taking place at all can become a security breach. For example, a flurry of text messages between execs at two rival banks could signal that a long-rumoured merger is in the works.

Although CIOs can control company-sponsored wireless installations, the greater vulnerability may come from employees, like Degen's executive, who go out and set themselves up on wireless. While it is a must to create and enforce strong policies, Degen also advocates a touch of humiliation as an effective deterrent. "I didn't get to where I was because I'm such a persuasive guy," he says. "We have a saying in my group that 'adversity is my friend'. When something bad happens, jump on it, make a big example out of it, don't hide it." When a bank or government group comes in and gives First Data a bad security audit, Degen believes in making it public within the organisation to increase the pressure on business units and employees that might be tempted to ignore a security mandate. "Look at what's at risk," he says. "Take advantage of bad things and parlay them into as much as you can get."

Many CIOs or CSOs might be horrified at the idea of tarnishing their own reputation within the company by exposing security flaws, but Degen plays the strong security mandate he's been given for all it's worth. When it was recently discovered that a facilities executive was flouting the company's security policy by letting his employees use a loading dock door instead of the employee card-reader turnstiles, Degen organised a sting operation. He asked an employee from the company's Tulsa office (a stranger at the company's Colorado headquarters) to piggyback on facilities employees going in and out through the dock doors. Time after time employees let him in, even though nobody knew who he was. Degen wrote up a ticket for every violation.

"I'm going to take all 30 of these tickets and throw them on [the facilities executive's] desk," he says. "Then I'm going to hold a remedial security class for all his people, and it's going to be long and gruesome."
