Roaming hazard. It's a sign of the times that in some cases security teams have to behave like hackers to be successful. Sniffing out ad hoc wireless networks in a "no wireless allowed" work environment is one such case. Most of the security executives we spoke with have found unauthorized wireless networks at their companies. These networks are so cheap and easy to set up that they will continue to be a problem in many companies. But detecting a clandestine Wi-Fi network two floors down is a breeze compared to the problem security executives encounter when their employees utilize wireless networks outside the office.
Wi-Fi is built into most laptops, and wireless computing is so liberating that few untethered employees can resist the lure of a coffee shop or hotel access point. But unless users are educated about the specifics of wireless security, they could be laying the corporate network bare to any curious or malicious bystander. Security policies must spell out who can access the network, how, when and where. On the company's own access points, a software-based firewall on the laptop and link-layer encryption - Wi-Fi Protected Access (WPA) or, ideally, WPA2 (the Wi-Fi Alliance certification for the 802.11i standard) - must be used to ensure that casual roamers aren't hopping aboard. Wired Equivalent Privacy (WEP), the original 802.11 scheme, has known cryptographic weaknesses and is routinely broken with freely available tools, so it should not be counted as protection. Those controls only cover access points the company runs; on a coffee-shop or hotel hotspot the employee has no say in what encryption, if any, is in use, so traffic from roaming laptops needs its own protection, typically a VPN back to the office or end-to-end TLS to the services being used.
Employees also need education about the different scams that can affect wireless users. Christopher Faulkner, founder and chief executive of Web hosting firm C I Host, has also launched "The Wi-Fi Guy" travel blog that tracks Wi-Fi and cultural information in cities across the US. He warns CSOs in particular about the dangers of "evil twin" wireless networks. An evil twin is a rogue wireless access point that an attacker sets up near a legitimate Wi-Fi access point, advertising the same network name (SSID). Client devices choose between access points that share an SSID by signal strength, so the attacker's radio, being closer or transmitting at higher power, usually wins; the users think they're on the legitimate network but are actually connected to the attacker's machine, which can capture anything they transmit that isn't separately encrypted end to end. "I tried this at an airport, and within four minutes had three people connected to my laptop doing unsecured computing in plain text," says Faulkner. In a variation of that scenario - a sort of Wi-phishing - an attacker sets up another access point near a legitimate one, lures a user to connect and then presents a fake login page that prompts him for his user name and password. When providing that info doesn't lead to a connection, the mystified user usually reboots and logs onto the real network, but the attacker has already siphoned off what he wanted. Later he'll be able to log onto the network with the user's ID.
These kinds of scams frequently snare people who are in a hurry and will disregard something that looks a little unusual in their haste to get online. Educate employees to use wireless carefully and to avoid sending company confidential or sensitive information over wireless unless it is absolutely necessary and the system's safeguards have been approved by corporate security.
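Both problems described above - the clandestine access point in a "no wireless allowed" office and the evil twin that borrows a legitimate network's name - show up in the same place: a scan of what is beaconing nearby. The following is an added example, not code from the article or from anyone quoted in it. It triages a site survey against an inventory of sanctioned access points, flags unknown radios advertising a corporate SSID as evil twins, treats loud unsanctioned radios as probable on-premises rogues, and shows which BSSID a client would pick for each SSID on signal strength alone. The survey records, the authorised-AP inventory, the OUI table and the -65 dBm "probably indoors" threshold are all constructed for illustration.

```python
"""Triage a Wi-Fi site survey for rogue access points and evil-twin indicators."""

# Authorised corporate access points: BSSID -> (SSID, expected security). Constructed inventory.
AUTHORISED = {
    "00:1a:1e:11:22:33": ("CorpHQ", "WPA2"),
    "00:1a:1e:11:22:34": ("CorpHQ", "WPA2"),
}

# Tiny OUI (first three octets) -> vendor table; assumed values, not the IEEE registry.
OUI_VENDOR = {"00:1a:1e": "enterprise-ap-vendor", "c0:c1:c0": "consumer-router-vendor"}

# Constructed survey records, shaped like a parsed `iw dev wlan0 scan`. Not a real capture.
SURVEY = [
    {"ssid": "CorpHQ", "bssid": "00:1A:1E:11:22:33", "security": "WPA2", "signal_dbm": -48},
    {"ssid": "CorpHQ", "bssid": "00:1A:1E:11:22:34", "security": "WPA2", "signal_dbm": -55},
    {"ssid": "CorpHQ", "bssid": "C0:C1:C0:99:88:77", "security": "OPEN", "signal_dbm": -35},
    {"ssid": "linksys", "bssid": "C0:C1:C0:AA:BB:CC", "security": "WEP", "signal_dbm": -42},
    {"ssid": "NeighbourCo", "bssid": "D8:3A:DD:01:02:03", "security": "WPA2", "signal_dbm": -85},
]


def oui(bssid):
    """First three octets of a MAC, lower-cased, used for the vendor lookup."""
    return bssid.lower()[:8]


def strongest_per_ssid(survey):
    """BSSID a typical client would join for each SSID: the strongest signal wins."""
    best = {}
    for ap in survey:
        cur = best.get(ap["ssid"])
        if cur is None or ap["signal_dbm"] > cur["signal_dbm"]:
            best[ap["ssid"]] = ap
    return {ssid: ap["bssid"].lower() for ssid, ap in best.items()}


def triage(survey, authorised=AUTHORISED, indoor_threshold_dbm=-65):
    """Return findings as (severity, bssid, reason) tuples.

    indoor_threshold_dbm is an assumed cut-off: anything heard louder than this
    from inside the office is treated as probably on the premises rather than a
    neighbour's network leaking through the floor.
    """
    corp_ssids = {ssid for ssid, _ in authorised.values()}
    findings = []
    for ap in survey:
        bssid = ap["bssid"].lower()
        if bssid in authorised:
            exp_ssid, exp_sec = authorised[bssid]
            # A sanctioned radio advertising another name or weaker security is
            # misconfigured, or someone is spoofing its MAC address.
            if ap["ssid"] != exp_ssid or ap["security"] != exp_sec:
                findings.append(("high", bssid,
                                 f"authorised AP deviates: ssid={ap['ssid']} security={ap['security']}"))
            continue
        if ap["ssid"] in corp_ssids:
            # Our network name from a radio we do not own: the evil-twin pattern.
            findings.append(("critical", bssid,
                             f"evil twin of {ap['ssid']}: unknown BSSID, security={ap['security']}, "
                             f"vendor={OUI_VENDOR.get(oui(bssid), 'unknown')}, {ap['signal_dbm']} dBm"))
        elif ap["signal_dbm"] >= indoor_threshold_dbm:
            # Loud and unsanctioned: in a "no wireless" office this is the one to go and find.
            findings.append(("high", bssid,
                             f"rogue AP {ap['ssid']} ({ap['security']}, {ap['signal_dbm']} dBm) likely on premises"))
        else:
            findings.append(("info", bssid,
                             f"external AP {ap['ssid']} heard at {ap['signal_dbm']} dBm"))
    return findings


def severity_by_bssid(findings):
    """Collapse findings to a BSSID -> severity map for reporting."""
    return {bssid: sev for sev, bssid, _ in findings}


if __name__ == "__main__":
    order = ("critical", "high", "info")
    for sev, bssid, reason in sorted(triage(SURVEY), key=lambda f: order.index(f[0])):
        print(f"[{sev}] {bssid} {reason}")
    print("client would pick:", strongest_per_ssid(SURVEY))
```

Run against the constructed survey, the open "CorpHQ" radio at -35 dBm is reported as critical and is also the BSSID a client would select for that SSID, which is exactly why the evil twin works. The same SSID-versus-BSSID comparison is what a roaming user's tooling can apply at a hotspot: a remembered network name that suddenly appears without encryption, or from a vendor it never came from before, deserves suspicion.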
Peer-to-peer and Web-based services
The casualties of convenience. Peer-to-Peer (P2P) technologies and Web-based services are different animals, but they have three important qualities in common. These tools and programs are easily downloaded by employees, they frequently offer what workers see as a useful productivity-enhancing service, and most of them reach the outside world over outbound HTTP or HTTPS connections that the corporate firewall already permits, so they pass straight through the perimeter looking like ordinary Web browsing and bypass the controls that were designed around inbound traffic.
Take GoToMyPC, a Web-based service owned by Citrix Online. An employee can download the GoToMyPC software to his office PC, and it allows him to access the contents of his office workstation remotely from any PC connected to the Internet by typing in a user name and password. The GoToMyPC folks have published a 10-page white paper touting their security, but some basic control issues exist that should concern security executives. First, no matter how secure the program is, the session traffic and the authentication that gates it are handled on a third party's infrastructure, outside the CIO's direct control and outside the company's own logging. Second, security executives have no control over the machine that the employee uses to remotely access the corporate network. It could be an Internet cafe where a hacker has installed keystroke loggers, or it could be a home PC on an unsecured wireless network. P2P technologies such as instant messaging clients and Skype are just as alluring and raise the same questions.
At First Data, Mellinger uses a proxy server from Blue Coat Systems to limit these kinds of external connections. Blue Coat enables Mellinger to control certain kinds of connections and provide appropriate warnings for others. Of course Mellinger doesn't want to interfere with the regular course of business, so he cautions that you have to work through the kinks with any product to ensure that employees can still access all the tools they need. "We have lawyers who need to go out and look at certain sites that we would otherwise not allow employees to visit," he says. Mellinger and his team are fine-tuning Blue Coat to match their exact needs.
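The policy Mellinger describes - block some categories of outbound connection, warn on others, and carve out exceptions for groups such as the lawyers who need otherwise-disallowed sites - is straightforward to express as rules over an egress proxy log. The following is an added example, not code from the article, from First Data or from Blue Coat. It evaluates proxy records against a category list, default actions and per-group overrides, and adds one heuristic the paragraphs above motivate: a CONNECT held open for a long time to an uncategorised host, which is how remote-access and P2P tools that ride over port 443 tend to look. The log format, host names, categories, groups and the 30-minute threshold are all constructed for illustration.

```python
"""Evaluate egress proxy records against a category policy with group exceptions."""
from dataclasses import dataclass

# Constructed proxy records (not real logs): epoch, user, directory group,
# elapsed ms, method, destination host:port, HTTP status.
LOG = """\
1108000001 jsmith staff 120 CONNECT remote-desktop.example:443 200
1108000002 jsmith staff 45 GET www.example.com:80 200
1108000003 alee legal 300 GET court-filings.example:443 200
1108000004 bwong staff 310 GET court-filings.example:443 200
1108000005 ckhan staff 7200000 CONNECT 203.0.113.7:443 200
1108000006 dpatel staff 90 CONNECT chat-p2p.example:443 200
"""

# Destination categories; hypothetical host names standing in for a vendor's URL database.
CATEGORIES = {
    "remote-access": {"remote-desktop.example"},
    "p2p-messaging": {"chat-p2p.example"},
    "legal-research": {"court-filings.example"},
}

# Default action per category. "warn" lets the request through but raises an
# alert, the "appropriate warning" the article mentions; unlisted categories are allowed.
DEFAULT_ACTION = {"remote-access": "block", "p2p-messaging": "warn", "legal-research": "block"}

# Per-group overrides: the legal team needs sites other employees are kept off.
GROUP_OVERRIDES = {"legal": {"legal-research": "allow"}}

# Assumed threshold: a tunnel open this long to an unknown host is worth a look.
LONG_TUNNEL_MS = 30 * 60 * 1000


@dataclass
class Decision:
    user: str
    host: str
    category: str
    action: str
    reason: str


def categorise(host):
    """Map a destination host to a category, or 'uncategorised'."""
    for cat, hosts in CATEGORIES.items():
        if host in hosts:
            return cat
    return "uncategorised"


def evaluate(line):
    """Decide what the proxy should do with one record."""
    _ts, user, group, elapsed, method, dest, _status = line.split()
    host = dest.rsplit(":", 1)[0]
    cat = categorise(host)
    overrides = GROUP_OVERRIDES.get(group, {})
    if cat in overrides:
        action, reason = overrides[cat], f"category {cat}, override for group {group}"
    else:
        action, reason = DEFAULT_ACTION.get(cat, "allow"), f"category {cat}"
    # Long-lived CONNECT to a host nobody has categorised: the shape of a
    # remote-control or P2P session riding over port 443.
    if action == "allow" and method == "CONNECT" and cat == "uncategorised" \
            and int(elapsed) >= LONG_TUNNEL_MS:
        action = "warn"
        reason = f"long-lived CONNECT ({int(elapsed) // 60000} min) to uncategorised host"
    return Decision(user, host, cat, action, reason)


def evaluate_log(text):
    """Evaluate every non-empty record in the log text."""
    return [evaluate(line) for line in text.splitlines() if line.strip()]


def summary(text):
    """(user, host, action) per record, for reporting and testing."""
    return [(d.user, d.host, d.action) for d in evaluate_log(text)]


if __name__ == "__main__":
    for d in evaluate_log(LOG):
        print(f"{d.action:5} {d.user:7} {d.host:25} {d.reason}")
```

The override table is the part that needs the most care in practice: every exception widens the policy for a whole group, so it should name the category, the group and the business reason, and be reviewed when membership changes. The long-tunnel heuristic is deliberately conservative (it only fires on otherwise-allowed, uncategorised destinations) because the point, as Mellinger says, is to work through the kinks without cutting people off from tools they legitimately need.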
At ARC, Bhatt has found that communicating with his employees is an effective way to deal with a lot of the P2P and Web activity. "Almost 100 percent of the time, people are just trying to get something done," says Bhatt. He tells employees that he wants them to feel comfortable asking questions about new products and online services without fear that they will be frowned on. If there is a cool new service that an employee wants to use, security will check it out; if they're not comfortable with that system, they'll seek a secure alternative. If there is none, security will explain why not and why that kind of activity puts the company at risk. "When users know what the danger is, it works well," says Bhatt.
First Data has also taken an added step that Mellinger believes insulates the company from many of the problems that these services can let in. The company has separate firewalls protecting each of its business units so that if a virus or breach occurs in one unit it can be easily unplugged from the others to prevent the damage from spreading. "A lot of times a company looks at itself as a monolithic entity," says Mellinger, "and we don't want to put ourselves in a position where anything that makes it into the company can impact the whole company. We use the same security controls between business units that we use between business units and the outside world."