CMP -- United Business Media

Intelligent Enterprise

Better Insight for Business Decisions






August 31, 2001



Something in the Air

Wireless LANs can open up your enterprise to people beyond your company's four walls, but do you know who's waiting outside?

By Boulton Fernando

New York City's Times Square has long been known as "The Crossroads of the World"; its sky-high, neon billboards are ground zero to the glamour, excitement, and 24/7 energy that this big city has to offer. But who knew the air was equally rich in corporate data?

Yet, on a recent summer day, a white-hat hacker (one of Ernst & Young's e-risk practice partners), equipped with a laptop and a scanner, was able to pick up email and other internal information from a half-dozen companies as he walked around mid-Manhattan's theater district. You may not be able to hear yourself think at the corner of Broadway and 42nd, but you certainly can get a good look at a lot of unguarded business data.

It's not the first time we've seen corporate data leak into the air: A similar curbside test for a large financial institution found that as roving tellers armed with pocket PCs handled customer deposits on the fly inside a local branch bank, our consultants were able to capture account numbers and transaction amounts from a nearby street corner.

And just think, these standard-issue technology breaches were relatively passive incursions; there were no break-ins. Each time, the captured data was picked up outside a company's four walls - not even breaching a firewall. Imagine how deep inside a company hackers could burrow equipped with wireless equipment and "sniffing" software.

This problem will only get worse. According to a recent survey of managers at 50 of the world's largest companies, Forrester Research found that, to date, only one in four have built wireless networks. However, the other 75 percent expect their companies will introduce the technology into their enterprises within the next 24 months. First places to be wired: shared employee spaces such as conference rooms and lounges. "Firms see the greatest potential for improved productivity in high-traffic areas," the pollsters reported. Looks like gossip overheard at the "water cooler" may be going digital.

SECURITY: THE MISSING LINK

The source of this widespread enthusiasm for wireless local area networks (WLANs) is easy to understand: Wireless networks can be cheaper to operate than traditional networks, while providing highly flexible options for linking employees in multiple locations with IS resources. Unfortunately, too many companies become so enamored with mobile computing's many possibilities that they lose sight of the technology's attendant risks. Although some risks are similar to those found in most wired network environments, others, such as the following, are unique to WLAN setups:

  • Encryption standards. WLANs broadcast signals well beyond a company's four walls. The weaknesses inherent in the wireless encryption protocol (WEP) further compound this problem. As researchers at the University of California recently demonstrated, even at its highest levels, WEP encryption isn't strong enough to prevent hackers from intercepting data being transmitted to and from a laptop computer - and, if they choose, modifying that data without detection.
  • Authentication. Most large companies use so-called "shared secrets," such as companywide passwords to give many users access to wireless networks. Problems of nightmarish proportions can arise if unauthorized parties get hold of those access codes, requiring the reconfiguration of every machine with access to the network. Further compounding matters, WLANs do not produce audit trails, making it impossible to know who accessed what data. This is a definite drawback for government-regulated companies, like those in the financial services and healthcare industries, where federal regulations such as the Health Insurance Portability and Accountability Act determine if and how third parties get access to an individual's records.
  • Station set identifiers (SSIDs). Most WLANs operate with only a rudimentary level of access control - and even this modest protection is diluted as it's the machine, and not the user, that must prove it has access privileges. Further complications arise when companies use the manufacturer's SSIDs as the default setting. However, changing a default may not add much protection if everyone has the new password. (For example, I've seen SSIDs posted on airline Web sites for travelers who want to access their email in airport lounges!)

FOR NOW, LIMITED REMEDIES

To avoid these and other WLAN-related problems, a company will have to build a separate security infrastructure to support WLAN. In short, that means setting up a virtual private network (VPN) - which is generally defined as a combination of tunneling, encryption, authentication, and access control technologies and services used to carry traffic over the Internet, a managed IP network, or a provider's backbone - to control access to corporate applications and ensure data integrity between mobile and wireless networks. In VPNs, implementing role-based access control is also important to ensure that only authorized personnel (and not just authorized machines) have access to the network.

Here are some other things to ask yourself as your company begins thinking about setting up WLAN architecture:

  • Can wireless devices interoperate within your current IT infrastructure?
  • What precautions should your company take to secure data transmissions between wired and wireless environments?
  • How will you authenticate wireless users before they access corporate networks?
  • What's the best way to leverage your company's current security investments?
  • How will you learn which authorized and unauthorized individuals are listening?

Until next-generation protocols and equipment are introduced, the best advice may be to treat all wireless access points as hostile devices. In other words, when it comes to wireless networks, don't assume there's much, if any, real security in place.



Boulton Fernando [Boulton.Fernando@ey.com] is a senior manager in Ernst & Young's eRisk Solutions practice. He regularly advises industry leaders, particularly in financial services and healthcare organizations, on the risks involved in online and wireless security issues.





