When Intel introduced the Centrino chip in early 2003, laptop users cheered that they'd no longer be scanning the shelves of computer retail stores in search of separate wireless cards for their new mobile computers. In contrast, IT staff cringed with the knowledge that built-in wireless cards in the hands of users who weren't technically savvy could wreak havoc on efforts to keep their companies' wireless networks secure.
"Wireless networks are particularly vulnerable to security breaches and attacks because the signal is wide open," explained Chuck Conley, vice president of marketing for Newbury Networks. The executive for the wireless security provider noted that, "for the first time in computing history, you don't know where your device or your user is. And because you don't know where that user is, you also sometimes don't know who that user is."
Conley pointed out that because wireless networks typically cover a 300-foot radius, signals can bleed out through brick and glass to the hallway, the sidewalk, and maybe even the parking lot across the street. He cautioned, "anyone who might not be in line of sight can hop onto that signal with relative ease, hack into the network from behind the scenes, and create a major security breach of the network and the data behind it."
Beware the war driver
With the built-in Centrino chip, when a user turns on a new-model laptop it automatically creates a wireless LAN, instantly emitting an 802.11 signal. If it's running Microsoft XP, the laptop will automatically seek a network connection. With the growing ubiquity of wireless network devices used by mobile employees, Conley recommended educating wireless users in some fundamental practices to safeguard their transmissions from a growing band of high-tech thieves known as war drivers.
Using a laptop and a modified wireless access card, anyone with the technical knowledge of an average university student can trawl through the computer records of a company that hasn't properly secured its wireless network. With more companies opting for wireless networks in place of expensive cabling throughout their offices, the opportunity for taking advantage of this unwitting "open door" policy is growing.
A 2002 survey conducted by business advisers at KPMG International found that of those companies that had fully implemented a wireless LAN, some 38 percent had failed to use any type of encryption technology to protect the information flowing over their networks. Such lax security left them vulnerable to serious breaches.
Ways to thwart hackers and attackers
Alan Greig, a registered e-security consultant with Ogilvie Communications, a telecommunications company based in the UK, suggested some basic precautions to make it more difficult for war drivers:
Although, like any computer system, wireless can't be made 100-percent secure, Greig claimed that the only way to make a WLAN relatively secure is to "treat it as a hostile connection and place [your access points] outside the firewall."
Jon Edney, author of Real 802.11 Security, agrees with Greig. "The simplest solution for business use is to keep the access points on separate wire lines and run the connection through a firewall to a VPN server." But, he admitted, it's a pain. He's looking forward to the new WPA (Wi-Fi Protected Access) security standard to address some of the fundamental issues of wireless vulnerability.
Like Chuck Conley, Edney recommends employee education as a front-line defense. "Employees can drive a dump truck through the protections [implemented by the IT staff] by installing an unauthorised wireless LAN," said Edney. For companies with lots of small branches and offices, this can be a particular problem. "All it takes is a proactive manager to go and buy an access point at the local computer store and connect it where his PC used to plug in, and you have a breach," he pointed out.
Chuck Conley likened it to "taking a cable and throwing it out the window to the sidewalk so that people can plug in." Because it's something that is almost impossible for IT departments to detect, the solution is to educate employees to the potential problem, rather than simply enforce rules.
"People tend to ignore rules because they think the IT departments are control freaks," Jon Edney observed. "But if they understand the dangers, they will cooperate."
Avoid risky wireless practices
Besides introducing unauthorised wireless technology into the corporate environment, Chuck Conley noted a couple of other highly risky business activities that catch employees unaware:
1%
6%
