Corporate security gets urgent

Wireless worries


Perhaps the most menacing security holes lie in pieces of the network that Internet and IT managers don't even know exist.

Wireless LANs are cropping up in an organic fashion throughout corporations, often without the knowledge of a central manager.

"Departments are going out and putting them out for the department, without thinking about the ramifications for the rest of the corporation. If the CIO found out, they'd freak out," said Dean Douglas, general manager of wireless e-business services of IBM Global Services.

Cisco Systems had that problem internally. Shortly after Cisco acquired wireless LAN gear provider Aironet, employees quickly began deploying access points around the corporate campus.

"Soon we had 260 rogue Aironet deployments," said Kittur Nagesh, product line manager for the Aironet wireless LAN solution of Cisco.

Cisco's IT department took stock of the network pieces and quickly deployed a security solution across the network. The company also created an internal policy for extending the network.

"The rogue deployments went away because people found they could work with the policy and have a well-managed system," Nagesh said.

IBM hopes to help companies examine disparate network pieces so that IT departments can be sure that the networks are secure. IBM Security and Privacy Services recently introduced a security auditor service whereby the company will audit wireless LANs for corporations and assess the security vulnerabilities.

IBM also addresses authentication and encryption issues for customers, and has introduced a security chip--a cryptographic microprocessor--that will be integrated into its ThinkPad notebooks and NetVista desktops.

The chip supports key encryption and digital signatures. Using devices with the chip, mobile workers can securely access corporate networks from public wireless LANs, such as those popping up in airport lounges and cafes, Douglas said.

Those workers can also access corporate information securely from home wireless networks, another arena that the IT department often does not oversee. Some enterprises encourage workers to order high-speed wired connections to their homes so that they can work after hours. Some of those workers may deploy their own wireless LANs in their homes, but without introducing security precautions.

"It's the IT guy's worst nightmare," said Doug Klein, CEO of Vernier Networks, a provider of security solutions for wireless networks.

The best defense against such security holes is education and the creation of corporate policies that help workers to secure their home wireless LANs, Klein said.

Vernier offers an authentication solution that sits at the wireless access point. The solution allows corporations to set policies for individual users that restrict some employees from accessing certain information.


Talkback 1 comment

    Information system security is ...Professor William J Caelli -- 03/11/01

    Information system security is indeed a management responsibility BUT it is also a responsibility of the vendors of the associated hardware, software and network systems themselves. AND this area was totally missing from the ZDNET analysis. You buy a car - you expect it to follow the appropriate Australian standards for car safety and quality. The problem today is that commodity systems, e.g. Windows 2000 / XP, which have not even achieved a lowest level of trust analysis (i.e. the old "C2" level of evaluation), are being used in mission critical server/hosts/workstations. It is time the IT industry was held responsible itself - professionals need to work with trusted systems that have been assessed according to security standards - and we have one - an international one - ISO 15408 - for system trust. None of this gets any mention in your analysis. Strange! After all - there is no point blaming a driver for not stopping the car if it has no brakes! By today, for example, mandatory / role based access control, segmented memory protection and the like should have been standard - they are not. There is the problem. Untrusted, commodity, consumer systems being used in government, business systems and networks for which they are ill suited. Even Steve Ballmer of Microsoft was reported in June in the UK as commenting that his company could have done a better job in the security area! Multiply that by a nation - and we have the potential for cyber disaster.

    Bill Caelli
    Information Security Research Centre
    Queensland University of Technology
