Wireless local area networks are all the rage right now in business as companies deploy these systems in-house to pull the plug on “campus-bound” remote workers and allow mobile workers to take advantage of the thousands of wireless hot spots sprouting up across the country. But do these wireless pathways offer enough security for most business applications?
The answer, for the most part, is yes, because the bulk of the information transferred wirelessly via the 802.11 connection at your local coffee shop or airport lounge is not really mission-critical. If someone were to take the time and effort to tap into your signal there really wouldn’t be that great a security risk. We’re talking about your e-mail, some customer orders and maybe your Web-browsing habits, which will become available to the hacker. However, as the information traveling the airwaves does become more sensitive—and it will, since the return on investment benefits of these systems is becoming more dependent on the quality and strategic utility of the data—then there are some real concerns about security when it comes to wireless access.
Recently, while I was participating on a panel at a major telecommunications conference, a speaker representing a large independent security testing agency spent the last few minutes before the session sniffing around for an available wireless signal at the large convention center hosting the event. Not only was he able to sense the presence of an 802.11 signal (a relatively easy task), but was quickly able to identify who was using the network and what kind of data they were accessing at that moment. If his efforts were not curtailed by the start of the program, he would soon have discovered the IDs and passwords of each individual on the network and might have even gone beyond that by springing open a few back doors into the network itself.
The fact is that all 802.11 wireless networks are inherently insecure since they are based on wired equivalent privacy (WEP) standards. While you can turn on a system’s 802.11 security and protection, it will pretty much function only as a deterrent and warning to those who try to enter the wireless network without authorization. WEP security will provide enough of a barrier to make it very clear to whomever tries to break in is doing so without authorization, say security experts. But it won’t stop someone with technical knowledge and the right snooping tools.
Wireless as a Terrorist Threat
Right now as much as 70 percent of the 802.11 wireless systems worldwide are totally unprotected and have no security systems whatsoever, according to the WorldWide WarDrive (www.worldwidewardrive.org), a group of security companies and hobbyists who are interested in identifying the location of wireless hotspots, providing an analysis of these sites and raising awareness of the need for security.
In fact, the inherent vulnerabilities of 802.11 wireless systems recently prompted officials associated with the U.S. Department of Homeland Security to label it a potential terrorist threat. They’ve dropped strong hints that if the industry does not do something to secure the networks, government might consider widespread regulation of these systems.
To that end, President Bush established the Critical Infrastructure Protection Board and charged the board with defining a National Strategy to Secure Cyberspace. The recommendations to come from this group will affect the security architectures of all types of wireless systems in businesses, public wireless hot spots and homes.
The IEEE, a standards-setting organization, is presently working on a WEP to establish a less penetrable barrier than current systems. The working group charged with this task is just now releasing proposed specifications to wireless device and software manufacturers to solicit comments and suggested changes. Final specifications will most likely be available later this year for incorporation into a new generation of more secure wireless products. Some vendors, however, have rushed products into the market even though the proposed specifications are far from established. As a result, these vendors risk compatibility issues with the final specification once it is released, says a source involved in the IEEE’s wireless security committee. The IEEE has reportedly taken legal action against one or more of these vendors in an effort to halt production and eliminate any confusion that might give the perception that the specification is officially released.
Playing Devil’s Advocate
Meanwhile, what can companies with mobile field forces or sales forces do to ensure some levels of security are in place and that a remote worker using an available 802.11 system in a public place is not opening a back door to the central information resource? Here are a few basic suggestions:
•Limit data transmissions and accesses to non-sensitive corporate information. While this may be hard to determine (since one person’s proprietary data may be another person’s digital trash), it might be wise to play Devil’s Advocate and ask yourself this: If the data you are wirelessly zapping back and forth were to fall into the hands of your competitor, would that pose a significant problem?
•Don’t sniff around for errant wireless signals on which to piggyback and access your e-mail or corporate data. It is not only unethical, but could present legal questions concerning who owns the data that travels without permission over another company’s wireless road. Also, a company might be able to recognize and identify your efforts to get a free ride and subsequently file a formal complaint.
•Be careful when using public wireless hotspots, especially those that are not supported by a recognized entity (such as an airline or national chain of coffee shops). Many systems are established by retailers or vendors as a goodwill gesture and might not offer the level of security needed to fit the scope of your information. If you do make use of wireless hotspots as you travel, it might be a good idea to sign up with national provider such as Boingo Wireless (www.boingo.com), which offers one-fee access to more than 1,000 sites throughout the U.S. and wireless virtual private network (VPN) security as an option.
•Find reliable and effective virus protection software and keep it installed on your mobile system to scan for bits and pieces of code that might tailgate on your e-mail messages. Symantec Corp.’s Norton Anti-Virus is the top seller, but there are other alternatives out there. One is the AVG Anti-Virus System, developed in the Czech Republic and available through a U.S. holding company called Grisoft. A complete single-user version of the software is available free through the company’s Website. Multiple license versions, as well as versions offering telephone support, are available for a nominal fee.
•Do your homework when it comes to wireless equipment, wireless services and security and virus-checking software. Sure, that $39 wireless access card is a steal, but is it reliable and does it offer basic support for existing security standards? Obviously you can’t test and check the compatibility of each and every device and piece of software, but there are organizations that have taken on this responsibility. One very reputable source is ICSA Labs, a testing group that is a division of TruSecure, which tests and certifies a variety of wireless and Internet-based technologies. In fact, it is the ICSA that will make suresoftware and hardware developers perform due diligence in keeping up with thelatest bugs and potential breaches, or face the consequences of fines and loss of certification.
Tim Scannell is president of Shoreline Research (www.shorelineresearch.com), a consultancy based in Quincy, Mass.