Wireless local area networks are becoming more prevalent and they are leaving security holes in many organisations' networks.
DCA Technologies CEO and managing director Mario Calleja has a problem. People pay his company good money to provide expert, independent consulting on, among other things, implementation and management of communications networks. Yet after months spent working with numbers of customers exploring the potential for implementing wireless LANs (WLANs), neither consultancy nor customers have been able to satisfactorily quantify the security risks involved.
"Take-up of wireless infrastructure is a lot slower than we expected, because of the security issue, and because insufficient information is available on how real the scare is," Calleja says. "The corporate standard that's out there seems to think that the security scare is much ado about nothing, but you go to the vendors and you get many different answers."
The issue of wireless LAN security seems to be becoming more, not less, confused as time goes by. Sifting fact from vendor chaff to make their own judgements about security is just one of the problems besetting CIOs looking at the issue of wireless. Some are finding themselves having to scan their own networks to discover just how many wireless LANs are already installed behind their backs before they can even think about wireless security. At least, the canny ones who have woken up to the fact that their company has a problem are doing so.
Ask yourself these questions. If I were to drive past your building with a wireless network interface card (NIC) operating in "promiscuous" mode, could I pick up the signals and Media Access Control (MAC) addresses of all of your organisation's broadcasting devices so I could map your network access points? Could I then impersonate those MAC addresses to saunter through your wired network? If you think the answer is "no" because the IT group has not authorised installation of any wireless LANs, you might want to phone a friend before you answer out loud.
Wireless LANs are just too cheap. Inevitably, the do-it-yourselfers - perhaps the same people who bypassed the IT department to put a PC on their desk before business was ready to endorse them - have been every bit as cavalier about installing wireless base stations and NICs behind their CIO's backs. "It's essentially a grass roots revolution in which employees are bringing these devices into the organisations," says US-based Evans Data analyst Joe McKendrick. "Employees are still essentially the prime purchasers for these devices."
Wireless appliances are proliferating in Australia too, says DeMorgan managing director and CTO Craig Wright, at a time when CIOs still have relatively little understanding about how wireless works, and even less about wireless security. "Most companies don't have any good policies, so what happens is either IT groups decide to do these things without properly testing them, or end-user groups do," Wright says.
"Now quite often it's because they think they'll save money on cabling or whatever else, especially if they're in an office temporarily. Or if they're moving around in different areas it's quite often simpler to just whack in a box and away you go. But you have to justify the cost of having wireless, and trying to secure it as well. You have got to add up the whole equation, not just what the vendor tells you initially," he says.
Those users buying cheap hardware and hooking it up to networks without informing anyone probably do not realise it, but they are not only opening up huge vulnerabilities in the corporate network, they are also advertising them to the world. "Corporate information is floating through the air, and the company doesn't even realise they're wireless," Ed Skoudis, vice president of security strategy at New York-based IT services firm Predictive Systems recently told US Computerworld. "Of your Fortune 100 companies, the vast majority of them have wireless [networks]; they just don't know it yet."
To make matters worse, an Australian survey by CSC late last year found about 60 per cent of sites deploying wireless LANs across Australia had not enabled encryption. Director, global information security services, Kim Valois says most system owners and users have no idea where their data is going and fail to realise wireless networks are "always on".
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.