In-Depth

Wireless Networks Continue to Bleed Data, Study Reveals

New study says 80 percent of companies have at least some unsecured wireless traffic

• By Mathew Schwartz
• 06/30/2004

Red-M studied 100 global companies in a range of industries over the course of six months. Of those studied, education, manufacturing, paper and packaging, and food and beverage industries were particularly at risk. Electronics companies, followed by IT, fared slightly better, with about four out of five broadcasting data. Two-thirds of the banks and financial services institutions studied likewise broadcast data.

“Most businesses haven’t yet grasped the fact that once there is any sort of wireless device on their premises—and today you have to presume there is at least one device in your company—it acts as a point of insecurity by broadcasting company information over the airwaves,” says Red-M’s CEO, Karl Feilder.

With wireless, not knowing can hurt a company. “Sitting in your parking lot up to 300 feet away from your building with a laptop and an inexpensive piece of software, an outsider could easily see the information being freely broadcast, could receive network traffic, and could wreak havoc by exposing confidential and sensitive company information and manipulating data,” says Feilder.

Yet the real problem with securing wireless could be the unequal attention security managers—and their budgets—pay to it. While 85 percent of security managers think wireless networks require more resources than wired ones, only 55 percent report using a security product to address wireless concerns. Those statistics come from a recent survey conducted by Survey.com, and sponsored by security vendor Fortress Technologies, of “several hundred enterprise IT managers and senior technology executives.”

According to the survey, wireless adoption continues to grow, with 75 percent of large financial services, healthcare, and manufacturing organizations now using WLANs. Yet those surveyed report a WLAN image problem: a lack of perceived wireless ROI—vis-à-vis critical business functions—often means fewer security resources get applied.

Not surprisingly, for organizations that haven’t installed WLANs, security concerns are often the culprit. Of those surveyed, 63 percent think wireless access points don’t offer adequate protection, and about half had purchased a product to centralize their WLAN security management.

Almost all organizations—87 percent—now also control, or soon plan to control, wireless usage through monitoring, which will help root out rogue WLAN installations as well.

The WLAN security risk is growing. Many latest-generation laptops, PDAs, and even some hybrid cell phones come with built-in Wi-Fi, and unless security features are enabled, using them to send corporate information means someone can intercept it, especially if such devices are used at public Wi-Fi hot spots.

Inexpensive Wi-Fi infrastructure equipment is also a corporate security challenge. Many consumer routers using the wireless 802.11 specification—also known as Wi-Fi—are designed, following decades of hard-to-use computer accessories, to be easy to use by the non-technologically inclined. In the corporate realm, easy plug-and-play can be a security administrator nightmare. Now adding a wireless router to the corporate LAN is all too easy for the salesperson who wants wireless e-mail in the cafeteria, no matter the corporate security policy. Yet if wireless networking equipment isn’t on the security or IT department’s radar, no one is ensuring it’s properly configured and patched.

For example, a recent vulnerability with the popular Linksys WRTS54G 802.11g router allowed easy access to the router’s configuration page if the router’s firewall hadn't been activated. Most security-conscious users would know to keep the firewall active; not so for others. As a result of the vulnerability, an attacker could turn a susceptible router into a platform for launching spam or viruses using someone else's corporate (or home) network.

Given the ease of deployment, Red-M’s Feilder recommends companies “take it as a given that you have wireless technology somewhere inside your building, whether by accident or design,” then react accordingly. First, companies need to ensure their security policies articulate which wireless technologies are allowed, and under whose aegis, then enforce the policy. To do that, he recommends active scanning for unapproved wireless activity, strong overall network and data security (of course), plus monitoring all wireless devices attached to the network. “Because [wireless] offers infinite entry points, it requires nothing less than 24-by-7 vigilance,” he notes.

RELATED STORIES:

Disabling Rogue WLAN Access
http://info.101com.com/default.asp?id=6601

Q&A: Securing Mobile Workers
http://info.101com.com/default.asp?id=6600

Businesses Ignore Mobile PDA Threat
http://info.101com.com/default.asp?id=6448