When it comes to wireless connections, the best advice is to assume there is someone out there trying to look at your network. Securing those connections sometimes means limiting access from remote locations and even the home office, but the threats are real and the consequences are major.
By Robert Regis Hyle
Wireless tools are making the job easier for agents and claims adjusters in the field, but with those benefits comes an important question: What about security? By virtue of the technology's ubiquity, wireless security has taken on as much prominence within insurance IT departments as internal network security. "We assume everybody who connects to the network has the potential to be hostile," says Kevin Yeamans, chief information security officer for GE Insurance Solutions. "The assumption IT departments must make is everything that can touch your network can harm your network. Without taking that kind of stance, you're really just kind of closing your eyes or turning your head from it," he says.
Carriers such as Prudential Financial believe time must be spent educating the user community about the issues in and around wireless security, according to Ken Tyminski, Prudential's chief information security officer. Controlling the devices is of paramount concern to the carrier. "We'll only let in devices that are registered," he says.
Big Ears
Intruders can drive through corporate campuses or a business community using a laptop that costs less than a thousand dollars and free software that is used for wireless access-point sniffing. "They can find unsecured wireless points very quickly, and once they have that entry point into your network, they can start to learn things about your network that will help them figure out how it's constructed and where its weak points are," says Yeamans. "We've all used 9/11 as a good excuse to post additional security at the front door, we look at what people are bringing into the building, and we've always watched what people plug into our networks. But now, with this technology, you don't have to plug into the network and you don't have to get into the building. You can sit in the parking lot and act like an internal hacker who has that first entry point into the system."
Eavesdropping has gotten only worse over time, according to Brad C. Johnson, vice president of the security consultant SystemExperts. "Wireless has become a basic component for portable devices, whether it's laptops, notebooks, cell phones, or handhelds," he says. "The number of systems has increased, and the number of places that want to offer service is growing."
Johnson believes the technology needed to eavesdrop on a company's network is readily available, cheap, and easy to use. "There are products out there that can cost up to $10,000 to $15,000 to do eavesdropping-like analysis, sniffing wireless packets [for intruders] to see whether [they] are within range of you," he says. "But there also are a number of different things out there for free that are just as capable of getting intruders what they want to know."
It is not difficult to secure network entry points, Yeamans contends. "The thing to remember is ultimately, like a lot of network or data security, sometimes it's impossible to prevent some of these attacks completely," he says. "But you can make it more complex or hard to do for the average person who is driving by or sitting in your parking lot for 30 minutes. You make it complex enough for them that they are going to give up and walk away."
Evil Twins
A newer threat to deal with is the so-called Evil Twin Hot Spots. "The way our equipment is configured, when users are connecting to Prudential, they are connected over a secure VPN tunnel," Tyminski explains. "You really can't eavesdrop in that type of mode. Eavesdropping is more of an issue for people who want to use hot spots where there is no security over the wireless connection. It's a concern, but it's not that big a concern because it should be obvious to people. When you connect to us, you do so over a VPN tunnel, so you are over an encrypted channel coming in."
"The Evil Twins are found in public locations where someone has put up an open access point to get on the Internet," Tyminski continues. "Users connect to that access point, but what really is happening is the people who put up the access point can be sitting there eavesdropping, capturing your user ID and your password. It is indeed a rogue environment," he says. "[Prudential] personally hasn't experienced this problem yet, but we configure our machines not to allow Wi-Fi connections that are not secure. That somewhat mitigates the risk associated with these rogue Evil Twin Hot Spots."
"We have a policy that doesn't permit a Wi-Fi connection other than over a secure type of access point," Tyminski adds. "So, in essence, if you are in one of these public locations with a hot spot that's wide open, you shouldn't be connected [to the Prudential network]."
Who's Out There?
Part of Yeamans' job is to conduct penetration testing. "It's not uncommon for me to walk around our two main campuses with some of these wireless detection devices just to make sure we're in compliance with our own standards."
Any new laptops on the market are configured for wireless. Savvy users can purchase an access point and plug it into a network port, according to Yeamans. This allows users to roam the office within a couple hundred feet of the access point and not be tied down to the desk. "In these big campuses where people constantly are in and out of their offices and in conference rooms, people rely on their laptops more so to walk around with them," says Yeamans. "When you are in a meeting, it's not uncommon to see half the people or more with their laptops, either referencing material they need for the meeting or periodically checking e-mail. It's out there, it's available, so people take advantage of it."
There are a couple of matters IT departments need to embrace to be on top of their wireless environment, Johnson points out. One is to do periodic surveys. "You have to take some type of monitoring device, a laptop itself or an antenna, and you physically have to walk or drive around and go to places to see how far this antenna really goes," he says.
Most IT departments are overburdened already, so adding a task they can't do from their office is still another burden. Such tasks are time consuming, notes Johnson. "The frustrating part of these surveys is the devices actually need to be on. You really can't detect them if they are not broadcasting," he says.
Wi-Fi usage Prudential directly can control and monitor is not a big deal, according to Tyminski. "We can ensure we are protected properly," he says. "When you talk about hot spots and things run by a third party, that is a bigger challenge. But we are looking at software that would run on the laptop that tells you whether the access point you are connecting to is secure or not. We don't want you connecting unless you are sure you can trust the access point. If [the access point] doesn't have security on it, I don't know how you can trust it. There is software we are looking at that allows, when you are connected, your connection to go forward in such a manner it connects only to a secure access point you can trust."
Prudential routinely scans for Wi-Fi devices being connected at the Prudential offices. "We know where [wireless devices] should be, and when we find them, we make sure they are configured securely," says Tyminski.
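The walk-around surveys Johnson describes and the "we know where they should be" check Tyminski describes, together with the Evil Twin scenario above, come down to comparing what was seen on the air against an inventory. The following is an added example, not code from the article or from either carrier; the survey records, the inventory and the field names are constructed.

```python
from collections import defaultdict

# Constructed sample of a walk-around survey: one record per access point (AP)
# that was beaconing while the survey ran. As Johnson notes, an AP that is switched
# off or not broadcasting never appears here, so the survey must be repeated.
SURVEY = [
    {"ssid": "CorpWiFi", "bssid": "00:11:22:aa:bb:01", "security": "WPA2-EAP", "where": "Bldg A 2F"},
    {"ssid": "CorpWiFi", "bssid": "00:11:22:aa:bb:02", "security": "WPA2-EAP", "where": "Bldg A 3F"},
    {"ssid": "CorpWiFi", "bssid": "de:ad:be:ef:00:01", "security": "OPEN",     "where": "Parking lot"},
    {"ssid": "linksys",  "bssid": "00:aa:bb:cc:dd:ee", "security": "OPEN",     "where": "Bldg B 1F"},
    {"ssid": "Guest",    "bssid": "00:11:22:aa:bb:10", "security": "WPA2-PSK", "where": "Lobby"},
]

# Constructed inventory: the radio MACs (BSSIDs) of the APs IT installed, and the
# SSIDs that only those APs are ever supposed to advertise.
KNOWN_APS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02", "00:11:22:aa:bb:10"}
CORPORATE_SSIDS = {"CorpWiFi"}


def analyze_survey(records, known_aps, corporate_ssids):
    """Classify survey records into findings, keyed by type.

    rogue     - BSSID not in the inventory (someone plugged in their own AP)
    open      - AP advertising no link-layer security at all
    evil_twin - unknown AP advertising a corporate SSID; its security mode is
                reported next to what the legitimate APs for that SSID offer
    """
    findings = {"rogue": [], "open": [], "evil_twin": []}

    # What security do the inventoried APs really offer for each SSID?
    legit_security = defaultdict(set)
    for r in records:
        if r["bssid"] in known_aps:
            legit_security[r["ssid"]].add(r["security"])

    for r in records:
        tag = (r["bssid"], r["ssid"], r["where"])
        if r["bssid"] not in known_aps:
            findings["rogue"].append(tag)
        if r["security"] == "OPEN":
            findings["open"].append(tag)
        if r["ssid"] in corporate_ssids and r["bssid"] not in known_aps:
            expected = sorted(legit_security.get(r["ssid"], set()))
            findings["evil_twin"].append(tag + (r["security"], expected))
    return findings


if __name__ == "__main__":
    for kind, items in analyze_survey(SURVEY, KNOWN_APS, CORPORATE_SSIDS).items():
        for item in items:
            print(kind, item)
```

A rogue finding means a physical visit to the location, as the article describes; an evil_twin finding on a corporate SSID is the case where the client-side "only connect to a trusted access point" control matters most.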
Intrusion Detection
A second hidden burden to IT departments is network event management, studying the network traffic. "The fact is, you can see what traffic is coming in through these wireless components because they are kind of like gateways: they are a focal point from where traffic goes out or comes in," says Johnson. "To enhance your intrusion detection is more work. You have to add more filters, you have to understand what traffic is expected and what is not expected. Those two things, the surveys and enhancing your intrusion detection, don't normally happen. With most sites we've been to, if they've done a survey, they've done it once. [A survey is] the kind of thing you need to do on a regular basis."
Compatibility among different vendors is another issue, Johnson states. "Vendors haven't made it easy to have components from different manufacturers, even though all of them have a small set of functions underlying their infrastructure that is the same. As with any type of technology product, the thing that distinguishes one manufacturer from another is the bells and whistles. It's those bells and whistles, configuration issues, that make security hard," says Johnson. "Even though the industry as a whole understands this and is trying to make progress, standards don't necessarily drive the vendors. A lot of times vendors are going to err on the side of ease of use."
Not Just Laptops
A BlackBerry is another wireless device prevalent in today's business environment. Prudential has a security configuration that is required on them, reports Tyminski. "When you link into our environment and sync your e-mail and your Lotus Notes, you do it through a BlackBerry enterprise server product we run on our facility," he says. Prudential ensures the devices are password protected, and if employees have not used the device for a specified period of time, users have to enter a password the next time they want to use the device. If the user enters the wrong password, all the data on the machine automatically will be erased. The carrier has taken similar steps with smart phones and PDAs. "We have software we can use to ensure they are configured correctly, and they have passwords on them," explains Tyminski. "We don't permit you to send your e-mail to a third-party mail provider to send it to your wireless. Most of the [wireless] carriers have facilities to allow you to forward your office mail to an outside mailbox. We don't permit that. We have a product we put in that does synchronization and sends mail out securely. We only support those [devices] that support some reasonable level of security."
One of the nice parts about wireless technology, as opposed to cellular options, is it is very much like other network components, such as Ethernet hubs, according to Johnson. "[Wireless devices] are very easy to plug in and start using," he says. "Unfortunately, there are a lot more ramifications to having [wireless] in the network than a lot of other network components. Most of the issues have to do with human error, and a lot of the human error has to do with underestimating the amount of discipline it takes to put wireless components into your infrastructure in a safe way."
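The handheld controls described above (a password lock after a period of inactivity, and erasure of local data after a wrong password) as a small Python model. This is an added example, not Prudential's configuration or BlackBerry's software; the 600-second idle timeout, the three-attempt wipe threshold and the PBKDF2 password verifier are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _derive(password, salt):
    # Store a salted PBKDF2 verifier rather than the password itself (an added choice).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class LockPolicy:
    idle_lock_seconds: int = 600   # assumption: the article only says "a specified period"
    max_failed_unlocks: int = 3    # assumption: how many wrong passwords before the erase


@dataclass
class Handheld:
    """Managed handheld that enforces LockPolicy. Times are seconds as floats."""
    policy: LockPolicy
    salt: bytes
    password_hash: bytes
    mailbox: list = field(default_factory=list)   # stands in for the synced mail and data
    last_activity: float = 0.0
    locked: bool = True
    failed_unlocks: int = 0
    wiped: bool = False

    @classmethod
    def provision(cls, policy, password, mail):
        salt = os.urandom(16)
        return cls(policy, salt, _derive(password, salt), list(mail))

    def use(self, now):
        """Attempt to use the device; returns True only if it is usable right now."""
        if not self.locked and now - self.last_activity >= self.policy.idle_lock_seconds:
            self.locked = True                    # sat idle too long: lock before use
        if not self.locked:
            self.last_activity = now
        return not self.locked

    def unlock(self, attempt, now):
        """Returns 'unlocked', 'denied' or 'wiped'."""
        if self.wiped:
            return "wiped"
        if hmac.compare_digest(_derive(attempt, self.salt), self.password_hash):
            self.locked, self.failed_unlocks, self.last_activity = False, 0, now
            return "unlocked"
        self.failed_unlocks += 1
        if self.failed_unlocks >= self.policy.max_failed_unlocks:
            self.mailbox.clear()                  # the erase step: local data is gone
            self.wiped, self.locked = True, True
            return "wiped"
        return "denied"
```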
Population Questions
Patricia Eyres, an attorney and author, warns carriers they need to be aware of the population of departments where wireless business communications are most likely to take place. "We have more and more wireless devices now, including text messaging on cell phones, PDAs, and wireless laptops that people use to do business communications, Internet access and e-mail, largely out of the office as well as in the office," she says. "[Companies] need to be aware of the breadth of concerns. How many people or how many departments are likely to have wireless devices? The most important thing for the policy is to be sure the company addresses with all the people who could conceivably be communicating in a wireless environment that security is everybody's business."
Assuming the IT department already has taken steps with its technology to construct firewalls and other means of limiting security breaches, companies need to make sure employees know how to comply with the policy, what to be aware of, and what reasonable steps they can take to maintain the security of their own communications as they travel, according to Eyres.
Authentic Users
Although GE Insurance Solutions brings in vendors to do demos, the carrier doesn't allow these outside users to plug into its network, Yeamans states. "But literally they don't need to [be plugged in] if carriers don't have their wireless configured the right way," he indicates.
There are a lot of things you need to consider before you even think about turning a wireless technology loose, according to Yeamans. One step is to force authentication. "You can force the access points to accept connections only from known network card addresses," he says. "Every network card, whether it is wireless or wired, has a signature that identifies it. You can use other forms of authentication at the access point to force people to provide user ID/password-type authentication before they get to the access point. Just because the access point is there doesn't mean everybody with a wireless card can connect to it."
Johnson asserts his experience with IT departments shows most understand the strengths and weaknesses and the inherent security problems that exist with wireless. Not all wireless purchases are done through IT, though. "Because a lot of components of wireless are so inexpensive and because a lot of organizations don't necessarily have very rigid descriptions of what can be purchased, how it can be purchased, and whom it needs to go through, a lot of times this technology is acquired without going through normal IT procedures," he says.
When the IT department does a wireless deployment, it knows how to install new components in the network, Johnson contends. This involves beta testing and an understanding of how the organization is going to support the deployment over the long run. "When [a wireless installation] goes through the normal IT channel, organizations do a pretty good job of figuring how to deal with [wireless strategy] in a successful way," says Johnson. "I have seen in a lot of organizations, when they're in the trial phase or the beta phase, they decide [wireless] is just too risky to keep going forward until [the organization] comes up with a more specific plan about how to use it."
Most problems happen when companies don't go through the normal IT deployment channels, Johnson believes. "A lot of these poor decisions are driven by business needs without taking the time to understand fully the technology needs. It really does take some time to inculcate the different subtleties about how you deal with the technology in a safe way," he says.
Well-disciplined companies are finding it takes some time to understand the impact of using these devices, Johnson points out. "It's easy to make the purchase and start using it, but it's not so easy to figure out how you are going to support it over the long run and how to make sure you're not creating other security problems," Johnson says.
Stay in Compliance
Corporations are spending much more time and resources on security just to keep spam, viruses, and hackers out, particularly in the insurance industry, where carriers have to be especially mindful of the fact they have compliance requirements such as HIPAA. "[Insurers] have an extraordinary amount of security they have put in place just because of the nature of HIPAA compliance and other regulatory and record-keeping requirements," notes Eyres.
Information security leaders believe the regulatory rulings, Sarbanes-Oxley in particular, have made their job easier. "[The government] did a good job of placing the ultimate responsibility at a high enough level in the company that [security] gets attention," says Yeamans. "When CFOs, CIOs, or CEOs have to put their name on a financial report and are held liable for inaccuracies or misrepresentation, security personnel have an easier time getting corporate leaders to understand their responsibilities are around security," he says. "You get some footing from that. It raises the attention level."
Bigger Ladders
As technology improves, Yeamans notes, so have the tools intruders use. "We are building walls, and they are getting taller ladders," he says. "As far as being a security practitioner, you have to stay on top of both sides of this. You have to know what's going on from a technology perspective, and you have to know what's going on from the black hat or hacker side, as well."
Tech Guide: Mobile/Wireless and Sales Force Automation
Actek, Inc.
Birmingham, Ala.
205-403-0506
www.acteksoft.com
Adesso Systems
Boston, Mass.
888-747-0606
www.adessosystems.com
AdminServer, Inc.
Chester, Pa.
610-619-3100
www.adminserver.com
Allfinanz
New York, N.Y.
888-824-2929
www.allfinanz.com
Atlatl, Inc.
Durham, N.C.
800-768-0907
www.accu-rater.com
BlackBerry
Waterloo, Ont., Canada
519-888-7465
www.blackberry.net
Centive
Bedford, Mass.
781-778-8000
www.centive.com
CGI
Andover, Mass.
978-946-3000
www.cgi.com
Convergent Solutions Group
St. Paul, Minn.
952-953-3233
www.convergent-solutions.com
COSS Development Corp.
Milwaukee, Wis.
262-241-8989
www.cossdev.com
Database Systems Corp.
Phoenix, Ariz.
602-265-5968
www.databasesystemscorp.com
Data Life Associates
Verona, N.J.
800-950-1118
www.datalife.com
Decision Research Corporation
Honolulu, Hawaii
800-836-6057
www.decisionresearch.com
Document Sciences Corp.
Carlsbad, Calif.
760-602-1400
www.docscience.com
eAgency Systems
Newport Beach, Calif.
949-253-9131
www.eagency.com
EW Group
East Granby, Conn.
860-653-1719
www.ewgroup.com
E-Z Data
Pasadena, Calif.
800-777-9188
www.ez-data.com
First Notice Systems
Boston, Mass.
800-310-4367
www.firstnotice.com
Fiserv
Cedar Rapids, Iowa
800-322-4220
www.fiserv.com
Fitiri, Inc.
Houston, Tex.
713-981-3821
www.fitiri.com
Genelco Software Solutions
St. Louis, Mo.
800-983-8114
www.genelco.com
IBM
White Plains, N.Y.
800-426-4968
www.ibm.com
Iconixx
Houston, Tex.
713-934-0200
www.iconixx.com
INSTEC
Naperville, Ill.
630-955-9200
www.instec-corp.com
Insurance Technologies
Colorado Springs, Colo.
719-442-6400
www.insurancetechnologies.com
InSystems
Markham, Ont., Canada
905-513-1400
www.insystems.com
InterlinkONE, Inc.
Wilmington, Mass.
978-694-9992
www.interlinkone.com
Itronix Corp.
Spokane, Wash.
509-624-6600
www.itronix.com
Leadbot.Com
Tempe, Ariz.
800-959-1580
www.leadbot.com
LIDP Consulting Services
Woodridge, Ill.
630-960-0133
www.lidp.com
LifeLink
Park City, Utah
435-649-5300
www.lifelinkcorp.com
MFXchange Holdings, Inc.
Toronto, Ont., Canada
866-639-6399
www.mfxfairfax.com
Mobitor Corp.
San Ramon, Calif.
925-552-8230
www.mobitor.com
Motion Computing
Austin, Tex.
888-682-2538
www.motioncomputing.com
NaviSys
Edison, N.J.
800-775-3592
www.navisys.com
Novinsoft
Port Perry, Ont., Canada
905-985-8546
www.novinsoft.com
Panasonic
Secaucus, N.J.
800-662-3537
www.panasonic.com
Peak Performance Solutions
Hoboken, N.J.
201-792-7743
www.peakpsi.com
pTeraDac Corp.
Eagan, Minn.
800-400-4561
www.pteradac.com
Siebel Systems
San Mateo, Calif.
650-295-5000
www.siebel.com
SOLCORP
Toronto, Ont., Canada
416-673-9900
www.solcorp.com
SpeedBuilder Systems
Columbia, S.C.
866-844-3748
www.speedbuildersystems.com
Sprint
Overland Park, Kans.
800-829-0965
www.sprint.com
Steel Card
Santa Barbara, Calif.
800-553-9961
www.steelcard.com
SunGard
Wayne, Pa.
484-582-5468
www.sungard.com
Touchtone Corp.
Costa Mesa, Calif.
714-755-2810
www.wintouch.com
Verizon Wireless
Alpharetta, Ga.
404-273-9707
www.verizonwireless.com
Xerox Global Services
Rochester, N.Y.
770-569-5668
www.xerox.com
© Touchpoint Markets, All Rights Reserved.