According to the Identity Theft Resource Center, there have been more than 406 publicized breaches in 2007, exposing upward of 80 million data records. Today's e-criminals are highly skilled, organized and motivated by financial gain. With the introduction of every innovative technology comes new opportunities for cybercriminals to prosper.
The idea behind this approach is that no wireless network equates to no wireless threat. However, this is a serious misconception and I would argue that this lack of foresight is one of the reasons why we are losing the war against the cybercriminals. By taking a "no-wireless" policy approach to security, enterprises often embrace a false sense of security and in the end make themselves even more vulnerable to threats.
The Infantry is Unarmed and Unorganized
The effectiveness of a "no wireless policy" as a preventative security measure relies heavily on the ability of employees to understand and their willingness to adopt the proscribed best practices. According to a 2007 study performed by the research firm InsightExpress, 73% of mobile users admitted they are not always cognizant of security threats and best practices. More than 25% also conceded they either hardly ever or never consider security risks and proper behavior, offering reasons such as "I'm busy and need to get work done" and "It's IT's job, not mine" as justifications.
Even though the dangers of using unsecured wireless networks have been repeatedly exposed by the media and emphatically discouraged for so long in the corporate environment, one-third of mobile workers admit to accessing unauthorized wireless connections, such as hijacking a neighbor's wireless connection or jumping onto unauthorized connections in public places according to the survey.
While IT departments can establish policies to govern the use of wireless networks, employees often don't understand the risks associated with not using a wireless network in accordance with the policies or perhaps just don't care - favoring efficiency over security.
Ron Teixeira, executive director of the National Cyber Security Alliance (NCSA), an organization chartered to educate the public on online security and safety, contends that, "Mobility and the Internet can be used securely and safely if businesses institute a culture of security within their workforce by providing employees with continuous cyber-security awareness and education programs."
While I applaud the NCSA's efforts to educate the public, I don't believe it is prudent to rely on employees to remember or care about IT best practices.
When Policies Fail, Data is Exposed
I have astounded many CIOs as I demonstrate how easy it is to lure laptops inside their presumably secure office into automatically connecting with my bogus wireless network through an attack known as Wi-Phishing.
In this attack, I set my trap using a cheap wireless router with a commonly used SSID such as "linksys" or "tmobile" to lure laptops into automatically connecting with the bogus network. Because many standard wireless clients are set to automatically connect to networks with these or other commonly used names, the employee is usually unaware that his or her laptop has made a connection to the unauthorized access point.
If this happens while the employee is connected to the corporate network through a wired Ethernet port, I not only have an IP connection to the attacked laptop, but am also in a position to bridge from my fraudulent wireless network to the user's corporate network - at which point I would have access behind the firewall. If I were a hacker with malicious intent, I just hit pay dirt with very little effort.
About this time in my demonstration, the CIO is usually frantically calling his direct reports, asking how this is possible, and spouting off the various policies they have in place to prevent this type of event from happening.
As the reality sets in, the CIO must come to terms with the fact that he or she has spent time and money developing policies that are not effective without a method of enforcement. While this is disheartening, the realization that an employee for the right price could be persuaded to provide a virtually undetectable open door for a hacker through this method is even more alarming.
Guarding the Wireless Frontier
Today, we have strong evidence that supports the fact that wireless attacks are being used to perpetrate network breaches and serious cybercrimes. The recently released 2007 CSI Computer Crime and Security Survey asked about "abuse of wireless network" as one of 19 different kinds of security attack or incident. Seventeen percent of respondents reported this kind of incident, slightly up from last year. It ranked ahead of nine other categories.
Admittedly, there is no silver bullet approach to security, but technology can help turn the tables on fraudsters. At a minimum, IT departments should protect all of their IT assets from the various threats arising from wireless technology, including both their fixed wired and wireless infrastructure and end-points such as laptops. To do this, organizations should deploy sensor-based technologies that can detect and locate intrusions to protect their infrastructure and use software to protect end points from being attacked or from compromising the networks to which they are connected.
Whether we love or hate the new era of mobility, wireless devices have infiltrated our lives. You can try to ban wireless laptops from the workplace, but that will not make your organization impervious to wireless threats. To truly rectify the growing e-crime problem, businesses must take their wireless vulnerabilities seriously and implement the appropriate security measures. To do anything less is irresponsible. The old adage holds true, if you aren't part of the solution, you may be part of the problem. Don't allow complacency to set in or you just might discover your organization is an unknowing accomplice to cybercrime.
Source: Renegade Airwaves in the Enterprise, By Nicholas Miller, WirelessWeek - January 09, 2008