In Depth

Winning the Consumer Gadget Wars

CSOs will need smart policies, good awareness programs and judicious enforcement to manage risks presented by USB drives, camera phones and other consumer gadgets

By Daintry Duffy


CSOs have to ensure they're not preventing employees from conducting their regular business duties. USB ports are, after all, there for a reason. USB flash drives are not all bad news either. They can be incredibly useful tools and some are available with advanced encryption standard, or AES, data protection. For an executive who can't live without his USB drive, the best solution might be to provide him with one handpicked by the security team.

Policy also has a role to play here. Dev Bhatt, director of corporate security for Airlines Reporting Corp. (ARC)—a company owned by the airlines that handles aspects of ticketing as well as data and analytical services—has crafted his company's acceptable use and enterprise security policies to focus on the forbidden acts of removing corporate data or connecting an unapproved device, rather than on the device itself. The emergence of new, small, multifunction devices is happening so rapidly that companies must ensure that their policies are broad enough to include emerging technologies. If the policy is too device-specific, the CSO will end up having to rewrite the rules every few months.

Wireless Roaming Hazard. It's a sign of the times that in some cases security teams have to behave like hackers to be successful. Sniffing out ad hoc wireless networks in a "no wireless allowed" work environment is one such case. Most of the security executives we spoke with have found unauthorized wireless networks at their companies. These networks are so cheap and easy to set up that they will continue to be a problem in many companies. But detecting a clandestine Wi-Fi network two floors down is a breeze compared to the problem security executives encounter when their employees utilize wireless networks outside the office.

Wi-Fi is built into most laptops, and wireless computing is so liberating that few untethered employees can resist the lure of a coffee shop or hotel access point. But unless users are educated about the specifics of wireless security, they could be laying the corporate network bare to any curious or malicious bystander. Security policies must spell out who can access the network, how, when and where. A software-based firewall and encryption technology—whether it is wired equivalency protocol (WEP), Wi-Fi Protected Access (WPA) or ideally WPA2 (the latest version of 802.11i)—must be used to ensure that casual roamers aren't hopping aboard.

Employees also need education about the different scams that can affect wireless users. Christopher Faulkner, founder and chief executive of Web hosting firm C I Host, has also launched "The Wi-Fi Guy" travel blog that tracks Wi-Fi and cultural information in cities across America. He warns CSOs in particular about the dangers of "evil twin" wireless networks. An evil twin is a rogue wireless access point that a hacker-type sets up near a legitimate Wi-Fi access point. Unwary wireless users can wind up with their computers connecting to the strongest signal available; in the evil twin scenario, the users think they're on the legitimate network but are actually connected to the hacker's machine, allowing him to capture whatever data they transmit. "I tried this at an airport, and within four minutes had three people connected to my laptop doing unsecured computing in plain text," says Faulkner. In a variation of that scenario—a sort of Wi-phishing—a hacker sets up another access point near a legitimate one, lures a user to connect and then prompts him for his user name and password. When providing that info doesn't lead to a connection, the mystified user usually reboots and logs onto the real network, but the hacker has already siphoned off what he wanted. Later he'll be able to log onto the network with the user's ID.
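For security teams sweeping their own sites, both the unauthorized networks mentioned earlier and the evil twin described above can be flagged by comparing a wireless survey against an inventory of sanctioned access points. The sketch below is an added example, not something from the article or the people quoted in it; the inventory, the network names, the hardware addresses and the survey records are all constructed for illustration.

```python
from collections import namedtuple

# One access-point beacon seen during a site survey (sample data is constructed).
Beacon = namedtuple("Beacon", "ssid bssid security signal_dbm")

# Hypothetical inventory of sanctioned access points: SSID -> {BSSID: security}.
APPROVED = {
    "CorpNet": {"00:11:22:33:44:01": "WPA2", "00:11:22:33:44:02": "WPA2"},
}

def classify(beacon, approved=APPROVED):
    """Label one beacon against the inventory."""
    known = approved.get(beacon.ssid)
    if known is None:
        return "unauthorized-ap"      # network name the company never deployed
    expected = known.get(beacon.bssid.lower())
    if expected is None:
        return "evil-twin-suspect"    # sanctioned name, unknown radio
    if beacon.security != expected:
        return "security-mismatch"    # known radio advertising the wrong protection
    return "ok"

def survey(beacons, approved=APPROVED):
    """Return (ssid, bssid, verdict, louder) for every beacon that is not 'ok'.

    'louder' is True when the suspect's signal beats every legitimate radio
    using the same name, the case where clients that pick the strongest
    signal would join it first.
    """
    findings = []
    for b in beacons:
        verdict = classify(b, approved)
        if verdict == "ok":
            continue
        legit = [x.signal_dbm for x in beacons
                 if x.ssid == b.ssid and classify(x, approved) == "ok"]
        louder = bool(legit) and b.signal_dbm > max(legit)
        findings.append((b.ssid, b.bssid, verdict, louder))
    return findings

# Constructed survey: two sanctioned radios, one look-alike, one stray network.
SAMPLE = [
    Beacon("CorpNet", "00:11:22:33:44:01", "WPA2", -62),
    Beacon("CorpNet", "00:11:22:33:44:02", "WPA2", -71),
    Beacon("CorpNet", "de:ad:be:ef:00:01", "OPEN", -40),
    Beacon("linksys", "aa:bb:cc:00:00:09", "WEP", -55),
]

if __name__ == "__main__":
    for finding in survey(SAMPLE):
        print(finding)
```

Hardware addresses can be copied by an impostor, so a clean result from an inventory check like this is a first pass and not proof that no evil twin is present.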
