How to Rope In Rowdy Technologies

1 2 Page 2
Page 2 of 2

Bob Degen is the former supervisor of the financial crimes unit for the U.S. Secret Service, where he additionally served on protective detail for presidents Nixon, Reagan and Bush. Currently he is senior vice president for corporate security of First Data (the parent company of Western Union), where he has seen proof of wobbly wireless security. A high-placed executive at the company bought himself a WLAN and, despite Degen's numerous warnings about the security problems, was bound and determined to use it. After a business trip to Paris, he came to Degen and apologized for having ignored his warnings. The executive sheepishly went on to explain that he had been on his WLAN in the hotel, had turned it off, but was puzzled when a light indicated that he was still connected to the network. It turned out that a guy two rooms down had been on a WLAN as well and the lines had gotten crossed. Each had become connected to the other company's LAN, and the light was on because the other guy was still on First Data's network.

The standard security protocol for wireless is WEP (wired equivalent privacy), and since its release in 1997 a number of flaws have been found that allow anyone with the right tools to break the encryption. Even the example of the hacker on the park bench is out of date. By using increasingly powerful receivers and transmitters, it's now possible to break into a wireless network from as far as 10 miles away. According to one vendor, a telecom customer that realized its exposure even went so far as to put special windows into its new facility to block transmitters and protect internal wireless communications. It had to evaluate up to six window systems before it found one it couldn't transmit across. But for most companies, security-driven window replacement is an unattainable and expensive luxury.

This is not the only problem that wireless presents. Like Degen's executive who was determined to use his wireless LAN out of the office, employees can easily set up their own WLAN access points within the company walls. WLANs use wireless network cards and small boxesthe size of a CD driveas network access points. They can easily be tucked in a drawer or under a desk. Whether they are set up by an employee who wants to e-mail during meetings or by a hacker looking to establish 24/7 access to your network, it is virtually impossible for CSOs to find them.

While security experts such as Schneier contend that wireless will never be secure, others see hope. "Well-implemented end-to-end cryptography or a virtual private network offers strong protection against certain kinds of attacks," says Hernan. While he cautions that there are other kinds of attacks for which these solutions may not work, he believes that "most organizations would be well served to use end-to-end security or a VPN as part of a strategy for securing a wireless network." The biggest problem with wireless security systems is that many companies aren't bothering to use them. An informal 2001 Gartner survey found that more than 60 percent of companies operating wireless networks didn't even have WEPthe most basic security that comes packaged with a wireless LANturned on.

But one thing that CSOs need to educate their executives about is that while it is possible to conceal specific content, the fact that person X is having a conversation with person Y can't be hidden. This creates a scenario similar to one in which White House reporters see 20 pizzas being delivered to the West Wing at 2 a.m. and conclude that something big is brewing. At times, the very fact that communication is taking place at all can become a security breach. For example, a flurry of text messages between execs at two rival banks could signal that a long-rumored merger is in the works.

Although CSOs can controlor at least have significant input intocompany-sponsored wireless installations, the greater vulnerability may come from employees, like Degen's executive, who go out and set themselves up on wireless. While it is a must to create and enforce strong policies, Degen also advocates a touch of humiliation as an effective deterrent. "I didn't get to where I was because I'm such a persuasive guy," he says. "We have a saying in my group that 'adversity is my friend.' When something bad happens, jump on it, make a big example out of it, don't hide it." When a bank or government group comes in and gives First Data a bad security audit, Degen believes in making it public within the organization to increase the pressure on business units and employees that might be tempted to ignore a security mandate. "Look at what's at risk," he says. "Take advantage of bad things and parlay them into as much as you can get."

Many CSOs might be horrified at the idea of tarnishing their own reputation within the company by exposing security flaws, but Degen plays the strong security mandate he's been given for all its worth. When it was recently discovered that a facilities executive was flouting the company's security policy by letting his employees use a loading dock door instead of the employee card-reader turnstiles, Degen organized a sting operation. He asked an employee from the company's Tulsa, Okla., office (a stranger at the company's Colorado headquarters) to piggyback on facilities employees going in and out through the dock doors. Time after time employees let him in, even though nobody knew who he was. Degen wrote up a ticket for every violation.

"I'm going to take all 30 of these tickets and throw them on [the facilities executive's] desk," he says. "Then I'm going to hold a remedial security class for all his people, and it's going to be long and gruesome."


PDAs and cell phones are becoming central tools in the organizational communications infrastructure. And as the computing power of these devices has increased, CSOs have seen the big security wall around their systems crumble. Now they struggle with the problem of how to control the usage and ensure the security of these new digital mobile assets.

The ease of use and mobility of portable devices have increased dramatically in the past five years, but as Byrnes points out, that's not always a good thing. "Data stored on any handheld device is even more mobile than a stolen laptop," he says. "For devices that communicate via wireless, the ability to steal or alter the data is a significant risk." The solution is encryption, he says. "If critical data must be stored, it must be encrypted; and if critical data must be communicated, it must be strongly encrypted."

However, the current generation of hardware devices is not powerful enough to support strong encryption, and only in late 2002 will a new generation of devices hit the market with a processor architecture robust enough to be truly secure.

That offers little hope for CSOs whose enterprises are already flooded with these devices. Frustrated with the lack of security, Degen ruled that employees could not use PDAs and wireless modems to connect to First Data's systems. He notes that the decision is still a sore point with executives but was necessary because the company handles too much sensitive information to allow those kinds of holes to exist. "All we need is to lose 373 million credit card numbers," he says. "Western Union has 9 billion transactions per month. What if somebody was listening to those?"

At EDS, Clark has dealt with the issue by ensuring that every system that dials in to the networkwhether it's a home PC or a PDAgets an automatic download of virus control software. By putting controls at the access points, Clark can cut off any messages that might contain a virus.

As CISO of Contra Costa County in California, Kevin Dickey has the added burden of not only protecting these devices but ensuring that taxpayer funds aren't being wasted when they're bought. He is now in the process of working with all the county's department heads and elected officials to develop a policy that governs their usea process that he knows won't earn him any friends. As in other organizations, the problem in Contra Costa County is that many employees purchase PDAs themselves. Consequently, there's no way for Dickey to know how they're being used or what kind of information is being loaded. "Allowing employees to put county assets on a PDA gives me heartburn from a security perspective," says Dickey.

If economically feasible, one heartburn-avoidance strategy would be for companies to provide the devices to employees as a means of gaining an added layer of control. That way the CSO can make sure all such devices include appropriate security and are properly configured.

Copyright © 2002 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 hot cybersecurity trends (and 2 going cold)