Winning the Consumer Gadget Wars

CSOs will need smart policies, good awareness programs and judicious enforcement to manage risks presented by USB drives, camera phones and other consumer gadgets

Page 2 of 2

Employees also need education about the different scams that can affect wireless users. Christopher Faulkner, founder and chief executive of Web hosting firm C I Host, has also launched "The Wi-Fi Guy" travel blog that tracks Wi-Fi and cultural information in cities across America. He warns CSOs in particular about the dangers of "evil twin" wireless networks. An evil twin is a rogue wireless access point that an attacker sets up near a legitimate Wi-Fi access point, broadcasting the same network name. Client software generally associates with the strongest signal it finds for a network name it recognizes, so in the evil twin scenario users think they're on the legitimate network but are actually connected to the attacker's machine, which can capture whatever data they transmit in the clear. "I tried this at an airport, and within four minutes had three people connected to my laptop doing unsecured computing in plain text," says Faulkner.

In a variation of that scenario, a sort of Wi-phishing, an attacker sets up another access point near a legitimate one, lures a user to connect and then prompts him for his user name and password. When providing that information doesn't lead to a connection, the mystified user usually reboots and logs onto the real network, but the attacker has already siphoned off what he wanted. Later he'll be able to log onto the network with the user's credentials.

These kinds of scams frequently snare people who are in a hurry and will disregard something that looks a little unusual in their haste to get online. Educate employees to use wireless carefully and to avoid sending confidential or sensitive company information over wireless unless it is absolutely necessary and the system's safeguards have been approved by corporate security. The safeguard that actually matters here is end-to-end encryption, such as a VPN back to the corporate network, because an attacker who controls the access point sees everything sent in the clear no matter how careful the user is.
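The evil-twin warning above is something a security team can turn into a check rather than leaving it to user vigilance. The following is an added example, not code from the article or from any product it names: it compares a wireless scan (what a client or a wireless IDS sensor sees) against an inventory of the company's legitimate access points, and applies two inventory-free heuristics that also work for public hotspots. The inventory, the scan results, the SSIDs and the MAC addresses are all constructed sample data; the assumption is that corporate security keeps such an inventory at all.

```python
"""Flag likely evil-twin access points in a Wi-Fi scan.

Added example, not code from the article or from any product it names.
It compares what a client (or a wireless IDS sensor) sees against a
constructed inventory of the company's legitimate access points, and
applies two inventory-free heuristics for public hotspots. All data below
is constructed sample input.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BSS:
    """One access point as seen in a scan (a basic service set)."""
    ssid: str
    bssid: str        # AP MAC address
    security: str     # "open", "wep", "wpa", "wpa2", "wpa3"
    signal_dbm: int
    channel: int


# Higher number = stronger protection; used to spot a downgraded twin.
SECURITY_RANK = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3, "wpa3": 4}

# Constructed inventory; the assumption is that corporate security keeps one.
KNOWN_APS = {
    "CorpWiFi": {
        "bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
        "security": "wpa2",
    },
}


def oui(bssid):
    """Vendor prefix (first three octets) of a MAC address."""
    return bssid.lower()[:8]


def check_scan(scan, known=KNOWN_APS):
    """Return a list of (subject, reason) findings for a list of BSS."""
    findings = []
    by_ssid = {}
    for bss in scan:
        by_ssid.setdefault(bss.ssid, []).append(bss)
        entry = known.get(bss.ssid)
        if entry is None:
            continue  # not a corporate SSID; the heuristics below still apply
        if bss.bssid.lower() not in entry["bssids"]:
            findings.append((bss.bssid, f"unknown BSSID advertising inventoried SSID {bss.ssid!r}"))
        if SECURITY_RANK[bss.security] < SECURITY_RANK[entry["security"]]:
            findings.append((bss.bssid, f"{bss.ssid!r} offered as {bss.security}, inventory says {entry['security']}"))
    # Inventory-free heuristics: one network name should not be served with
    # mixed security types, and usually not by radios from different vendors.
    for ssid, group in by_ssid.items():
        if len({b.security for b in group}) > 1:
            findings.append((ssid, "SSID advertised with mixed security types"))
        if len({oui(b.bssid) for b in group}) > 1:
            findings.append((ssid, "SSID advertised from BSSIDs with different vendor OUIs"))
    return findings


def strongest_per_ssid(scan):
    """The AP a naive client would pick for each SSID: the strongest signal."""
    best = {}
    for bss in scan:
        if bss.ssid not in best or bss.signal_dbm > best[bss.ssid].signal_dbm:
            best[bss.ssid] = bss
    return best


# Constructed scan: the real CorpWiFi AP, a stronger open twin of it, a
# hotspot, and a second radio impersonating that hotspot from another vendor.
SAMPLE_SCAN = [
    BSS("CorpWiFi", "00:11:22:33:44:01", "wpa2", -55, 6),
    BSS("CorpWiFi", "aa:bb:cc:dd:ee:ff", "open", -35, 1),
    BSS("Airport-Free", "10:20:30:40:50:60", "open", -60, 11),
    BSS("Airport-Free", "de:ad:be:ef:00:01", "open", -30, 11),
]

if __name__ == "__main__":
    for subject, reason in check_scan(SAMPLE_SCAN):
        print(f"{subject}: {reason}")
    for ssid, bss in strongest_per_ssid(SAMPLE_SCAN).items():
        print(f"a naive client would join {ssid} via {bss.bssid} ({bss.security})")
```

Run against the sample scan, the open twin of CorpWiFi is flagged twice (unknown BSSID, downgraded security), both SSIDs are flagged for mixed vendors, and `strongest_per_ssid` shows that a client choosing by signal strength alone would land on the rogue radio in both cases, which is exactly the behaviour Faulkner exploited. The OUI heuristic is only a hint: a campus that mixes access-point vendors will trip it legitimately, so treat it as a prompt to look, not as proof.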

Peer-to-Peer and Web-Based Services: The casualties of convenience.

Peer-to-Peer (P2P) technologies and Web-based services are different animals, but they have three important qualities in common. These tools and programs are easily downloaded by employees, they frequently offer what workers see as a useful productivity-enhancing service, and most of them ride outbound HTTP or HTTPS connections that the corporate firewall already permits, so a perimeter that only screens inbound traffic never sees them as anything out of the ordinary.

Take GoToMyPC, a Web-based service owned by Citrix Online. An employee can download the GoToMyPC software to his office PC, and it allows him to access the contents of his office workstation remotely from any PC connected to the Internet by typing in a user name and password. The GoToMyPC folks have published a 10-page white paper touting their security, but some basic control issues exist that should concern security executives. First, no matter how secure the program is, the connection is set up through the vendor's infrastructure rather than the company's, so authentication, session logging and the traffic itself are outside the CSO's direct control. Second, security executives have no control over the machine that the employee uses to remotely access the corporate network. It could be an Internet café where an attacker has installed keystroke loggers, or it could be a home PC on an unsecured wireless network; either way, the user name and password that protect the session can be captured there. P2P technologies such as instant messaging clients and Skype are just as alluring and raise the same questions.

At First Data, Mellinger uses a proxy server from Blue Coat Systems to limit these kinds of external connections. Blue Coat enables Mellinger to control certain kinds of connections and provide appropriate warnings for others. Of course Mellinger doesn't want to interfere with the regular course of business, so he cautions that you have to work through the kinks with any product to ensure that employees can still access all the tools they need. "We have lawyers who need to go out and look at certain sites that we would otherwise not allow employees to visit," he says. Mellinger and his team are fine-tuning Blue Coat to match their exact needs.
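The control Mellinger describes, blocking some classes of outbound connection, warning on others and carving out exceptions for groups such as the lawyers, comes down to classifying each request by destination and applying a per-category rule. The following is an added example, not code from the article, from First Data or from Blue Coat, and it uses no Blue Coat policy syntax: it evaluates constructed proxy log lines against a small policy of that shape. The domain suffixes, categories, users, groups and log lines are all constructed for the illustration.

```python
"""Category-based egress policy with group exceptions and a warn action.

Added example, not code from the article, from First Data or from Blue Coat.
It models the control the paragraph describes: classify each outbound request
by destination category, block remote-access and P2P services for everyone,
block a category for everyone except a named group, and let other traffic
through with a warning. Domains, log lines, users and groups are constructed.
"""

# Constructed destination categories, matched by domain suffix.
CATEGORY_BY_SUFFIX = {
    "remote-desktop.example": "remote-access",
    "voip-p2p.example": "p2p-voip",
    "webmail.example": "webmail",
    "court-records.example": "legal-research",
}

# Constructed policy: category -> (action, groups exempt from that action).
POLICY = {
    "remote-access": ("block", set()),
    "p2p-voip": ("block", set()),
    "legal-research": ("block", {"legal"}),   # lawyers may visit, others may not
    "webmail": ("warn", set()),
}
DEFAULT_ACTION = "allow"


def categorize(host):
    """Longest-suffix match of a hostname against the category table."""
    host = host.lower().rsplit(":", 1)[0]   # drop a :port from CONNECT targets
    best = None
    for suffix, category in CATEGORY_BY_SUFFIX.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, category)
    return best[1] if best else None


def decide(user, group, host):
    """Return (action, category) for one request from user in group."""
    category = categorize(host)
    if category not in POLICY:
        return DEFAULT_ACTION, category
    action, exempt = POLICY[category]
    if group in exempt:
        return "allow", category
    return action, category


def evaluate_log(lines):
    """Decide each constructed log line of the form 'time user group method host'."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        _ts, user, group, _method, host = line.split()
        action, category = decide(user, group, host)
        results.append({"user": user, "host": host, "category": category, "action": action})
    return results


# Constructed proxy log: a lawyer and an engineer hitting the same research
# site, a remote-access agent, a webmail login and ordinary browsing.
SAMPLE_LOG = """\
2005-03-01T10:00:01 alice legal CONNECT www.court-records.example:443
2005-03-01T10:00:02 bob engineering CONNECT www.court-records.example:443
2005-03-01T10:00:03 carol finance CONNECT agent.remote-desktop.example:443
2005-03-01T10:00:04 dave sales GET mail.webmail.example
2005-03-01T10:00:05 erin engineering GET www.example.com
""".splitlines()

if __name__ == "__main__":
    for r in evaluate_log(SAMPLE_LOG):
        print(f"{r['action']:5} {r['user']:6} {r['host']} ({r['category']})")
```

The point of the exception set is Mellinger's lawyers: the same destination is allowed for `alice` in the `legal` group and blocked for `bob`, without loosening the rule for everyone. Note that the remote-access agent is identified purely by where it connects, since on the wire it is just another HTTPS session on port 443; a category table that is not kept current is the usual way such a control quietly stops working.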

At ARC, Bhatt has found that communicating with his employees is an effective way to deal with a lot of the P2P and Web activity. "Almost 100 percent of the time, people are just trying to get something done," says Bhatt. He tells employees that he wants them to feel comfortable asking questions about new products and online services without fear that they will be frowned on. If there is a cool new service that an employee wants to use, security will check it out; if they're not comfortable with that system, they'll seek a secure alternative. If there is none, security will explain why not and why that kind of activity puts the company at risk. "When users know what the danger is, it works well," says Bhatt.

First Data has also taken an added step that Mellinger believes insulates the company from many of the problems that these services can let in. The company has separate firewalls protecting each of its business units so that if a virus or breach occurs in one unit it can be easily unplugged from the others to prevent the damage from spreading. "A lot of times a company looks at itself as a monolithic entity," says Mellinger, "and we don't want to put ourselves in a position where anything that makes it into the company can impact the whole company. We use the same security controls between business units that we use between business units and the outside world."

Stay on Top of Trends

One key to dealing with all of these developments is for CSOs and their security teams to commit themselves to an ongoing learning process focused on new tools and technologies and the novel ways they will affect corporate security. Companies tend to go overboard with overly draconian security measures when a trend takes them by surprise. "There's a line of sensibility here," says Mellinger. "The object is to stay ahead of the people who aren't doing anything [malicious], who just have no security awareness at all. As long as I can stay ahead of that crowd, I'm in good shape."

Security leaders should also keep in mind that you can't blame it all on the bits and bytes. "This is about synergy and multifunction," says Purdue's Rogers. Recalling the security concerns that e-mail raised when it first came into general usage, he cautions CSOs to remember that, "the technology is neutral. It's not good or bad. It can be used in novel ways. But if we survived e-mail, we'll survive this evolutionary process too."

Copyright © 2005 IDG Communications, Inc.
