Securing the wireless frontier

Imposing a blanket ban on wireless networking may not be as conclusive a solution as some companies hope, says Nicholas Miller from AirPatrol
Written by Nicholas Miller, Contributor

Regardless of whether the government passes mooted data-breach notification legislation, there are numerous other regulations that compel businesses to protect data.

While the House of Lords Science and Technology Committee could not convince the government that the threat of cybercrime warranted government intervention, one cannot deny that security breaches are common occurrences.

Today's e-criminals are highly skilled, organised and motivated by financial gain. We cannot stop identity theft trends from growing by burying our heads in the sand. With the introduction of every innovative technology comes new opportunities for cybercriminals to prosper.

Lately, we've seen a lot of interest from the media around wireless security threats, largely as a result of the US-based TJX breach of some 94 million cards made possible through insufficient WLAN security. Evil Twin, Wi-Phishing and Honeypot attacks are just a few of the common wireless security threats that plague the airwaves today. To deal (or not deal as the case may be) with these increasing threats, many enterprises have decided to enforce a "no wireless" policy, or allow wireless in very limited areas.

By taking a policy approach to security, organisations often embrace a false sense of security, and make themselves more vulnerable to threats as a result. I have seen the no-wireless methodology backfire spectacularly on many organisations.

Infiltrating wired networks
Standing outside a building armed with nothing more than a cheap wireless router configured with a commonly used Service Set Identifier (SSID), such as "tmobile", I have astounded many chief information officers as I demonstrate how easy it is to get laptops located inside the premises to connect automatically to my bogus network, through an attack known as Wi-Phishing.

If this happens while an unsuspecting employee is connected to the corporate network through a wired Ethernet port, I have an IP connection to the attacked laptop and am in a position to bridge from my fraudulent wireless network to the user's corporate network, at which point I have access behind the firewall. If I were a hacker with malicious intent, I would have just hit the jackpot with very little effort.

This simple trick is made possible by the fact that the standard configuration of the most popular wireless clients is set to connect automatically to wireless networks previously utilised. So if a user sets up his laptop to connect to a hotspot called "tmobile", the computer will automatically connect to any wireless network that comes into range with that SSID, unless the default settings have been changed.

About this time in my demonstration, the chief information officer is usually frantically calling his direct reports, asking how this is possible and spouting off the various policies they have in place to prevent this type of event from happening.

What these chief information officers often fail to consider is that, while they may have established policies to govern the usage of wireless networks, employees often don't understand the risks associated with failing to adhere to these policies, or perhaps they just don't care, favouring efficiency over security.

Even more alarming is the fact that, for the right price, an employee could be persuaded to provide a virtually undetectable open door for a hacker through this method.

Guarding the wireless frontier
Having policies without a method of enforcement is about as sensible as expecting inmates to stay in prison without walls or guards. Businesses must view security as an obligation instead of a decision based on probability.

Admittedly, there is no silver bullet when it comes to security, but technology can help turn the tables on fraudsters. At a minimum, IT departments should use software that enforces wireless connectivity policies and automatically shuts off employees' wireless adapters when connected to wired networks. Additional layers of security can be gained through the deployment of wireless intrusion and detection systems capable of accurately locating rogue wireless devices.
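As an added illustration (not from the original article or from any AirPatrol product), the sketch below audits the two conditions described above on a Linux laptop: saved open Wi-Fi profiles that reconnect automatically, and a machine that is on wired and wireless networks at once. It assumes NetworkManager keyfile profiles and the output of `nmcli -t -f TYPE,STATE device`; the function names and sample inputs are constructed for the example.

```python
import configparser

WIFI_TYPES = {"wifi", "802-11-wireless"}  # current and legacy type names
SEC_SECTIONS = ("wifi-security", "802-11-wireless-security")

def open_autoconnect_ssid(keyfile_text):
    """Return the SSID if this profile is an open Wi-Fi network that the
    client will rejoin automatically, else None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(keyfile_text)
    if cp.get("connection", "type", fallback="") not in WIFI_TYPES:
        return None
    # NetworkManager treats a missing autoconnect key as true.
    auto = cp.get("connection", "autoconnect", fallback="true").strip().lower() != "false"
    # Assumption: no security section means an open (unauthenticated) network.
    secured = any(cp.has_section(s) for s in SEC_SECTIONS)
    if auto and not secured:
        for sec in ("wifi", "802-11-wireless"):
            if cp.has_option(sec, "ssid"):
                return cp.get(sec, "ssid")
        return cp.get("connection", "id", fallback="?")
    return None

def dual_homed(nmcli_device_output):
    """True if a wired and a wireless interface are connected at once,
    given the output of `nmcli -t -f TYPE,STATE device`."""
    up = set()
    for line in nmcli_device_output.splitlines():
        dev_type, _, state = line.partition(":")
        if state.startswith("connected"):
            up.add(dev_type)
    return {"ethernet", "wifi"} <= up

# Constructed sample inputs (not taken from a real host).
HOTSPOT = "[connection]\nid=tmobile\ntype=wifi\n\n[wifi]\nssid=tmobile\n"
OFFICE = ("[connection]\nid=corp\ntype=wifi\n\n[wifi]\nssid=corp\n\n"
          "[wifi-security]\nkey-mgmt=wpa-eap\n")
PINNED = "[connection]\nid=cafe\ntype=wifi\nautoconnect=false\n\n[wifi]\nssid=cafe\n"
DEVICES = "ethernet:connected\nwifi:connected\nloopback:unmanaged\n"

if __name__ == "__main__":
    for name, text in (("HOTSPOT", HOTSPOT), ("OFFICE", OFFICE), ("PINNED", PINNED)):
        print(name, "->", open_autoconnect_ssid(text))
    print("dual-homed:", dual_homed(DEVICES))
```

A profile flagged by the first check is a candidate for removal or for `autoconnect=false`; a true result from the second is the state an enforcement agent would respond to by turning the wireless radio off.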

Whether we love or hate the new era of mobility, wireless devices have infiltrated our lives. You can try to ban them from the workplace, but that will not make your organisation impenetrable to wireless security threats.

To truly rectify the growing e-crime problem, businesses must take new vulnerabilities seriously and implement the appropriate security measures. To do anything less is irresponsible. The old adage holds true: if you aren't part of the solution, you may be part of the problem.
