Patrick Heim, vice president of enterprise security at McKesson Corp., a pharmaceutical distributor with 24,000 employees, has no sense of humor when it comes to wireless eavesdropping on his company's computer network. Because McKesson allows some employees to access e-mail and information on the company's server through their wireless devices, the McKesson system can be vulnerable to hackers. Employees unknowingly make this rogue access by unauthorized wireless users possible when they connect over wireless, particularly in public places such as an airport, a train station or the local Starbucks. "It's a significant risk to the company," says Heim. "Suddenly, you have a huge gaping security point. Wireless signals don't respect walls."

McKesson's answers to this security threat: plenty of rules and a virtual private network (VPN). A VPN is a tunnel of sorts that blocks access to the network by users not authorized to enter the tunnel and acts as a private thruway between an employee's laptop and the company's network. "It's a very mature technology, whereas wireless security standards are immature," says Heim. "WLAN (wireless local area network) security is more difficult than Internet security. And, there isn't a good way of monitoring rogue access in a big company."

Battening Down the Wireless

Unfortunately, McKesson is way ahead of the pack when it comes to plugging these rogue access holes. According to a recent Jupiter Research survey, only 48% of companies have implemented security on corporate wireless networks. "The larger firms seem to be sitting on their laurels more than smaller ones," says Gary Morse, president of New York City consulting firm Razorpoint Security Technologies Inc. "They make only a marginal effort to do WLAN security properly. The biggest vulnerability is complacency."

Sure, many experts will claim that talk of hackers mercilessly stalking companies is over-hyped by the consultants looking to make a buck. Yet, hackers need only a Pringles can for an antenna and a wireless card to pry into access holes made by wireless. What's more, WLAN hackers are totally anonymous, unlike cyber warriors. "A hacker could be sitting next to me," says Gerry Cockram, program manager of Sprint Corp.'s Wi-Fi. "But it's virtually impossible to track that individual."

While industry-wide standards are only now getting hammered out, slowing the process, the Wi-Fi Alliance, an industry trade group that includes Toshiba Corp. and Texas Instruments Inc., has been pushing for stronger security encryption. The first attempt, called WEP (Wired Equivalent Privacy), was a weak encryption scheme that was easily cracked in 2001, making it an industry-wide bad joke. But the newer, much stronger WPA (Wi-Fi Protected Access) is being added to security devices now, insiders claim. "Wireless security is being ramped up pretty fast," says Jupiter Research analyst Julie Ask.

Help is also on the way thanks to wireless vendors like Cisco Systems Inc. and Symbol Technologies Inc. that have pioneered their own encryption and authentication security used on their wireless components. But at least 20 new vendors have jumped into the hot wireless space, many without track records. The trick, says Ask, is getting interoperability between competing technologies, and some of the newcomers are too busy touting their own agendas in search of market share.

Meta Group analyst Chris Kozup claims that vendors are hindering the process of building a secure, scalable wireless LAN. "Vendors have allowed politics to defeat the primary goal of attaining interoperability," he wrote in a Meta Group research report. The upshot: Kozup predicts that such a system will not be attainable for another year at least.

In the interim, hammering out a security defense is also crucial. And the first step in combating wireless marauders, say experts, is getting a security audit. "We think of security like a pyramid," says Morse, "with the general hacker threat at the bottom. We start with the basics first and then move into elite attacks." However, most insiders also note that security holes are usually opened by unknowing employees and are rarely malicious.

"Think of wireless security as a component of controlling the network," counsels Patrick Rafter, a spokesman for Bluesocket Inc., which makes WLAN security products. In other words, wired solutions like firewalls that filter data, encryption that scrambles traffic and authentication for identifying users also do double duty in the wireless world. For example, with authentication, you can approve use of parts of the company network, such as the finance server. That way it's easier to control access, he says.

Without clear security antidotes, say experts, the key is layering wireless security tools. For example, combining firewalls with VPNs, as McKesson did, is one viable route. "Security is a process, not a product," adds Razorpoint's Morse. "You can't just rely on one product and say 'okay, I'm finished.'" The mistake most companies make, he says, is relying on one security technology like VPNs.

Sometimes the WLAN security answer is as simple as changing the default security key on a computer that's easily hacked into. "In general, there's one default key per vendor," says Nick Brigman, vice president of product strategy at security consulting firm Red Siren.

A looming corporate nightmare is monitoring security at hot spots: public places such as restaurants, airports or parks where employees decide to call up their e-mail or get a little work done over wireless. As use of wireless devices becomes common and more and more employees are granted wireless access to company networks, the threat rises exponentially. That's why McKesson banned use of non-corporate wireless LAN hook-ups that aren't protected by a VPN; the harshest penalty, says Heim, is being fired. "Rogue deployment is one of the biggest risks," he says.

Linking Security to the Paycheck

In the end, security is still a management issue, say experts. Security features must be invoked properly, since vulnerabilities can be exploited in minutes. Yet Morse estimates that less than one-third of users actually turn on security devices on their laptops or PDAs, because the rush to connect is so great. That's why employee awareness programs are essential, say analysts. "Awareness has to happen every day," says Sprint's Cockram. "From wall posters to mouse pads. Buy-in has to occur all the way up to the CEO." McKesson, for example, sent out strongly worded e-mails to employees, saying that they could only use corporate wireless devices that use the company VPN.

A widely circulated, one-page best practices document also helps. Some prescient companies are even folding security policy into employee performance reviews. "Having a better security mindset is being tied to money," explains Morse.

The issue is at least on most companies' radar screens, and not a moment too soon. Says Razorpoint's Morse: "There's no shortage of holes to find and hacker penetrations to clean up after."

© 2025 ALM Global, LLC, All Rights Reserved.