Mobile phones and Wi-Fi hotspots are making a mess of enterprise security strategies.
With smart phones and other gadgets supporting three or more wireless standards at a time, security officers have begun sniffing the airwaves for rogue devices accessing their networks as well as employee phones and laptops carelessly left in a "discoverable" mode.
Some are also contemplating entirely new policies, such as banning all wireless devices from the network except those issued and managed by IT.
Bluetooth, RFID and ZigBee (for building automation) are among the wireless standards that may soon be available to users of a single device. Many security consultants believe hackers are already preparing exploits for some of the standards.
Meanwhile, Wi-Fi-enabled laptops, even those with hardwired Ethernet connections, often connect simultaneously with insecure hotspots in the same building. The result is an unwanted bridge between two worlds: one secure; the other wide open.
"The point is to keep other people off your networks and to keep your people off other [unauthorized] networks," said Matthew Gray, CTO of Boston-based Newbury Networks Inc., which sells a WLAN monitoring and intrusion prevention application called WiFi Watchdog.
Many security officers are using technology from companies such as Newbury and Berkshire, U.K.-based Madge Ltd. to watch for wireless devices operating in their air space. Madge's WLAN Probe provides any Wi-Fi or Bluetooth device's brand and model name, and its MAC address, if available.
Many similar systems can also repel strangers trying to connect to the network, while blocking authorized devices from inadvertently connecting with unauthorized Wi-Fi access points.
The kinds of attacks that will target users of Bluetooth, RFID and other wireless standards are only beginning to emerge. But their effects -- identity theft, eavesdropped VoIP phone calls and Trojans -- could be catastrophic to individuals and companies.
"Bluetooth hacks are a real possibility," Fran Rabuck, president of the mobile technology consultancy Rabuck Associates in Philadelphia, said at the Wireless Security Conference and Expo last week in Cambridge, Mass.
Rabuck said there are several things security managers can do to enhance security. Among them: establish policies and procedures for quarantining devices, tagging them so they can be returned if lost, and even having them wipe themselves clean if they are stolen. Another suggestion: purchase wireless devices that use some form of biometrics, such as a phone that recognizes its owner's fingerprint, to further safeguard company assets.
A company is putting itself at great risk, Rabuck said, "if you don't own the device and are not controlling the data."
Some companies that haven't yet deployed WLAN services are evaluating their networks to see if they are already vulnerable to wireless hacks.
"We do some scanning of the network [for rogue wireless routers]," said Daniel Hartnett, vice president of information security at Delaware Management Holdings Inc. in Philadelphia. "We haven't detected anything. But that doesn't mean it hasn't, or won't, happen."
Many organizations refuse to set up Wi-Fi access without security appliances, among them the Yakima Valley School in Washington, which recently implemented Wi-Fi security technology from Madge.
"We had an additional challenge in that the data security group, which had to authorize the solution, was convinced that wireless couldn't provide the necessary security," said Rodney Kluever, IT systems specialist at Yakima. He won the security group over with his plan to guard Yakima's wireless access points and devices with monitoring appliances that deny access to unauthorized users.