Wireless technology, in fact, is proving to be the chink in the armor at many companies. “Last year we discovered that American Airlines’s wireless local-area network at Denver International Airport was operating without any encryption and had even pasted the IP addresses of curbside terminals on the monitors,” says Thubten Comerford, CEO of White Hat Technologies Inc., a Denver-based network security assessment firm.
Comerford adds that many employees don’t recognize the risks of using wireless devices. “They’ll install a wireless access point on what they see as their network in their part of the building, but behind the corporate firewall,” he explains. “This way, they can go from desk to conference room to between floors without having to plug in. You’ve now got this laptop ‘walking around’ connected wirelessly, but also broadcasting at the same time. Anybody in the building—and possibly outside—can listen in and pick up passwords, user names, and otherwise get to sensitive data.”
Even seemingly safe PDAs can enable unauthorized wireless access. “A lot of these new pocket PCs have built-in wireless, and it seems reasonable that if you’re floating around at Starbucks with one of these with no firewall, it’s just a matter of time before some mastermind figures out a way to hack it,” says Galen Schreck, a Forrester research analyst.
The threat of rogue technology isn’t limited to wireless applications. According to research firm IDC, some 76 million employees worldwide sent instant messages in the workplace in 2003—more than half using free IM software, such as Yahoo or AOL, downloaded off the Web. The problem, explains Schreck, is that “normally, corporate E-mails are sent through company-provided applications, where there is an opportunity to filter them—HR can see if you’re talking about inappropriate things, for instance.” But that’s not true of instant messages transmitted by unauthorized software; they require specialized software to filter content.
Meta Group’s Gold agrees that IM is another open window. “IM is important in a corporate context—just so long as it is corporate IM,” he says. “But people do stupid things, sending a message to a colleague or a friend about the company’s financial information, like, ‘We’re going to have a loss this quarter—don’t tell anybody.’ Under the Sarbanes-Oxley Act, this would be material information.”
Peer-to-peer applications such as Kazaa, the oddly spelled music-downloading technology, create other vulnerabilities. Kazaa is designed to allow music lovers to easily share audio files, but if an employee downloads the software to an office machine, it may just as easily allow company files to be shared with other Kazaa users. “We had to rebuild 10 laptops here that had been corrupted by Kazaa installations,” says Forrester’s Belanger. “They really mess with other programs. Moreover, there’s the risk of copyright liability. That’s a lawsuit waiting to happen.”
Then there are USB tokens—nifty little storage devices also called fobs or key chains. “You can plug one of these $100 tokens the size of a thumbnail into a standard USB port on a PC and walk away with 256 megabytes of data,” says Alex Cone, CEO of CodeFab Inc., a New York-based software consulting firm. “A person with little integrity could easily steal data from the corporate network by putting it on the fob.” Of course, a determined intruder could print out data and stuff it in a briefcase, but a fob tucked away in a shirt pocket is “much harder to police.”