At Forrester Research, analysts get to try out the latest “cool” technology for themselves: PDAs, Wi-Fi laptops, nifty storage devices. They also have the opportunity to try out some technology that many people would consider much more mundane: network “sniffing” software and intrusion-detection devices.
This state of affairs has led to some interesting security revelations at the Cambridge, Massachusetts-based technology research company. “We’ve pretty much experienced all the rogue technologies out there,” says Richard Belanger, Forrester’s chief technology officer. “We’ve found unauthorized Wi-Fi hotspots, had our computers in the office infected by employees using their laptops from home without a firewall, and discovered copyrighted material on corporate laptops that had been downloaded using music file-sharing tools like KaZaA. But that’s what the analysts are there for; we’ve got hundreds of people trying every cutting-edge thing out there. Occasionally they get burned, and we [in IT] have to apply the cure.”
Most companies can’t cure what ails them as expeditiously as Forrester can — which is all the more reason that their IT departments are trying to stop trouble before it starts. And given the risk of an intrusion into corporate, competitive, and customer data, that seems wise. “In our estimation, 40 percent of organizations have wireless [networks] they don’t even know about,” says John Pescatore, vice president for Internet security at Gartner Inc., a Stamford, Connecticut-based technology research firm. “And the vendors tell us that number is low. We’re finding instances where babysitters are pulling corporate data from rogue access points and posting it on chat rooms.”
Before we go further, a clarificaion: In IT parlance, “rogue technology” doesn’t suggest anything about deceitfulness or a lack of priciples. In many cases the “rogues” are well-meaning employees who try to wring more productivity from fewer IT dollars but — because they’ve wandered from the path of the tried-and-true — haven’t paid sufficient attention to the security risks or additional costs. Perhaps without management’s knowledge, they bought a PDA with their own money and used it to access the network, or they set up a Wi-Fi “hotspot” in a remote part of the corporate campus. Maybe they stored corporate data on a USB fob they got for free at a convention, or they used their cameraphone to take a few snapshots at work. Perhaps they used Yahoo or AOL to send an instant message to a colleague, a chat they didn’t realize would be vulnerable to interception since it occurred beyond the corporate firewall.
“These are honest, well-intentioned workers, but they’re also stupid, and they’re everywhere,” says Jack Gold, vice president of Meta Group, a Stamford, Connecticut-based technology research firm.”You tell them not to use this stuff in a corporate context or to at least inform IT before they do it,” laments Gold. “But you don’t want a police state.”
Where’s the Harm?
On the other hand, heaven knows, “anything goes” is no way to run a business.
You have plenty of reasons to care about rogue technology. “One reason is lost productivity,” replies Forrester chief financial officer Warren Hadley. “If employees are setting up their own technology solutions, they’re not doing what they’re being paid to do. And when something goes wrong — a virus infecting their laptop — they go to the IT help desk for help, which absorbs IT’s resources.”
Further, says Hadley, “if someone sets up a rogue Wi-Fi access point, it can open up the entire corporate network to an outsider. The ramifications here can be huge.”
Hadley speaks from experience. “We saw a burst of rogue Wi-Fi activity nine months ago,” says his CTO, Belanger. For about $90 each, a number of Forrester employees bought their own wireless hubs and used them to help their workgroups access the network. Unfortunately those hubs “basically allow[ed] any outsider with a Wi-Fi card in their PC to get into the corporate system,” observes Belanger. Fortunately, he adds, “We were using our network sniffing and intrusion detection system and saw this weird traffic on the backbone network. We eventually tracked it down to an unauthorized hub right on our campus. This is not a good thing. We pulled it right off the network.”
Wireless technology is proving to be the chink in the armor at many companies, and accounts of potentially serious breaches are legion. “Last year we discovered that American Airlines’ wireless local area network at Denver International Airport was operating without any encryption and had even pasted the IP addresses of curbside terminals on the monitors,” says Thubten Comerford, CEO of White Hat Technologies, a Denver-based network security assessment firm. “We even witnessed an intrusion while we conducted our security analysis. While we were sniffing, some of the wireless packets were flagged by the sniffing tool as attack packets.”
Comerford says that many employees fail to recognize the risks of using wireless devices. “They’ll install a wireless access point on what they see as their network in their part of the building, but behind the corporate firewall,” he explains. “This way they can go from desk to conference room to between floors without having to plug in. You’ve now got this laptop ‘walking around’ connected wirelessly, but also broadcasting at the same time. Anybody in the building — and possibly outside — can listen in and pick up passwords, user names, and otherwise get to sensitive data.”
During a recent White Hat sweep of downtown Denver, reports Comerford, his company detected a bank manager who had installed an off-the-shelf wireless access point in her office. “We were sure the bank’s IT department had not authorized or implemented this link. Meanwhile, this access point was wide open and broadcasting. Needless to say, when we told the bank it woke a few people up.”
Evidently, many companies are still asleep at the switch. “Most companies have no idea how vulnerable they are,” says Dean Au, the CEO, president, and founder of AirMagnet Inc., a Sunnyvale, California-based Wi-Fi security and performance monitoring company. “When they buy our remote handheld device and go out sniffing for wireless access points, at least 20 pop up in the first 30 seconds. Employees are out there sharing files wirelessly, and meanwhile, anybody can read their hard drives.”
Rich Mironov, AirMagnet’s vice president of marketing, recalls one client, a fund manager who had purchased some new laptops with wireless capability, who was floored when he realized that the units were shipped with the wireless functionality turned on. “Here they go taking the laptops out of the box, which are already powered up and looking for an access point,” says Mironov. “Talk about an instant security issue. If there is an access point across the street, the laptops would immediately want to talk with it. They will literally attach and connect.”
Seemingly innocuous PDAs can enable unauthorized wireless access, too. “A lot of these new pocket PCs have built-in wireless, and it seems reasonable that if you’re floating around at Starbucks with one of these with no firewall, it’s just a matter of time before some mastermind figures out a way to hack it,” says Galen Schreck, a Forrester research analyst. “We haven’t seen any pocket PC viruses yet, but they’re inevitable. Besides, there’s always the risk of losing it, which is lot harder to do with a laptop. Meanwhile, you’ve got 64 megabytes of RAM in there that may contain sensitive company information.”
PDAs pose an additional problem: “People go out and get these specialized PDAs that interfere with existing corporate systems because they’re not standardized to them,” says Belanger says. “That then takes up the help desk’s time to get the system back up and working. For example, our corporate policy is to support Palm devices. When somebody goes out and buys BlackBerry and the thing has a problem, it consumes the help desk’s resources and takes time away from supporting our legitimate PDA users.”
Is It a Tool or a Toy?
The threat of rogue technology isn’t limited to wireless applications. According to research firm IDC, some 5.5 million employees send instant messages at work. Unfortunately, many of them use free IM software that they downloaded off the Web. “Anybody can sign up and use Yahoo or AOL for instant messaging,” says Schreck.
“Normally, corporate E-mails and IM are sent through the company firewall, where there is an opportunity to filter them — HR can see if you’re talking about inappropriate things, for instance,” he adds. But that’s not true of instant messages transmitted by an outside company, such as AOL; you’d need to deploy specialized software to filter the content. Adds Schreck, “That’s why many companies forbid the use of outside IM services.”
Gold agrees that IM is another open window. “IM is important in a corporate context just so long as it is corporate IM,” he says. “It’s an incredibly effective way for employees to ask each other quick questions. But people do stupid things, sending a message to a colleague or a friend about the company’s financial information, like, ‘we’re going to have a loss this quarter — don’t tell anybody.’ Under Sarbanes-Oxley this would be material information.”
Peer-to-peer applications like KaZaA, the oddly-spelled music downloading technology, create other vulnerabilities. KaZaA is designed to allow music lovers to easily share audio files with one another, but if an employee downloads the software to an office machine, it may just as easily allow company files to be inadvertently shared with millions of other KaZaA users. “We had to rebuild ten laptops here that had been corrupted by KaZaA installations,” says Belanger. “They really mess with other programs. Moreover, there’s the risk of copyright liability — storing copyrighted music that is freely shared with others. That’s a lawsuit waiting to happen.”
Gold brings to mind a particularly Kafkaesque nightmare — the surreal distortions and sense of impending danger that only a camera phone can produce. “There’s a reason why many companies ban regular cameras at the worksite,” Gold explains. “If you’re Intel, do you want workers happily snapping pictures of their colleagues, while in the background is the company’s secret new technology?” But some managers may not look twice at camera phones, since they probably think of them more as telephones, and perhaps E-mail devices.
Belanger says that since Forrester doesn’t have a “secret proprietary manufacturing process like Apple does,” the company doesn’t prohibit camera phones. “But I wouldn’t be surprised to see Apple, a design company, or some fashion house outright ban these things.” Reportedly, Samsung and LG Electronics, among other companies, have done just that.
Then there are USB tokens — nifty little storage devices also called fobs or key chains. “You can plug one of these hundred-dollar tokens the size of a thumbnail into a standard USB port on a PC and walk away with a gigabyte of data,” says Alex Cone, CEO of CodeFab Inc., a New York-based software consulting firm. “These things are pervasive.” So pervasive, notes Belanger, that he picked up a USB token as a convention giveaway.
“I think of them as souped-up floppy disks,” he says. “A person with little integrity could easily steal data from the corporate network by putting it on the fob.” Of course, a determined intruder could print out data and stuff it in a briefcase, but a fob that can be tucked away in a shirt pocket is “much harder to police.”
Reining in the Rogues
So how does one stop the use of rogue technology? The first line of defense is a technology security strategy and the employee guidelines that support it. “We require rigid standardization so everyone is running the same laptop with the same system image and same software on it,” says Belanger. “Then we give users guidelines about installing additional software and modifying the system image.”
Those standards apply to any technology that employees intend to use in the workplace, even when employees are using their own money. “We call it the ‘embrace the technology’ approach,” says Schreck. “If you want to buy a PDA, that’s OK, so long as it’s a PDA we’ve approved. The same is true with wireless access points. My group here wanted an access point, but before we deployed it we told IT. They said, ‘if you want to buy it, please set it up in a secure part of the network and, by the way, turn on these specific settings.’ “
Of course, gentle guidance — or even outright prohibitions — don’t always do the trick. To detect the presence of rogue technology within its walls, Forrester is rolling out Cisco Systems’ new Security Agent system. Other companies are buying content-monitoring tools from vendors like Vericept or network “sniffing” devices from companies like AirMagnet (see “Sniffing Out Trouble” at the end of this article). Installing a firewall on personal Wi-Fi-enabled laptops is also becoming de rigueur (though as Gold notes, “How many people have firewalls at home? Do you?”).
Meanwhile, new jamming devices are countering the threat posed by camera phones that are inadvertently or deliberately brought into the office. Iceberg Systems, for instance, is beta-testing technology that would deactivate the imaging systems in camera phones once they cross into specific locations.
And for those times when all else fails and a virus is worming its way through systems, CodeFab and partner company Illuminex Inc. are at work on FireBreak, which employs a distributed, scalable network of “tar pits” and “sticky honeypots” that slow down the intrusion until its source can be identified.
In short, IT is on the job. “IT usually is the first one to get blamed for these problems, but the fact is that IT is doing all it can,” says Gold. “CFOs have to realize you can’t give people flat budgets and expect they can cope with new threats. The tools to close the borders have to come from somewhere.”
Russ Banham is a contributing editor to CFO.com.
Sniffing Out Trouble
Chris Schear says he sometimes feels like that mildly annoying bespectacled fellow in TV commercials who’s always asking, “Can you hear me now?” But Schear, an IT network security associate at Principal Financial Group, isn’t gauging the clarity of his wireless service — he’s “sniffing out” other people’s connections.
Schear’s routinely hikes across Principal Financial’s campus in Des Moines, Iowa, waving a handheld device that isolates rogue wireless access points. “The range of the equipment is pretty limited — it doesn’t have multi-mile ranges — so we’re on foot here a lot trying to locate access points to see if they’re approved or not,” says Schear.
One of your neighbors, or perhaps you yourself, may have installed a wireless network at home so a Wi-Fi laptop can be used anywhere in the house. Many Starbucks and McDonald’s franchises, and a number of other restaurants, now offer wireless “hotspots” that allow their customers to check E-mail or surf the Web. Principal Financial, a diversified financial services company, sports many wireless access points for external connection, but it doesn’t permit wireless connections inside its buildings. And it doesn’t permit business units to install their own wireless access points — that’s Schear’s job. “We don’t want our residential-mortgage business unit running their own access points, which might allow somebody sitting in the parking lot across the street to launch the next Blaster worm,” explains Schear, “or at Starbucks, piggybacking off our network, utilizing our Internet bandwidth, and doing things they shouldn’t be doing.”
Principal Financial, which serves 13 million customers at 250 locations worldwide, runs more than 400 wide area networks, making Schear’s work particularly challenging. Any time the firm acquires another company and seeks to integrate its technology, Schear or his technicians are sent scurrying across campuses, sniffing the air with their handheld devices (from aptly named AirMagnet Inc. in Sunnyvale, California) to divine unauthorized Wi-Fi access points. When they find one, an investigation is undertaken to divine the nature of the hot spot — is an errant employee bypassing protocol in an effort to be more efficient, or is something more nefarious afoot? Notes Schear, “Every time we conduct an assessment, we almost always find something noteworthy. There are infractions.”
And what of the ne’er do wells — are they punished? “Well, no; they’re advised of our policy and educated,” says Schear. At Forrester, says Belanger, “We don’t adopt a draconian approach…. We do deal with it quickly and seriously. They’re apprised of the infraction and reminded about our security guidelines.”
A punitive approach doesn’t work because it encourages people to go underground, explains Belanger. “Rather than wait for the security czar’s permission to use some new technology,” he adds, “they just figure out a way to bypass the rules in such a way that it ends up compromising security even more significantly.” And as Schear notes, “We don’t want technology to be a disabler; we want it to be an enabler.” —R.B.