Video"I think of them as souped-up floppy disks," he says. "A person with little integrity could easily steal data from the corporate network by putting it on the fob." Of course, a determined intruder could print out data and stuff it in a briefcase, but a fob that can be tucked away in a shirt pocket is "much harder to police."
Reining in the Rogues
So how does one stop the use of rogue technology? The first line of defense is a technology security strategy and the employee guidelines that support it. "We require rigid standardization so everyone is running the same laptop with the same system image and same software on it," says Belanger. "Then we give users guidelines about installing additional software and modifying the system image."
Those standards apply to any technology that employees intend to use in the workplace, even when employees are using their own money. "We call it the 'embrace the technology' approach," says Schreck. "If you want to buy a PDA, that's OK, so long as it's a PDA we've approved. The same is true with wireless access points. My group here wanted an access point, but before we deployed it we told IT. They said, 'if you want to buy it, please set it up in a secure part of the network and, by the way, turn on these specific settings.' "
Of course, gentle guidance — or even outright prohibitions — don't always do the trick. To detect the presence of rogue technology within its walls, Forrester is rolling out Cisco Systems' new Security Agent system. Other companies are buying content-monitoring tools from vendors like Vericept or network "sniffing" devices from companies like AirMagnet (see "Sniffing Out Trouble" at the end of this article). Installing a firewall on personal Wi-Fi-enabled laptops is also becoming de rigueur (though as Gold notes, "How many people have firewalls at home? Do you?").
Meanwhile, new jamming devices are countering the threat posed by camera phones that are inadvertently or deliberately brought into the office. Iceberg Systems, for instance, is beta-testing technology that would deactivate the imaging systems in camera phones once they cross into specific locations.
And for those times when all else fails and a virus is worming its way through systems, CodeFab and partner company Illuminex Inc. are at work on FireBreak, which employs a distributed, scalable network of "tar pits" and "sticky honeypots" that slow down the intrusion until its source can be identified.
In short, IT is on the job. "IT usually is the first one to get blamed for these problems, but the fact is that IT is doing all it can," says Gold. "CFOs have to realize you can't give people flat budgets and expect they can cope with new threats. The tools to close the borders have to come from somewhere."
Russ Banham is a contributing editor to CFO.com.
Sniffing Out Trouble
Chris Schear says he sometimes feels like that mildly annoying bespectacled fellow in TV commercials who's always asking, "Can you hear me now?" But Schear, an IT network security associate at Principal Financial Group, isn't gauging the clarity of his wireless service — he's "sniffing out" other people's connections.
Schear's routinely hikes across Principal Financial's campus in Des Moines, Iowa, waving a handheld device that isolates rogue wireless access points. "The range of the equipment is pretty limited — it doesn't have multi-mile ranges — so we're on foot here a lot trying to locate access points to see if they're approved or not," says Schear.
One of your neighbors, or perhaps you yourself, may have installed a wireless network at home so a Wi-Fi laptop can be used anywhere in the house. Many Starbucks and McDonald's franchises, and a number of other restaurants, now offer wireless "hotspots" that allow their customers to check E-mail or surf the Web. Principal Financial, a diversified financial services company, sports many wireless access points for external connection, but it doesn't permit wireless connections inside its buildings. And it doesn't permit business units to install their own wireless access points — that's Schear's job. "We don't want our residential-mortgage business unit running their own access points, which might allow somebody sitting in the parking lot across the street to launch the next Blaster worm," explains Schear, "or at Starbucks, piggybacking off our network, utilizing our Internet bandwidth, and doing things they shouldn't be doing."
Principal Financial, which serves 13 million customers at 250 locations worldwide, runs more than 400 wide area networks, making Schear's work particularly challenging. Any time the firm acquires another company and seeks to integrate its technology, Schear or his technicians are sent scurrying across campuses, sniffing the air with their handheld devices (from aptly named AirMagnet Inc. in Sunnyvale, California) to divine unauthorized Wi-Fi access points. When they find one, an investigation is undertaken to divine the nature of the hot spot — is an errant employee bypassing protocol in an effort to be more efficient, or is something more nefarious afoot? Notes Schear, "Every time we conduct an assessment, we almost always find something noteworthy. There are infractions."
And what of the ne'er do wells — are they punished? "Well, no; they're advised of our policy and educated," says Schear. At Forrester, says Belanger, "We don't adopt a draconian approach.... We do deal with it quickly and seriously. They're apprised of the infraction and reminded about our security guidelines."
Reader Comments» Post a comment