At Forrester Research, analysts get to try out the latest "cool" technology for themselves: PDAs, Wi-Fi laptops, nifty storage devices. They also have the opportunity to try out some technology that many people would consider much more mundane: network "sniffing" software and intrusion-detection devices.
This state of affairs has led to some interesting security revelations at the Cambridge, Massachusetts-based technology research company. "We've pretty much experienced all the rogue technologies out there," says Richard Belanger, Forrester's chief technology officer. "We've found unauthorized Wi-Fi hotspots, had our computers in the office infected by employees using their laptops from home without a firewall, and discovered copyrighted material on corporate laptops that had been downloaded using music file-sharing tools like KaZaA. But that's what the analysts are there for; we've got hundreds of people trying every cutting-edge thing out there. Occasionally they get burned, and we [in IT] have to apply the cure."
Most companies can't cure what ails them as expeditiously as Forrester can — which is all the more reason that their IT departments are trying to stop trouble before it starts. And given the risk of an intrusion into corporate, competitive, and customer data, that seems wise. "In our estimation, 40 percent of organizations have wireless [networks] they don't even know about," says John Pescatore, vice president for Internet security at Gartner Inc., a Stamford, Connecticut-based technology research firm. "And the vendors tell us that number is low. We're finding instances where babysitters are pulling corporate data from rogue access points and posting it on chat rooms."
Before we go further, a clarification: In IT parlance, "rogue technology" doesn't suggest anything about deceitfulness or a lack of principles. In many cases the "rogues" are well-meaning employees who try to wring more productivity from fewer IT dollars but — because they've wandered from the path of the tried-and-true — haven't paid sufficient attention to the security risks or additional costs. Perhaps without management's knowledge, they bought a PDA with their own money and used it to access the network, or they set up a Wi-Fi "hotspot" in a remote part of the corporate campus. Maybe they stored corporate data on a USB fob they got for free at a convention, or they used their cameraphone to take a few snapshots at work. Perhaps they used Yahoo or AOL to send an instant message to a colleague, a chat they didn't realize would be vulnerable to interception since it occurred beyond the corporate firewall.
"These are honest, well-intentioned workers, but they're also stupid, and they're everywhere," says Jack Gold, vice president of Meta Group, a Stamford, Connecticut-based technology research firm. "You tell them not to use this stuff in a corporate context or to at least inform IT before they do it," laments Gold. "But you don't want a police state."
Where's the Harm?
On the other hand, heaven knows, "anything goes" is no way to run a business.
You have plenty of reasons to care about rogue technology. "One reason is lost productivity," replies Forrester chief financial officer Warren Hadley. "If employees are setting up their own technology solutions, they're not doing what they're being paid to do. And when something goes wrong — a virus infecting their laptop — they go to the IT help desk for help, which absorbs IT's resources."
Further, says Hadley, "if someone sets up a rogue Wi-Fi access point, it can open up the entire corporate network to an outsider. The ramifications here can be huge."
Hadley speaks from experience. "We saw a burst of rogue Wi-Fi activity nine months ago," says his CTO, Belanger. For about $90 each, a number of Forrester employees bought their own wireless hubs and used them to help their workgroups access the network. Unfortunately those hubs "basically allow[ed] any outsider with a Wi-Fi card in their PC to get into the corporate system," observes Belanger. Fortunately, he adds, "We were using our network sniffing and intrusion detection system and saw this weird traffic on the backbone network. We eventually tracked it down to an unauthorized hub right on our campus. This is not a good thing. We pulled it right off the network."
Wireless technology is proving to be the chink in the armor at many companies, and accounts of potentially serious breaches are legion. "Last year we discovered that American Airlines' wireless local area network at Denver International Airport was operating without any encryption and had even pasted the IP addresses of curbside terminals on the monitors," says Thubten Comerford, CEO of White Hat Technologies, a Denver-based network security assessment firm. "We even witnessed an intrusion while we conducted our security analysis. While we were sniffing, some of the wireless packets were flagged by the sniffing tool as attack packets."
Comerford says that many employees fail to recognize the risks of using wireless devices. "They'll install a wireless access point on what they see as their network in their part of the building, but behind the corporate firewall," he explains. "This way they can go from desk to conference room to between floors without having to plug in. You've now got this laptop 'walking around' connected wirelessly, but also broadcasting at the same time. Anybody in the building — and possibly outside — can listen in and pick up passwords, user names, and otherwise get to sensitive data."

