Risk Management

Monsters Inc.

The security risks unleashed by rogue technology may far outweigh any productivity gains.
Russ Banham, April 1, 2004

At Forrester Research Inc., analysts get to try out the latest cool technology for themselves: PDAs, Wi-Fi laptops, nifty storage devices. Their jobs also call for reviewing much more mundane technology, like network “sniffing” software and intrusion-detection devices.

Testing such tools has led to some interesting security problems at the Cambridge, Massachusetts-based technology-research firm. “We’ve pretty much experienced all the rogue technologies out there,” says Richard Belanger, Forrester’s chief technology officer. “We’ve found unauthorized Wi-Fi hot spots, had our computers infected by employees using their laptops from home without a firewall, and discovered copyrighted material on corporate laptops that had been downloaded using music file-sharing tools. But that’s what the analysts are there for; we’ve got hundreds of people trying every cutting-edge thing. Occasionally they get burned, and we [in IT] have to apply the cure.”

Most companies can’t cure such ills as easily as Forrester can, which is why corporate IT departments are trying to stop trouble caused by rogue technology before it starts. Observers believe there is plenty of trouble brewing. “In our estimation, 40 percent of organizations have wireless [networks] they don’t even know about,” says John Pescatore, vice president for Internet security at Gartner, a Stamford, Connecticut-based technology research firm. “And the vendors tell us [the figure is much higher].”

A clarification: in IT parlance, “rogue technology” doesn’t suggest anything about deceitfulness or a lack of principles. In many cases, the “rogues” are well-meaning employees who try to wring more productivity from fewer IT dollars but haven’t paid enough attention to security risks or costs. Perhaps without management’s knowledge, they bought a PDA with their own money and accessed the network, or they set up a Wi-Fi hot spot in a remote part of the firm. Or maybe they sent an instant message to a colleague via Yahoo or AOL, not realizing the chat would be vulnerable to interception since it occurred beyond the corporate firewall.

“These are honest, well-intentioned workers, but they’re also stupid, and they’re everywhere,” says Jack Gold, vice president of Meta Group, a Stamford, Connecticut-based technology research firm. “You tell them not to use this stuff in a corporate context or to at least inform IT before they do it,” laments Gold. “But you don’t want a police state.”

Chinks in the Armor

On the other hand, “anything goes” is no way to run a business. For one thing, rogue technology can actually lead to lost productivity. “If employees are setting up their own tech solutions, they’re not doing what they’re being paid to do,” says Forrester CFO Warren Hadley. “And when something goes wrong—say, a virus infecting their laptop—they go to the IT help desk, which absorbs IT’s resources.” Moreover, he says, “if someone sets up a rogue Wi-Fi access point, it can open up the entire corporate network to an outsider.”

Forrester executives speak from experience. “We saw a burst of rogue Wi-Fi activity nine months ago,” says CTO Belanger. For about $90 each, some Forrester employees bought their own wireless hubs and used them to help their workgroups access the network. Unfortunately, those hubs “basically allow[ed] any outsider with a Wi-Fi card in their PC to get into the corporate system,” remembers Belanger. Fortunately, he says, “we were using our network sniffing and intrusion-detection system and saw this weird traffic on the backbone network. We eventually tracked it down to an unauthorized hub right on our campus.”

Wireless technology, in fact, is proving to be the chink in the armor at many companies. “Last year we discovered that American Airlines’s wireless local-area network at Denver International Airport was operating without any encryption and had even pasted the IP addresses of curbside terminals on the monitors,” says Thubten Comerford, CEO of White Hat Technologies Inc., a Denver-based network security assessment firm.

Comerford adds that many employees don’t recognize the risks of using wireless devices. “They’ll install a wireless access point on what they see as their network in their part of the building, but behind the corporate firewall,” he explains. “This way, they can go from desk to conference room to between floors without having to plug in. You’ve now got this laptop ‘walking around’ connected wirelessly, but also broadcasting at the same time. Anybody in the building—and possibly outside—can listen in and pick up passwords, user names, and otherwise get to sensitive data.”

Even seemingly safe PDAs can enable unauthorized wireless access. “A lot of these new pocket PCs have built-in wireless, and it seems reasonable that if you’re floating around at Starbucks with one of these with no firewall, it’s just a matter of time before some mastermind figures out a way to hack it,” says Galen Schreck, a Forrester research analyst.

Instant Mess

The threat of rogue technology isn’t limited to wireless applications. According to research firm IDC, some 76 million employees worldwide sent instant messages in the workplace in 2003—more than half using free IM software, such as Yahoo or AOL, downloaded off the Web. The problem, explains Schreck, is that “normally, corporate E-mails are sent through company-provided applications, where there is an opportunity to filter them—HR can see if you’re talking about inappropriate things, for instance.” But that’s not true of instant messages transmitted by unauthorized software; they require specialized software to filter content.

Meta Group’s Gold agrees that IM is another open window. “IM is important in a corporate context—just so long as it is corporate IM,” he says. “But people do stupid things, sending a message to a colleague or a friend about the company’s financial information, like, ‘We’re going to have a loss this quarter—don’t tell anybody.’ Under the Sarbanes-Oxley Act, this would be material information.”

Peer-to-peer applications such as Kazaa, the oddly spelled music-downloading technology, create other vulnerabilities. Kazaa is designed to allow music lovers to easily share audio files, but if an employee downloads the software to an office machine, it may just as easily allow company files to be shared with other Kazaa users. “We had to rebuild 10 laptops here that had been corrupted by Kazaa installations,” says Forrester’s Belanger. “They really mess with other programs. Moreover, there’s the risk of copyright liability. That’s a lawsuit waiting to happen.”

Then there are USB tokens—nifty little storage devices also called fobs or key chains. “You can plug one of these $100 tokens the size of a thumbnail into a standard USB port on a PC and walk away with 256 megabytes of data,” says Alex Cone, CEO of CodeFab Inc., a New York-based software consulting firm. “A person with little integrity could easily steal data from the corporate network by putting it on the fob.” Of course, a determined intruder could print out data and stuff it in a briefcase, but a fob tucked away in a shirt pocket is “much harder to police.”

Reining in the Rogues

So how can firms stop the use of rogue technology? One defense is a technology security strategy. “We require rigid standardization so that everyone is running the same laptop with the same system image and the same software on it,” says Belanger. “Then we give users guidelines about installing additional software and modifying the system image.”

Those standards apply to any technology that employees use in the workplace, even when they use their own money. “We call it the ‘embrace the technology’ approach,” says Schreck. “If you want to buy a PDA, that’s OK, as long as it’s a PDA we’ve approved. The same is true with wireless access points. My group here wanted an access point, but before we deployed it we told IT. They said, ‘If you want to buy it, please set it up in a secure part of the network and, by the way, turn on these specific settings.’”

Of course, gentle guidance doesn’t always work. To detect the presence of rogue technology, Forrester is rolling out Cisco Systems’s new Security Agent system. Other companies are buying content-monitoring tools from vendors such as Vericept or network sniffing devices from companies such as AirMagnet. Installing a firewall on personal Wi-Fi-enabled laptops is also becoming de rigueur. And for those times when all else fails and a virus invades, CodeFab and partner Illuminex Inc. are at work on FireBreak, which employs a distributed, scalable network of “tar pits” and “sticky honeypots” that slow the intrusion until its source is found.

In short, IT is on the job. “IT usually is the first to get blamed for these problems, but the fact is that IT is doing all it can,” says Gold. “CFOs have to realize you can’t give people flat budgets and expect they can cope with new threats. The tools to close the borders have to come from somewhere.”

Russ Banham is a contributing editor of CFO.

Picture This

The damage camera-phones cause in the workplace is only beginning to be recognized.

“If you’re Intel, do you want workers happily snapping pictures of their colleagues while in the background is the company’s secret new technology?” asks Meta Group’s Jack Gold. But managers often don’t look twice at camera-phones, thinking of them more as telephones, or perhaps E-mail devices.

New jamming devices, however, are being developed to counter the threat. Iceberg Systems, for instance, is beta-testing technology that would deactivate the imaging systems in camera-phones once they cross into specific locations. Meanwhile, some companies, such as Samsung, have recognized the danger, and reportedly banned the devices altogether. —R.B.