Truth 34 Rogue wireless access points

You’re at work, feeling a bit burned out or bored, and want to chat with a friend online. Unfortunately, your company has blocked all chat sites. Of course, you start wondering if there is another chat program available that your company hasn’t blocked yet. After searching for a while, you find that your company has really done its homework and blocked every chat program you can find. That’s when it hits you. Your laptop has wireless capabilities built right into it.

You bring up a list of potential wireless access points that are in range of your office. Some of them appear to be secured, but you come across one labeled “Linksys” that doesn’t require a password. You give it a shot, and the connection attempt fails. Then you remember that your office has set up a default Internet gateway that you use while in the office. So it stands to reason that you won’t be able to connect to this new wireless network unless you remove the default gateway that your IT department set up. After you do that, you connect to the wireless network without a hitch, and suddenly, the Internet is yours. You can chat, visit any site you like, and behave as though you were surfing from your computer at home.

If you’re an IT manager, your stomach has probably just knotted up because you can already guess where this is going to end up. For those of you who aren’t techie, it’s important to understand that the IT manager who had placed all those restrictions on the network put them there as a major part of your company’s network security. In fact, for each minute that you continue to be connected to that rogue wireless access point, not only are you putting your own computer and possibly your identity in jeopardy, but you are also putting the entire corporate network at risk.

A law firm I once worked with asked me to test its internal security. Like the fictitious company I described at the beginning of this Truth, this law firm’s IT department had locked down its access to allow only email communication and limited Web access. While I was onsite, I noticed some strange traffic coming from one of the computers on the network. I asked to be taken to that computer, so I could find out what was going on. It turned out to be the laptop of one of the attorneys, who was defensive when I asked him if I could look at his computer. I explained that his computer seemed to be running malicious software on the network and I was concerned that it might be compromised. Finally, the attorney relented and let me take a look. It turned out that he had been connected to a third-party wireless access point and had been using it for the past several months. Because he had been connected to this rogue wireless access point while also connected to the company’s internal network, his computer had been compromised and was being used without his knowledge to infiltrate the rest of the organization’s network.

Most companies use a firewall to protect their computers from the outside world. Firewalls prevent computers on the inside of the firewall from being accessed by anyone outside the company network. Because this layer of security exists, even if your computer on the network has a potential security flaw, hackers can never touch it. System administrators rely heavily on the firewall as a primary line of defense for keeping their networks safe. However, if you set your computer to connect to the Internet using a different path, such as a random wireless access point, you have just lost that primary line of defense.

Because that compromised laptop was also still connected to the law firm’s internal network, the user had basically become a conduit allowing the hacker to access his computer through the wireless side and subsequently attack other computers on the wired corporate side. Fortunately for the law firm, the hacker never gained access to the primary database. However, the hacker was able to gain access to the employee’s online bank account, his Netflix account, several pending case files, as well as all his email correspondence.
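The condition described above, a laptop that holds a corporate address while also associated to an outside access point, can be flagged from endpoint inventory data. The following is an added example, not part of the original text; the snapshot format, the 10.20.0.0/16 range, the gateway 10.20.0.1, and the SSID allow-list are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed policy values, constructed for this example.
CORP_NET = ipaddress.ip_network("10.20.0.0/16")
CORP_GATEWAYS = {"10.20.0.1"}
APPROVED_SSIDS = {"CorpWiFi"}

@dataclass
class Iface:
    name: str
    kind: str                    # "wired" or "wireless"
    ip: Optional[str] = None     # None when the link is down
    ssid: Optional[str] = None   # wireless only

def audit_host(ifaces: List[Iface], default_gateways: List[str]) -> List[str]:
    """Return finding codes for one endpoint snapshot (hypothetical format)."""
    active = [i for i in ifaces if i.ip]
    on_corp = [i for i in active if ipaddress.ip_address(i.ip) in CORP_NET]
    if not on_corp:
        return []  # host is off the corporate LAN; nothing to bridge
    findings = []
    foreign_wifi = [i for i in active
                    if i.kind == "wireless" and i.ssid not in APPROVED_SSIDS]
    if foreign_wifi:
        # A second Internet path that never crosses the corporate firewall.
        findings.append("DUAL_HOMED_UNAPPROVED_SSID")
    if any(gw not in CORP_GATEWAYS for gw in default_gateways):
        # Outbound traffic leaves through someone else's gateway.
        findings.append("DEFAULT_ROUTE_BYPASSES_FIREWALL")
    if not default_gateways:
        # The IT-assigned gateway was removed, as in the scenario above.
        findings.append("CORP_DEFAULT_GATEWAY_REMOVED")
    return findings

# Constructed snapshots: (interfaces, default gateways).
COMPLIANT = ([Iface("eth0", "wired", "10.20.4.17")], ["10.20.0.1"])
BRIDGING = ([Iface("eth0", "wired", "10.20.4.31"),
             Iface("wlan0", "wireless", "192.168.1.104", "Linksys")],
            ["192.168.1.1"])
GATEWAY_REMOVED = ([Iface("eth0", "wired", "10.20.4.31"),
                    Iface("wlan0", "wireless")], [])

if __name__ == "__main__":
    for label, snap in [("compliant", COMPLIANT), ("bridging", BRIDGING),
                        ("gateway removed", GATEWAY_REMOVED)]:
        print(label, audit_host(*snap))
```

The `BRIDGING` snapshot mirrors the attorney's laptop: wired on the corporate range, wireless on an open “Linksys” network, default route pointing outside.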

Employees often do not understand the risks of disabling the security measures that their companies have taken. More importantly, IT personnel rarely explain the limitations that they impose on users. This creates tension as users start to make their own assumptions and eventually look to subvert those security measures.

So when limiting access on your network, follow these simple tips.

• Don’t block too much. There is a balance between protecting a network and becoming a dictator. If employees can’t access information needed to at least do their jobs, they will become creative, which could ultimately put your network at greater risk.

• Explain the risks to your employees. No one wants to be hacked. Ensure that employees understand that the security controls in place serve an important purpose. Make certain they understand the layers of security on your network and the risks if those layers are bypassed.

• Make sure your policies address new technologies. Many sites I have reviewed don’t have policies that touch on wireless. As technology changes, so must your policies.

• When possible, don’t allow laptops on your network. While laptops are convenient, often they are not necessary. Because laptops bring a huge level of additional risk including viruses, lost data, and unlicensed software, they should only be permitted on a need-to-have basis.

If you are an employee who may have become a little creative in gaining access to the Internet on your company’s network, I encourage you to stop. I realize that having complete access to the Internet is nice, but you could be putting your computer, your company’s network, and even your job at risk. If you’re the IT manager implementing the security restrictions, I encourage you to talk with the employees and find out what is needed and what can be blocked. Sometimes, giving just a little extra access may not increase network security risks. This, in turn, may be the difference between an employee working within the system rather than working against it.
