PEBBLE BEACH, Calif. – There were 10 million unauthorized attempts last year to get on Marty Colburn's wireless network at the National Association of Securities Dealers. But none was successful.
Technology service provider Electronic Data Systems Corp. of Plano, Texas, manages and monitors NASD's wireless network. Colburn, vice president at NASD, the nation's primary regulator of securities firms, says the network's security measures defended every one. The biggest wireless worry came from a NASD employee who set up an MP3 server, thus potentially opening up the network to unauthorized access for people swapping non-approved files.
Speaking at the CIO Decisions Conference last week, Colburn was among three panelists who shed light on the myths and truths behind wireless security – a lightning -rod issue for many attendees who indicated they're managing or rolling out a wireless network.
While each panelist revealed a security breach, ranging from a rogue access point to other rogue employee behavior, most of the discussion centered on debunking wireless security's bad rap. In fact, a great deal of concern over wireless security has led to smart technology and best practices that lead to some very secure networks.
"To some extent, wireless gets a bad rap because it's implemented a lot of times before being completely understood," says Brad Bourland, director of procurement technology for the Houston Astros baseball team and one of the panelists. "With all the scrutiny around wireless now … people have a tendency to make wireless networks even more secure than some of the wired networks."
Bourland's job touches three wireless networks, including an "open" network or hotspot at the team's stadium that consists of 115 access points spread over 29 acres and serves some 40,000 fans and concession vendors and a "closed" network for ticketing. It's obviously much easier to lockdown the closed network because fewer people need access to it. "There are many layers of security," says Bourland. "It's Fort Knox, as we know how to do it."
Another speaker, Bonnie Hardy, vice president of technology solutions at Slade Gorton & Co., a Boston-based seafood importer and distributor, inherited a 10-year-old wireless network used mostly by warehouse workers. Initially, information flying over airwaves wasn't encrypted. The network has since been upgraded to run on 802.11b and uses the wired equivalent privacy (WEP) scheme to encrypt data.
While Hardy espouses the virtues of WEP, which some have argued has an easily cracked key, many security breaches have little to do with technology and everything to do with policy. Or, in Hardy's case, an incomplete policy. When a consultant came to her offices and tapped into Slade Gorton's wireless network, he brought in a worm. There weren't any rules governing the use of the network for visitors. It took Hardy's entire IT staff to clean up the havoc the worm wreaked.
Everyone agreed that wireless security polices spelled out, for instance rules for employees concerning rogue access points, are a necessary first step. NASD locks down all wireless-enabled laptops and publishes an "appropriate use" policy for employees. Slade Gorton provides clean laptops for consultants to use that are connected to a wired LAN and denies outsiders access to its wireless network. But the panelists conceded that policies by themselves don't govern human behavior. Employees "sign their disclosure statements saying that PCs will only be used for business use, and then they go and download Quicken," Colburn said.
That's why Colburn says monitoring the wireless network, detecting intrusions and measuring the effectiveness of security efforts is vital to ensuring a high level of security. He recommends going with mature wireless vendors and service providers that have a track record of success. Hardy also advises CIOs to think hard about wireless vendors' ability to meet a company's unique needs. For instance, she needed a Wi-Fi hardware vendor that understood the challenges of a cooler warehouse environment. And Bourland points to partnerships with companies experienced in networking as the most important step to achieving wireless security. "Our single key to success was our relationship with Time Warner Cable," he says.