Tech Update Security
Wireless security: not an oxymoron
By John Verry
TechRepublic
September 27, 2002



Following the theft of its key customer contact lists, NCTPTI Inc. (Name Changed To Protect The Innocent) hired my company to perform a security assessment. We found the client's wireless local area network (WLAN) unsecured and accessible from any area within 500-plus feet of its office building. Undetected, we successfully "hacked" its network and retrieved a copy of key customer contact lists.

Our next task was to take this information to the client and tell the client what was wrong and how to fix it.

Once we identified the WLAN vulnerabilities, we immediately alerted the senior management team (SMT) to their significance. The following day, five of the six members of the SMT held a meeting at their facility to discuss the security assessment. The CEO excluded the CIO to ensure that the findings could be discussed openly.

After introductions, we pulled a notebook PC from a briefcase, opened it on the conference room table, and posed the rhetorical question, "Would you allow any individual with a notebook to walk in off the street and plug it into your network?"

The SMT sat around the conference table with amused faces, until the CEO smiled knowingly and replied, "Of course not, but I don't suspect you would have kicked off the presentation with that question without a reason."

We smiled back and rotated the notebook to demonstrate our ability to access the client's content, including the customer contact lists that had been exploited. We sat through several seconds of silence until the director of business operations said, "Somehow, I think this meeting is going to get worse before it gets better."

The halfhearted laughs and serious faces indicated that we had accomplished our initial goal of getting their attention and relaying our concerns regarding their current network security.

No laughing matter
The balance of the meeting with the SMT focused on "reasonable and appropriate" uses for WLAN technology. The SMT agreed that there were compelling business reasons--cost and mobility--to continue using WLAN technology in their facility, but they would only do so if they could secure their data. To address the vulnerability as quickly as possible, we were asked to work with the information technology group to properly secure the WLAN.

As is often the case when conducting a senior management-initiated security assessment, the review was as much about the key members of the IT team as it was about network security. In this case, the CIO, an SMT member, was kept distant by the CEO to ensure that the proper level of separation and control was applied. While this was in the best interest of the client, it made the situation potentially difficult for us as consultants.

According to members of the IT staff, the severity of the findings, coupled with the CIO's exclusion, resulted in an unpleasant meeting between the CIO and the CEO. In the wake of that clash, we met with the CIO and his staff to initiate the WLAN vulnerability remediation. The meeting proved to be painful for both parties, but was surprisingly productive. Without building trust, however, that productivity wasn't guaranteed to last.