Wireless Security and Support: Time to Get Nervous

READER ROI

Get tips for safeguarding devices and wireless systems

Understand how to assess risks involved with wireless technology

Learn what questions to ask about your wireless applications

I’m not a hacker. I don’t know the first thing about breaking into corporate information systems. Yet one night recently, I went looking for a wireless network signal. As I walked through downtown Boston’s financial district with my laptop open in my arms, the green light on my 802.11 wireless LAN adapter card stopped blinking, and the network scanner latched on to someone else’s wireless local area network. It was easy–the hardest part of the operation was turning on my computer. For the sake of the company that uses the network I detected standing outside 50 Federal Street (and CIO’s legal counsel), I ended my experiment there. But if I can inadvertently stumble onto a network simply by purchasing a $150 wireless network card designed for any user, just think what an experienced hacker could do.

This isn’t a sensationalized scare story. But the fact is that wireless technology is an important business channel (see “Decidedly Not Gee Whiz,” Page 130). IT executives need to develop a commonsense approach that assesses both the risks and the rewards of the technology, regardless of whether the wireless implementation adds capabilities to an office building LAN or provides mobile device users with Internet access. The latter group will surpass 500 million worldwide by 2002, up from about 100 million now, according to IDC (a sister company to CIO’s publisher, CXO Media).

Iain Gillott, the president of iGillottResearch in Austin, Texas, and a former wireless analyst at IDC, says that wireless has been on CIOs’ hit lists for years. “The problem is that something always [came] in like ’build website’ or ’get e-commerce,’” Gillott says. In the five years Gillott says it has taken wireless to rise to the top of the list, the technology has matured to the point where you can extend Web-enabled applications to wireless devices without creating a lot of unique technical challenges. Ironically, the advanced state of the technology relative to the slow rate of adoption gives the mistaken impression that all security and systems support problems have been solved. They haven’t.

Wireless frees users to roam and still access important information. But there’s an obstacle course awaiting IT executives looking to implement wireless projects. The freedom that comes with allowing roaming users to access information adds security risks–both at company headquarters and with the end users’ portable devices. Wireless service coverage and quality varies by location. And different companies providing wireless service in the United States base their services on an array of standards that are not all compatible with each other. “Frankly, we’re still sorting it out,” says Pat Flynn, CIO of Bellevue, Wash.-based trucking company Paccar. “There’s even the possibility that here in the U.S. we may have to support multiple standards to get the coverage we need.”

To make sense of all this, you need to study both the benefits and risks of any wireless project to see if the pluses win out. And both CIOs and security experts suggest starting out slowly with small-scale pilot projects. Researching your specific situation, your business needs for wireless technology and even your users’ habits in the field will help your company set policies for systems and end users’ mobile devices, and mitigate many of the risks (see “Watching Your Back,” Page 110).

Think Risk

Deciding whether to go wireless is the first step. And it’s important to make the decision by measuring the benefits against the risks. The cost and likelihood of a proprietary process or a customer list falling into the wrong hands (or the wrong handheld) need to be reevaluated for the new environment. “Any time you extend beyond the walls of your company in a network sense you’re opening yourself up to some security risks,” says Steve Matheys, CIO of Schneider Logistics, a domestic transportation company based in Green Bay, Wis.

Craig Friedrich, vice president and CIO of InFocus, a Wilsonville, Ore., projector manufacturer, puts it another way: “The hard part for the CIO is trying to figure out if the benefit that the employees or the customers are going to get outweighs the risk you think you are running. And the fear is you don’t know what you don’t know.”

CIOs and other IT experts say you should be able to answer the following three questions.

Is the device right for the intended use? “The old adage really applies here,” says Ross Patterson, the CIO of Greenville, S.C.-based electronics manufacturer Kemet Electronics. “Just because your new tool is a hammer doesn’t mean that every problem is a nail.” One drawback of mobile devices is their size: A Palm III has a 5.6-square inch screen, for example, that makes access to much more than short text messages impractical. For this reason, Patterson, who does access Lotus Notes e-mail from his Palm handheld, decided against using the device for transactional or data-intensive applications.

Will people use it? InFocus’s Friedrich says that the degree to which a wireless application is adopted by its intended end users (customers, employees, business partners) is a major factor in determining whether it should be offered. “If I assumed it was going to get 150 users, and I got 15, then forget the cost for a minute, but are those 15 people worth the risk that I am running here?” A CIO shouldn’t be afraid to pull the plug on a project that isn’t benefiting enough people and should constantly reevaluate how many people are using it and who they are, Friedrich says.

Is there a business case? Despite the need to gain wireless skills, it’s foolhardy to undertake a wireless project that won’t benefit the company. That’s why Chuck Wodehouse, president of Jacksonville, Fla.-based CSX Technology, the business unit of the Richmond, Va.-based rail shipping company CSX, always asks himself if he is “going to be able to get the value out of this that justifies the expense.” Experimentation is good, but it should be practical experimentation.

To Wireless Or Not?

Here are two cases that present both sides of the risk/cost versus benefit assessment. CSX Technology recently rolled out its first wireless application. According to Wodehouse, the application was a simple extension of the company’s tracking software to any Web-enabled device, with information made available to both employees and customers. The move was more a customer relations effort than the introduction of a new revenue channel. It wouldn’t make the company any money, but then again it didn’t cost much–since the application was already Web-enabled, it took only a few thousand dollars to extend it to wireless devices. “Users find it pretty horrific if they are on the road or at home and a problem occurs, and they can’t get online to use our normal track-and-trace application,” says Wodehouse. This way, a stuck-in-traffic customer watching a storm approach could use a cell phone to check the estimated time of arrival of an expected pig iron shipment and begin looking for another source for the material.

Because the information is already available over the public Internet, no special security measures were taken in developing this application. And with information like train arrival times and order shipment status, the security investment didn’t seem warranted. The experience, which gave Wodehouse’s staff some wireless skills from a “toe-in-the-water project,” convinced CSX Technology to invest in more intensive wireless projects for future deployment, like e-mail access and applications designed to help sales-force field representatives plan and coordinate their work.

At Cambridge Health Alliance in Cambridge, Mass., a consideration of risks and costs versus benefits led to a different outcome. “The ability for physicians to have their own device is compelling,” says Tom Coffey, director of network engineering for the public health-care system that includes two urban hospitals. “And could they provide better care? They probably could.” But, Coffey says, portable devices that routinely leave the office represent significant security challenges.

Patient data, he says, is inherently at risk. Among the many parties financially motivated to obtain patient data are insurance companies, which could use the data to make liability assessments, and marketing companies, which could tailor promotions to patients based on their medical conditions. And there are other privacy concerns. Coffey recalls attending a training class a few years ago with programmers from the Hospital Santa Monica in Southern California and hearing their stories of supermarket tabloids offering thousands of dollars for medical information on celebrity patients.

Safeguarding patient data stored on PDAs is risky, Coffey says. Until secure and affordable systems and devices are available, Cambridge Health Alliance limits its staff’s PDA synchronizations to nonpatient administrative data like basic calendar information.

The Malicious Interloper

CIOs agree that once a wireless project gets the green light, security becomes the most obvious challenge–and potentially the most devastating.

Since conditions are always changing, no system will ever be 100 percent secure, says Mudge, a security expert who has testified before Congress using his single-word nom de guerre. Mudge says security checks are like going to the doctor: You might get a clean bill of health at the end of your visit but then get hit by a bus when you walk out the door. Suddenly you’re no longer healthy. But, by understanding the security risks inherent in every technology and making decisions that take these risks into account, you can greatly reduce your exposure. Mudge, research and development vice president for Cambridge, Mass.-based Internet security consultancy @Stake, suggests imagining a malicious interloper whose sole desire is to attack your company through your latest technology. By discovering the weaknesses yourself, you can better protect against such an attack (see “Roads Hackers Travel,” Page 106).

InFocus’s Friedrich agrees. “The hacker types just love to talk about what they are up to and how they are doing it,” he says. “So we went surfing on hacker sites to find out what are these guys up to. If there is someone bragging about how they are going to break into your house you might as well listen to them.”

Friedrich didn’t just go online to listen to hackers. He also wandered around his company’s Seattle office building attempting to pick up random wireless signals that the company’s network was giving out. With a wireless LAN, transmitters can be placed in any location and cast a signal at varying strengths. Wireless signals also travel through walls. “It is a brick building and the signal didn’t seem to poke through well,” Friedrich says of his stroll around the building. “And where it does you have to be just about next to the building and holding your device up. It wasn’t scientific by any means, but when you think about how someone would intrude, that would be the way.” Friedrich concluded that randomly transmitted signals from the company’s network were not a security threat because InFocus is set on a campus surrounded by lakes and fields. A device-wielding hacker would look pretty foolish.

Friedrich’s is a practical approach. Yet, says Mudge, most companies are content with the first ad hoc installation that they find works. A note of caution: Due diligence requires more than relying on a vendor’s instruction manual designed to get you up and running. Contenting oneself with the first settings that work and not playing the role of the prospective interloper invites risk. As Mudge says, a bewildered smile spreading across his face, “That’s game over.”

Standards

While Europe has nearly universal acceptance of the global system for mobile (GSM) cellular communication technology, the battle in the United States remains wide open. At this point there are four competitors: GSM, code division multiple access (CDMA), time division multiple access (TDMA) and Integrated Digital Enhanced Network (iDEN). (See “How to Speak Wireless,” Page 122.)

Making matters frustrating is that major wireless providers have adopted different standards that are not compatible with each other. Verizon and Sprint PCS use CDMA, while AT&T and BellSouth use TDMA. VoiceStream Wireless uses GSM and Nextel uses iDEN.

While vendors have helped to make an application work with different wireless standards, it is still important for a CIO to know what standard a wireless service provider (such as one of those mentioned above) is using. “One question to ask is, Will their approach allow me to interact with multiple networks?” says Bruce Wootton, a Durham, N.C.-based analyst for the Hurwitz Group. “Most corporations, to fully leverage the benefits of mobility, will need to support a wide geographic reach that covers all the different locations. And given the current state of the wireless carrier environment [in the United States], you can’t guarantee that you are going to get access everywhere.”

With telecommunications heavyweights behind each standard, none is likely to go away anytime soon. Given this, and the reality that some devices and some carriers work better than others in different locations, Wootton says CIOs should make sure that the functions in an application using wireless technology are device- and carrier-neutral.

That’s a powerful idea, but sometimes you have to solve these issues one piece at a time. Greeley Gas, a natural energy company covering Kansas and Colorado, sought in 1997 to streamline its customer service operation as a pilot project for its parent company, Dallas-based Atmos Energy. The company gave ruggedized mobile computers (known as Hammerheads, from WalkAbout Computers in Singer Island, Fla.), to field service technicians so that they could respond to and fill out the forms for a day’s worth of requests without returning to the office. Gary Merritt, an IT manager at Greeley, says only nine of 94 trucks in the two-state area had good enough coverage to allow always-on cellular digital packet data (CDPD) connections. The rest of the trucks relied on circuit-switched cellular technology that often took up to 10 minutes to connect and download information. Merritt says it took him more than a year to find a systems developer–New York City-based Vaultus–to provide connectivity software to solve the problem.

Proceed With Care

The key to avoiding problems–security or otherwise–is understanding how the technology changes your business.

The key, most CIOs agree, is to take incremental steps, learning as much as possible during each pilot and limited rollout. Wireless technology itself doesn’t leave holes that will lead to support or security hassles, but the way you implement the technology could. “My general advice is walk before you run,” says Frank Gillett, a senior analyst with Cambridge, Mass.-based Forrester Research. “Don’t do big projects unless you have the time and the resources to figure it out.”

And the news isn’t all scary, either. Remember my stroll around downtown Boston? I walked up and down a few streets, laptop poised, wireless modem activated, for about 20 minutes. You’ve read about the one strong, clear signal I picked up. But out of the host of office towers, housing banks, law firms and other corporate offices, that signal was the only one I found. Either there’s little going on out there with wireless LANs or someone is doing something right.