Wireless Wake-up Call

Computerworld - I can't decide what amazes me more about the slow-motion security crisis unfolding around wireless LANs. Is it the cluelessness of users who - by the thousands - are installing unsecured "rogue" wireless access points (AP) inside their company networks? Or is it the stubborn refusal (or just plain inability) of so many IT departments to deal effectively with the problem?
Either way, this train wreck is heading for a station near you. When bad things happen to good corporate data, IT management gets blamed. And wireless networks are the security equivalents of Swiss cheese.
Unfortunately, those clueless users are driving this train. In the past two years, more than 12 million wireless LAN cards and APs were sold. Users are the unstoppable force behind this third wave of uninvited technologies invading the corporate IT space. First came PCs, then Web browsers. Now it's wireless access points.
Over the past several months, we've written many stories about wireless network vulnerabilities uncovered at major airlines, name-brand retailers and government agencies that ought to know better. In nearly every case, the standard defense was to claim that the breach didn't really matter because the exposed data wasn't "sensitive" or proprietary. Bzzzt! Wrong answer.
The real danger of APs, security experts point out, lies in the unwelcome access to your internal networks and how much an intruder can learn about your systems. "Once you're sitting on a corporate network, you can gain universal network-level access and talk to any machine," says Eric Schnack, chief operating officer at Palisade Systems, a security vendor in Ames, Iowa, that specializes in protecting network-level access. "You don't want random people inside your network, sending arbitrary traffic to a mission-critical server or bombarding the ERP server with traffic," adds Sandeep Singhal, CTO at security infrastructure vendor ReefEdge in Fort Lee, N.J.
So, what are you doing about it? Worrying, mostly. In this week's issue and on our Web site, we've published the results of our wireless LAN security survey of 159 IT professionals - nearly half of whom confessed to having no confidence in their own wireless security. Some 46.5% haven't written any policies forbidding employees from installing them in the first place.
So, what should you be doing instead of just worrying? We offer plenty of ideas from your peers in "The Security Action Plan," starting on page 23 and online . But here's a short wireless security to-do list:
? Be the bad cop. Insist that IT maintain total control of all wireless LAN access, and