Protecting Organizations From Prying Wi-Fi Crackers

Computerworld - Suddenly, Wi-Fi is everywhere. In New York, McDonald's restaurants offer Wi-Fi with your burger and fries. Bookstores, hotels and airports have also started to offer wireless Internet access points.
The technology is hot right now, with good reason. Wi-Fi lets employees connect to the Internet or tap into their office computer networks from just about anywhere -- a conference room, home or hotel. No more fuss with phone lines, jacks and cables. Plus, with wireless LANs, businesses can quickly and easily expand their computer networks at a low cost.
But there's a downside. Although Wi-Fi is cheaper to install and implement than its wired counterpart, the technology is newer and more vulnerable to unauthorized access. In addition, the cost of properly securing and maintaining a high security level for Wi-Fi can add as much as 30% to the cost of the initial hardware and implementation.
The lack of good security can be even more costly. An organization could be held liable if a third party gains unauthorized access to its computer network. Customers could suffer losses and sue for invasion of privacy, credit card theft, identity theft or breaches in contracted performance. Although the costs associated with credit card theft are borne by the credit card issuer, civil liability for privacy violations are not.
It's not hard for someone to gain access to an unsecured network through a Wi-Fi access point. A computer security analyst proved that point last year to officials in Harris County, Texas. Using a laptop computer and a WLAN card, the analyst broke into the district clerk's office in front of the head of the county's Central Technology Department and a newspaper reporter. The incident showed that organizations are often unaware of how insecure their networks are.
Consider some other possible scenarios:

• A cracker gains access to your enterprise through a wireless access point, calls up a file containing customer health records and publicly discloses them. Several customers are later denied insurance because of the disclosure. They could sue you for public disclosure of private facts.


• Your organization's WLAN is breached, and the crackers have gained access to hundreds of customer credit card numbers and other customer information. The crackers demand an extortion payment and your organization refuses to capitulate, so they release 20,000 names with personal information. If the customers sue for public disclosure of private facts, your organization could be liable.


• You're in the business of hosting Web sites or another service that's dependent on the real-time availability of your computer network. A cracker breaches your WLAN and gains access to the Web servers you manage for one of your customers. The cracker renders the customer's site inoperable. The customer subsequently sues for revenue lost during the time the Web site was off-line. Your organization could be liable for the financial injury your customer suffers as a result of an unauthorized access to your system.