SAN FRANCISCO (10/03/2003) - Warning: While you're hanging around the IT water cooler fretting about wireless security, critical corporate data could be walking out the door hanging from someone's keychain. The smiling stranger in the hallway you just asked for the time should have responded, "It's 10 a.m. Do you know where your data is?"
Recently, I moderated a wireless security conference panel discussion in Chicago sponsored by the MIS Training Institute about the pros and cons of wireless deployment. The panel's catchy title was "Wicked Wireless," reflecting some of the general fear circling around 802.11b -- the rogue networks, war-driving, and weakness of WEP (wired equivalent privacy) security. The panel was supposed to focus on issues specific to wireless security, but the discussion kept veering back towards general security practices. As the moderator, I tried to steer the focus back to things like WEP, MAC address filtering, and SSID broadcasts, but those topics were of limited use to the discussion. I realized something that I've known but have often forgotten: Although new technologies require adjustments in security handling, security is largely driven by common sense and the personal relationships between people, not computers, because technology changes constantly.
Even within a particular realm of technology like wireless, certain standards get more attention in the security realm than others. When was the last time you heard someone talk about Bluetooth security, for example? Eric Maiwald of Bluefire Security Technologies, the author of two books and an expert on handheld security, noted that most Bluetooth devices have longer range than advertised. To promote ease of use, most of those devices are set to communicate as default, allowing any Bluetooth client within range to pull or push contact information, e-mail, and other information from another Bluetooth device.
Towards the end of the discussion, Ian Poynter, an independent security consultant, held up a device that he described as security's "worst nightmare" -- a small USB thumb drive. They're cheap, small, and incredibly mobile. Frankly, I had known about them, but hadn't considered them a security risk. Poynter noted that easily used operating systems such as Windows XP and Mac OS X allowed for near-instant installation of such a device on almost any computer in a matter of seconds, and with such devices capable of holding 64MB or more of information, an intruder (or an insider) in your organization could stealthily make off with key corporate data while you're refilling your coffee. One person in the audience pointed to his watch as a USB storage device. I did some research after the panel, and yes, you can now buy the DiskGO! watch in 128MB and 256MB models. IT could conceivably set a policy against USB thumb drives, but what do you do about watches that double as storage devices?
After we talked about Bluetooth and thumb drives, wireless didn't seem quite so wicked. Despite concern about the proliferation of wireless devices, the panel was in complete agreement about one thing: IT departments that think they can say no to wireless and handhelds are in a state of denial -- it's already there (as I've noted before in "The Battle for Decentralizaion"). The benefits of wireless are too compelling to put the technology genie back into the bottle.