Wireless Security Gets Serious

While many devices use wired equivalent privacy encryption, or WEP, it’s easy to break the code. “There are hundreds of tutorials for cracking WEP encryption on the Web,” Pfeffer says.

If you don’t have knowledgeable wireless security resources in-house, work with a telecommunications consultant with a background in security to make sure you have appropriate security measures. “We advise our business customers to maximize both the level of encryption available within their wireless network and the level of authentication within their wireless devices,” says John Stanoch, the Minnesota president of Qwest, a provider of telecommunications services.

Besides encryption, businesses should be careful not to broadcast certain information over the wireless network. For instance, guard your service set identifier, or SSID, which is the 32-character alphanumeric key that differentiates one wireless local-area network from another. (All devices that are trying to connect to a given wireless local area network must use the same SSID.) Pfeffer also suggests using a private subnet of a wireless network—a network within the network—that is as small as you can make it while still allowing the appropriate number of users. A subnet can improve the performance and increase security of the network.

Staying up to date on security alerts is another way to stay on top of wireless security. Stanoch recommends checking out www.cert.org, a Web site that examines Internet vulnerabilities and network security issues and is operated by Carnegie Mellon Univer-sity in Pittsburgh.

Policy Points

“Companies need to be at least as serious about wireless security as they are about physical security,” Bult says. Businesses need to follow standards for technology, threat assessment, and threat remediation, including the maintenance of anti-virus, anti-spyware, and firewall software, and keeping application and operating system patches current.

But the best security efforts can be undermined by the end user. More companies are writing policies that address the issues of wireless device security: How do you ensure wireless devices and networks are encrypted and password protected? Can employees set up their own wireless subnet to work from home on the company’s wireless network? What steps should an employee take after a mobile device is stolen? What should be done when an unauthorized person has accessed information on a mobile device or wireless network? Clearly stated protocols protect employees and the company.

Companies should also be wary of spam, phishing, and virus attacks on mobile devices, which could increase as services such as instant messaging on cell phones become more popular. Currently, these attacks are more common in Europe and Asia, where e-mailing and text messaging from mobile devices is well established and thus is more likely to be used as an avenue of attack, Bult says.