Following the theft of its key customer contact lists, NCTPTI, Inc. (Name Changed To Protect The Innocent) hired our company (CQUR IT) to perform a security assessment. We found the client's wireless local area network (WLAN) unsecured and accessible from any area within 500-plus feet of its office building. Undetected, we successfully "hacked" its network and retrieved a copy of key customer contact lists. Our next task was to take this information to the client and tell the client what was wrong and how to fix it. Hack and tell
Once we identified the WLAN vulnerabilities, we immediately alerted the senior management team (SMT) to their significance. The following day, five of the six members of the SMT held a meeting at their facility to discuss the security assessment. The CEO excluded the CIO to ensure that the findings could be discussed openly. After introductions, we pulled a notebook PC from a briefcase, opened it on the conference room table, and posed the rhetorical question, "Would you allow any individual with a notebook to walk in off the street and plug it into your network?" The SMT sat around the conference table with amused faces, until the CEO smiled knowingly and replied, "Of course not, but I don't suspect you would have kicked off the presentation with that question without a reason." We smiled back and rotated the notebook to demonstrate our ability to access the client's content, including the customer contact lists that had been exploited. We sat through several seconds of silence until the director of business operations said, "Somehow, I think this meeting is going to get worse before it gets better." The halfhearted laughs and serious faces indicated that we had accomplished our initial goal of getting their attention and relaying our concerns regarding their current network security. The balance of the meeting with the SMT focused on "reasonable and appropriate" uses for WLAN technology. The SMT agreed that there were compelling business reasons--cost and mobility--to continue using WLAN technology in their facility, but they would only do so if they could secure their data. To address the vulnerability as quickly as possible, we were asked to work with the information technology group to properly secure the WLAN. Building bridges
As is often the case when conducting a senior management-initiated security assessment, the review was as much about the key members of the IT team as it was about network security. In this case, the CIO, an SMT member, was kept distant by the CEO to ensure that the proper level of separation and control was applied. While this was in the best interest of the client, it made the situation potentially difficult for us as consultants. According to members of the IT staff, the severity of the findings, coupled with the CIO's exclusion, resulted in an unpleasant meeting between the CIO and the CEO. In the wake of that clash, we met with the CIO and his staff to initiate the WLAN vulnerability remediation. The meeting proved to be painful for both parties, but was surprisingly productive. Without building trust, however, that productivity wasn't guaranteed to last. After the meeting, we requested a one-on-one with the CIO to discuss the assessment, with the intent of transforming our relationship from antagonistic to advantageous. (Having led a software development organisation in the past that was often the subject of FDA audits, I have a significant appreciation for the "violated and exposed" feelings one can experience during an audit review with senior management.) The CIO was pleased to learn that a considerable amount of my discussion with the SMT positioned the WLAN problem as indicative of broader organisational issues, including insufficient IT governance by the SMT and the lack of a formal IT steering committee. Because he had recently raised the same issues, the CIO felt validated in his opinion: His IT organisation wasn't consistently being put in a position to succeed. Over time, we continued to build our relationship with the CIO and established our team as a key asset and regular contributor to the client's information security efforts. Had we not taken steps to help bring the CIO along, it's doubtful that the client would have adopted most of our recommended changes. WLAN security 101
The actual remediation efforts necessary to correct the WLAN vulnerabilities were fairly straightforward. We provided the client with some very basic guidelines for optimal WLAN deployment. Reposition the access point or use a directional antenna
The access point (AP) had been placed toward the southeast corner of the building, where it broadcast a quality signal to the local interstate and a neighboring office building. Depending on the building's physical structure, additional walls can significantly reduce the distance the AP broadcasts beyond the building. Directional antennae can also be used on the AP to further restrict broadcasting. Add an additional low-end firewall between the AP and the network
Using a firewall can provide basic authentication to WLAN users. Test the perimeter
Identify locations, and their distances from the AP, where someone can connect to the network. Five hundred feet away in the middle of a cornfield is preferable to 100 feet away in a neighboring office building. In the case of NCTPTI, moving the AP successfully eliminated the ability to access the network from a neighboring building, but only minimally reduced the distance from which someone could connect on the interstate.