Rogue Networks Stir Trouble for Firms of All Sizes
It is disconcerting to hear that a recent audit of the Internal Revenue Service's computer security posture revealed that some field offices were operating wireless networks accessible to anyone lurking nearby with a laptop.
The IRS inspector general's office scanned 20 IRS buildings in 10 cities. It found unauthorized wireless networks in at least four instances. The audit noted that one of the networks required no authentication at all, potentially exposing the IRS's internal network and taxpayer data to unauthorized access.
The IRS has one authorized wireless network, located in its Bloomington, Ill., field office. But auditors found that one of that network's access points was operating in a default configuration. That means it was still set up with the well-known user names and passwords used to change the router's network settings. The auditors also found that only limited monitoring was being done that would alert the IRS if someone tried to join, tamper with or attack the network.
The idea of the IRS, which harbors mountains of personal data, using unauthorized wireless networks is jarring. But the reality is that these "rogue wireless networks" are a common security problem for organizations of any size.
Even companies that have a security staff periodically scanning for rogue networks set up by employees can miss wireless access points operating in "stealth mode," said security researcher Josh Wright with Aruba Networks, a Sunnyvale, Calif., firm. For instance, a free software tool called "Wknock" enables its user to set up a wireless router so that it responds only when it is given a predetermined sequence of data, presumably a string or sequence of network signals known only to the individual who set it up on the network.
Wright, whose firm sells wireless monitoring services, has audited dozens of companies for rogue wireless networks. Companies with strict "no wireless" policies are usually the ones that have the most problems with rogue networks.
"A lot of times employees want wireless access and figure if their organization isn't going to provide it to them in a managed and hopefully secure deployment, often times those users will go off and decide to implement their own," Wright said.
The IG's report found that the IRS was attempting to detect unauthorized access points on an ad hoc basis, with limited success. As of May 2006, the IRS had scanned fewer than 6 percent of its nationwide locations, concentrating mainly on offices in the Washington area.
"We believe this scanning is of limited value, considering wireless access points can be set up easily anywhere in the nation and can place the confidentiality of the data at risk," the inspectors wrote. The report calls on the IRS to begin using available tools to continuously monitor its offices for rogue networks, a recommendation that the IRS said it planned to implement.
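As an added illustration of the continuous monitoring the inspectors recommend (this is not code from the audit or from any vendor named above), the sketch below compares wireless survey results against an inventory of approved access points, flags unapproved or unauthenticated ones, and lists sites that were never surveyed. The site names, addresses and CSV layout are constructed assumptions; an access point that stays silent, as in the "stealth mode" described above, produces no survey rows and is outside what this check sees.

```python
import csv
import io

# Constructed sample data: one row per access point seen in a site survey.
SCAN_CSV = """site,bssid,ssid,security
bloomington,00:11:22:33:44:01,corp-wlan,wpa2
bloomington,00:11:22:33:44:02,corp-wlan,open
site-b,66:77:88:99:AA:01,linksys,open
site-b,66:77:88:99:aa:02,,wpa2
"""

# Hypothetical inventory of approved access points, keyed by site.
AUTHORIZED = {
    "bloomington": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "site-b": set(),   # no wireless approved here
    "site-c": set(),   # no wireless approved here
}

def audit(scan_csv, authorized):
    """Return (findings, unscanned_sites) for one round of survey data."""
    findings = []
    seen_sites = set()
    for row in csv.DictReader(io.StringIO(scan_csv)):
        site = row["site"].strip().lower()
        bssid = row["bssid"].strip().lower()
        seen_sites.add(site)
        approved = {b.lower() for b in authorized.get(site, set())}
        if bssid not in approved:
            findings.append((site, bssid, "unauthorized access point"))
        # Approved or not, an open network needs no authentication to join.
        if row["security"].strip().lower() == "open":
            findings.append((site, bssid, "no authentication required"))
    # A site counts as surveyed only if at least one row names it.
    unscanned = sorted(set(authorized) - seen_sites)
    return findings, unscanned

if __name__ == "__main__":
    results, gaps = audit(SCAN_CSV, AUTHORIZED)
    for site, bssid, reason in results:
        print(f"{site:12} {bssid}  {reason}")
    print("sites with no scan coverage:", ", ".join(gaps))
```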