In the world of Internet security, experts say, one of the greatest astonishments is the number of Wi-Fi networks completely open to the world.
"You've got to know something about Wi-Fi to protect yourself," says David Perry, global director of education at Trend Micro. "Turning on network security would be a good start," he adds drily.
"People know of the risk that someone in the company parking lot can nail you through your Wi-Fi network, but you've also got to think about the risks when you travel," says Frederick Felman, marketing vice president at San Francisco-based Zone Labs, a provider of Internet security solutions.
Example: "I recently stayed in a hotel and left my computer on overnight," Felman says. "While I slept, my computer went out on a visit to meet its friends all around the world. In the morning, I counted 75 discrete individuals trying 275 different ways to get into my PC." (His company's ZoneAlarm Pro package stopped them all, he says.)
So-called Wi-Fi "war driving" (wandering around and tapping into wireless networks) has evolved into a well-established practice with user-friendly software, notes Perry. While many war drivers are just looking for free Internet access, some have darker designs.
Experts suggest taking the following steps to protect your company:
1. Set up WEP properly. While Wi-Fi's basic WEP encryption is very far from perfect, setting it up properly on the wireless access point and on each PC cuts your risk. Wi-Fi security is evolving quickly; the latest version of Windows XP supports a WPA (Wi-Fi Protected Access) standard that is much improved.
2. Guard your overall network against improper Wi-Fi access. Hook the wireless access point to an appropriate security gateway rather than directly to the network, and make sure individual PCs are properly protected. Consider third-party software, devices and/or services specialized for wireless security.
3. On the road, use VPN software when connecting your laptop to your office network. In fact, it's a good idea to do this from any remote location, whether or not you are wireless.
As handheld computers get more powerful and as the variety of Wi-Fi connections grows, it's more and more important to keep an eye on the potential threats. Zone Labs parent Check Point Software Technologies already offers the VPN-1 SecureClient product for Pocket PCs. -E.B.
"If you receive an e-mail from one of your friends about a virus, it is almost always a hoax," says Perry. "If you're asked to send it to a friend, it is 100 percent a hoax. We have never found an e-mail chain letter, ever, that was anything real at all."
Of course, there are some chain letters that do pose real trouble. Some carry worms or viruses. Others aim to grab your passwords or credit information by posing as messages from companies such as eBay. "Those are especially nasty; they strike people at all levels of sophistication," comments Frederick Felman at Zone Labs.
Other malignant messages can include a link that sends you to a rogue site, one that may look like, say, eBay but be something quite different.
Then there are the get-rich-quick schemes such as "Help me store my gold," notes Vincent Weafer at Symantec Security Response group. "Hoaxes will always be there."
While content-filtering technology can tackle much of this infected spam, "education is a big part of the response," Weafer says. "The human aspect is often the weakest link. Anything that seems too good to be true is."
Employees who are in doubt about something they receive via e-mail or see on a Web site should check with the go-to person in the company, Weafer notes, or visit valid Web sites such as those run by Microsoft and the security software companies.
"No matter how sophisticated your technology barriers are, the human element can be absolutely critical," says security expert W. David Stephenson of Stephenson Strategies, a security consulting firm in Medfield, Massachusetts. That means not only keeping employees informed, but also empowering them to make the right decisions, he emphasizes.
"While you must continuously keep on top of security advances, at the same time, you must understand that everyone in the company may be the last line of defense," Stephenson advises. "Don't just tell them what the rules are; explain them."
And make sure that everyone gets it. The Human Firewall Council offers advice and resources that can help you make sure all employees have gotten the word. -E.B.
Passwords are a pain, and they often foul up their jobs.
We pick passwords that are easily guessed. We use the same passwords over and over again, in places where they are absolutely critical and in other places where we don't even bother to guard them. We share passwords inappropriately, forget them, blast them out via e-mail for all the world to see, or even set up our computers to ignore them altogether.
Make no mistake about it, that's a huge problem when people all over the world are constantly, and quietly, trying to waltz into your computers to grab control of customer information or the computers themselves.
And that huge problem is driving the spread of biometric security measures, based on individual physical characteristics that are distinctive and reliably quantifiable. The main techniques include fingerprint, hand, iris and face scanning. Fingerprint scanning is the leading approach, accounting for about half of the $1.5 billion market, according to biometric consulting and services firm International Biometric Group. Leading player AuthenTec shipped its millionth fingerprint scanner last year.
Biometric devices can be directly integrated into computer hardware. For instance, MPC Computers builds fingerprint scanners into its TransPort notebook line, which the company says sells briskly to small and midsize businesses. And unlike the case with smart cards (any plastic card with an embedded microchip where data can be stored), you can't lose or leave behind your means of access.
As slick as these devices are, however, they add cost and potential inconvenience, and some techniques (such as iris scanning) may make users uneasy. Also, it's often possible to fool the devices, experts say. Finally, according to Eric Ogren at The Yankee Group, due to accuracy and expense issues, biometrics is still not for everyone at this point.
"We do believe there is a need for better identification, and the technologies are getting better each year," says Mark Bouchard at META Group. "But we continue to see some pretty dramatic shortcomings. You have to balance keeping the right people in and the wrong people out. We're seeing a 2 to 3 percent error rate, which is pretty high."
According to Bouchard, "Overall, we're skeptical on biometrics but [are] keeping an eye out." -E.B.