WOULD YOU LIKE THAT DATA TO GO?

Rough Notes, May 2005 by Chivvis, John

Wireless access without proper security opens agencies up to greater risk

It may be happening right now.

A competitor, maybe even a former employee, is accessing your network, your management system-your data. That individual is running a report, and getting contact names and numbers, as well as expiration dates on policies, to begin "reaching out" to a new group of prospects.

This person may have never set foot in your agency, never touched your computers; he or she sat comfortably outside in the car in the parking lot, or in a nearby office or the coffee shop next door, getting all that data because you didn't secure your network, your data and, most important, your wireless connection.

Brian Bartosh, president of Alpena, Michigan-based Top O' Michigan Insurance (www.tomia247.com) and Tim Woodcock, president and CEO of the Davie, Florida-based Courtesy Computers, Inc. (www.courtesy computers.com), know what open wireless connections and poor security practices can cost an agency. Both contributed to the Agents Council for Technology's (ACT's) newly released report, "The Independent Agent's Guide to Systems security: What Every Agency Principal Needs to Know." (www. independentagent .com/act/).

Having been hacked once in the past, Bartosh knows the importance of security but knows others may not think the same way. "As part of the security working group [of ACT]," says Bartosh, "I've come to realize that there are so many security issues that insurance agents ignore, and if network security is open, then wireless opens it up even more."

Bartosh, Woodcock, and ACT, as well as Gartner, Inc., a provider of research and analysis on the global IT industry, concur that network security and wireless security must work hand in hand. Gartner's White Paper, "Winning in the Mobile and Wireless World," suggests a three-pronged strategy for wireless security-protect the enterprise, protect the data, and protect the devices.

Protect the enterprise

According to Gartner, "Through 2006, 70% of successful WLAN (wireless local area network) attacks will be due to misconfiguration of WLAN access points and client software."

It's easy for Woodcock to believe the statistic because he has seen agencies that are statistics. "Not too long ago, we had an agency call us. They were noticing a big degradation and slowness in the network, and their tape drive was full to the point they needed two tapes." He learned that the agency had recently bought wireless equipment and configured it themselves.

The problem? Woodcock says that the agency's wireless access point was near the hallway so the business next door was using the agency's network, servers, and tape drives to store and back up its files.

ACT's first suggestion to agents who want to secure their wireless network is to simply position the access points in the center of the office so that the signal will radiate to the walls or windows, but not beyond. ACT follows that up with a recommendation that agents purchase equipment that can be updated as security flaws or holes are found. On both accounts, Woodcock suggests finding qualified professionals to help configure wireless access points, software and related equipment in order to customize the wireless solution specifically to the agency and the agency's needs.

"Wireless, like any other access, needs to be utilized only where there is a legitimate business use," says Woodcock. For example, Bartosh has wireless access in each branch location's conference room so producers can connect when in the office. He also uses wireless to attach some scanners to the network because of where the scanner is located. However, wireless is not deployed throughout the building or for any of the desktops.

Woodcock says that "out-of-thebox" wireless solutions should be avoided. Instead, agents should take advantage of basic security features like enabling "wired equivalent privacy" (WEP) which is usually turned off as a default. Simply enabling WEP is not enough because default WEP keys are well known and easy to find on the Internet. Woodcock recommends changing WEP keys once a month.

An additional level of security is to change the default wireless network ID, called the service set identifier (SSID). As default SSIDs are also easy to crack, ACT recommends that agencies choose a new one with little or no meaningand not the agency name. To help hide access points from snoopers, agencies can also disable the automatic "broadcast SSID" feature making wireless networks less accessible to those devices not entering the correct SSID.

"Basically, people like to poke around, Bartosh says, reminding us of the proverbial bathroom medicine cabinet. (Who hasn't been tempted to take an uninvited peek?) As an example, Bartosh points out that when he visits his daughter at college, he will pull into a local hotel parking lot and "poke around" to see if he's able to access their wireless network to check his e-mail or take care of a few business matters.

Similarly, using a "sniffing" device that can cost as little as $10 or just walking around with a wireless-enabled laptop, growing numbers of people "war-chalk" or "war-drive." This means they travel around checking for available wireless connections and then marking distances, signal strength, and access notes in chalk on the road or sidewalk outside the wireless access point.