FUIT: Does the corporate WiFi work? You could just buy a $30 access point and install it yourself...

The Situation: Ken is a remote worker who visits TRI, Inc.'s main office a few times per year. He always has problems connecting to the corporate WiFi.


The Situation

Ken is a remote worker who visits TRI, Inc.'s main office a few times per year. When he gets there, he tries to use the corporate WiFi for both his laptop and his tablet, but it's locked down to domain users and, for whatever reason, it doesn't work. Each visit he tries, fails, and has to plug in a network cable (which doesn't require authentication). That means that he can't use his tablet at all, and when he goes to meetings, he can't be online. Talking to other people in the office, he learns that most of them have the same problem, too, and, instead of going to the IT guy, they just work around it by plugging in or using MiFis (remember, it only takes one person with a MiFi, and few people know, let alone care, what the corporate policy for such things is).

Using MiFis, though, means that you have to VPN in, and not having the VPN is about the only redeeming feature of visiting the main office for Ken. All in all, it's just a stack of small inconveniences. Added together, it's still pretty annoying for the user, because The Powers have put in place restrictive policies that, when followed, still don't work.

The FUIT

Ken thinks, "At home, all I have to do to make my network a WiFi network is install a $30 access point. What if I get one of those?"

One trip to Office Max and $30 on the corporate card nets Ken a shiny new Linksys wireless access point, which he plugs into his wired network connection. From there, it's only a matter of firing up the laptop, finding the "Linksys" network, and connecting. No authentication, full access to the network, no VPN, no problem.

Remember the FUIT motto: It only takes one? IOTO? Ken tells his coworkers that he's solved the problem, and now they're also accessing the Linksys network. The office is more efficient, people are less annoyed by IT, and the world is happy. 

By "the world," of course, I mean the whole world, inside and out. Ken doesn't know (and neither does anyone else in the office) that to do this with even the slightest bit of responsibility he needs to secure the network. Now anyone walking by can see the access point, connect to it, and have full access to the TRI, Inc. network that The Powers have tried to secure. All that work for nothing.

The Powers Should

This is a gaping hole in the security of the network, as any admin knows. But really, who's keeping tabs on all the wireless networks in the area? Some organizations do, but not all. Certainly not TRI, Inc., which, remember, is just a fake name for a real company where this is actually happening.

They were on the right track, providing WiFi with authentication to the domain, but it has to work all the time, or people will find another way. Everyone has WiFi at home, and almost everyone set it up themselves. You don't have to know much to set it up elsewhere, too. To Ken, it was a shot in the dark, but to us it's a no-brainer.

So what do The Powers need to do? For starters, they need to get that rogue network turned off. If you have to find them manually with a weekly walkthrough survey, great. If that's not possible or desirable, there are solutions out there that can detect and jam the signals (which I mentioned in a comment to the MiFi FUIT article). It's probably not actually jamming them, but I still can't get that scene from Spaceballs out of my head. 


"There's only one man who would dare give me raspberry..."

There are a number of WIPS (Wireless Intrusion Prevention System) solutions out there, like AirTight Networks, Fluke's AirMagnet, and Motorola's AirDefense (imaginative, eh?). Each of these can be used to mitigate this kind of threat, but they only solve the effect, not the cause.
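Whether you do the weekly walkthrough by hand or buy a WIPS, the logic is the same: compare what's on the air against what IT actually deployed, and go look at whatever is left over. Here is an added example of that triage (my illustration, not code from the article or from any of the vendors named above). It assumes the survey was exported as a CSV with the columns bssid, ssid, channel, rssi_dbm and security, and that IT keeps a list of the BSSIDs of its own APs; all the values below are constructed.

```python
"""Triage a Wi-Fi walk-through survey for rogue or open access points.

Added example, not code from the original article or any WIPS vendor. It
assumes the survey was exported as a simple CSV with the columns
bssid,ssid,channel,rssi_dbm,security (a format chosen here for illustration),
and that IT keeps a list of the BSSIDs of the APs it actually deployed.
Every value below is constructed.
"""
import csv
import io
from dataclasses import dataclass

# Constructed: radio MAC addresses of the APs TRI, Inc. deployed itself.
AUTHORIZED_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}
# Constructed: SSIDs only those APs are allowed to advertise.
CORPORATE_SSIDS = {"TRI-Corp"}

# Constructed survey export. The "Linksys" row is Ken's unsecured AP.
SAMPLE_SURVEY = """\
bssid,ssid,channel,rssi_dbm,security
00:11:22:aa:bb:01,TRI-Corp,6,-48,WPA2-Enterprise
00:11:22:aa:bb:02,TRI-Corp,11,-61,WPA2-Enterprise
c0:ff:ee:12:34:56,Linksys,6,-35,OPEN
de:ad:be:ef:00:01,TRI-Corp,1,-70,WPA2-Personal
aa:bb:cc:dd:ee:ff,CoffeeShop,1,-82,WPA2-Personal
"""


@dataclass
class Finding:
    bssid: str
    ssid: str
    rssi_dbm: int
    reason: str


def triage_survey(csv_text: str,
                  authorized_bssids=AUTHORIZED_BSSIDS,
                  corporate_ssids=CORPORATE_SSIDS,
                  min_rssi_dbm: int = -75) -> list[Finding]:
    """Return the APs worth walking over to, strongest signal first.

    Anything weaker than min_rssi_dbm is treated as a neighbour's network
    outside the building, unless it is advertising a corporate SSID.
    """
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        bssid = row["bssid"].lower()
        ssid = row["ssid"]
        rssi = int(row["rssi_dbm"])
        security = row["security"].upper()
        if bssid in authorized_bssids:
            continue  # one of ours
        if ssid in corporate_ssids:
            reason = "corporate SSID advertised by an unknown BSSID"
        elif rssi < min_rssi_dbm:
            continue  # too weak to be inside the building
        elif security == "OPEN":
            reason = "open network with a strong signal; check whether it is on our wired LAN"
        else:
            reason = "unknown AP with a strong signal; locate and verify"
        findings.append(Finding(bssid, ssid, rssi, reason))
    findings.sort(key=lambda f: f.rssi_dbm, reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage_survey(SAMPLE_SURVEY):
        print(f"{f.rssi_dbm:5d} dBm  {f.bssid}  {f.ssid!r}: {f.reason}")
```

Run against the constructed survey, it skips the two sanctioned APs and the weak coffee-shop signal, and reports Ken's open "Linksys" network first, followed by an AP that is broadcasting the corporate SSID from a BSSID IT never deployed. The signal threshold is the knob that separates "inside the building" from "next door", so tune it per site rather than trusting the default.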

To eliminate the cause, The Powers still need to provide a working solution. TRI, Inc. doesn't deal in matters of national security, so a working WiFi solution that engages a remote workforce shouldn't be too hard to put together.

This is just another example of one of those things that could very well be happening in your company without your knowledge. The Consumerization of IT isn't just about BYOD or bringing Macs or tablets into the workplace: if users decide that's what they want, they're going to find a way to do it.

 


11 comments


Good article Gabe, I'm sure there are lots of open "Linksys" doors because of this.


I have another suggestion that progressive companies do already. Make it easy for the users by providing an isolated guest network that works anywhere in the building / campus. Require these users to access as if they were remote, which most remote users should have. This allows safe BYOD without the pain for users that motivates them to find a DIY unsafe workaround.



Is it worth losing a 150K job to install a $30.00 unsecured WiFi? You might want to explore the angle of the "Control Principle".


Companies that take IT security seriously enough to lock down their network to the point it isn't "Easy" to just attach PoE to it or provide alternative access methods probably have very low tolerance for people working around the system.  


The “Rogue consumer IT” runs a risk of running into serious HR issues if it is determined that what they did goes against company policies.


When I hear or see people skirting the system, I always warn them about the "control principle" that is a possible outcome of their nefarious activity.  


To me the Control Principle is something I learned while watching the show House. Many people, if they break the rules, think they can say "I'm sorry" to someone in authority and expect or feel entitled to compassion, but in some professions like the medical profession, they operate where they take responsibility for their actions and failures because negligence is treated very harshly. Generally due to legal consequences.


Is the goal of your Consumer IT initiative to encourage people to take unnecessary career risks just to prove they can get their IT themselves? Or is the goal of this article to point out that organizations planning to secure their network need to take into consideration High Availability "Guest" access with non-company furnished equipment, otherwise they might have a mutiny?


Lawrence Lessig points out in his book "Code" that laws tend to be very harsh in the early stages of new technology initiatives. As the technology matures and addresses possible nefarious use cases with standardized controls to reduce risk, penalties get reduced as well. Businesses tend to dispense their own sense of justice pretty harshly and much slower.


I think a responsible Consumer IT person is one who respects boundaries and when they encounter situations they don’t like “Ask the right people questions”, and “Make suggestions on how to improve the end user experience”.  If they really need access to the network, ask to be assigned to a company workstation and Install a CITRIX Web Client to access their own IT unless of course they are forbidden to.


Consumer IT people need to understand and consider the “Control Principle” if they plan to revolutionize business with the freedom to choose their IT.



Who says it's a $150k job? My wife was a teacher making $28k/year and stuff like this was going on. It could be a janitor or a VP - it doesn't matter. And we're not talking about fancy technology that requires PoE - we're talking about a $30 router or access point from Best Buy that plugs into the ethernet cable and into the power outlet in the wall. I'm betting almost everyone could do this in their cubicle tomorrow.


The goal of the person in this article isn't malicious. He's just trying to do his job. Just like the person that uses SalesForce.com instead of his corporate CRM, or the person that uses dropbox to sync corporate files. They're not doing it to be rogue employees...they're doing it to make their job easier.


Show me in your company policy where it says "Thou shalt not bring in a WiFi access point and plug it into our network." Without being so explicit, it's left up to the employee to decide, and that's only if they're paying attention, which they're probably not. I can't remember the last time I saw an IT policy that I had to read and sign. All Ken thinks he's doing is getting himself some easier access to the network, not creating security issues. Users can't be expected to know those risks.


I understand where people are coming from saying that you have to have a policy against it, but a policy only works for the honest people that have read it. They don't work for the honest people that haven't read it (or that don't know what it means), and if someone actually is rogue, all the policy in the world is worthless without some sort of active system in place to A) eliminate security issues, B) prevent future security issues, and C) enable the user to do what he/she needs to do.


I think it's up to IT and HR to responsibly handle the consumerization of IT. I don't think that the users can be relied upon to act responsibly. Not that they're irresponsible, it's just that they're not paid/trained to know all the implications. A sales person worries about sales and contracts and orders…not IT policies that may not even make sense to them.


The goal of this site is to talk about "what's going on already in organizations, trying to raise awareness by exposing the methods people are using to circumvent IT policies and regulations," as is said at the beginning of every one of these articles.


Does it potentially educate someone? Yes. But it also brings to light a potentially serious situation. I know plenty of companies small, large, public, and private that don't have such policies in place, and even if they did, do you think the employee remembers or has read up on it?


The point of this article and anything else we do as part of the FUIT series is to show what is going on in the world. That this stuff is actually happening, and that companies need to do something about it. Everything we've written and will write is a true story, only with our fake names and fake company.


I hope this clarifies my points. I love all the comments on these articles, because this is the conversation we need to be having, so keep it coming!



Two solutions: switchport port security or 802.1x. I personally secure all endpoints with port security; I am not a fan of 802.1x. The unused ports I either shut down or, my favorite, put on a bogus VLAN which goes to nowhere.
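The port-security approach in the comment above catches Ken's AP on the wired side, because a single user's access port should only ever learn one MAC address, and a consumer AP shows up as its own MAC plus one per wireless client. As an added illustration (my code, not the commenter's or any vendor's), here is the same check run over a constructed MAC-address-table dump, plus the switch configuration that would enforce the limit; the dump layout and the command syntax assume a Cisco IOS-style switch, which the comment does not specify, and every port name and MAC is made up.

```python
"""Find wired ports that are learning more MAC addresses than one user needs.

Added example illustrating the port-security approach from the comment
above; it is not the commenter's code or any vendor's. A user's access port
normally learns a single MAC address. A consumer access point plugged into
it shows up as that AP's MAC plus one per wireless client, which is exactly
what 'switchport port-security maximum 1' would refuse. The MAC-table dump
and port names are constructed; the layout mimics a Cisco-style
'show mac address-table' (an assumption about the switch in use).
"""
from collections import defaultdict

# Constructed dump. Gi1/0/7 is the port Ken's Linksys is plugged into.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4401    DYNAMIC     Gi1/0/5
  10    0011.2233.4402    DYNAMIC     Gi1/0/6
  10    c0ff.ee12.3456    DYNAMIC     Gi1/0/7
  10    3c5a.b4aa.0001    DYNAMIC     Gi1/0/7
  10    3c5a.b4aa.0002    DYNAMIC     Gi1/0/7
  10    0011.2233.4499    DYNAMIC     Gi1/0/8
   1    0000.0c9f.f001    STATIC      CPU
"""

UPLINKS = {"Gi1/0/48"}  # constructed: ports where many MACs are expected


def macs_per_port(table_text: str) -> dict[str, set[str]]:
    """Parse the dump into {port: {mac, ...}}, ignoring headers and the CPU entry."""
    per_port: dict[str, set[str]] = defaultdict(set)
    for line in table_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # header, separator or malformed line
        _vlan, mac, _entry_type, port = parts
        if port == "CPU":
            continue  # the switch's own management entry
        per_port[port].add(mac.lower())
    return dict(per_port)


def flag_ports(table_text: str, max_macs: int = 1, uplinks=UPLINKS) -> dict[str, int]:
    """Ports (excluding uplinks) that exceed the per-port MAC budget."""
    return {port: len(macs)
            for port, macs in macs_per_port(table_text).items()
            if port not in uplinks and len(macs) > max_macs}


def port_security_config(port: str, max_macs: int = 1) -> list[str]:
    """Cisco IOS-style lines that enforce the same limit on the switch itself.

    Syntax is an assumption about the platform; adapt to your vendor.
    'violation shutdown' err-disables the port when an extra MAC shows up,
    which is the behaviour the commenter relies on instead of 802.1X.
    """
    return [
        f"interface {port}",
        " switchport mode access",
        " switchport port-security",
        f" switchport port-security maximum {max_macs}",
        " switchport port-security violation shutdown",
    ]


def unused_port_config(port: str, parking_vlan: int = 999) -> list[str]:
    """Both of the commenter's measures for unpatched ports: park the port on
    a VLAN that goes nowhere (999 is a constructed number) and shut it down."""
    return [f"interface {port}",
            f" switchport access vlan {parking_vlan}",
            " shutdown"]


if __name__ == "__main__":
    for port, count in flag_ports(SAMPLE_MAC_TABLE).items():
        print(f"{port}: {count} MACs learned; suggested config:")
        print("\n".join(port_security_config(port)))
```

On the constructed table only Gi1/0/7 trips the check, with three addresses behind one cubicle drop. In practice you would pull the table from every access switch on a schedule and exclude trunks, uplinks and ports that legitimately feed a desk switch or VoIP phone, or the report fills with noise and nobody reads it.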



The "Powers" need to be introspective about this. Why is it so hard to get a wireless device on the network in the 1st place? Security, yes, is one reason. Chris Fleck suggested a Guest WLAN for example. Many enterprise grade APs (and even some cheapo Linksys APs do too) support multiple WLANs. Why not have a simple Guest network that just gives them Internet access which passes through corporate filters? Security is appeased and Ken gets to use whatever device he wants on the WLAN. Going further, the Powers can use their expensive APs to monitor for "rogue" APs like Ken's and use it as an opportunity to show Ken how easy it is to join the Guest WLAN.


FUIT evolved from heavy handed policies. Dropping the hammer on people doesn't solve Ken's problem and long term doesn't prevent the next Ken from doing the same thing.  



@Gabe, losing your job due to perceived negligence of creating unnecessary risk on your company's property, both physical and virtual, would affect the victim's wellbeing. Arguing over the dollar amount isn't productive. I used the dollar amount as a metaphor to illustrate personal risk and cost. All of a sudden a $30.00 router costs you a lot more. Is it right? Like I said, you have to consider the control principle and boundaries when applying the FUIT model, otherwise a lot of well meaning people will get themselves into trouble if what they do leads to exposure.


WiFi access is one of the access methods for FUIT because of... spotty coverage, lack of guest access, not highly available, not managed well, etc.


You are correct, nefarious people don’t follow policy, that is why systems are adopting intrusion detection and other security means to detect and eliminate threats.  If your $30.00 router leads back to a system creating mayhem, some people might not understand.


When you use the FUIT model, you have to do more than what is easy, you need to use sense. I would put forth the following as FUIT common sense. We are driven by our natural bias and sense of doing what is easy AND right. To us this is "common sense", but sometimes control, not rocking the boat, and having fun are drivers of our desire to FUIT. We need a balanced personality when executing FUIT, otherwise our egos might get us into hot water. If you are smart enough to use a device on the network, you are smart enough to find out the rules of the pool, so to speak, and if you disagree, seek avenues to change or abstain. FUIT isn't an entitlement, especially when it is poorly executed.



@Matt, I disagree, FUIT evolved due to cheap access to powerful  personal IT equipment.



@toddler Let me clarify. Part of FUIT is the FU part. Cheap well performing technology isn't all of it (certainly part of it, yes). Why didn't Ken ask his IT service provider to simply set up his device wirelessly for him? Shouldn't that have been the easiest course of action? Why would a user rather expense a cheap access point and set it up themselves (admittedly not hard for anyone these days) than get it set up by pros for nothing more than an email or phone call? Is he putting his company at risk? Probably. Is he violating company policy? Likely. None of that prevented it from happening in the scenario. If the point is to "control" the user, the powers have failed epically. Consumerization forces a rethink.



I feel like the disconnect might be the difference between consumerization and FUIT. FUIT is users taking it upon themselves to do things, regardless of IT and policies. Like I mentioned before - it's not necessarily malicious. It's just that users actually have that ability now.


Consumerization is the thing that organizations will open up for, or implement. The Control Principle that @toddler mentions applies there more than with FUIT. FUIT sort of implies that users are either ignorant to or ignoring policy and the implications.


These are all great conversations to be had because it helps us refine that message, and it helps us focus FUIT for what it is - informing people how IT is being circumvented so that appropriate actions can be taken. Sometimes those actions amount to so-called active policies (where IT is physically doing something to prevent these things), passive policies (where they just say "you're not allowed to do it"), or embracing it as a facet of consumerization. Usually that is done in conjunction with one of the first two, though.



@Gabe and Matt - Thanks for clarifying your points. I appreciate the effort.


One thing to consider is that FUIT is probably going to fall under Tacit Knowledge when it is learned and executed. You might consider a series on how to FUIT and use video to demo things to seek out when looking to purchase FUIT equipment and integrate it.



I ran into a situation where someone (and by someone I mean a "state-sponsored" H1-B spy) had attached a cell-phone as a wireless bridge and was slowly penetrating our entire international network. This was years ago. You should see the devices they sell at Pwnie Express today and how far this type of penetration has come.

