Ken is a remote worker who visits TRI, Inc.'s main office a few times per year. When he gets there, he tries to use the corporate WiFi for both his laptop and his tablet, but it's locked down to domain users and, for whatever reason, it doesn't work. Each visit he tries, fails, and has to plug in a network cable (which doesn't require authentication). That means that he can't use his tablet at all, and when he goes to meetings, he can't be online. Talking to other people in the office, he learns that most of them have the same problem, too, and, instead of going to the IT guy, they just work around it by plugging in or using MiFis (remember, it only takes one person with a MiFi, and few people know, let alone care, what the corporate policy for such things is).
Using MiFis, though, means that you have to VPN in, and not needing the VPN is about the only redeeming feature of visiting the main office for Ken. All in all, it's just a stack of small inconveniences. Added together, it's still pretty annoying for the user, because The Powers have put in place restrictive policies that, when followed, still don't work.
Ken thinks, "At home, all I have to do to make my network a WiFi network is install a $30 access point. What if I get one of those?"
One trip to Office Max and $30 on the corporate card nets Ken a shiny new Linksys wireless access point, which he plugs into his wired network connection. From there, it's only a matter of firing up the laptop, finding the "Linksys" network, and connecting. No authentication, full access to the network, no VPN, no problem.
Remember the FUIT motto: It only takes one? IOTO? Ken tells his coworkers that he's solved the problem, and now they're also accessing the Linksys network. The office is more efficient, people are less annoyed by IT, and the world is happy.
By "the world," of course, I mean the whole world, inside and out. Neither Ken nor anyone else knows that to do this with even the slightest bit of responsibility he needs to secure the network. Now anyone walking by can see the access point, connect to it, and have full access to the TRI, Inc. network that The Powers have tried to secure. All that work for nothing.
The Powers Should
This is a gaping hole in the security of the network, as any admin knows. But really, who's keeping tabs on all the wireless networks in the area? Some organizations do, but not all. Certainly not TRI, Inc., which, remember, is just a fake name for a real company where this is actually happening.
They were on the right track, providing WiFi with authentication to the domain, but it has to work all the time, or people will find another way. Everyone has WiFi at home, and almost everyone set it up themselves. You don't have to know much to set it up elsewhere, too. To Ken, it was a shot in the dark, but to us it's a no-brainer.
So what do The Powers need to do? For starters, they need to get that rogue network turned off. If you have to find rogue access points manually with a weekly walkthrough survey, great. If that's not possible or desirable, there are solutions out there that can detect and jam the signals (which I mentioned in a comment to the MiFi FUIT article). It's probably not actually jamming them, but I still can't get that scene from Spaceballs out of my head.
"There's only one man who would dare give me raspberry..."
There are a number of WIPS (Wireless Intrusion Prevention System) solutions out there, like AirTight Networks, Fluke's AirMagnet, and Motorola's AirDefense (imaginative, eh?). Each of these can be used to mitigate this kind of threat, but they only solve the effect, not the cause.
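The weekly walkthrough survey can be triaged with a short script. The following is an added example, not code from the original article: it compares surveyed BSSIDs against an authorized list and tries to tie each unknown access point to a switch port, so the rogue device can be found at the wall jack. All names and sample data are constructed, and the MAC-adjacency rule is an assumed heuristic (a consumer AP's wired MAC is often within a few addresses of its BSSID, but not always).

```python
# Constructed sample data: not from the article or any real network.
AUTHORIZED_BSSIDS = {"00:1a:2b:00:10:01", "00:1a:2b:00:10:02"}

# Walkthrough survey results: (ssid, bssid, encryption, rssi_dbm)
SURVEY = [
    ("TRI-Corp", "00:1a:2b:00:10:01", "WPA2-Enterprise", -48),
    ("TRI-Corp", "00:1a:2b:00:10:02", "WPA2-Enterprise", -61),
    ("Linksys", "c0:c1:c0:aa:bb:02", "Open", -40),
    ("CoffeeShopGuest", "f4:f2:6d:11:22:33", "WPA2-Personal", -85),
]

# Switch MAC address table export: (switch_port, learned_mac)
SWITCH_MACS = [
    ("Gi1/0/7", "3c:52:82:10:20:30"),
    ("Gi1/0/12", "c0:c1:c0:aa:bb:01"),
]

def mac_to_int(mac):
    """Convert aa:bb:cc:dd:ee:ff (or dash-separated) to an integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)

def find_rogues(survey, authorized, switch_macs, max_offset=8, near_dbm=-70):
    """Return findings for unauthorized BSSIDs, highest risk first."""
    findings = []
    for ssid, bssid, enc, rssi in survey:
        if bssid.lower() in authorized:
            continue
        # Heuristic (assumption): a wired MAC numerically close to the BSSID
        # means the AP is plugged into our LAN on that switch port.
        port = next((p for p, m in switch_macs
                     if abs(mac_to_int(m) - mac_to_int(bssid)) <= max_offset), None)
        if port:
            risk = "critical" if enc == "Open" else "high"
        elif rssi >= near_dbm:
            risk = "investigate"   # strong signal, not yet tied to a port
        else:
            risk = "neighbor"      # weak signal, likely outside the office
        findings.append({"ssid": ssid, "bssid": bssid, "enc": enc,
                         "port": port, "risk": risk})
    order = ["critical", "high", "investigate", "neighbor"]
    return sorted(findings, key=lambda f: order.index(f["risk"]))

if __name__ == "__main__":
    for finding in find_rogues(SURVEY, AUTHORIZED_BSSIDS, SWITCH_MACS):
        print(finding)
```

A "critical" finding names the switch port to shut down or trace; "investigate" entries are the ones worth a second pass with the survey tool.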
To eliminate the cause, The Powers still need to provide a working solution. TRI, Inc. doesn't deal in matters of national security, so a working WiFi solution that engages a remote workforce shouldn't be too hard to put together.
This is just another example of one of those things that could very well be happening in your company without your knowledge. The Consumerization of IT isn't just about BYOD or bringing Macs or tablets into the workplace, but if users decide that's what they want, they're going to find a way to do it.