I CAN'T DECIDE WHAT amazes me more about the slow-motion
security crisis unfolding around wireless LANs. Is it the
cluelessness of users who - by the thousands - are installing
unsecured "rogue" wireless access points (APs) inside
their company networks? Or is it the stubborn refusal (or just
plain inability) of so many IT departments to deal effectively
with the problem?
Either way, this train wreck is heading for a station near
you. When bad things happen to good corporate data, IT
management gets blamed. And wireless networks are the security
equivalents of Swiss cheese.
Unfortunately, those clueless users are driving this train.
In the past two years, more than 12 million wireless LAN cards
and APs were sold. Users are the unstoppable force behind this
third wave of uninvited technologies invading the corporate IT
space. First came PCs, then Web browsers. Now it's wireless
access points.
Over the past several months, we've written many stories
about wireless network vulnerabilities uncovered at major
airlines, name-brand retailers and government agencies that
ought to know better. In nearly every case, the standard defense
was to claim that the breach didn't really matter because the
exposed data wasn't "sensitive" or proprietary. Bzzzt!
Wrong answer.
The real danger of APs, security experts point out, lies in
the unwelcome access to your internal networks and how much an
intruder can learn about your systems. "Once you're sitting
on a corporate network, you can gain universal network-level
access and talk to any machine," says Eric Schnack, chief
operating officer at Palisade Systems, a security vendor in
Ames, Iowa, that specializes in protecting network-level access.
"You don't want random people inside your network, sending
arbitrary traffic to a mission-critical server or bombarding the
ERP server with traffic," adds Sandeep Singhal, CTO at
security infrastructure vendor ReefEdge in Fort Lee, NJ.
So, what are you doing about it? Worrying, mostly. In this
week's issue and on our Web site, we've published the results of
our wireless LAN security survey of 159 IT professionals -
nearly half of whom confessed to having no confidence in their
own wireless security. Some 46.5% haven't written any policies
forbidding employees from installing them in the first place.
So, what should you be doing instead of just worrying? We
offer plenty of ideas from your peers in "The Security
Action Plan," starting on page 23 and online [QuickLink:
k16001]. But here's a short wireless security to-do list:
* Be the bad cop. Insist that IT maintain total control of
all wireless LAN access, and implement policies that make
network lawbreakers eligible for immediate termination.
* Make sure all wireless network cards and base stations are
registered and secured, and upgrade everything to 128-bit
session encryption.
* Investigate the myriad wireless security products arriving
in an increasingly competitive market.
* Require the use of a VPN to access critical resources.
* Enforce periodic re-authentication for all users, and
restrict LAN access rights by job role.
* Scan and sniff internal networks regularly to ferret out
rogue APs.
Most important, accept that wireless networks are the Borg and
that resistance is indeed futile. Aggressively manage the problem
now. This is one wake-up call you can't afford to sleep through.
FIXING VULNERABILITIES
The CTO at ReefEdge lists 10 ways to plug the holes in your
wireless network.
QuickLink: 31267 www.computerworld.com
MARYFRAN JOHNSON is editor in chief of Computerworld. You can
contact her at maryfran_johnson@computerworld.com.