February 15, 2011, 2:30 PM — The subject of rogue access points (RAPs) has been on our minds lately, and in our ongoing 2011-2012 benchmark interviews we have been asking folks about their experiences with them.
As it turns out, lots of folks aren't worried. This insouciance comes from either a generally laid-back attitude toward security, or from a sense that it is a problem not of great concern to them, or from a simple admission that with limited resources they simply can't afford to buy a tool to address the problem and so have put it out of mind for now.
MOBILE THREAT: Angry Birds, Monkey Jump apps wrapped with malware
The laid-back folks (who are fewest) still tend to look at security as the "Great Disabler" -- the thing that gets in the way of staff using resources to the fullest and as creatively as possible. For them, "more power to them" is the basic response to the idea of staff plugging in their own access points to expand wireless networks. Some have even been happy that staff are proactively solving reception and capacity issues in this way, and are less concerned that they may be extending access beyond the borders of the building or campus.
This category blurs into the second group, the folks who may worry about security in lots of other ways but who don't think RAPs are of specific concern to them. They may have deep enough security on the network to not sweat too much about the unplanned access; or, as was the case for a couple of the folks I've spoken to so far, they may be isolated enough physically to not worry -- if the nearest neighbors are cornfields and cattle, a little signal bleed is not much concern.
The folks with resource concerns, though, are in a bind. They see the problem, they acknowledge it is a problem for them, but feel unable to address it for lack of resources. For some, scale is the problem: They can afford a tool, just not enough tool to scan their thousands of addresses quickly enough to be of real use. If a full scan takes days and the average rogue is up only during business hours, there is a problem.
One solution is to spend the money on the robust, scaled-up package they know would get the job done. This is hard if they can't well justify the expense because they can't really quantify the risk because they can't tell how many rogue access points are out there because they don't have a good enough tool ...