Wireless technology is increasingly used by companies that want to enhance
their agility and increase productivity by enabling mobile, remote and flexible
working. However, BT's business continuity, security and governance practice
believes that a vast number of organisations and their users do not fully
understand the associated security implications and are leaving themselves very
vulnerable.
To make matters worse, wireless capability is being added to more and more
devices, and the tools to locate and hack wireless networks are easy to find and
download from the Internet - so this situation can, and will, only get worse.
The first and most important step to using wireless technology securely is to
find out exactly what equipment is in use. Ian Hughes at BT says: “In our
experience companies who believe they have 100 per cent control of all wireless
technology always have something unaccounted for. Even businesses that believe
they don't have any wireless connectivity at all are usually wrong. These
'rogue' devices can put the entire network at risk. It is, therefore, essential
they secure the wireless network they know they have — as well as monitor for
and identify the one(s) they don't yet know about.”
The reason there is often so little knowledge about the actual number of
wireless devices in the enterprise is that nearly all new laptops and PDAs come
with WiFi, infra-red or Bluetooth capabilities enabled and turned on as
standard, which many users are unaware of. Individuals can also use devices
with the wireless capability deliberately turned on, or add wireless
connectivity through USB ports, which are relatively cheap, readily available
and easy to install, without fully appreciating the risks this entails.Â
Ian Hughes says: “Most large organisations find they have a number of
unofficially installed pieces of equipment that are outside the control of the
IT department, which represents a major security risk. People like wireless
because it is easy — but it's not so easy when a hacker brings down your entire
network. We have seen plenty of examples of employees taking company laptops
home and connecting to wireless broadband, and then leaving that connection open
when they return to the office, or use their laptop or PDA on the train, in a
hotel room, and even when parked in a motorway service station. The device
continues to look for a base station or other wireless-enabled appliance to
connect to, thus advertising its presence to any scanning apparatus within a
fairly wide radius — often many hundreds of metres or more. It's then relatively
straightforward for an unscrupulous individual to intercept those connections
and hack into the device. Some products can connect directly to others, without
needing a base station, so direct device-to-device transfers can occur without
either user being aware.”Â
Hughes continues, “At the very least, organisations have got to run some form
of wireless intrusion detection system (WIDS) to identify and locate rogue
devices. No security policy can be effective if there are unknown elements on
the network, so security teams need to remain on constant look out for new
devices, and ensure that users follow policies on how they should, and should
not, be used.”
Companies also need to ensure that specific measures for wireless networking
are included in the wider security policy. Focussing on protecting the virtual
and physical boundaries of an organisation is no longer sufficient. Mobile
devices, by their very nature, have effectively broken down these borders and
created an open environment that is more vulnerable to attack. The previously
accepted “Inside/Outside” (or “Redside/Greenside”) model, relying on physical
security and firewalls to protect the network, do not work when wireless is
added. Everything becomes “Oneside” and is accessible to all within range of the
wireless signal.
Authentication and identity management are also essential — from both sides
of the connection. Hughes says: “With wired networks the onus is on the user to
prove their identity to the server — usually through a username and password. Â
The physical connection has traditionally been accepted as providing a
sufficient guarantee that the network is what it claims to be. However, in the
wireless world, the user and the network now need to prove their mutual
identities to each other, without divulging any sensitive credentials in the
process.”
Ian Hughes concludes: “Establishing connectivity to wireless networks no
longer requires a great deal of expertise, but neither does hacking them. It is
obvious that wireless security needs to be taken seriously. The technology may
be there in terms of data encryption and user authentication, and the
development of standards such as IEEE 802.11i. But for these to be effective,
all devices need to be fully identified and must be used in accordance with a
policy that is specifically designed for that purpose.”
© CIOL Bureau