Industry View

Risk Assessment: Are You Overlooking Wireless Networks?

The continually changing landscape of wireless technology requires updated security methods...and frequent auditing.

By Chad Kalmes and Greg Hedges

May 10, 2006, CSO

The growth of wireless technology has been explosive, so fast that most audit teams and IT departments have fallen behind in making it a part of the scope of their annual risk assessments. Unfortunately, there are numerous potential abuses of wireless technologies and very few rock-solid control mechanisms available to mitigate the associated risks. Likewise, as wireless security has rapidly grown and evolved, the underground community has continued to discover new ways to circumvent the available controls. When referring to "wireless" here, we refer primarily to the issues identified regarding the 802.11 a/b/g standards (a.k.a. Wi-Fi), and do not necessarily address additional layers of insecurity introduced by the growing prevalence of Bluetooth or other "personal area network" technologies. We'll save that for a later issue.

Internal auditors, security managers and IT departments face a number of unique challenges regarding wireless. Corporate executives and members of the board of directors and audit committees are right to be concerned about how to protect the integrity, confidentiality and availability of critical business information on wireless systems. And unfortunately for these stakeholders, the security features developed and the vulnerabilities discovered are still evolving and changing more rapidly than other technologies. There are no perfect wireless solutions.

Companies with wireless networks, or those considering implementing them, need to ensure that they are effectively managed and audited. They must appropriately plan their deployments, evaluate their specific security needs, establish appropriate policies and standards, and regularly conduct audits to ensure that their continually changing security needs are addressed and that all of their policies are current, accurate and, most importantly, followed.

Common Issues and the Need for Effective Control

One of the goals of most commercial operating systems in use today is to make computers as user-friendly as possible. Laptops with built-in wireless can be configured to join any access point they see automatically, with little or no intervention by the end user. This may allow machines to connect to untrusted networks, even without the user's knowledge. A malicious user running or using such a network may be able to access information on the unsuspecting user's laptop if it is not adequately protected via personal firewall software. This is commonly known as "accidental association." More advanced wireless attackers may even try to force devices to connect to falsified or impersonated networks to attempt to access information, a technique known as "malicious association."
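An audit can test for exposure to accidental association by checking which saved wireless profiles a laptop will rejoin on its own. The following is an added example, not part of the original article: it assumes Linux laptops managed by NetworkManager, whose saved profiles use the keyfile format, and the sample profiles are constructed for illustration.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile format (not from the article).
SAMPLE_PROFILES = {
    "CoffeeShop.nmconnection":
        "[connection]\nid=CoffeeShop\ntype=wifi\n\n[wifi]\nssid=CoffeeShop-Free\n",
    "Corp.nmconnection":
        "[connection]\nid=Corp\ntype=wifi\n\n[wifi]\nssid=CorpNet\n\n"
        "[wifi-security]\nkey-mgmt=wpa-eap\n",
    "Hotel.nmconnection":
        "[connection]\nid=Hotel\ntype=wifi\nautoconnect=false\n\n[wifi]\nssid=HotelGuest\n",
    "OldLab.nmconnection":
        "[connection]\nid=OldLab\ntype=wifi\n\n[wifi]\nssid=Lab\n\n"
        "[wifi-security]\nkey-mgmt=none\n",
    "Wired.nmconnection":
        "[connection]\nid=Wired\ntype=ethernet\n",
}

WIFI_SECTIONS = ("wifi", "802-11-wireless")  # current and legacy names
SEC_SECTIONS = ("wifi-security", "802-11-wireless-security")


def audit_profile(text):
    """Return (ssid, reason) if the profile auto-joins a weakly protected network, else None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") not in WIFI_SECTIONS:
        return None  # not a wireless profile
    # NetworkManager treats a missing autoconnect key as true.
    if not cp.getboolean("connection", "autoconnect", fallback=True):
        return None
    ssid = next((cp.get(s, "ssid") for s in WIFI_SECTIONS
                 if cp.has_option(s, "ssid")), "<unknown>")
    sec = next((s for s in SEC_SECTIONS if cp.has_section(s)), None)
    if sec is None:
        return ssid, "open network, auto-connect enabled"
    # key-mgmt=none means static WEP or no protection at all.
    if cp.get(sec, "key-mgmt", fallback="none") == "none":
        return ssid, "WEP or no encryption, auto-connect enabled"
    return None


def audit(profiles):
    """Map each risky profile file name to its (ssid, reason) finding."""
    results = {name: audit_profile(text) for name, text in profiles.items()}
    return {name: r for name, r in results.items() if r}


if __name__ == "__main__":
    for name, (ssid, reason) in sorted(audit(SAMPLE_PROFILES).items()):
        print(f"{name}: SSID {ssid!r}: {reason}")
```

Profiles with auto-connect disabled are not flagged, because the user must choose to join them; any SSID that is flagged is one an impersonating access point could answer for.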

As unfortunate as it may be from a security standpoint, local coffee shops are popular and convenient places for users to log on. However, whenever a public hot spot (which typically requires little or no encryption) is used, end users must be cautious of the sites they visit and information they access. If they are visiting a bank website that is secured via SSL, they are probably safe. Many e-mail systems and instant-messenger programs, however, are not encrypted, and corporate messages may be inadvertently broadcast to anyone on or near that hot spot.
