Industry View

Risk Assessment: Are You Overlooking Wireless Networks?

The continually changing landscape of wireless technology requires updated security methods...and frequent auditing.

By Chad Kalmes and Greg Hedges

May 10, 2006 | CSO

The growth of wireless technology has been explosive, so fast that most audit teams and IT departments have fallen behind in making it a part of the scope of their annual risk assessments. Unfortunately, there are numerous potential abuses of wireless technologies and very few rock-solid control mechanisms available to mitigate the associated risks. Likewise, as wireless security has rapidly grown and evolved, the underground community has continued to discover new ways to circumvent the available controls. When referring to "wireless" here, we refer primarily to the issues identified regarding the 802.11 a/b/g standards (a.k.a. Wi-Fi), and do not necessarily address additional layers of insecurity introduced by the growing prevalence of Bluetooth or other "personal area network" technologies. We'll save that for a later issue.

Internal auditors, security managers and IT departments face a number of unique challenges regarding wireless. Corporate executives and members of the board of directors and audit committees are right to be concerned about how to protect the integrity, confidentiality and availability of critical business information on wireless systems. And unfortunately for these stakeholders, the security features developed and the vulnerabilities discovered are still evolving and changing more rapidly than other technologies. There are no perfect wireless solutions.

Companies with wireless networks, or those considering implementing them, need to ensure that they are effectively managed and audited. They must appropriately plan their deployments, evaluate their specific security needs, establish appropriate policies and standards, and regularly conduct audits to ensure that their continually changing security needs are addressed and that all of their policies are current, accurate and, most importantly, followed.

Common Issues and the Need for Effective Control

One of the goals of most commercial operating systems in use today is to make computers as user-friendly as possible. Laptops with built-in wireless can be configured to join any access point they see automatically, with little or no intervention by the end user. This may allow machines to connect to untrusted networks, even without the user's knowledge. A malicious user running or using such a network may be able to access information on the unsuspecting user's laptop if it is not adequately protected via personal firewall software. This is commonly known as "accidental association." More advanced wireless attackers may even try to force devices to connect to falsified or impersonated networks to attempt to access information, a technique known as "malicious association."
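The auto-join behaviour described above is something an auditor can check for directly by reviewing the wireless profiles saved on managed laptops. The following is an added example, not code from the article or its authors: it reads a constructed profile inventory (the CSV layout, the SSIDs and the approved-network list are all assumptions made for illustration) and flags profiles that would auto-connect to unapproved or unencrypted networks.

```python
"""Audit saved Wi-Fi profiles against a simple auto-join policy.

Added example, not from the CSO article. The inventory format below is
constructed for illustration: one profile per line as
    ssid,security,auto_connect
where security is one of open, wep, wpa, wpa2 and auto_connect is yes/no.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample inventory; every SSID here is hypothetical.
SAMPLE_INVENTORY = """\
ssid,security,auto_connect
CORP-WLAN,wpa2,yes
CoffeeHouse-Free,open,yes
HomeNet,wpa,no
Airport_WiFi,open,no
CORP-GUEST,wep,yes
"""

# Hypothetical list of SSIDs the organisation permits laptops to join
# without user intervention. Everything else must be a manual connection.
APPROVED_AUTO_JOIN = {"CORP-WLAN"}

# Security modes that do not provide meaningful confidentiality.
WEAK_SECURITY = {"open", "wep"}


@dataclass
class Profile:
    ssid: str
    security: str
    auto_connect: bool


def parse_inventory(text: str) -> List[Profile]:
    """Parse the constructed CSV export into Profile records (header skipped)."""
    profiles = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for line in lines[1:]:
        ssid, security, auto = (field.strip() for field in line.split(","))
        profiles.append(Profile(ssid, security.lower(), auto.lower() == "yes"))
    return profiles


def audit_profiles(profiles: List[Profile]) -> List[Tuple[str, str]]:
    """Return (ssid, finding) pairs for every policy violation found."""
    findings = []
    for p in profiles:
        # Auto-join is only acceptable for explicitly approved networks.
        if p.auto_connect and p.ssid not in APPROVED_AUTO_JOIN:
            findings.append((p.ssid, "auto-connect enabled for unapproved network"))
        # Auto-joining an open network is the accidental-association case.
        if p.auto_connect and p.security == "open":
            findings.append((p.ssid, "auto-connect to open network (accidental association risk)"))
        # Open or WEP profiles offer no real protection for traffic.
        if p.security in WEAK_SECURITY:
            findings.append((p.ssid, f"weak or no encryption ({p.security})"))
    return findings


if __name__ == "__main__":
    for ssid, finding in audit_profiles(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{ssid}: {finding}")
```

On a real fleet the inventory would come from the operating system's own profile export rather than a hand-written CSV, but the policy logic (auto-join only for an approved list, never for open networks, and no open or WEP profiles at all) is what the audit is testing for.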

As unfortunate as it may be from a security standpoint, local coffee shops are popular and convenient places for users to log on. However, whenever a public hot spot (which typically requires little or no encryption) is used, end users must be cautious of the sites they visit and information they access. If they are visiting a bank website that is secured via SSL, they are probably safe. Many e-mail systems and instant-messenger programs, however, are not encrypted, and corporate messages may be inadvertently broadcast to anyone on or near that hot spot.
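The distinction drawn above, between an SSL-protected banking session and unencrypted e-mail or instant-messenger traffic on the same hot spot, is the kind of check a security team can run over connection records from a laptop. The following is an added example, not code from the article: it parses a constructed session log (the line format, addresses and application names are assumptions for illustration) and reports which sessions were protected by TLS and which carried a sensitive application protocol in the clear.

```python
"""Classify sessions from a public hot spot as TLS-protected or exposed.

Added example, not from the CSO article. The log format is constructed:
    <timestamp> dst=<ip> dport=<port> app=<protocol> tls=<yes|no>
"""
import re
from typing import Dict, List, Optional

# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2006-05-10T08:02:11 dst=203.0.113.10 dport=443 app=https tls=yes
2006-05-10T08:03:40 dst=203.0.113.22 dport=143 app=imap tls=no
2006-05-10T08:04:02 dst=203.0.113.22 dport=993 app=imap tls=yes
2006-05-10T08:05:19 dst=198.51.100.7 dport=5190 app=aim tls=no
this line is deliberately garbled and should be skipped
2006-05-10T08:06:55 dst=198.51.100.9 dport=80 app=http tls=no
2006-05-10T08:07:30 dst=203.0.113.31 dport=25 app=smtp tls=no
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+) app=(?P<app>\S+) tls=(?P<tls>yes|no)$"
)

# Application protocols that carry credentials or message bodies and are
# readable by anyone on the same unencrypted hot spot when sent without TLS.
SENSITIVE_APPS = {"imap", "pop3", "smtp", "http", "aim", "msn", "irc"}


def parse_session(line: str) -> Optional[Dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    session = m.groupdict()
    session["port"] = int(session["port"])
    session["tls"] = session["tls"] == "yes"
    return session


def classify(session: Dict) -> str:
    """protected: TLS in use; exposed: sensitive app in clear; unknown: other."""
    if session["tls"]:
        return "protected"
    if session["app"] in SENSITIVE_APPS:
        return "exposed"
    return "unknown"


def exposure_report(log_text: str) -> Dict[str, List]:
    """Bucket every parseable session by classification; count skipped lines."""
    report: Dict[str, List] = {"protected": [], "exposed": [], "unknown": [], "skipped": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        session = parse_session(line)
        if session is None:
            report["skipped"].append(line)
            continue
        report[classify(session)].append(session)
    return report


if __name__ == "__main__":
    result = exposure_report(SAMPLE_LOG)
    for s in result["exposed"]:
        print(f"EXPOSED {s['ts']} {s['app']} to {s['dst']}:{s['port']}")
    print(f"{len(result['protected'])} protected, {len(result['exposed'])} exposed, "
          f"{len(result['skipped'])} skipped")
```

The useful output is the "exposed" bucket: each entry is a session whose contents were visible to anyone within range of the hot spot, which is exactly the corporate e-mail and instant-messenger traffic the paragraph warns about. Malformed lines are counted rather than silently dropped so the reviewer knows how much of the log was not assessed.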
