Industry View

Risk Assessment: Are You Overlooking Wireless Networks?

The continually changing landscape of wireless technology requires updated security methods...and frequent auditing.

By Chad Kalmes and Greg Hedges

Page 3

And although new technologies and protocols are frequently developed to address the security issues, many of the devices already implemented in an environment (wireless VoIP handhelds, for example) often support only the legacy protocols that provide little to no protection.

Methods to Secure Wireless Technology (While You Audit Frequently)

With so much change in wireless technology, it is clear that senior management, audit committees and internal auditors need to make wireless reviews a part of the scope of their annual risk assessment programs. Despite the many and varied causes and symptoms of wireless insecurity, the problems identified can typically be boiled down to the traditional network issues of authentication, access control, availability and encryption.

Most wireless audits identify that access points are either not uniformly configured or do not have even the most basic security features activated. Generally speaking, the more access points deployed, the more opportunities there are for configurations issues to occur. Banks, retail stores and other businesses with numerous access points may be at particular risk, due to the sensitivity of information passing over their networks and the increased regulatory requirements involved, such as those established for payment card industry compliance.

Due to the variations in wireless networks and the very technical tools required to properly audit and assess their security, effectively testing wireless networks can be a difficult task for internal auditors (and even some very skilled IT departments). With the speed at which wireless vulnerabilities have typically been identified, and the ease with which devices can be purchased and improperly placed onto a network, the risks for a company can change daily.

Although the situation is improving, the lack of management and reporting tools for wireless implementations that provide effective feedback and monitoring continues to complicate matters for auditors and IT departments. Until the ability to monitor and manage wireless threats in real-time gets better, all of the vulnerabilities related to wireless networks point to the need for frequent audits.

Despite the risks of deploying wireless networks, a number of methods to secure wireless technologies exist and, when combined with an effective audit mechanism, can help to better ensure effective controls around wireless implementations. Those methods include:

  • a well-managed wireless strategy and architecture

  • wireless security policy development

  • a documented baseline for configuration of all access points

  • defined minimum wireless architecture, encryption, authentication and monitoring standards

  • communication of wireless risks to end users and responsible parties

  • registration and monitoring of approved access points

  • regular vulnerability and risk assessments that include wireless components

  • periodic reviews to identify unauthorized wireless access points

  • personal firewall software deployment on end-user devices

$firstKeyword

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Security Directions: A Virtual Conference

Security Directions Available On Demand Sept. 30 - Dec. 30

Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.

» Register Now

WEBCAST
Protecting PII: How to Work with IT to Manage Risk

Compuware Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.

» View this Webcast

Featured Sponsors