by Chad Kalmes and Greg Hedges

Risk Assessment: Are You Overlooking Wireless Networks?

May 10, 2006 | 8 mins
CSO and CISO, IT Leadership, Mobile Security

The continually changing landscape of wireless technology requires updated security methods...and frequent auditing.

The growth of wireless technology has been explosive, so fast that most audit teams and IT departments have fallen behind in making it a part of the scope of their annual risk assessments. Unfortunately, there are numerous potential abuses of wireless technologies and very few rock-solid control mechanisms available to mitigate the associated risks. Likewise, as wireless security has rapidly grown and evolved, the underground community has continued to discover new ways to circumvent the available controls. When referring to wireless here, we refer primarily to the issues identified regarding the 802.11 a/b/g standards (a.k.a. Wi-Fi), and do not necessarily address additional layers of insecurity introduced by the growing prevalence of Bluetooth or other personal area network technologies. We'll save that for a later issue.

Internal auditors, security managers and IT departments face a number of unique challenges regarding wireless. Corporate executives and members of the board of directors and audit committees are right to be concerned about how to protect the integrity, confidentiality and availability of critical business information on wireless systems. And unfortunately for these stakeholders, the security features developed and the vulnerabilities discovered are still evolving and changing more rapidly than other technologies. There are no perfect wireless solutions.

Companies with wireless networks, or those considering implementing them, need to ensure that they are effectively managed and audited. They must appropriately plan their deployments, evaluate their specific security needs, establish appropriate policies and standards, and regularly conduct audits to ensure that their continually changing security needs are addressed and that all of their policies are current, accurate and, most importantly, followed.

Common Issues and the Need for Effective Control

One of the goals of most commercial operating systems in use today is to make computers as user-friendly as possible. Laptops with built-in wireless can be configured to join any access point they see automatically, with little or no intervention by the end user. This may allow machines to connect to untrusted networks, even without the user’s knowledge. A malicious user running or using such a network may be able to access information on the unsuspecting user’s laptop if it is not adequately protected via personal firewall software. This is commonly known as “accidental association.” More advanced wireless attackers may even try to force devices to connect to falsified or impersonated networks to attempt to access information, a technique known as “malicious association.”

As unfortunate as it may be from a security standpoint, local coffee shops are popular and convenient places for users to log on. However, whenever a public hot spot (which typically requires little or no encryption) is used, end users must be cautious of the sites they visit and information they access. If they are visiting a bank website that is secured via SSL, they are probably safe. Many e-mail systems and instant-messenger programs, however, are not encrypted, and corporate messages may be inadvertently broadcast to anyone on or near that hot spot.

For corporate networks, one of the most basic forms of security implemented for their wireless networks is a hidden service set identifier (SSID). The SSID is a sequence of up to 32 letters or numbers that is essentially the name of a wireless network. Hiding the broadcast of the SSID requires end users to know and manually enter the correct SSID in order to access the network. However, almost all wireless scanners and software available today can very easily discover the SSID of networks, even if it is not overtly broadcast. This enables easy access to the network if this “security through obscurity” technique is the only form of control in place. In addition, the SSID used may leak unintended information about the company or wireless network in use. Likewise, companies may unknowingly disclose sensitive information, including the company name or department, street address, domain name or even the encryption key in use, if this information is contained in the SSID.

Further, as all wireless communication occurs within a known spectrum of radio waves, unauthorized users can monitor those channels to see any of the network traffic passing by. Many internal auditors and IT managers can think back to the issues related to using hubs on corporate networks, which broadcast network traffic in a manner similar to wireless networks, and immediately recognize the risks and issues associated with that practice that eventually led to the deployment of switched networks. In wireless terms, though, imagine those hubs also take away all of your walls and physical security controls.

While the most basic forms of wireless encryption (including WEP, LEAP, etc.) were initially broken using brute-force methods, newer shortcuts can cut the time it takes to decipher wireless traffic down to a matter of hours. In a typical corporate network, the time to defeat encryption can be even shorter due to higher traffic volumes. In terms of how easy this can be, one must only look to the numerous headlines highlighting hackers with wireless-enabled devices who have obtained retail customer records and other information while sitting in cars parked hundreds of feet away from retail stores.

Wireless enthusiasts and members of the underground community are also using the availability of wireless to gather information regarding the wireless networks cropping up around the world. Nowadays, there are even handheld devices for sale, roughly the size of a pack of gum, that allow users to determine a network's security scheme, signal strength and wireless standard (802.11b or 802.11g) without the use of a laptop. Several websites are also dedicated to mapping the wireless networks via these war driving techniques. One such informational site lists access points virtually everywhere in the United States. Malicious as well as legitimate users can use this information for virtually any purpose, from research to reconnaissance. If you think your network is small and private, try looking it up; you may be surprised by what is publicly known about your company just based on your wireless network.

And although new technologies and protocols are frequently developed to address the security issues, many of the devices already implemented in an environment (wireless VoIP handhelds, for example) often support only the legacy protocols that provide little to no protection.

Methods to Secure Wireless Technology (While You Audit Frequently)

With so much change in wireless technology, it is clear that senior management, audit committees and internal auditors need to make wireless reviews a part of the scope of their annual risk assessment programs. Despite the many and varied causes and symptoms of wireless insecurity, the problems identified can typically be boiled down to the traditional network issues of authentication, access control, availability and encryption.

Most wireless audits identify that access points are either not uniformly configured or do not have even the most basic security features activated. Generally speaking, the more access points deployed, the more opportunities there are for configuration issues to occur. Banks, retail stores and other businesses with numerous access points may be at particular risk, due to the sensitivity of information passing over their networks and the increased regulatory requirements involved, such as those established for payment card industry compliance.

Due to the variations in wireless networks and the very technical tools required to properly audit and assess their security, effectively testing wireless networks can be a difficult task for internal auditors (and even some very skilled IT departments). With the speed at which wireless vulnerabilities have typically been identified, and the ease with which devices can be purchased and improperly placed onto a network, the risks for a company can change daily.

Although the situation is improving, the lack of management and reporting tools for wireless implementations that provide effective feedback and monitoring continues to complicate matters for auditors and IT departments. Until the ability to monitor and manage wireless threats in real-time gets better, all of the vulnerabilities related to wireless networks point to the need for frequent audits.

Despite the risks of deploying wireless networks, a number of methods to secure wireless technologies exist and, when combined with an effective audit mechanism, can help to better ensure effective controls around wireless implementations. Those methods include:

  • a well-managed wireless strategy and architecture
  • wireless security policy development
  • a documented baseline for configuration of all access points
  • defined minimum wireless architecture, encryption, authentication and monitoring standards
  • communication of wireless risks to end users and responsible parties
  • registration and monitoring of approved access points
  • regular vulnerability and risk assessments that include wireless components
  • periodic reviews to identify unauthorized wireless access points
  • personal firewall software deployment on end-user devices
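
Several of the items above (a documented configuration baseline, a register of approved access points, periodic reviews for unauthorized ones) and the earlier point about SSIDs disclosing company details can be checked mechanically against a site survey. The sketch below is an added example, not part of the original article; the BSSIDs, SSIDs, sensitive terms and the WPA2-Enterprise baseline are constructed assumptions.

```python
# Added example: reconcile a wireless survey against the approved-AP register.
# Every BSSID, SSID, term and baseline value below is constructed for illustration.

BASELINE = {"encryption": "WPA2-Enterprise"}  # hypothetical minimum standard

# Register of approved access points: BSSID (radio MAC address) -> SSID.
REGISTERED = {
    "00:11:22:aa:bb:01": "CORP-01",
    "00:11:22:aa:bb:02": "CORP-01",
    "00:11:22:aa:bb:03": "CORP-01",
}

# Terms an SSID should not disclose (company name, department, location).
SENSITIVE_TERMS = ("acme", "finance", "main-st")

# Constructed survey results, as a site walk or scanner export might yield.
SURVEY = [
    {"bssid": "00:11:22:AA:BB:01", "ssid": "CORP-01", "encryption": "WPA2-Enterprise"},
    {"bssid": "00:11:22:AA:BB:02", "ssid": "CORP-01", "encryption": "WEP"},
    {"bssid": "66:77:88:CC:DD:09", "ssid": "CORP-01", "encryption": "Open"},
    {"bssid": "66:77:88:CC:DD:10", "ssid": "Acme-Finance-3F", "encryption": "WPA2-Enterprise"},
]

def audit(survey, registered, baseline, sensitive_terms):
    """Return sorted (bssid, finding) pairs for every deviation found."""
    findings = []
    seen = set()
    corporate_ssids = set(registered.values())
    for ap in survey:
        bssid = ap["bssid"].lower()  # normalise case before comparing MACs
        seen.add(bssid)
        if bssid not in registered:
            # An unregistered radio using a corporate SSID may be a rogue or
            # impersonating AP (the "malicious association" risk).
            kind = "unregistered-corporate-ssid" if ap["ssid"] in corporate_ssids else "unregistered"
            findings.append((bssid, kind))
        elif ap["encryption"] != baseline["encryption"]:
            findings.append((bssid, "baseline-deviation:encryption=" + ap["encryption"]))
        if any(term in ap["ssid"].lower() for term in sensitive_terms):
            findings.append((bssid, "ssid-discloses-information"))
    # Registered APs that were not observed may be offline, moved or replaced.
    findings += [(b, "registered-not-observed") for b in registered if b not in seen]
    return sorted(findings)

if __name__ == "__main__":
    for bssid, finding in audit(SURVEY, REGISTERED, BASELINE, SENSITIVE_TERMS):
        print(bssid, finding)
```

Running the same reconciliation after every survey gives each audit a comparable record of what changed since the last one.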


Wireless implementations can be a safe and effective method for quickly expanding corporate networks or leveraging employee mobility for increased productivity, but effective security protocols must always be in place to ensure that the expansion of corporate networks does not have a detrimental impact on the security and privacy of sensitive corporate or customer information.

Greg Hedges is a managing director and Chad Kalmes is a senior manager of Protiviti, a provider of independent risk consulting and internal audit services.