A company looking to increase the security of its
wireless operations should start with its own policies and
standards, according to Ken Newman, director of security and risk
management at Deutsche Bank.
For example, employees need to understand that something as
simple as setting up a wireless access point can pose a threat to
company security.
Deutsche Bank needed a system that provides confidentiality and
data integrity that would meet government-imposed security
considerations. But fears that advances in technology meant the
entire security programme would only have a life span of 12 to 18
months complicated the issue, Newman said.
After strengthening its policies and standards, the next step in
the process was "hardening" PCs and laptops from security breaches
with personal firewalls, updates and patches for existing software,
upgrades to security software, the use of low-level encryption and
the prevention of simultaneous wireless/wired connections, he
said.
After taking those steps, Newman said a company should set out
to go after its own network with the same tools attackers would
use. That way, Deutsche Bank could determine what information could
be detected, what could be accessed and from where could it be
accessed.
A company's physical security force must also be brought into
the operation, with security guards regularly patrolling corporate
offices at night with special carts looking for rogue access points
employees might have set up on their own.
A company should also monitor websites where attackers regularly
post discovered access points, such as
www.netstumbler.com and
www.wigle.net, to see if any
Deutsche Bank access points are listed.
The bank also limits connectivity to the network by placing
access points in a de-militarised zone outside the company firewall
and limits the types of applications and data available via
firewall rules.
The bank sweeps for malicious code and viruses, provides for
two-layers of encryption - Leap and IPSec VPN Tunnel.
He said the bank is commited to being a one-vendor shop to
eliminate problems associated with using multiple encryption
protocols and standards and builds-in strong user-based
authentication, such as systems that require secure ID tokens.
The bank has also looked into setting up fake access points to
confuse would-be attackers and to make it harder for them to
distinguish between what is real and what is not.
The bank may also create "honey pots" designed to find out what
potential attackers are using and to discover trends and
innovations the bank could use down the road.
Newman also urged businesses to take a close look at their
company's Service Set Identifier, a 32-character identifier that is
attached to data packets sent over wireless Lans.
He said many of these codes allow attackers to learn the names
of companies, what the company does and other sensitive data that
could attract more attackers if it were published.
It would be better, he said, if a company used something generic
that would not draw attention.