News from research and analysis company Gartner that, up
until 2006, 70% of successful wireless local area network (WLAN)
attacks will result from the misconfiguration of WLAN access
points and client software is disquieting on a number of
levels.
Extending the perimeter of the organisation through mobilisation
is a key requirement for many companies to stay competitive, and
mobile computing will inevitably be one of the top technological
issues affecting your business.
A survey of Computer Weekly’s InfoSecurity User Group (CWIUG) in
March revealed that 50% of companies have or will implement
wireless technology to access the corporate networks by the end of
this year. A further 20% will do so by the end of 2005.
It must be hard for those companies still reluctant to allow
their workers to access corporate resources using wireless
technology. The pressure to go wireless is immense and the benefits
of operating in such a way can be huge.
These are summed up very elegantly by Gartner’s vice president
and research director Nigel Deighton who says: "Wireless mobility
is the greatest change to occur in corporate data collection and
distribution in the past decade. Wireless enables a real-time
enterprise in a connected society: responsive, collaborative,
flexible, connected and informed."
There are probably not many IT directors or heads of IT that
could construct compelling reasons against technologies that
deliver such benefits. Yet you really have to look at the Gartner
announcement and wonder how many attacks are likely and why?
A Gartner Wireless & Mobile Summit in March found that
while users are implementing more wireless technologies in their
daily lives, many are not taking the proper precautions to ensure
they are working in a secure environment. Gartner found that 90% of
mobile devices could lack the protection to ward off hackers.
As companies feel a need to engage with wireless technology and
extend the perimeter of their businesses, the question follows:
could going wireless actually detract from the business and are
those who have said no to wireless in fact the ones with wisdom?
Could they be right?
Another CWIUG survey has shown that four in five companies say
that they are concerned about the security capabilities of wireless
mobile products and services.
Wireless security attracts a lot of column inches, mainly from
the received wisdom that wireless technology is inherently
insecure. But is it true that wireless technology is insecure? Is
it better to ask how securely those who have wireless technology
are using it rather than if the technology itself is flawed?
Robert Duncanson, a security consultant at Unisys, argues that
the problems start because, fundamentally, wireless LANs are
unbounded. He comments: “Some people and organisations deploy open
Wireless LANs with no [data] encryption and the standard, WEP, is
easily compromised. Businesses need better security.”
Yet looking at the Gartner analysis more deeply, the call to action
is very much centred on working practices and culture rather than
the technology itself. The company concludes that security for
WLANs and wireless products needs to be driven by updated security
policies that address the unique demands of the mobile
workplace.
The bottom line is to institute sound management policies to
contain costs and to protect mobile information assets and not just
rashly install WLAN technologies. One popular emerging technology
is the wireless intrusion detection system, because monitoring the
flow of information across the wireless network, and across all the
technology that you have, is essential.
This point is supported by John Walker, head of operational
security, specialist services and corporate services for Experian.
Walker fundamentally believes that wireless technology can be used
in a secure way, but only in concert with strong security
practices.
He cautions that achieving this security level involves a fair
degree of work: “To maintain security, it is essential to track
security vulnerabilities and exposures and map them into a process
that deploys best levels of security assurance. [But] this may be
easier said than done with an extended perimeter environment,” he
says.
Walker says that you should be smart in your assessment and that
another main challenge in identifying security
vulnerabilities and exposures is how you separate the noise from the
real issues. He says that it is essential that sources of
information are credible.
To provide an assured position for analysis of the
extended perimeter, Walker insists, you have to consider some
key points, namely: what do you test, everything or selected
areas of interest; when do you need to have a testing method and at
what agreed levels; by whom, how and with the service run; and why
you may need to make changes after deployment.
There’s no such thing as the perfect security system, and let’s
not forget that wireless networks are relatively new. Yet, just as
with traditional closed networks, securing the extended perimeter
means getting the right systems and procedures in place rather than
throwing technology at the problem. With all of these in place, you
may begin to reassess your attitudes towards the security of wireless.