A report by research and analysis company Gartner
statating that up until 2006, the misconfiguration of wireless
local area network (WLAN) access points and client software will
attribute for nearly three quarters of successful attacks is
disquieting on a number of levels.
Extending the perimeter of the organisation through
mobilisation, is a key requirement for many companies to stay
competitive and mobile computing will inevitably be one of the top
technological issues affecting your business.
A survey of Computer Weekly’s InfoSecurity User Group
(CWIUG) in 2004 revealed that 50% of companies have or will
implement wireless technology to access the corporate networks by
the end of this year, and a further 20% will do so by the end of
2005.
It must be hard for those companies still reluctant to allow
their workers to access corporate resources using wireless
technology. The pressure to go wireless is immense and the benefits
of operating in such a way can be huge. These are summed up very
elegantly by Gartner’s vice president and research director Nigel
Deighton who says: "Wireless mobility is the greatest change to
occur in corporate data collection and distribution in the past
decade.
"Wireless enables a real-time enterprise in a connected society:
responsive, collaborative, flexible, connected and informed."
There are probably not many IT directors or heads of IT that
could construct compelling reasons against technologies that
delivered such benefits. Yet you really have to look at the Gartner
announcement and wonder how many attacks are likely and why?
A Gartner Wireless & Mobile Summit in March found that that
while users are implementing more wireless technologies in their
daily lives, many are not taking the proper precautions to ensure
they're working in a secure environment. Gartner found that then
that 90% of mobile devices could lack the protection to ward off
hackers.
As companies feel a need to engage with wireless technology and
extend the perimeter of their businesses, the question follows:
could going wireless actually detract from the business and are
those who’ve said no to wireless actually the ones with wisdom?
Could they be right?
Another CWIUG survey has shown that over four companies in five
say that they are concerned about the security capabilities of
wireless mobile products and services.
Wireless security attracts a lot of column inches mainly from
the received wisdom that wireless technology is inherently
insecure. But is it really true that wireless technology is
insecure? May it be better to ask not whether the technology is
flawed, but how securely are those who have wireless technology
using it?
Robert Duncanson, a security consultant at Unisys argues that
the problems start because fundamentally wireless LANs are
unbounded. He comments: “Some people and organisations deploy open
Wireless LAN with no [data] encryption and the standard, WEP, is
easily compromised, businesses need better security.”
Yet looking at the Gartner analysis more deeply, the call to action
is very much centred on working practices and culture rather than
the technology itself. The company concludes that security for
WLANs and wireless products needs to be driven by updated security
policies that address the unique demands of the mobile
workplace.
The bottom line is to institute sound management policies to
contain costs and to protect mobile information assets and not just
rashly install WLAN technologies. One popular emerging technology
is wireless intrusion detection systems. Monitoring the flow of
information across the wireless network, and over all the
technology that you have is essential.
This point is supported by John Walker, head of operational
security, specialist services and corporate services of Experian
who fundamentally believes that wireless technology can be used in
a secure way but only in concert with strong security
practices.
He cautions that achieving this security level involves a fair
degree of work “to maintain security, it is essential to track
security vulnerabilities and exposures, and map them into a process
that deploys best levels of security assurance — [but] this may be
easier said than done with an extended perimeter environment, ” he
cautions.
Walker says that you should be smart in your assessment and that
another main challenge in identification of security
vulnerabilities and exposures is how you cut out the noise from the
real issues.
He says that it is essential that sources of information are
credible. In order to provide an assured position for analysis of
the extended perimeter, Walker insists, you have to consider some
very key points, namely: what do you test — everything, or selected
areas of interest; when do you need to have a testing method and at
what agreed levels; by whom, how and with the service run; and why
you may need to make changes after deployment.
There’s no such thing as the perfect security system and let’s
not forget that wireless networks are relatively new. Yet just like
with traditional closed networks, securing the extended perimeter
means getting the right systems and procedures in place rather than
throwing technology at the problem. With all of these you may begin
to reassess your attitudes towards the security of wireless.