News from research and analysis company Gartner that, up until 2006, 70% of successful wireless local area network (WLAN) attacks will be caused by the misconfiguration of WLAN access points and client software is disquieting on a number of levels.
Extending the perimeter of the organisation through mobilisation is a key requirement for many companies to stay competitive, and mobile computing will inevitably be one of the top technological issues affecting your business.
A survey of Computer Weekly’s InfoSecurity User Group (CWIUG) in March revealed that 50% of companies have implemented or will implement wireless technology to access corporate networks by the end of this year. A further 20% will do so by the end of 2005.
It must be hard for those companies still reluctant to allow their workers to access corporate resources using wireless technology. The pressure to go wireless is immense and the benefits of operating in such a way can be huge.
These are summed up very elegantly by Gartner’s vice president and research director Nigel Deighton, who says: "Wireless mobility is the greatest change to occur in corporate data collection and distribution in the past decade. Wireless enables a real-time enterprise in a connected society: responsive, collaborative, flexible, connected and informed."
There are probably not many IT directors or heads of IT who could construct compelling reasons against technologies that deliver such benefits. Yet you really have to look at the Gartner announcement and wonder how many attacks are likely, and why.
A Gartner Wireless & Mobile Summit in March found that while users are implementing more wireless technologies in their daily lives, many are not taking the proper precautions to ensure they are working in a secure environment. Gartner found that 90% of mobile devices could lack the protection to ward off hackers.
As companies feel a need to engage with wireless technology and extend the perimeter of their businesses, the question follows: could going wireless actually detract from the business and are those who have said no to wireless in fact the ones with wisdom? Could they be right?
Another CWIUG survey has shown that four in five companies say that they are concerned about the security capabilities of wireless mobile products and services.
Wireless security attracts a lot of column inches, mainly because of the received wisdom that wireless technology is inherently insecure. But is it true that wireless technology is insecure? Is it better to ask how securely those who have wireless technology are using it, rather than whether the technology itself is flawed?
Robert Duncanson, a security consultant at Unisys, argues that the problems start because, fundamentally, wireless LANs are unbounded. He comments: “Some people and organisations deploy open Wireless LANs with no [data] encryption and the standard, WEP, is easily compromised. Businesses need better security.”
Yet looking at the Gartner analysis more deeply, the call to action is very much centred on working practices and culture rather than the technology itself. The company concludes that security for WLANs and wireless products needs to be driven by updated security policies that address the unique demands of the mobile workplace.
The bottom line is to institute sound management policies to contain costs and to protect mobile information assets, and not just rashly install WLAN technologies. One popular emerging technology is the wireless intrusion detection system, as monitoring the flow of information across the wireless network, and over all the technology that you have, is essential.
This point is supported by John Walker, head of operational security, specialist services and corporate services for Experian. Walker fundamentally believes that wireless technology can be used in a secure way, but only in concert with strong security practices.
He cautions that achieving this security level involves a fair degree of work: “To maintain security, it is essential to track security vulnerabilities and exposures and map them into a process that deploys best levels of security assurance. [But] this may be easier said than done with an extended perimeter environment.”
Walker says that you should be smart in your assessment and that another main challenge in identifying security vulnerabilities and exposures is how you separate the noise from the real issues. He says that it is essential that sources of information are credible.
In order to provide an assured position for analysis of the extended perimeter, Walker insists, you have to consider some key points, namely: what do you test, everything or selected areas of interest; when do you need to have a testing method and at what agreed levels; by whom, how and with the service run; and why you may need to make changes after deployment.
There’s no such thing as the perfect security system, and let’s not forget that wireless networks are relatively new. Yet, just as with traditional closed networks, securing the extended perimeter means getting the right systems and procedures in place rather than throwing technology at the problem. With all of these you may begin to reassess your attitudes towards the security of wireless.