Deutsche Bank tries to marry wireless and security

A company looking to increase the security of its wireless operations should start with its own policies and standards, according to Ken Newman, director of security and risk management at Deutsche Bank.

For example, employees need to understand that something as simple as setting up a wireless access point can pose a threat to company security. 

Deutsche Bank needed a system that provides confidentiality and data integrity that would meet government-imposed security considerations. But fears that advances in technology meant the entire security programme would only have a life span of 12 to 18 months complicated the issue, Newman said.

After strengthening its policies and standards, the next step in the process was "hardening" PCs and laptops against security breaches with personal firewalls, updates and patches for existing software, upgrades to security software, the use of low-level encryption and the prevention of simultaneous wireless/wired connections, he said.

After taking those steps, Newman said, a company should set out to go after its own network with the same tools attackers would use. That way, Deutsche Bank could determine what information could be detected, what could be accessed and from where it could be accessed.

A company's physical security force must also be brought into the operation, with security guards regularly patrolling corporate offices at night with special carts looking for rogue access points employees might have set up on their own.

A company should also monitor websites where attackers regularly post discovered access points, such as www.netstumbler.com and www.wigle.net, to see if any Deutsche Bank access points are listed. 

The bank also limits connectivity to the network by placing access points in a de-militarised zone outside the company firewall and limits the types of applications and data available via firewall rules. 

The bank sweeps for malicious code and viruses and provides two layers of encryption: LEAP and an IPSec VPN tunnel.

He said the bank is committed to being a one-vendor shop, to eliminate problems associated with using multiple encryption protocols and standards, and builds in strong user-based authentication, such as systems that require secure ID tokens.

The bank has also looked into setting up fake access points to confuse would-be attackers and to make it harder for them to distinguish between what is real and what is not.

The bank may also create "honey pots" designed to find out what potential attackers are using and to discover trends and innovations the bank could use down the road.

Newman also urged businesses to take a close look at their company's Service Set Identifier (SSID), a 32-character identifier that is attached to data packets sent over wireless LANs.

He said many of these codes allow attackers to learn the names of companies, what the company does and other sensitive data that could attract more attackers if it were published.

It would be better, he said, if a company used something generic that would not draw attention.
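As an added example, not code from the article or from Deutsche Bank, the Python below joins two of Newman's recommendations on the defender's side: it compares a wireless survey against an inventory of sanctioned access points to surface rogue or impersonating access points (the night-patrol and listing-site checks), and it flags SSIDs that name the organisation or its business. The inventory, survey values and word list are constructed placeholders.

```python
"""Rogue access point and SSID hygiene check (constructed example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    bssid: str      # AP MAC address as reported by a scan
    ssid: str       # network name the AP advertises
    channel: int


def normalise_bssid(bssid: str) -> str:
    """Canonical lower-case, colon-separated form so survey and inventory compare."""
    return bssid.strip().lower().replace("-", ":")


# Hypothetical inventory of sanctioned APs, keyed by normalised BSSID.
AUTHORIZED = {
    "00:11:22:33:44:01": AccessPoint("00:11:22:33:44:01", "corp-wlan-7", 1),
    "00:11:22:33:44:02": AccessPoint("00:11:22:33:44:02", "corp-wlan-7", 6),
}

# Words that tell a passer-by who owns the network or what it is used for.
SENSITIVE_WORDS = {"bank", "trading", "treasury", "finance", "hr", "payroll"}

# Constructed survey, as a war-walk or a site listing might report it.
SAMPLE_SURVEY = [
    AccessPoint("00:11:22:33:44:01", "corp-wlan-7", 1),         # sanctioned
    AccessPoint("AA-BB-CC-DD-EE-01", "corp-wlan-7", 11),        # unknown BSSID, our SSID
    AccessPoint("aa:bb:cc:dd:ee:02", "DB-Trading-Floor-3", 6),  # rogue, leaks business
    AccessPoint("aa:bb:cc:dd:ee:03", "linksys", 6),             # rogue, default name
]


def classify_survey(observed, authorized=AUTHORIZED, sensitive=SENSITIVE_WORDS):
    """Return lists of rogue BSSIDs, impersonating BSSIDs and leaky SSIDs."""
    sanctioned_ssids = {ap.ssid for ap in authorized.values()}
    findings = {"rogue": [], "impersonating": [], "leaky_ssid": []}
    for ap in observed:
        bssid = normalise_bssid(ap.bssid)
        if bssid not in authorized:
            # An unknown radio advertising a sanctioned SSID is the more
            # dangerous case: clients may join it believing it is ours.
            bucket = "impersonating" if ap.ssid in sanctioned_ssids else "rogue"
            findings[bucket].append(bssid)
        # Whole-word match so "three" does not trip on "hr".
        tokens = set(re.split(r"[^a-z0-9]+", ap.ssid.lower())) - {""}
        if tokens & sensitive:
            findings["leaky_ssid"].append(ap.ssid)
    return findings
```

Feeding the output of a real scanner into `classify_survey` is the only change needed to run this against a live survey; the sanctioned-AP inventory must be kept current or every new legitimate AP shows up as a rogue.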
