Wireless Security
First Published: X-Force Monthly Magazine
As the number of wireless access points dotted along the high-street and within airport terminals around the world continues to grow and propagate a “connect-anywhere-anytime” philosophy, similar to that of the mobile phone phenomenon in the early ‘90s, organizations are struggling to understand the latest security implications for their mobile workforce.
Whilst most organizations are familiar with the security flaws associated with the original Wireless Encryption Protocol (WEP) built into IEEE 802.11b and have tried mandating best use practices for their employees, they have encountered difficulties as they seek a better balance between connectivity and data integrity without sacrificing usability.
For today’s mobile workforce, the ability to connect to the Internet and exchange e-mails while traveling has become critical. Any technical issue that prevents the worker from achieving network access in a timely manner can quickly result in frenzied calls to the helpdesk, or the worker “tinkering” with their network settings – seeking any network connection they can.
Ask any salesman: when it comes to crunch time, when they really need to e-mail that multi-million dollar invoice to the customer on the last day of the month, it doesn’t matter where they are or how often they’ve been told that security is important. They’ll turn on or off anything and connect to any network they can in order to send that critical e-mail – security will always play second fiddle to business continuity.
There are additional problems associated with wireless networks that corporate security teams now need to contend with as well. While e-mail is certainly a concern, they now have to deal with secure access to intranet applications (e.g. inventory databases and timesheets) and voice communications such as Voice over IP (VoIP). Each additional networked service represents additional security threats and opportunities for users to “adjust” settings.
From an attacker’s perspective (or even a casual eavesdropper), wireless networks are fantastic. Consider a few of the more common methods being used by attackers around the world:
When you combine these newer wireless attack vectors with an already security-agnostic mobile workforce (consider the annual security studies in which employees will tell strangers their email password in exchange for a chocolate bar), the situation is ripe for both opportunistic and organized electronic crime.
While there have been various studies relating to war-driving (i.e. driving around a city and cataloging wireless access points) and the use of wireless at various technology or security tradeshows, there have been very few public studies about the current exploitation trends that target the end-user wireless device. Certainly the talk on the underground, and within the various hacking communities, is buzzing with new techniques and hacking success stories. Since these attacks are targeted at individual hosts, and the success of the attack may not be immediately apparent, it is often the case that the victims have no idea that their security failed, and the consequences may not appear for several days or weeks.
The ability to protect the mobile workforce from the threats they will encounter when using wireless access points or hotspots around the world is incredibly important, and legacy protection technologies such as firewalls and anti-virus are largely irrelevant. In order to provide good security, the mobile workstation or laptop has to be made secure against both an external attacker and the user themselves.
Like most areas of security, common sense plays a vital role in ensuring corporate communication integrity; however, user education is vital if an organization is to be successful in raising its mobile security status. It is important that users be educated in the methods attackers use to compromise wireless networks so that they are capable of spotting rogue installations and do not fall for the most common social engineering vectors. In addition, it is important that users understand what security mechanisms have been installed on their mobile devices, and vital that they know what steps they must undertake in order to connect securely to the corporate network or send emails. Quarterly or half-yearly refreshers are to be recommended.