Understanding Wireless Access and Mobile Technologies for Enhanced Security

Voice&Data Bureau

Only 25 years ago, the use of cell phones along with the plethora of other mobile devices commonly found today was mostly reserved for science fiction writers and a few VIPs. While it is impossible to imagine a world without Blackberries, iPhones, or the latest Bluetooth device today, many IT departments are still playing catch-up in terms of IT security policies surrounding the use of wireless technologies and mobile devices in the workplace. In fact, according to a 2007 study conducted by research firm Coleman Parkes, more than 60 percent of chief information officers interviewed reported an increased use of company-supplied mobile devices, which they believed led to more work productivity. However, these organizations were also having a hard time managing the use of these applications.

More recently, a whitepaper entitled “Wireless network security landscape of India,” released by Deloitte in conjunction with the Data Security Council of India, suggests that as of December 2008, 86% of wireless networks in India may be vulnerable to serious security risks with little to no protection. Covering 12 major cities throughout India, the testing indicated potentially vulnerable 802.11 networks ranging from a low of 69% in Nagpur to a high of 93% in Ahmedabad. The survey looked for simple misconfiguration of options that are commonly overlooked by the majority of people setting up wireless access points, and that are addressed in many of the easily available “best practices” recommendations on the internet.

Consequently, as the use of wireless networks and mobile devices continues to rise in the workplace, it is important for all IT auditors to have a general understanding of the science supporting these technologies, as well as how they operate, their common risks, and the industry-recognized controls that can be implemented to address these risks. This will enable auditors to understand the broad risks organizations now face with the use of wireless mobile devices and provide them with information that can help them evaluate the current threat landscape.

How Wireless Access Works

Nowadays, there are many different ways to connect wirelessly to the Internet and its various interconnected business and personal networks - from using low-frequency radio waves and high-frequency microwaves to fixed and mobile deployments, such as satellite transceivers as well as infrared (IrDA), Bluetooth, 802.11 Wi-Fi, 3G, and Worldwide Interoperability for Microwave Access (WiMax) technologies. While each of these methods has its own benefits, each also has its own weaknesses, associated protocols (i.e., standard procedures for regulating the transmission of data between devices), and requirements for operation.

In general, access to the wireless spectrum is regulated by government agencies in most countries. For instance, in the United States the U.S. Federal Communications Commission (FCC) is responsible for licensing the use of the wireless spectrum (radiated wave frequency bandwidth). However, most computer and Internet-related wireless access (which primarily uses 802.11) takes place in a few relatively small slices of the spectrum set aside by regulating bodies for unlicensed, free-to-all access, as opposed to cellular and satellite communications, which occur in highly regulated segments of the spectrum (refer to figure 1). This can lead to potential interference between two or more devices when they try to use the same slice of the spectrum without awareness of each other. For example, early 802.11 devices frequently lost connectivity if used too close to microwave ovens, and cordless phones can still cause network connections to drop for home users.

About Mobile Devices

Mobile devices include equipment such as laptops, smartphones and personal digital assistants (PDAs), aircards, cellular handsets, pagers, and other specialty electronic devices that can be used to transmit and receive data wirelessly such as SatPhones and walkie-talkies. These devices use a variety of operating systems - from full-blown Microsoft, Apple, and Linux installations, to scaled-down versions of the same systems (e.g. Windows Mobile 6 and the iPhone OS X 1.0) or customized vendor-specific versions (e.g. PalmOS, Blackberry, and Symbian). This dizzying array of devices and platforms and their various permutations is one of the reasons why security for mobile devices is such a difficult task.

This diversity also increases complexity, since each technology combination requires its own unique set of solutions. For example, a user could use Bluetooth or IrDA to connect a laptop to their smartphone, an arrangement typically known as a personal area network (PAN), in order to:

*Obtain a network connection using dial-up to connect directly to a corporate analog modem.

*Use "always-on" cellular transmission technology, also known as high-speed downlink packet access (HSDPA), to gain Internet access to their company e-mail server.

*Use an existing 802.11 "hotspot" connection to participate in a Voice over Internet Protocol (VOIP) based conference call with co-workers.

Each of these activities has a different set of risks and security solutions, and they all traverse a variety of network types with different security risk levels, even though each can appear to be the same to a casual observer. As a result, the more variation in devices and operating systems used in an organization, the more variety in configuration and application use there is and the higher the risk faced by the organization.

Remote Access Security vs. Wireless Access

Many people frequently confuse the term remote access with wireless access. The term wireless access refers to when a user connects a device (e.g., a laptop, PDA, or desktop) to a local network access point (e.g., in an airport lounge) without the need to physically “plug in” to the network. The user could then perform remote access activities, such as logging into their corporate customer service application to update a customer sales record. In this example, the user is obviously not locally connected to the corporate network, and hence the term remote access.

Wireless connectivity also is used for connections between local area networks, as in the case of two corporate buildings in the same city that are linked by microwave dishes or via satellite between cities or continents. Because wireless communication is a broadcast medium, anyone within range of the transmitting device can access the data transmission stream. As a result, organizations can face a number of common risks for various connectivity methods and application activities as well as unique risks for each use. Potential risks include legal, regulatory, compliance, reputational, intellectual property, competitive, and operational concerns. Some common risks include:

*Eavesdropping (i.e., the unauthorized interception and viewing of communications, also commonly called intercepting, sniffing, tapping, and snarfing).

*Impersonating (i.e., assuming the identity or copying the account and characteristics of an authorized user or device, also commonly called spoofing, cloning, and hijacking).

*Rogue or spoofed access points (i.e., the deployment of network connection devices intended to fool legitimate users into using the device for access to view and control traffic or to gain unauthorized access to a network).

*Cracking (i.e., the unauthorized access and use of a network or control of a device typically for malicious purposes, sometimes called jacking or hacking).

*Denial-of-Service or DoS (i.e., the prevention of access by authorized users to a network resource, typically resulting from overwhelming or consuming all available device capacity).

A little Internet research on each technology or device will easily turn up voluminous lists of weaknesses, mitigating controls, and audit considerations. One of the most significant remote access risks is the visibility of data as it traverses various networks. For example, the common 802.11 encryption schemes - WEP, WPA and WPA2 - protect the link between a user and the wireless access point, but not across subsequent network segments on the Internet between the WAP and the ultimate endpoint of the connection. For this, users need to use additional security measures such as a virtual private network (VPN) which is capable of providing end-to-end encryption of a communication session.

Audit recommendations

There are a number of resources on the Internet, such as ISACA, the U.S. National Institute of Standards and Technology (NIST), and AuditNet.org among others, that provide guidance and audit work programs relevant to current wireless technologies for free, either to their members or to the public. Because of the complexity and diversity of today's wireless environment, no one source will have a toolset entirely relevant to a specific environment. Therefore, all risk assessment templates, automated tools and scripts, work programs, and related audit tools need to be thoroughly vetted against the organization's IT environment to make sure they are current, comprehensive, and relevant. Questions to ask during the vetting process include: “How well does the template or tool mirror corporate policy and requirements?”, “What environment-specific elements need to be added to fully address our specific risk profile?”, and “Are the recommendations/requirements proposed by the guidance realistic for our company?” It may be necessary to coordinate closely with both technology and business unit management to understand the concerns and capabilities of the company, as well as to ensure a thorough understanding of how the various interdependencies of remote and/or wireless access technology support business functions.

Best practices common to all access methodologies and uses, which are also items to include in any wireless audit work program, include the following:

1.Ensuring there are well-documented, clearly communicated, up-to-date policies and procedures to help mobile users and support staff understand corporate expectations and requirements.

2.Ensuring the latest software patches and updates are applied to mobile devices, preferably automatically, and that default vendor settings have been modified, as guided by corporate policy which should be an element of, or closely related to, a comprehensive Software Development Lifecycle (SDLC) process.

3.Making sure antivirus, anti-spyware, and personal firewalls are used on all mobile devices.

4.Managing all mobile devices from a centralized, enterprise-wide console.

5.Prohibiting and monitoring for unauthorized access points and connections.

6.Using policy management tools to ensure compliance of mobile devices with corporate policies.

7.Encrypting and authenticating all connections, both users to access points and access points to users.

8.Encrypting communication sessions via a VPN or secure sockets layer (SSL) to protect data in transit.

9.Using full media encryption (i.e., hard disks, secure digital or SD cards, universal serial bus or USB drives, etc.) or encrypting file systems to protect data at rest.

10.Hardening operating systems and access points based on industry-recognized standards, such as those published by NIST, industry organizations, or in vendor-specific recommendations.

11.Terminating all inbound wireless and remote access connections in a restricted, secured subnet, aka demilitarized zone (DMZ) for additional inspection and monitoring.

12.Considering the purchase and distribution of mobile devices to employees to minimize diverse support requirements and retain ownership and control, similar to laptops and desktops.
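
The following added example (not part of the original article) shows one way an auditor could test items 5 and 7 above against site-survey data. The SSIDs, BSSIDs, inventory and the WPA2-only policy are assumptions constructed for illustration.

```python
# Added example: compare a wireless site survey with the authorized AP inventory.
# Every SSID, BSSID and policy value here is constructed for illustration.

ACCEPTED_ENCRYPTION = {"WPA2"}  # assumed corporate policy (checklist item 7)

AUTHORIZED_APS = {  # assumed inventory: BSSID -> SSID it should broadcast
    "00:11:22:33:44:01": "CorpNet",
    "00:11:22:33:44:02": "CorpNet",
}

# Constructed survey rows: (ssid, bssid, encryption) as a survey tool might export.
SURVEY = [
    ("CorpNet", "00:11:22:33:44:01", "WPA2"),     # compliant
    ("CorpNet", "00:11:22:33:44:02", "wep"),      # authorized radio, weak setting
    ("CorpNet", "66:77:88:99:AA:01", "OPEN"),     # corporate SSID, unknown radio
    ("CoffeeShop", "66:77:88:99:AA:02", "OPEN"),  # neighbouring network, out of scope
]


def audit_survey(survey, authorized, accepted):
    """Return (bssid, finding) pairs for checklist items 5 and 7."""
    inventory = {b.lower(): s for b, s in authorized.items()}
    corporate_ssids = set(inventory.values())
    findings = []
    for ssid, bssid, encryption in survey:
        bssid, encryption = bssid.lower(), encryption.upper()
        if bssid in inventory:
            if inventory[bssid] != ssid:
                findings.append((bssid, "SSID_MISMATCH"))
            if encryption not in accepted:
                findings.append((bssid, "WEAK_ENCRYPTION"))
        elif ssid in corporate_ssids:
            # Corporate name from a radio not in inventory: rogue or spoofed AP.
            findings.append((bssid, "UNAUTHORIZED_AP"))
    return findings


if __name__ == "__main__":
    for bssid, finding in audit_survey(SURVEY, AUTHORIZED_APS, ACCEPTED_ENCRYPTION):
        print(f"{finding:16} {bssid}")
```

A matching BSSID is not proof of legitimacy, since hardware addresses can be cloned, and an unauthorized access point that broadcasts a non-corporate SSID needs a wired-side check that this survey comparison does not perform.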

CONCLUSION

When an auditor begins to identify the scope of the remote and wireless access universe prior to developing an audit plan, the proliferation and diversity of devices and solutions may be surprising. It is important to understand the underlying technologies being used and the business needs they meet in order to assess the inherent risks, effectively evaluate the controls in place, and develop appropriate recommendations for improvement. When the variety becomes too large to manage in a single audit, the best approach is to break the work down into a number of smaller audits and ensure that enough time is available for each specific audit to fully understand the environment before moving on to the next audit. And given the rapid pace of change and adoption in the wireless world, it is important to stay abreast of the current technologies in use and research new and emerging issues on a continuous basis.

ADDITIONAL RESOURCES

*For a sample wireless use policy, visit the Computer Technology Documentation Project Web site.

*For articles about the growing use of mobile and wireless technology, read CNN's "Wireless Technology Changing Work and Play" and Digital Healthcare's "Use of Mobile and Wireless Technology Jumps in Hospitals."

Nelson Gibbs is a Senior Manager with Deloitte & Touche Overseas Services LLC on assignment in Hyderabad, India.
