The DigiTrust Group: Los Angeles Information Security Consultants

Wireless Assessment Frequently Asked Questions For Executives

A wireless assessment can dramatically improve the security of your organization by exposing security problems anywhere in your wireless network. These vulnerabilities jeopardize more than just the wireless portion of your network: they can lead to a complete compromise of your internal information. We have created the following Frequently Asked Questions to address questions commonly asked by executives.

1. What are some of the risks of having a wireless network?
2. Have there been any recent wireless break-ins that I should know about?
3. Can having wireless worsen the security of our wired networks?
4. My office uses state-of-the-art wireless equipment so I'm secure, right?
5. An employee has brought in his own wireless equipment; is that a security risk?
6. Can a Wireless PC Card (Wireless Broadband/EVDO card) be a security risk?
7. What steps have other companies taken to improve their wireless security?
8. Can I have a wireless network even if my information needs to be protected?

What are some of the risks of having a wireless network?

Wireless networks are based on the same technology as walkie-talkie and ham radio systems – think about the distance that users of these systems can be apart and still communicate with each other. Your wireless network is essentially broadcasting all of your information to anyone who cares to listen. In fact, there is readily available equipment that would allow an attacker to access your corporate wireless network from over five miles away [1]! Organizations must design wireless networks with wireless threats in mind.

Have there been any recent wireless break-ins that I should know about?

TJ Maxx recently suffered the largest customer data breach on record. Following a breach of the company’s wireless network, over 45 million credit card numbers were stolen from its IT systems over an 18-month period. TJ Maxx has reported that the company had to absorb a $118 million charge [2] because of the attack.

Can having wireless worsen the security of our wired networks?

Yes. Before wireless networks, a malicious attacker seeking to get inside of your perimeter would have needed to walk into your office and plug in their computer manually. With wireless technology and insufficient security measures, that same attacker can sit comfortably in a coffee shop several blocks away and enjoy the same level of access.

The most effective way to determine whether or not your level of security has been lowered is through an independent third-party assessment using a proven, time-tested methodology.

My office's expensive new wireless router uses state-of-the-art encryption and authentication so my wireless network is secure, right?

Not so fast! Your IT department may have utilized state-of-the-art encryption and documented best practice to create and configure your wireless network, but these actions aren’t enough as they are focused on server and network level settings. These security measures don’t even begin to address the security risks present on the client side (computers connecting to wireless networks are referred to as clients). Specifically, technology is readily available that attacks client computers and obtains their credentials to your wireless network, invalidating all of the security measures you’ve put in place. A complete wireless security solution accounts for both the server and the client side of the equation.

An employee has brought in his own wireless equipment; is that a security risk?

This is a major pain point experienced by organizations of all sizes, even in organizations where wireless security is tightly controlled. Allowing an employee to bring in a wireless access point and install it at their desk provides a means for a remote intruder to have easier direct access to your corporate network. This is due to the small-office-home-office (SOHO) design and weak security measures of the wireless access points that an employee would purchase. Think about it from a hacker’s perspective: would you find the path of least resistance in attacking a wireless network designed and installed by professionals, or the wireless network set up by a non-technical employee?

All organizations must have a comprehensive strategy and security policy in place in order to deal with the rogue introductions described above.

Can a Wireless PC Card (Wireless Broadband/EVDO card) be a security risk?

Yes. While broadband cards from wireless service providers (such as Sprint or Verizon) can be a tremendous value to organizations in terms of added employee accessibility and productivity, this added value must be measured against the increase in the risk your organization will face.

Specifically, adding a broadband card to a laptop directly exposes the computer to the dangers of an always-on, direct internet connection [3]. If a user is using a broadband card and also connects to the corporate network, it is feasible for a malicious individual to use the combination of the user and the broadband card to enter the corporate network with the intention of stealing or disabling resources.

What steps have other companies taken to improve their wireless security?

Many organizations have finally recognized the risks posed by insufficiently protecting their wireless network. While carefully balancing the amount of security controls against actual threats and other organizational considerations, companies are now investing in enterprise-level wireless security hardware that provides:

  • Strong Encryption
  • Centralized Authentication
  • Advanced Intrusion Detection
  • High Availability

In addition to purchasing best-in-class wireless equipment, every organization can benefit from proper wireless network design, comprehensive configuration and continuous security testing.

Can I have a wireless network even if my information needs to be protected?

With proper preparation and evaluation, yes. If designed by security professionals with industry best practice in mind, wireless networks can enjoy a level of security that is even higher than the security typically found on a wired network.

The most important takeaway as an executive is to ensure that any new wireless products you decide to use have strong security measures integrated and enabled. If you have already deployed a wireless network, consider having it assessed by an independent third party.


References:
[1] http://www.oreillynet.com/pub/a/wireless/2001/05/03/longshot.html
[2] http://www.informationweek.com/management/showArticle.jhtml?articleID=201800259
[3] http://www.infoworld.com/articles/hn/xml/02/01/28/020128hnport.html

 



