The increasing deployment of wireless networks and wireless devices has given rise to security concerns on a number of levels. For wireless networks, the first question is how secure the technology itself is. The second is how it affects the security of the company's IT infrastructure. And, lastly, how should mobile devices making use of public access hot spots be secured?
Patrick Evans, regional manager, Symantec Africa, says there are three areas of concern when it comes to mobile devices: open operating systems utilized on many mobile devices; the mass distribution of mobile devices; and the fact that many users leave devices connected to the Internet at all times. Add to that the fact that many users merely press the 'next' key when installing software, automatically enabling NetBIOS in MS Windows, for example, and the fact that many companies run wireless networks without even basic security enabled, and you have a huge potential problem.
"Malicious code aimed at mobile devices is expected to increase in number and severity, as these devices become more sophisticated in the number and types of applications they offer, and as the number of groups investigating mobile vulnerabilities increases," says Evans. "At the end of the last Symantec Internet Security Threat Report reporting period (June to December 2004), there were 21 known samples of malicious code for mobile applications, up from one -- the Cabir worm -- in June 2004. Among the new threats were the Duts virus, the first threat to Windows CE; and the Mos Trojan, which was discovered in a Symbian game. " Further, the number of devices in use within the market is increasing exponentially, and as usage grows and moves beyond voice services to include peer-to-peer messaging and file transfer, the industry can expect to see a concurrent increase in the number of threats. This is particularly concerning when one considers the personal nature of information, such as contact databases, stored on these devices. "What is not generally realized," he adds, "is that mobile devices face similar threats as their PC counterparts including information theft, denial of service (DOS) attacks, malicious code fraud, unsuitable content and spam. In addition, they are susceptible to threats which do not apply to hard-wired devices, such as Blue-snarfing.
Additionally, there are a variety of techniques currently being utilized to access and hack into wireless networks and exploit mobile devices -- particularly those with Bluetooth capabilities."
Target the user
People are the weak link in any security chain, and user education has to become a priority for any company that has users who have wireless devices, irrespective of whether or not the company network has wireless access points. Says Intel business development manager for South and sub-Saharan Africa, Danie Steyn: "IT departments need to educate users in terms of the risks they are taking if they connect in an environment where they are not secure -- a public access hotspot for example. Users should know not to disable the personal firewall, however irritating it might be. Firewalls are as important as antivirus products in the wireless world.
"It is vital that a culture change and education process takes place with corporate users to educate them on the risks, to themselves and the company, of not adhering to security policies and procedures," he emphasizes.
It is equally vital that both network and device be correctly configured. "The reality is that with the basic set of security features, typically involving the setting up of WEP 128 and preventing SSID broadcasting, your network is not safe. Such basic security mechanisms can be compromised with the use of sniffing software," says Grant Eksteen, product manager for LAN and hosted services at T-Systems SA.
"There are now ways of ensuring the security of the network though, and this can include leveraging the benefits of the new 802.11i wireless LAN security standard. In the case of small wireless LAN implementations, MAC address authentication with WEP should be utilized as a minimum, to prevent unauthorized access to the LAN. In large organizations, campuses and corporate networks, it is necessary to implement a secure wireless network, which can be accomplished with the use of the 802.11i standard. 802.11i makes use of 802.1x port-based security, Temporal Key Integrity Protocol (TKIP) or Wireless protected access version 2 (WPA2) and must be configured for encryption, as well as some type of Extensible Authentication Protocol (EAP) enabling mutual authentication between the network and the wireless client." Management is yet another crucial consideration. Adds Eksteen: "Implementing a management solution allows for rogue access point detection -- rogue access points are generally access points set up and attached to the corporate network without the knowledge of IT personal, and which result in the network being vulnerable to attack." Billy Schmidt, manager of connectivity at arivia.kom, concurs: "You need to ensure that you implement a manageable system, so that you can manage access to that system and control it. For example, if a user wants to dial in, you can manage the time the user wants to sign in for, and break the link once the time has elapsed. You can also, for example, ensure that guest users accessing the network have limited access through the network to the Internet, or, if guests need to access information inside the network, you can automatically check their machines to ensure that they have at least basic protection, including up to date antivirus protection, in place."
A basic issue
Anyone driving around Johannesburg with a program like Network Stumbler installed on a laptop will know how easy it is to access unsecured networks, and how many of these there are. Getting back to basics, particularly for small companies without IT departments, is critical. Says Eric McGee, information security consultant at Business Connexion's Networks Competency: "IT departments should try and tighten up basic Microsoft software security - things like removing default shares, which can be exploited." Notes BMI-TechKnowledge analyst, Roy Blume: "You have to be a relatively sophisticated user to hack into a network. But if a network is not secured in even basic fashion, it is very easy to log into the network, and hog all the bandwidth, for example." Many companies do not think that their data is important enough for anyone to bother trying to hack into their systems. What many do not realize is that unsecured servers and bandwidth are very valuable to hackers, who use compromised machines to launch attacks on other networks.
"Wireless best practices are very similar to those that should be implemented in the wired environment, and users should be wary of opening unknown files or files downloaded from unknown Web sources. Users should also be aware that they place themselves at risk when installing software that has been downloaded from an unfamiliar Web site," Evans says. "Mobile users can also undertake the following to better protect their wireless devices and confidential information:
-- Use 'strong' passwords. These are passwords which include ten or more alpha-numeric keys.
-- Remove or deactivate unnecessary applications and services, as these can provide avenues of attack. This also limits the number of services that need to be maintained through patch updates.
-- Ensure that Bluetooth visibility is set to 'hidden', to prevent other devices from scanning it."
Symantec's Patrick Evans says Bluetooth devices face the following types of attacks:
Bluesnarfing: Allows settings on standard Bluetooth-enabled devices to be changed, and allows the hacker access to information without the targeted user's knowledge. It can also be used to launch a DOS attack, and allows an attacker to copy data from a device.
Bluebug: A particularly concerning threat, as it enables attackers to turn certain mobile phones into bugging devices, capable of transmitting conversations taking place near the phone being attacked.
Bluesniper rifle: Allows an attacker to access exploitable devices from further than the general 30-foot limit. A recent demonstration of one of these devices indicated that the range of a standard class two Bluetooth radio could be enhanced to encompass one mile.
Bluejack: Refers to the process by which hackers send anonymous messages to a single device, or broadcast a message to all visible devices within range.