Rogue Access Not Only CIO Security Headache
BY J. SHARPE SMITH

Security threats in the wireless space are so plentiful it is no wonder that some companies throw up their hands and cut back on wireless access to their mobile computers. When we think of security risks, we usually think of someone stealing credit card information, but there is so much more to be wary of in today’s enterprise in terms of threats, including rogue wireless access to company networks, denial of service attacks on web sites and the introduction of crippling viruses into the wireless space.

But it doesn’t have to be that way. Companies today are finding plenty of ways of strengthening their security with a growing array of defenses to protect both customer data and company data. For today’s telecom director or IT manager, if sensitive information is being transmitted or can be accessed over the air, security is just as important as connectivity.

Many corporate executives, however, are not aware of the risk and consequences of unsecured wireless, according to Kevin Beaver, an independent information security advisor with Principle Logic, LLC. Working with today’s enterprises, Beaver sees many people overlooking the task of testing for wireless security vulnerabilities during standard security assessments and audits.

In fact, according to research done by J. Gold Associates, fewer than 10 percent of companies deploy mobile security software suites. In its White Paper, “10 Steps to Mobile Security,” J. Gold suggests several actions that are key to mobile security. These 10 Steps to Mobile Security include:

• End users
– Set policies, document, and get user buy-in
– Enforce policies on mobile devices for all users
• Devices
– Make sure password protection is always set to “ON”
– Include updated personal anti-virus (AV) and firewall on devices
– Encrypt sensitive files on all devices
– Enable device lockdown and kill
• Infrastructure
– Determine what file types can be downloaded/synced by which users, when, how and to which devices
– Log device usage for compliance where appropriate
– Enforce connection security/virtual private network (VPN) standards
• Organization
– Review and update policies regularly, as things change often
VOL. 3, ISSUE 2, 2007 EWM 18
Over the Air Encryption Too Often Overlooked

Beaver sees several “security fronts” or points of vulnerability. The first one is people who carelessly use wireless networks at work, at home and when traveling. He finds many major corporations with laptops, PDAs and other mobile devices that have no security protection such as device-specific firewalls, power-on passwords or VPNs.

Even 802.11 communications with Wired Equivalent Privacy (WEP) or the Wi-Fi Alliance specification, Wi-Fi Protected Access (WPA), are vulnerable, according to Beaver. “These encryption keys can be hacked using a number of free tools such as Aircrack,” he says, “which can lead to the capture of confidential information, denial of service attacks, and more.”

Mobile VPNs

One security measure is to make a wireless laptop’s transmissions more secure through the use of a virtual private network. While most VPNs are created for the wired networks, it is critical for a wireless user to use a mobile VPN, which is designed particularly for wireless networks. A mobile VPN allows for data encryption, encapsulation and authentication for each individual mobile user.

“There is increased market demand for security in mobile VPNs. Users are expressing the need for security in their data transmissions,” says David Torres, director of business development, Radio IP Software, Inc., which offers mobile VPN as a feature of its Radio IP MTG software suite. (Photo: David Torres, Radio IP Software)

“Government agencies, utilities and others are becoming more careful about transmitting sensitive information over the air.” The problem, according to Torres, is that most VPN solutions are created for the wired networks. To protect a wireless laptop, a Mobile VPN must be deployed that includes data encryption, authentication and data encapsulation.

Authentication of the mobile user can be achieved through the use of a user/password, biometrics, such as a fingerprint, and the use of a token key or smartcard, which is inserted into the computer’s USB port. It creates an additional layer to confirm the user.

(Photo: Authentication of the mobile user can be achieved through the use of biometrics, such as a fingerprint.)

“Authentication tokens are an essential component in PC and data security solutions for they provide strong user authentication, ensuring that individuals accessing data are who they claim to be,” according to a White Paper by Aladdin, makers of eToken authentication and password management. “Furthermore, certain kinds of authentication tokens – such as USB smart-card-based tokens – can provide significant extended support for strong PC and data security by offering secure generation and storage of encryption keys.”

Not only must the user be authenticated, but the wireless laptop must be guaranteed that it too is the correct mobile device for accessing the corporate network. To do this, the corporate server gateway has a certificate and the laptop receives a certificate. Together they can mutually authenticate. “Certificate authentication further validates your devices and protects your system from intrusions,” says Torres.

User authentication attempts can only be made if Radio IP MTG has validated the device and opened an encrypted tunnel. This process protects the username, domain and password information from being intercepted. The data is then compressed and encrypted to protect it from interception.
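The mutual certificate check between gateway and laptop that Torres describes, worked through as an added Go example written for this page; it is not Radio IP MTG code, and the CA name, the device names and the in-memory connection are assumptions of the example. The gateway opens the tunnel only to a device presenting a certificate issued by the corporate CA; a laptop without one is turned away at the handshake, before any username or password could be sent, which is the ordering the article describes.

```go
package main

// Added example, not Radio IP's code: mutual certificate authentication between
// a corporate VPN gateway and a mobile laptop with Go's standard TLS stack.
// The CA, the device names and the in-memory connection are constructed.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueCert returns a certificate for name signed by parent, or a self-signed CA
// certificate when parent is nil. A failing key generation is fatal for the demo.
func issueCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	if parent == nil { // the corporate CA signs itself
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// tlsConfig trusts only the corporate CA for the peer's certificate and, on the
// gateway side, demands a CA-issued device certificate before the tunnel opens.
// own is nil for a laptop that has no device certificate.
func tlsConfig(ca, own *x509.Certificate, ownKey *ecdsa.PrivateKey) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	cfg := &tls.Config{RootCAs: pool, ServerName: "vpn-gateway", ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert}
	if own != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{own.Raw}, PrivateKey: ownKey}}
	}
	return cfg
}

// serveOne speaks only after the handshake has verified the device certificate;
// an unknown device gets a TLS alert and no tunnel.
func serveOne(c *tls.Conn) {
	defer c.Close()
	if err := c.Handshake(); err != nil {
		return
	}
	device := c.ConnectionState().PeerCertificates[0].Subject.CommonName
	fmt.Fprintf(c, "tunnel open for device %s; user login may proceed", device)
}

// attempt runs one gateway/laptop exchange over an in-memory connection and
// returns the gateway's greeting, or the error the laptop sees instead.
func attempt(gateway, laptop *tls.Config) (string, error) {
	gwEnd, lapEnd := net.Pipe()
	go serveOne(tls.Server(gwEnd, gateway))
	c := tls.Client(lapEnd, laptop)
	defer c.Close()
	c.SetDeadline(time.Now().Add(5 * time.Second))
	buf := make([]byte, 128)
	n, err := c.Read(buf)
	return string(buf[:n]), err
}

// runDemo issues the certificates, then connects once with the device
// certificate (accepted) and once without it (rejected is non-nil).
func runDemo() (accepted string, rejected error) {
	ca, caKey := issueCert("corp-vpn-ca", nil, nil)
	gw, gwKey := issueCert("vpn-gateway", ca, caKey)
	dev, devKey := issueCert("laptop-0042", ca, caKey)
	gateway := tlsConfig(ca, gw, gwKey)
	accepted, err := attempt(gateway, tlsConfig(ca, dev, devKey))
	if err != nil {
		panic(err)
	}
	_, rejected = attempt(gateway, tlsConfig(ca, nil, nil))
	return accepted, rejected
}

func main() {
	fmt.Println(runDemo())
}
```

Go's crypto/tls does the chain checking: ClientAuth set to RequireAndVerifyClientCert makes the gateway reject the second connection during the handshake, and the laptop verifies the gateway's certificate against the same CA, so both sides are authenticated before any application data flows.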
Today’s encryption has been enhanced, making it increasingly difficult to break. There are several levels of encryption possible, from the 56-bit Data Encryption Standard (DES), which many feel is too easy to hack, to the Advanced Encryption Standard, which comes in 128, 192, and 256-bit key sizes. “To ensure your data is transmitted securely with high-level encryption,” says Torres, “your data should be encrypted with either AES (256-bit) or Triple DES (168-bit) methodologies, using FIPS [Federal Information Processing Standard] 140-2 certified technology.”

(Photo: The username, domain and password information in over the air transmissions are targets for interception.)

Mobile VPN Helps Northeastern Utility Secure Communications

Security plays a critical role in the wireless system of EnergyEast, a diversified energy provider that serves 3 million people in the Northeast, which deployed Radio IP’s Mobile VPN early in 2006.

Highly encrypted, secure transmissions to and from mobile devices in the field through the use of a Mobile VPN are essential to protect the customer information, employee confidential information and details concerning the utility’s overall electrical infrastructure, according to Shrikant Nistane, project lead for mobile data at Energy East. In addition to the Mobile VPN, he adds additional passwords to ensure user authentication.

“When there are mobile devices out in the field, there is always the possibility that someone will gain access to the device. We are here to minimize and contain the risk,” says Nistane. “It is a constant battle. At the same time, we have to do everything that is absolutely necessary to serve the customer.”

Rogue Access to IT Systems Can Cause Security Breaches

More than just over-the-air security was needed at EnergyEast. The utility also required a way to guard against denial of service (DOS) attacks in the form of rogue access to its data system. With the increasing acceptance of wireless LAN technology comes ample possibility for leakage of corporate information or the introduction of malware, malicious software designed to damage a computer system. As a result, analysts suggest that more than half of the security breaches come from within the walls of company headquarters through rogue wireless access to the network.

“Guarding against denial of service attacks plays a big role in our security plan,” says EnergyEast’s Nistane. “It’s our most stringent criteria in combating wireless security issues.” The utility is using Radio IP’s Access Defender, which scrutinizes and quarantines all incoming communication attempts, allowing the LAN to give access to the mobiles rather than the mobiles initiating the access to the LAN.

Access Defender is an example of central management software that protects the host network from outside attacks such as the DOS attacks and buffer overrun attacks. Rogue access must be detected and shut down before sensitive information is lost or an attack on the network ensues.

Vulnerable access points can occur for many reasons: a wireless system set up by an employee, a misconfigured access point or one that is running default configurations. Additionally, a breach can be as malicious as a hacker setting up an access point or it can be as innocent as a neighboring WLAN accessing the strongest signal through a poorly configured access point. And there’s more. A hacker can also gain access
using hybrid network bridging through WiFi, Bluetooth, modems or infrared links to a PC while it is connected to the wired corporate LAN.

The key to network management is visibility of port access, knowing who is connecting what devices to every single endpoint in the network –– from USB to WiFi and Bluetooth –– enterprise-wide, according to Hay Hazama, VP of research and development for Safend, which produces endpoint security solutions.

“While most organizations adequately protect Internet connections via TCP/IP ports with firewalls, endpoints are often overlooked,” says Hazama. “Given that there are 26,000 different USB products available today and WiFi use is on the rise, the problem of securing company laptops and PCs from data theft, data leakage and malicious attacks continues to challenge IT administrators.”

“The answer for IT managers deploying Wireless LANs is to effectively detect and block wireless access points and client stations automatically and in real-time,” according to a White Paper by AdventNet, provider of network management solutions for enterprises.

According to AdventNet, rogue activity can be detected by regularly doing the rounds of the facility with a mobile device using software such as AirSnort or NetStumbler that sniffs the air for wireless activity. These solutions are well known for being able to detect unrecognized access points, but they are irregular in their approach to security. Full time RF sensors such as products by AirMagnet and AirDefense can be installed to continuously monitor all Wi-Fi traffic to detect, disable and document rogue access.

In what is known as a background probe, Wavelink Rogue AP Detection and Identification Software can enable the mobile devices in the company to scan the airwaves for rogues during idle time. Additionally, the AP detection can actually be integrated into the access points, such as the ORiNOCO made by Proxim Corp.

Wavelink Mobile Manager and Airwave Management Platform (AMP) both depend on wired side inputs for AP detection and both support sensors from AirMagnet. Mobile Manager detects rogue APs by comparing data from the APs and wireless laptops reporting on the wireless side of a network with what Mobile Manager detects on the wired side.

Safend’s hybrid network bridging prevention feature is designed to block access to WiFi, Bluetooth, modems or infrared links while a laptop is connected to the wired corporate LAN. “Concerning Wifi, most manufacturers have concentrated on the infrastructure, providing more secure protocols, higher encryption, authentication and remaining compatible with 802.11,” says Safend’s Hazama. “But the problem is that the laptop can log on to a rogue access point and believe it is on the correct network and expose its data to unauthorized personnel.”

Encrypting the Hard Drive Covers Another Vulnerability

But what about the data after it is stored on the computer? The security threats caused by stolen laptop computers have been well documented. University of California, Berkeley had a laptop stolen that contained personal information on more than 98,000 of the school's graduate students. In the last year, wireless laptops containing hundreds of thousands of personnel records have been stolen from U.S. Department of Veterans Affairs staff, ING's U.S. Financial Services office in Washington, D.C., Deloitte Accountants, Electronic Data Systems, Equifax, the credit-bureau company, Mercantile Potomac Bank, General Electric, Aetna, Hewlett-Packard and Fidelity Investments.

Analyst Kevin Beaver notes, “Hard drive encryption is an especially big issue. When a hard drive is not encrypted, practically anyone can use legitimate security tools such as Ophcrack's LiveCD or Elcomsoft System Recovery to maliciously break into a system within minutes of obtaining it by stealing it or finding it.” (Photo: Kevin Beaver, Principle Logic, LLC)
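The detection approach described above for Mobile Manager and AirWave, correlating what sensors and laptops hear over the air with what the wired side knows, as an added Go example written for this page (not Wavelink's, AirWave's or AdventNet's code). It goes a step further than the article's description and covers the access point categories listed earlier: an employee-installed AP found by its wired presence, a misconfigured authorized AP, an unknown AP advertising the corporate SSID, and a neighboring WLAN that is only noise. The inventory, the switch-port MAC list, the scan results and the BSSID-to-wired-MAC offset heuristic are all assumptions of the example.

```go
package main

// Added example, not Wavelink's, AirWave's or AdventNet's code: correlating
// over-the-air access point sightings with what the wired side knows, to sort
// each BSSID into authorized, misconfigured, rogue or neighbor. All inventory,
// switch-port and scan data below is constructed.

import (
	"bytes"
	"fmt"
	"net"
	"strings"
)

// Observation is one AP sighting from an RF sensor or a laptop's background probe.
type Observation struct {
	BSSID, SSID, Security, ReportedBy string
}

// AuthorizedAP is what the wired-side management system provisioned for a BSSID.
type AuthorizedAP struct {
	SSID, Security string
}

// Finding is the verdict for one BSSID.
type Finding struct {
	BSSID, Verdict, Reason string
}

// sameHardware relates an AP's radio BSSID to its wired MAC: same first five
// octets, last octet within a small offset. This heuristic is an assumption of
// the example, not something the article states.
func sameHardware(a, b string) bool {
	ma, errA := net.ParseMAC(a)
	mb, errB := net.ParseMAC(b)
	if errA != nil || errB != nil || len(ma) != 6 || len(mb) != 6 || !bytes.Equal(ma[:5], mb[:5]) {
		return false
	}
	d := int(ma[5]) - int(mb[5])
	return d >= -8 && d <= 8
}

// classify compares the air with the wire. inventory maps provisioned BSSIDs to
// their expected SSID and security; wiredMACs are MACs seen on switch ports.
func classify(inventory map[string]AuthorizedAP, wiredMACs []string, seen []Observation) []Finding {
	corpSSIDs := map[string]bool{}
	for _, ap := range inventory {
		corpSSIDs[ap.SSID] = true
	}
	onWire := func(bssid string) bool {
		for _, m := range wiredMACs {
			if sameHardware(bssid, m) {
				return true
			}
		}
		return false
	}
	var out []Finding
	done := map[string]bool{}
	for _, o := range seen {
		bssid := strings.ToLower(o.BSSID)
		if done[bssid] {
			continue // the same AP reported by several sensors
		}
		done[bssid] = true
		ap, known := inventory[bssid]
		var f Finding
		switch {
		case known && ap.SSID == o.SSID && ap.Security == o.Security:
			f = Finding{bssid, "authorized", "matches wired-side inventory"}
		case known:
			f = Finding{bssid, "misconfigured", fmt.Sprintf("provisioned %s/%s but advertising %s/%s", ap.SSID, ap.Security, o.SSID, o.Security)}
		case corpSSIDs[o.SSID]:
			f = Finding{bssid, "rogue", "unknown AP advertising corporate SSID " + o.SSID + " (seen by " + o.ReportedBy + ")"}
		case onWire(bssid):
			f = Finding{bssid, "rogue", "unknown AP whose hardware is plugged into the corporate LAN, SSID " + o.SSID}
		default:
			f = Finding{bssid, "neighbor", "not on our wire, SSID " + o.SSID}
		}
		out = append(out, f)
	}
	return out
}

// verdicts flattens findings into BSSID -> verdict for checking.
func verdicts(fs []Finding) map[string]string {
	m := map[string]string{}
	for _, f := range fs {
		m[f.BSSID] = f.Verdict
	}
	return m
}

// Constructed sample data: three provisioned APs, the MACs a switch reported,
// and one scan pass collected from two sensors and one laptop.
var (
	sampleInventory = map[string]AuthorizedAP{
		"00:1a:1e:10:00:01": {"CORP-WLAN", "WPA2"},
		"00:1a:1e:10:00:02": {"CORP-WLAN", "WPA2"},
		"00:1a:1e:10:00:03": {"CORP-GUEST", "WPA2"},
	}
	sampleWiredMACs = []string{"00:1a:1e:10:00:01", "00:1a:1e:10:00:02", "00:1a:1e:10:00:03", "00:11:22:33:44:55"}
	sampleScan      = []Observation{
		{"00:1a:1e:10:00:01", "CORP-WLAN", "WPA2", "sensor-3F"},
		{"00:1a:1e:10:00:01", "CORP-WLAN", "WPA2", "laptop-0042"},
		{"00:1a:1e:10:00:02", "CORP-WLAN", "WEP", "sensor-3F"},
		{"00:1a:1e:10:00:03", "CORP-GUEST", "WPA2", "sensor-2F"},
		{"00:0c:29:aa:bb:01", "CORP-WLAN", "WPA2", "laptop-0042"},
		{"00:11:22:33:44:56", "linksys", "OPEN", "sensor-2F"},
		{"00:90:4c:de:ad:01", "NextDoorCafe", "WPA2", "sensor-2F"},
	}
)

func main() {
	for _, f := range classify(sampleInventory, sampleWiredMACs, sampleScan) {
		fmt.Printf("%-18s %-13s %s\n", f.BSSID, f.Verdict, f.Reason)
	}
}
```

Two of the rogue verdicts come from different evidence: the CORP-WLAN twin is caught purely over the air because no provisioned AP owns that BSSID, while the open "linksys" AP is caught only because its hardware shows up on a switch port, which is the wired-side input the article says Mobile Manager and AMP depend on.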
Securing data on laptops is a new area of focus for today’s corporations, brought about by these well-publicized security problems and new regulations that have also pointed a spotlight on security on the laptop, according to Shari Freeman, director of product management for Sybase iAnywhere.

“For a long time, companies have been focused on over the air security, how wireless laptops get authenticated and how they connect with the corporate network with VPN technology,” Freeman says. “The increase in security breaches has raised companies’ awareness of the security issues surrounding laptops.”

In one example, in response to the theft of an unencrypted laptop computer containing the personal information of 26.5 million people, the U.S. Department of Veterans Affairs moved to encrypt all computers across the entire VA system, more than 300,000 laptops, desktops, smart phones and PDAs. Using the GuardianEdge Data Protection Platform and Trust Digital Security's Mobile Device Solution, the V.A. targeted laptops first for data security programs and then followed with desktop PCs and portable media like flash drives and compact discs.

Another option to protect the laptop hard drive is Sybase iAnywhere’s Afaria product, which is designed to manage applications and data and provide security on wireless devices. To protect the data in case the computer is stolen, the Afaria 5.5 Security Manager component uses an AES cryptographic module (currently undergoing FIPS 140-2 certification) to encrypt the hard drive, together with a pre-boot authentication password.

“We see an increasing amount of interest in managing and securing mobile devices from companies with a lot of field workers, such as utilities and telecom providers, and companies with large sales forces, such as pharmaceutical companies and financial services,” Freeman says.

No single solution will protect against all of the threats. As a matter of course, Sybase iAnywhere has partnered with Radio IP to combine hard drive encryption and mobile VPN, which are compatible and complementary technologies. “We frequently see installations where an organization can utilize a Radio IP Mobile VPN, and use iAnywhere's Afaria as another layer of security,” says Radio IP’s Torres.

Disaster Recovery, Business Continuity and Data Security

One way to reduce the risk involved in losing a wireless laptop is to ensure that no company files reside on the hard drive; therefore, no possibility exists of having a laptop full of critical information fall into the wrong hands. Technology now exists that allows an employee to access the network remotely without being able to download information. For example, Citrus and Chemical Bank, a community bank in Central Florida with $850 million in assets, was looking for a device to support business continuity in the event of a disaster such as a hurricane but found a new way to keep its corporate data safe.

“We wanted a secure method for our employees to be able to work from home if they were unable to come to work due to some disaster,” says Render Swygert, executive vice president of information systems and technology, Citrus and Chemical Bank. “We have a staff that supports the bank 24/7/365. We are always on call wherever we are.”

The MobiKEY from Route1 is a cryptographic USB token device that uses two-factor authentication to enable secure remote access. (Photo courtesy Route1)
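The hard-drive encryption with a pre-boot password described above, reduced to its cryptographic shape as an added Go example written for this page; it is not Afaria's, GuardianEdge's or any vendor's code. It uses AES-256, the key size Torres recommends, with the key derived from the pre-boot passphrase by PBKDF2-HMAC-SHA256 and the data sealed with AES-GCM so that a wrong passphrase fails authentication outright instead of yielding garbage. The file contents, passphrases, salt size and iteration count are constructed for the demonstration.

```go
package main

// Added example, not Afaria's, GuardianEdge's or any vendor's code: an
// encrypted volume protected by a pre-boot passphrase. File contents,
// passphrases, salt size and iteration count are constructed for the demo.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

const kdfIterations = 100000 // slows down guessing of the pre-boot passphrase

// deriveKey is PBKDF2 (RFC 8018) with HMAC-SHA256 for a single 32-byte block,
// which is exactly one AES-256 key; written out so nothing beyond the standard library is needed.
func deriveKey(passphrase string, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, []byte(passphrase))
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := prf.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}

// deriveKeyHex exposes deriveKey for checking against published test vectors.
func deriveKeyHex(passphrase, salt string, iterations int) string {
	return hex.EncodeToString(deriveKey(passphrase, []byte(salt), iterations))
}

// Volume is what stays on the laptop: salt and nonce are public, the passphrase
// is never stored, and the ciphertext carries the GCM authentication tag.
type Volume struct {
	Salt, Nonce, Ciphertext []byte
}

// aeadFor turns a passphrase and salt into an AES-256-GCM instance.
func aeadFor(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(passphrase, salt, kdfIterations)) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealVolume encrypts plaintext under a fresh random salt and nonce.
func sealVolume(passphrase string, plaintext []byte) (Volume, error) {
	r := make([]byte, 28) // 16-byte salt followed by a 12-byte GCM nonce
	if _, err := rand.Read(r); err != nil {
		return Volume{}, err
	}
	salt, nonce := r[:16], r[16:]
	aead, err := aeadFor(passphrase, salt)
	if err != nil {
		return Volume{}, err
	}
	return Volume{salt, nonce, aead.Seal(nil, nonce, plaintext, nil)}, nil
}

// openVolume is the pre-boot check: a wrong passphrase derives a different key,
// the GCM tag does not verify, and no plaintext is released.
func openVolume(passphrase string, v Volume) ([]byte, error) {
	aead, err := aeadFor(passphrase, v.Salt)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, v.Nonce, v.Ciphertext, nil)
}

// roundTrip seals a file, then tries the right and a wrong passphrase; recovered
// is the plaintext from the right one, wrongErr the rejection of the wrong one.
func roundTrip(file, right, wrong string) (recovered string, wrongErr error, err error) {
	v, err := sealVolume(right, []byte(file))
	if err != nil {
		return "", nil, err
	}
	pt, err := openVolume(right, v)
	if err != nil {
		return "", nil, err
	}
	_, wrongErr = openVolume(wrong, v)
	return string(pt), wrongErr, nil
}

func main() {
	recovered, wrongErr, err := roundTrip("customer ledger 2007", "correct horse battery", "Password1")
	fmt.Println(recovered, wrongErr, err)
}
```

The salt makes a precomputed table of passphrase guesses useless across machines, the iteration count makes each guess cost 100,000 HMAC evaluations, and authenticated encryption means a thief who edits the ciphertext or tries a wrong passphrase gets an error rather than silently corrupted data.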
What the financial institution found was the Route1 MobiKEY, a cryptographic USB token device that uses two-factor authentication to enable secure remote access. The device operates on a communications platform called MobiNET, which authenticates the user, certifies the device and encrypts the transmission, while ensuring no residual data files are left behind on the remote computer. Swygert purchased the MobiKEYs and the administration portal to manage the devices, reporting on who is accessing the computer network and when the connections are made. IT staff, commercial loan officers, executive management team, risk management team and finance all received the devices.

“I like the fact that once the MobiKEY is unplugged from the computer no residual files are left on the unit,” says Swygert. “It is an excellent solution to the problem of people getting their computers stolen.”

The laptop computer is used as a slave to the host computer. Since no data resides on the unit and the user manipulates software on the host computer, Swygert has decided that in the future employees will only need a thin client, or dummy laptop, running Windows® OS and with internet connectivity.

Wireless security is a must for today’s Fortune 500 company. Personal information of employees, as well as the social security numbers, credit card numbers, and other personal information of its customers, must be safe and secure. To do this, enterprises should take concrete steps to protect data, using a variety of techniques in areas of exposure. Starting with securing every mobile device, all methods of access to the corporate network need to be evaluated, approved and managed. Every data transmission should be monitored and verified to ensure against a security breach. Employees must be educated on security procedures and policies to protect corporate data.