18



'Live life wirefree', 'productivity with no strings attached'; those were just some of
the taglines pushing the Wire...
19


the data travels through air and not over wires. This is not a technology problem,
but one of perception," said S...
20


                  transmissions on a LAN between two workstations or tuning into
                  transmissions betw...
21




Figure 5- Message Modification Attack


      •    Message modification: The attacker alters a legitimate m...
22


      •   Denial-of-service: The attacker prevents or prohibits the normal use or
          management of communicati...
23



Table 2-Report: "Sidejacking" session information over WiFi easy as pie


Users may think that their person...
24


courtesy to its clients, offers wireless access through its network. NitroSoft is
visiting AdEx for a presentation of...
25


2.7.0 Management Countermeasures
Management countermeasures for securing wireless networks begin with a
comprehensive...
26




2.8.0 The Essential Security Evaluation
  For an existing WLAN, or one in the planning stages, a number of key fact...
27




2.9.0 Remedial Actions: Layered Architecture




Figure 8 - Firewall


       2.9.1 Firewall: In the near ...
28


      users access the Wireless network. Prevention and containment are
      essentials; precision to do this, place...
29


      learns what normal traffic looks like, then notes changes to the norm that
      would suggest an intrusion or ...
30


  modeling and anomaly detectors look for behavior that deviates from normal
  system use. Hence this type of detecti...
31


            •   User profiles are updated periodically, it is possible for an insider to
                slowly modif...
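The statistical-based IDS limitation described above (a "normal" profile that is re-learned periodically can be shifted by an insider who changes behaviour slowly) is shown here on a constructed per-hour WLAN traffic trace, together with one mitigation: scoring against a baseline pinned to a reviewed period instead of the most recent window. This is an added example, not code from the thesis; the function names, the MB/hour figures and the thresholds are assumptions.

```python
"""Added example: how a periodically re-learned traffic profile can be drifted by
an insider, and how a pinned (reviewed) baseline still catches the change."""
from statistics import mean, pstdev

WINDOW = 24        # hours of history used to build the "normal" profile
THRESHOLD = 3.0    # z-score above which an hour is flagged as anomalous
MIN_SIGMA = 10.0   # noise floor (MB/hour): variation below this is treated as normal


def z_score(value, history):
    """Standard score of `value` against `history`, with a floor on sigma so a
    perfectly flat history does not make every small change look enormous."""
    sigma = max(pstdev(history), MIN_SIGMA)
    return (value - mean(history)) / sigma


def detect_sliding(samples):
    """Profile re-learned from the most recent WINDOW hours before every test.
    This models 'user profiles are updated periodically' from the text."""
    return [i for i in range(WINDOW, len(samples))
            if z_score(samples[i], samples[i - WINDOW:i]) > THRESHOLD]


def detect_pinned(samples):
    """Profile learned once from the first WINDOW hours (a period an analyst has
    reviewed as clean) and never updated by later traffic, so it cannot be drifted."""
    baseline = samples[:WINDOW]
    return [i for i in range(WINDOW, len(samples))
            if z_score(samples[i], baseline) > THRESHOLD]


def flat_then_jump(hours=48, at=40, jump=400):
    """Constructed trace: 100 MB/hour, with one abrupt 400 MB hour (a bulk pull)."""
    trace = [100] * hours
    trace[at] = jump
    return trace


def flat_then_slow_drift(hours=124, step=2):
    """Constructed trace: 100 MB/hour for WINDOW hours, then +2 MB every hour.
    After 100 hours the insider moves 300 MB/hour, triple the original baseline,
    without any single hour standing out from the hours just before it."""
    return [100] * WINDOW + [100 + step * k for k in range(1, hours - WINDOW + 1)]


def compare(samples):
    """Alert indices (hour numbers) raised by each detector on the same trace."""
    return {"sliding": detect_sliding(samples), "pinned": detect_pinned(samples)}


if __name__ == "__main__":
    for name, trace in (("abrupt", flat_then_jump()), ("drift", flat_then_slow_drift())):
        res = compare(trace)
        print(f"{name}: sliding alerts {res['sliding'][:3]}, pinned alerts {res['pinned'][:3]}")
```

On the abrupt trace both detectors flag hour 40; on the drift trace the sliding profile never alerts because it has been re-trained on the insider's own traffic, while the pinned baseline alerts from hour 39 onward.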
32


The user’s Prevention is invariably a better approach than treatment for both
living beings and computer networks. Ju...
33



   2. Minimal Resources: Honeypots require a minimal resource that is any
   Pentium graded machine is good enough t...
34




Figure 12- MAC Layer

WEP (wired equivalent privacy) is 802.11's optional encryption standard
implemented in the MA...
35


WPA is wireless security with greater protection than WEP. Most wireless
networks should use either WEP or WPA. WPA-P...
36

Table 3-Cafe Latte attack stea...
37




2.9.5 Virtual Private Network (VPN)

"A virtual private network is like your own encrypted tunnel from your com...
38


significantly more speed, less overhead and less complexity. The purpose of Wi-
Fi security is to give an user equal ...
39


Surprisingly, most estimates agree on this cost to be around $50 per record. This
cost has increased slightly over pr...
40


Ponemon study, for example, puts opportunity cost at $98 per record, a 31%
increase from 2005. This number is expecte...
41



Table 5-Mobile Workers
Globally, two-thirds of employees are cognizant of security risks when working
remotely on co...
42




2.11.0 The Scenario in India
Table 6- Techscope 2003: e-Security14
India Inc has finally woken up to the security t...
43


2.12.0 Security Protections for Organization

If organization wants to establish proper security protections, here ar...
44


Table 7-The PWC-CII survey 2002-03
The PWC-CII survey 2002-03 illustrates the lack of framework of comprehensive
secu...
45


                                   CHAPTER 3
                                METHODOLOGY


3.1 Introduction
This chap...
46


   •   What will be cost of ISRMS implementation?




3.3 Data Collection / Collected
Primary data collection is done...
47




                      Data Collection




    Longitudinal research               Cross-Sectional




             ...
48


objective of this study, a cross-sectional research is considered to be adequate in
order to provide the required inf...
49


use of structured questionnaires that included detailed respondent instructions
automatically diminished the risk of ...
50


3.7      Analysis to be performed on the Data
              Different statistical methods were used for the data anal...
51



                              References
1. Faria, D. B. and Cheriton, D. R. 2002. DoS and authentication in wireles...
52


15. http://www.sigmobile.org/phd/2000/theses/heinzelman.pdf (10-Dec-08)

16. http://www.itechnote.com/2006/10/26/publ...
53


33. http://wbt.sys-con.com/read/471261_p.htm (10-Dec-07)

34. http://www.acmqueue.org/modules.php?name=Content&pa=pri...
54



                             Glossary of Terms


ActiveX Controls
These controls link to any object--traditionally d...
55


An Internet robot, shortened to "bot," is an automated program that performs a
specific timesaving function i...
56


Traditional modems use a program called a dialer to connect a computer to the
Internet, but dialers are perhaps most ...
57


tinker with computer programs with no malicious intent, such as computer
programmers or security researchers, as well...
58


Like phishing, pharming preys on socially conditioned patterns of human
behavior to coax sensitive information from v...
59


Originally, the unsolicited bulk messages that inundate a user's account took the
form of e-mail messages (mostly adv...
60


Trojan horses slip into an individual's system and run without the user's
knowledge. They can have many functions. Fo...
Transcript of "Litrature Rewiew Old 2"

Table of Contents

TABLE OF FIGURES ..... 3
LIST OF TABLES ..... 4
1.1 BACKGROUND ..... 5
1.2 PURPOSE OF THE STUDY ..... 7
1.3 IMPORTANCE OF THE STUDY ..... 8
1.3.1 STATEMENT OF THE PROBLEM ..... 8
1.3.2 RESEARCH QUESTIONS ..... 9
1.4 RESEARCH HYPOTHESES ..... 9
1.5 RESEARCH METHODOLOGY ..... 10
1.6 LIMITATIONS ..... 11
1.7 OVERVIEW OF THE PAPER ..... 11
2.1.0 INTRODUCTION ..... 13
2.2.0 WIRELESS LAN OVERVIEW ..... 14
2.3.0 CLASSIFICATION OF WIRELESS LAN ..... 15
2.4.0 WIRELESS IN INDIA ..... 16
2.5.0 SECURITY REQUIREMENTS AND THREATS ..... 19
2.5.1 PASSIVE ATTACK ..... 19
2.5.2 ACTIVE ATTACK ..... 20
2.5.3 MALICIOUS WIRELESS SERVICE PROVIDER (WSP) ..... 23
2.6.0 RISK MITIGATION ..... 24
2.7.0 MANAGEMENT COUNTERMEASURES ..... 25
2.8.0 THE ESSENTIAL SECURITY EVALUATION ..... 26
2.9.0 REMEDIAL ACTIONS: LAYERED ARCHITECTURE ..... 27
2.9.1 FIREWALL ..... 27
2.9.2 INTRUSION DETECTION SYSTEM (IDS) ..... 28
2.9.2.1 Limitations of SBID ..... 30
2.9.3 HONEYPOTS ..... 31
2.9.3.1 Limitations of Honeypot ..... 33
2.9.4 WEP (WIRED EQUIVALENT PRIVACY) AND WPA (WI-FI PROTECTED ACCESS) ..... 33
2.9.4.1 Advantages of WPA ..... 35
2.9.4.2 Disadvantages of WPA ..... 35
2.9.5 VIRTUAL PRIVATE NETWORK (VPN) ..... 37
2.10.0 THE COST OF DATA BREACHES: LOOKING AT THE HARD NUMBERS ..... 38
2.10.1 TANGIBLE COSTS ..... 38
2.10.2 REGULATIONS AND LOST EMPLOYEE PRODUCTIVITY ..... 39
2.10.3 STOCK PRICE ..... 39
2.10.4 OPPORTUNITY COST ..... 39
2.10.5 REGULATORY REQUIREMENTS AND FINES ..... 40
2.10.6 BOTTOM LINE ..... 40
2.11.0 THE SCENARIO IN INDIA ..... 42
2.12.0 SECURITY PROTECTIONS FOR ORGANIZATION ..... 43
2.13.0 SUMMARY ..... 44
3.1 INTRODUCTION ..... 45
3.3 DATA COLLECTION / COLLECTED ..... 46
3.4 LOCATION OF THE DATA ..... 49
3.6 METHOD OF INQUIRY ..... 49
3.7 ANALYSIS TO BE PERFORMED ON THE DATA ..... 50
3.8 SUMMARY ..... 50
REFERENCES ..... 51
GLOSSARY OF TERMS ..... 54

TABLE OF FIGURES

FIGURE 1 - WIRELESS TECHNOLOGY IN USE ..... 14
FIGURE 2 - TYPES OF WIRELESS CONNECTION ..... 14
FIGURE 3 - TAXONOMY OF SECURITY ATTACKS ..... 19
FIGURE 5 - MESSAGE MODIFICATION ATTACK ..... 21
FIGURE 6 - DENIAL OF SERVICE ATTACK ..... 21
FIGURE 7 - MAN IN THE MIDDLE ATTACK ..... 22
FIGURE 8 - FIREWALL ..... 27
FIGURE 9 - INTRUSION DETECTION SYSTEM ..... 28
FIGURE 11 - HONEYPOTS ..... 31
FIGURE 12 - MAC LAYER ..... 34
FIGURE 13 - VPN ..... 37
FIGURE 14 - SELECTION OF DATA COLLECTION METHOD ..... 47

List of Tables

Table 1 ..... 16
Table 2 ..... 23
Table 3 ..... 36
Table 4 ..... 40
Table 5 ..... 41
Table 6 ..... 42
Table 7 ..... 44
  5. 5. 5 CHAPTER 1 INTRODUCTION 1.1 Background Information is one of the key assets of any business. Information is essential to an organization’s business and consequently needs to be suitably protected. This is especially important in the increasingly interconnected business environment. As a result of this increasing interconnectivity, Information is now exposed to a growing number and a wider variety of threats and vulnerabilities. Information can exist in many forms. It can be printed or written on paper, stored electronically, and transmitted by post or by using electronic means. Whatever form the information takes, or medium by which it is shared or stored, it should always be appropriately protected. Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions. Information theft has become a concern due to the increase in usage of Wireless communication. Wireless communications offer organizations and users many benefits such as portability and flexibility, increased productivity, and lower installation costs. Wireless local area network (WLAN) devices; allow users to move their laptops from place to place within their offices without the need for wires and without losing network connectivity. Risks are inherent in any wireless technology. Some of these risks are similar to those of wired networks; some are exacerbated by wireless connectivity; some are new. Perhaps the most significant source of risks in wireless networks is that the technology’s underlying
  6. 6. 6 communications medium, the airwave, is open to intruders, making it the logical equivalent of an Ethernet port in the parking lot. The loss of privacy and integrity and the threat of denial of service (DoS) attacks are risks typically associated with wireless communications. Unauthorized users may gain access to organization systems and information, alter the organization’s data, consume network bandwidth, degrade network performance, and launch attacks that prevent authorized users from accessing the network, or use organization resources to launch attacks on other networks. All the vulnerabilities that exist in a conventional wired network apply to wireless technologies. • Malicious entities may gain unauthorized access to an organization’s computer network through wireless connections, bypassing any firewall protections. • Sensitive information that is not encrypted and that is transmitted between two wireless devices may be intercepted and compromised. • DoS attacks may be directed at wireless connections or devices. • Malicious entities may steal the identity of legitimate users and impersonate as them on internal or external corporate networks. • Sensitive data may be corrupted during improper synchronization. • Malicious entities may be able to violate the confidentiality of legitimate users and be able to track their movements. • Malicious entities may deploy unauthorized equipment (e.g., client devices and access points) to surreptitiously gain access to sensitive information. • Viruses or other malicious code may corrupt data on a wireless device and subsequently be introduced to a wired network connection. • Malicious entities may, through wireless connections, connect to other agencies or organizations for the purposes of launching attacks and concealing their activities.
  7. 7. 7 • Interlopers, from inside or out, may be able to gain connectivity to network management controls and thereby disable or disrupt operations. • Malicious entities may use third-party, untrusted wireless network services to gain access to an organization’s or other organization’s network resources. 1.2 Purpose of the study There are still a lot issues that hamper the enterprise use of wireless technologies, such as security issues, appropriate applications, connection stability and transmission capacity. A study by Internet Security Systems (ISS) identified the following security problems related to WLAN implementations • Insertion attacks • Interception and unauthorized monitoring of wireless traffic • Jamming (DOS) • Client-to-Client attacks • Brute force attacks against access point passwords • Encryption attacks WLAN implementation is even more complex because of breach in security in existing and commonly used security protocols. The purpose of this study is to understand current business practices with respect to WLAN deployment and security management. It is expected that the
  8. 8. 8 conclusions drawn in this study can help us understand how wireless networks are being deployed, managed and used in what areas, meanwhile offer perspectives that will help the design and development of wireless. 1.3 Importance of the Study The number and nature of threats is increasing at a faster pace than organization ability to evade them. This is primarily driven by the endemic imperfections in wireless technology, the continuous emergence of devices with ever more technical wizardry and their increasing affordability. All of these factors are just what the doctor ordered for certain people itching to exploit those flaws. Wireless is best the example of latest communications technologies. Though they have got the advantage of accessing information remotely, it also has its share of danger with hackers waiting to intercept the data and use it for their own nefarious designs. Organizations have to be always ready with security plans with regards to emerging technologies and that is very demanding task. 1.3.1 Statement of the Problem Based on the problem definition, the objectives of the research will be: • To identify and examine the current IS landscape pertaining to Wireless networks prevailing in various organizations. • To identify the information risks and security concerns threatening organizations. • To determine the cost in the IRSMS implementation pertaining to Wireless network.
  9. 9. 9 1.3.2 Research questions • What are the information security risks in using a wireless network? • What would be the ideal characteristics of Information security management system to manage wireless network? • What functions must ISRMS fulfill to support users? • What will be cost of ISRMS implementation? 1.4 Research hypotheses The following hypotheses have been developed based on above discussions: • H1: IT-related businesses are more likely to have wireless networks than other types of businesses. • H1a: Financial Services would be least likely to implement wireless network. • H2: The main concern in deploying wireless networks would be security concerns. • H2a: Those wireless networks that have AP self-broadcasting feature enabled would be less likely to have encryption implemented.
  10. 10. 10 • H3: An important consideration in enterprise use of wireless networks is whether the wireless network is used for business or for non- business activities. • H3a: Many companies will prefer to deploy a wireless network for non- critical or non business applications. • H4: If an organization wants to restrict network access, it would be more likely to have one or more authentication methods implemented. • H5: If a business was monitoring its wireless usage, it would be more likely to track the wireless users. • H5a: A wireless network should have security equivalent to wired networks to be considered for critical business applications. 1.5 Research methodology The method of inquiry involved both primary as well as secondary data collection. Questionnaire was prepared taking into account the necessity of qualitative as well as quantitative analysis. Primary data collection is done by inviting responses through means of a questionnaire, from the IS Officers/ IT officers, Certified Information Systems Auditors, Certified Information Systems Managers, Compliance officers, etc., with a minimum of 1-3 years of experience in the ‘IS Risk Management’ field. Secondary data was gathered from various published sources, authentic journals, past research papers, newspapers, magazines and articles.
  11. 11. 11 1.6 Limitations • The findings are based entirely upon the research conducted in India and hence may not be applicable to other countries of the world on counts of technological diversity and contextual forces. • These kind of researches need to be done periodically to gauge the authenticity of the wireless security risk management program designed in an sensitive organization such as banks, due to the constant changing technology and its vulnerabilities. • The research may not be able to provide the exact financial figures or the financial impact due to the occurrence of the IS Threats and the Risk that is followed because of the reputation risk involved in it. The respondents might not provide complete, incomplete, partial or authentic information regarding the questions posed for the survey. 1.7 Overview of the Paper An introduction to the topic of research “IS Risk Management in wireless network” is provided in Chapter 1. The introduction focuses on aspects such as: • Background of the Research Study, • Purpose and Importance of the Study, • Problem Statement, • Research Questions With Certain Assumptions, • Research Methodology. It also throws light on the limitations of the study research. In the Literature Review, the research provides a close look and feel of the similar incidents in the past and in the present amongst various organizations across the country and the globe. The basic intention of this academic report is to spread awareness regarding Wireless Threats and the Risk which follows them.
  12. 12. 12 The researcher has tried to collect several examples from within the country or across the globe which are on similar lines. Chapter 1 This chapter also highlights the method of inquiry and the method of analysis when the data is collected. Chapter 3 is dedicated to the methodology of the research. It points towards to sources of the data and information collection through surveys, questionnaires, personal interviews, authentic articles on the web, magazines, etc. This chapter re-visits the research questions, research hypotheses, etc. mentioned in chapter 1 .
  13. 13. 13 CHAPTER 2 Literature Review 2.1.0 Introduction This chapter provides further insights regarding the history of Wireless security. The focus would be at the emerging trends in use of Wireless and changes made to secure the Wireless network. The chapter also defines the scope of Information Security in Wireless Network. The literature review shows how the IS and Risk Management is applicable to organizations using Wireless networks. Why is it essential to take the responsibility and subdue the threats causing the financial losses to the business sector? In order to achieve this feat it becomes even more important to understand what kinds of attacks are possible and the manner in which they should be dealt with? Due to the scope and limited constraint, this academic research is unable to throw light on all the threats or mention the remedies for them. But, even so, a wide range of threats have been mentioned with some actual facts. The literature also covers an earlier research conducted in India with the objective to understand the state of adoption of Wireless among enterprise users. India is growing as a world-class manufacturing hub, geared to produce for both local and global markets. Shop-floor automation and work-flow, inventory and material handling are expected to be fully automated with computer controlled special purpose machines and enterprise Wireless networks managing production schedules and assembly lines. Experts expect that these facilities will
  14. 14. 14 become a major driver for enterprise applications including Wireless networks on and off the shop-floor, in the campus and across the offices. 2.2.0 Wireless LAN Overview WIRELESS technology and the WIRELESS industry date back to the mid-1980s when the Federal Communications Commission of the U.S (FCC) first made the RF spectrum available to industry. During the 1980s and early 1990s, growth was relatively slow. Today, however, WIRELESS technology is experiencing tremendous growth. The key reason for this growth is the increased bandwidth made possible by the IEEE 802.11 standard. Figure 1-Wireless Technology in use Figure 2 – Types of Wireless connection
  15. 15. 15 2.3.0 Classification of Wireless LAN 4 In wireless LANs with infrastructure, there is a high-speed wired or wireless backbone. Wireless nodes access the wired backbone through access points. These access points allow the wireless nodes to share the available network resources efficiently. Prior to communicating data, wireless clients and access points must establish a relationship, or an association. Only after an association is established can the two wireless stations exchange data. Issues over Wireless LAN: Since wireless devices need to be small and wireless networks are bandwidths limited, some of the key challenges in wireless networks are: a. Data Rate Enhancements: Improving the current data rates to support future high speed applications is essential, especially, if multimedia (voice and video) service are to be provided. b. Low power networking: The complexity and the power consumption of wireless devices vary significantly depending on the kind of wireless spectrum technology being used to implement the wireless. c. Security: Big concern in wireless networking, especially in mcommerce and e- commerce applications. Mobility of users increases the security concerns in a wireless network. Current wireless networks employ authentication and data encryption techniques on the air interface to provide security to its users. The IEEE 802.11 standard describes wired equivalent privacy (WEP) that defines a method to authenticate users and encrypt data between the PC card and the wireless LAN access point. In large enterprises, an IP network level security solution could ensure that the corporate network and proprietary data are safe. Virtual private network (VPN) is an option to make access to fixed access
  16. 16. 16 networks reliable. Since hackers are getting smarter, it is imperative that wireless security features must be updated constantly. d. Radio Signal Interference: Interference can take on an inward or outward direction. A radio-based LAN, for example, can experience inward interference either from the harmonics of transmitting systems or from other products using similar radio frequencies in the local area. Microwave ovens operate in the S band (2.4GHz) that many wireless LANs use to transmit and receive. These signals result in delays to the user by either blocking transmissions from stations on the LAN or causing bit errors to occur in data being sent. Newer products that utilize Bluetooth radio technology also operate in the 2.4GHz band and can cause interference with wireless LANs, especially in fringe areas not well covered by a particular wireless LAN access point. The other issue is the outward interference, with wireless network’s disrupting other systems, such as adjacent wireless LANs and navigation equipment on aircraft. e. System Interoperability: With wireless LANs, interoperability is taken as a serious issue. There are still pre-802.11 (proprietary) wireless LANs, both frequency-hopping and direct sequence 802.11 versions, and vendor-specific enhancements to 802.11- compliant products that make interoperability questionable. To ensure interoperability with wireless LANs, it is best to implement radio cards and access points from the same vendor, if possible. 2.4.0 Wireless in India Table 1- Tribune News Service1 1 http://www.tribuneindia.com/2005/20050216/cth1.htm 14-Dec-07
Mohali, February 15, 2005. Anti-virus software developers might never be able to catch up with hackers. You have secured your computer from information theft and criminal hacking but in the end it just might be your mobile phone that lets you down.

A new breed of criminal hackers called the "war drivers" is becoming a serious threat to wireless network users. "Anyone with a notebook computer, an inexpensive wireless network card, freely downloaded software and an antenna made from something as simple as a can of packed food can hack into wireless networks in homes and companies from hundreds of feet away," warned Mr Ravinder Singh Zandu, a senior scientist with the Centre for the Development of Advanced Computing (CDAC), Mohali today.

War driving is more than just a prank that makes your private conversation public. "Some intruders seek to access files and damage systems. Most wireless networks are completely unsecured. The easiest way to avoid mobile telephone hacking is encryption but manufacturers of wireless devices leave encryption turned off by default and give no information to the users about wireless encryption or any other added security measures. This makes it an easy task for anyone with a wireless setup to find and exploit the connection," he said.

Talking to a set of IT professionals who had gathered from all over the country to participate in the skill and technology upgradation seminar held at CDAC today, Dr Zandu said that for PC users, however, ensuring internet security remained the biggest challenge. "Most of the hacking server attacks are from dedicated amateur attackers known as script kiddies, who, without much knowledge, use tools that are freely available on the internet to probe networks for weaknesses. These tools scan the internet randomly looking for vulnerable systems, then exploit any weaknesses they find. With such tools available, a small anonymous company is potentially as much at risk as a well-known multinational corporation. Taking sensible precautions in general, and using up-to-date software in particular, would have easily prevented the attack," he told The Tribune.
'Live life wirefree', 'productivity with no strings attached'; those were just some of the taglines pushing the Wireless enterprise LAN a couple of years ago. However, the fact remains that Wireless deployment in Indian enterprises is still immature when compared to its counterparts in Europe and the U.S. When examined closely, it can be seen that a majority of organizations that have Wireless in place belong to the hospitality and travel (airports) verticals. In these cases, it is a simple case of providing additional value to their clients by providing Wireless access.

"Wireless adoption in India is still at a primary level although organizations have started adopting wireless technology selectively. Early adopters are organizations for whom it's business critical to have Wireless, such as hotels and airports," said Satish Pendse, CIO, Kuoni Travel Group, India.

Apart from these verticals where Wireless is of 'cosmetic appeal' or a factor providing competitive advantage, Wireless implementations have been need-specific. For instance, many Indian manufacturers use Wireless on the shop floor to avoid strewing cabling across the work area while ensuring that users are mobile. "Wireless solutions are more feasible for organizations where the network infrastructure is already in place and there is no buffer for extra cabling. It can also be helpful for the campus LAN kind of environment where line of sight is not an issue," said Hilal Khan, Manager Information Systems, Honda Siel Cars India Ltd.

Concerns about security have also hampered widespread Wireless adoption. The first 802.1x standard, 802.11b, is better known for its lack of security than anything else. With 802.11b vulnerabilities emerging every other week, enterprises have become doubtful about just how secure Wireless truly is. "The key reasons behind organizations not deploying Wireless could be due to investment in existing infrastructure. Another reason is security concerns, since the data travels through air and not over wires. This is not a technology problem, but one of perception," said Shrikant Patil, Director (Solutions), South Asia, Intel.

2.5.0 Security Requirements and Threats

Figure 3 - Taxonomy of Security Attacks (attack: passive attack, comprising eavesdropping and traffic analysis; active attack, comprising masquerade, replay, message modification and denial of service)

Network security attacks are typically divided into passive and active attacks. These two broad classes are then subdivided into other types of attacks. All are defined below.

2.5.1 Passive Attack: An attack in which an unauthorized party gains access to an asset and does not modify its content (i.e., eavesdropping). Passive attacks can be either eavesdropping or traffic analysis (sometimes called traffic flow analysis). These three passive attacks are described below.

• Eavesdropping: The attacker monitors transmissions for message content. An example of this attack is a person listening in to the transmissions on a LAN between two workstations or tuning into transmissions between a wireless handset and a base station.
• Traffic analysis: The attacker, in a more subtle way, gains intelligence by monitoring the transmissions for patterns of communication. A considerable amount of information is contained in the flow of messages between communicating parties.
• Replay: The attacker monitors transmissions (passive attack) and retransmits messages as the legitimate user.

2.5.2 Active Attack: An attack whereby an unauthorized party makes modifications to a message, data stream, or file. It is possible to detect this type of attack but it may not be preventable. Active attacks may take the form of one of four types (or a combination thereof): masquerading, replay, message modification, and denial-of-service (DoS). These attacks are defined below.

Figure 4 - Masquerading [2]

• Masquerading: The attacker impersonates an authorized user and thereby gains certain unauthorized privileges.

Figure 5 - Message Modification Attack [3]

• Message modification: The attacker alters a legitimate message by deleting, adding to, changing, or reordering it.

Figure 6 - Denial of Service Attack [4]

• Denial-of-service: The attacker prevents or prohibits the normal use or management of communications facilities.
• Rogue Access Points: A more sophisticated sniffer can set up a rogue access point (evil twin) to intercept all data and relay it back and forth to the legitimate network without the user's or organization's knowledge. In this process, even more data can be extracted from the organization's network users. The "phishing" attack starts with a fake web site that mimics a legitimate site to capture login credentials. The attacker can also try to force software on your PC to re-connect to services that require passwords and extract them when they are sent.

Figure 7 - Man in the Middle Attack [5]

[2] http://www.smallnetbuilder.com/images_old/myimages/howto/wepcrack_pt1/wepcrack.png (05/01/2008)
[3] http://i47.photobucket.com/albums/f185/hinhup/13-10-7.gif (05/01/2008)
[4] http://www.ristinet.com/artikel/Keamanan%20WLAN%204.gif (05/01/2008)
[5] http://www.itechnote.com/2006/10/26/public-wi-fi-network-threats/ (05-Jan-08)

Table 2 - Report: "Sidejacking" session information over WiFi easy as pie [6]

Users may think that their personal data is safe when they use a secure login page online, but that's quite far from the truth. In fact, everything from the contents of your e-mail, who your friends and acquaintances are, and almost anything else you can think of could be easily exposed by hackers if browsed via a WiFi network, security firm Errata Security pointed out in a recent paper presented at this year's Black Hat 2007 and seen by Ars Technica. The method by which this data could become exposed is nothing new, but it is simpler than most "man-in-the-middle" attacks, says Errata. Many web services, such as Gmail, BlogSpot, Facebook, MySpace, LinkedIn, and Google Adsense use cookies to identify session information after the user has already logged in. Using a basic packet sniffer over a WiFi network and a proxy server to pass the information through, a determined hacker can easily "sidejack" the session information as his own by stealing session IDs straight out of the WiFi signal. He could then use that session ID to represent himself as the original user, says Errata, which would allow him to do things like make blog posts, unfriend all of your Facebook friends, and read or send e-mails.

[6] http://arstechnica.com/news.ars/post/20070801-report-sidejacking-session-information-ov... (11-Dec-07)

The risks associated with wireless are the result of one or more of these attacks. The consequences of these attacks include, but are not limited to, loss of proprietary information, tarnished image, and loss of network service.

2.5.3 Malicious Wireless Service Provider (WSP)

WSPs are in the business of providing wireless services, so performing any untoward activity would be counterproductive. However, consider the following example, based on the office complex scenario: suppose that AdEx Inc., as a courtesy to its clients, offers wireless access through its network. NitroSoft is visiting AdEx for a presentation of a proposed new marketing campaign. During breaks in the presentation, the NitroSoft representative sends and receives e-mail via his wireless PDA. This information is related to the campaign, including price limits and current bids from other representatives attending similar presentations around the country. The connectivity is much appreciated by the NitroSoft representative because he can discreetly communicate the current status to his NitroSoft co-workers to ensure that NitroSoft receives the best marketing campaign for the money. What the NitroSoft representative doesn't know is that someone from the AdEx IT staff is monitoring the NitroSoft representative's communications and relaying any pertinent information to AdEx's marketing staff so that they will be well informed of her feelings about the presentation, any misgivings she may have, what NitroSoft's bottom line will be, and possibly what the bids are from other marketing firms.

In this example, is AdEx just doing smart business? After all, AdEx owns the wireless connectivity hardware, and by extension, everything it transports. Or is AdEx a malicious WSP? Unless AdEx had the NitroSoft representative sign an agreement to access its wireless network and this agreement contained a waiver granting AdEx access to anything transmitted over the network, we would vote for the latter. Therefore, personal data transmitted by the device may be vulnerable to a malicious WSP.

2.6.0 Risk Mitigation

Management countermeasures combined with operational and technical countermeasures can be effective in reducing the risks associated with WLANs. The following guidelines will not prevent all adversary penetrations, nor will these countermeasures necessarily guarantee a secure wireless networking environment. This section describes risk-mitigating steps for an agency, recognizing that it is impossible to remove all risks. Additionally, it should be clear that there is no "one size fits all" wireless network security solution when it comes to security.
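The sidejacking report in 2.5.2 above rests on session cookies being readable in the WiFi signal and then replayed. As an added example that is not part of the thesis, the following check audits HTTP headers for the two conditions that make this possible: a session cookie set without the Secure attribute, and a session cookie actually carried in a cleartext request. The host name, cookie names and session IDs are constructed sample values, and the list of session-like cookie names is an assumption of the heuristic.

```python
"""Flag session cookies exposed to WiFi "sidejacking".

Added example, not from the thesis. It audits HTTP headers (constructed
samples below) for the two conditions the sidejacking report relies on:
a session cookie set without the Secure attribute, which the browser
will then also attach to plain http:// requests, and a session cookie
actually observed in a cleartext request, where any WiFi sniffer can
read it. The host, cookie names and session IDs are constructed values.
"""
from dataclasses import dataclass

# Substrings that usually mark a login-session cookie. This list is an
# assumption of the heuristic, not a standard.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class Finding:
    host: str
    cookie: str
    reason: str


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie_name, {attr_lower: value})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def looks_like_session(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_response(host, headers):
    """Report session cookies set without Secure (or HttpOnly).

    headers: list of (name, value) pairs from one HTTP response.
    """
    findings = []
    for hname, value in headers:
        if hname.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if not looks_like_session(name):
            continue
        if "secure" not in attrs:
            findings.append(Finding(host, name,
                "set without Secure; browser will also send it over http://"))
        if "httponly" not in attrs:
            findings.append(Finding(host, name,
                "set without HttpOnly; readable by script"))
    return findings


def audit_request(host, scheme, headers):
    """Report session cookies carried in a cleartext (http) request."""
    findings = []
    if scheme != "http":
        return findings
    for hname, value in headers:
        if hname.lower() != "cookie":
            continue
        for pair in value.split(";"):
            name = pair.strip().split("=", 1)[0]
            if looks_like_session(name):
                findings.append(Finding(host, name,
                    "sent in cleartext; any WiFi sniffer can replay it"))
    return findings


# Constructed sample: the login response (over https) sets the session
# cookie without Secure; the client later fetches a plain http:// page
# of the same site and its browser attaches the cookie.
LOGIN_RESPONSE = ("mail.example.test", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=c0ffee1234abcd; Path=/; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
])
LATER_REQUEST = ("mail.example.test", "http", [
    ("Host", "mail.example.test"),
    ("Cookie", "lang=en; SESSIONID=c0ffee1234abcd"),
])
# The corrected setting: Secure keeps the cookie off cleartext requests.
HARDENED_RESPONSE = ("mail.example.test", [
    ("Set-Cookie", "SESSIONID=c0ffee1234abcd; Path=/; Secure; HttpOnly"),
])


def run_audit():
    """Return all findings for the constructed weak exchange."""
    return audit_response(*LOGIN_RESPONSE) + audit_request(*LATER_REQUEST)


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.host}: {f.cookie}: {f.reason}")
    print("hardened:", audit_response(*HARDENED_RESPONSE))
```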
2.7.0 Management Countermeasures

Management countermeasures for securing wireless networks begin with a comprehensive security policy. A security policy, and compliance with it, is the foundation on which the other countermeasures, operational and technical, should be rationalized and implemented. A WLAN security policy should be able to do the following:

• Identify who may use WLAN technology in an organization.
• Describe who can install access points and other wireless equipment.
• Provide limitations on the location of and physical security for access points.
• Describe the type of information that may be sent over wireless links.
• Describe conditions under which wireless devices are allowed.
• Define standard security settings for access points.
• Describe limitations on how the wireless device may be used, such as location.
• Describe the hardware and software configuration of all wireless devices.
• Provide guidelines on reporting losses of wireless devices and security incidents.
• Provide guidelines for the protection of wireless clients to minimize/reduce theft.
• Provide guidelines on the use of encryption and key management.
• Define the frequency and scope of security assessments, to include access point discovery.
• Agencies should ensure that all critical personnel are properly trained on the use of wireless technology.
• Network administrators need to be fully aware of the security risks that WLANs and devices pose. They must work to ensure security policy compliance and to know what steps to take in the event of an attack.
• Finally, the most important countermeasures are trained and aware users.

2.8.0 The Essential Security Evaluation

For an existing WLAN, or one in the planning stages, a number of key factors must be evaluated before deciding the security approaches that are needed. These factors include:

• Network topology and infrastructure
• Types of users and requirements
• Applications to be supported
• Value of the data (and financial impact if compromised)
• Existing security management solutions and policies across the organization
• Existing standards support
• Building structure and other devices in use or transmissions occurring in the vicinity (for potential of interference and to determine required bandwidth)

Cost analysis is a key element. The value of the data, and the financial impact if compromised, must be balanced against the price of combinations of security measures. User convenience and speed of access must also be evaluated. Clearly, a major goal in creating a WLAN is the freedom and flexibility of mobile access to enhance business productivity. Some very stringent security measures could be self-defeating if users fail to cooperate because they are complex or time-consuming.

2.9.0 Remedial Actions: Layered Architecture

Figure 8 - Firewall [7]

2.9.1 Firewall: In the near future, organizations will be even more interconnected, leading to an increase in security vulnerabilities. While maintaining firewall and other perimeter defenses, focus on security where users access the Wireless network. Prevention and containment are essential; to achieve them with precision, the placement of the different security components is of utmost importance. Firewalls are typically implemented using dedicated or non-dedicated firewall hardware and system platforms. The dedicated firewall hardware and software provide protection mechanisms built in by the manufacturer. But security means more than screening out via firewalls. It means guarding against illicit data access and preventing users from misusing resources.

[7] http://oriol.joor.net/article_fitxers/1574/wpa-eaptls.gif (6th Jan 08)

Figure 9 - Intrusion Detection System [8]

2.9.2 Intrusion Detection System (IDS): An IDS serves as a second line of defense. Designed to watch either a system for filesystem changes or traffic on the network, this system, with the help of a human, learns what normal traffic looks like, then notes changes from the norm that would suggest an intrusion or otherwise suspicious traffic. Notification can be via e-mail or a mobile SMS.

Intrusion detection is the art of detecting inappropriate, incorrect, or anomalous activity. An IDS is a system that detects burglary attempts. Firewalls perform the role of door and window locks. These types of locks will stop the majority of burglars, but sophisticated intruders may circumvent security devices that protect an intended target. Therefore, most people use a combination of sophisticated locks with alarm systems. An IDS performs the role of such an alarm system and adds the next preventive layer of security by detecting attacks that penetrate IT systems.

Network-based IDSs monitor an entire, large network with only a few well-situated nodes or devices and impose little overhead on a network. Network-based IDSs are mostly passive devices that monitor ongoing network activity without adding significant overhead or interfering with network operation. They are easy to secure against attack and may even be undetectable to attackers; they also require little effort to install and use on existing networks. [9]

Recently, intrusion detection has received considerable attention, and it is being performed with respect to the Internet as well as wireless mobile networks. There are basically two types of existing threat detection strategies: anomaly detection and misuse detection. The anomaly detection approach analyzes the user's current sessions and compares them to the profile representing the user's normal behavior. Since it catches sessions which are not normal, this model is referred to as an 'anomaly' detection model. A typical anomaly detection system takes in audit data for analysis. The audit data is transformed to a format statistically comparable to the profile of a user. Thresholds are normally associated with all the profiles. If any comparison between the audit data and the user's profile results in a deviation beyond the set threshold, an intrusion alarm is declared. This type of detection system is well suited to detect unknown or previously unencountered attacks. Anomaly detection bases its idea on statistical behavior modeling, and anomaly detectors look for behavior that deviates from normal system use. Hence this type of detection is also known as the Statistical Based Intrusion Detection approach (SBID).

[8] http://www.skullbox.net/ids.php (6 January 2008)
[9] http://manageengine.adventnet.com/products/wifi-manager/images/home_zoomed.gif (6 Jan 2008)

2.9.2.1 Limitations of SBID

Besides the costs associated with creating audit trails and maintaining user profiles, there are several risks and limitations associated with SBID technology:

Figure 10

• Since user profiles are updated periodically, it is possible for an insider to slowly modify his behavior over time until a new behavior pattern has been established within which an attack can be safely mounted.
• Determining an appropriate threshold for "statistically significant deviations" can be difficult. If the threshold is set too low, anomalous activities that are not intrusive are flagged as intrusive (false positive). If the threshold is set too high, anomalous activities that are intrusive are not flagged as intrusive (false negative).
• Defining user profiles may be difficult, especially for those users with erratic work schedules/habits.

2.9.3 Honeypots

Figure 11 - Honeypots [10]

[10] http://www.securitylab.ru/_article_images/farms.jpg (7 Jan 2008)
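Before the honeypot discussion, the SBID approach of 2.9.2 and the first two limitations listed in 2.9.2.1 are worked through in the following added example, which is not part of the thesis. A user's profile is the mean and standard deviation of one session feature (bytes per session; all audit values are constructed), a session is scored by z-score against a threshold, and two helpers show the false-positive/false-negative trade-off and the effect of periodic profile updates on a slowly drifting insider.

```python
"""Statistical-based intrusion detection (SBID) on constructed audit data.

Added example, not from the thesis. A user's profile is the mean and
standard deviation of one session feature (bytes transferred per
session; the values are constructed). A new session is scored as a
z-score against the profile and declared anomalous above a threshold.
The two helpers at the end reproduce the limitations listed above: the
false-positive / false-negative trade-off of the threshold, and the
insider who drags a periodically rebuilt profile along by shifting his
behaviour a little at a time.
"""
from statistics import mean, pstdev

# Constructed audit trail: bytes moved per session for one user.
BASELINE_SESSIONS = [48_000, 51_000, 47_500, 50_200,
                     49_100, 52_300, 48_700, 50_900]

# Constructed ground truth for the threshold experiment: (bytes, intrusive?)
LABELLED_SESSIONS = [
    (49_000, False),   # ordinary session
    (53_500, False),   # unusual but legitimate (large report download)
    (54_500, True),    # modest exfiltration
    (58_000, True),    # blatant exfiltration
]


def build_profile(sessions):
    """Profile = (mean, std) of the feature; a std floor avoids divide-by-zero."""
    return mean(sessions), max(pstdev(sessions), 1.0)


def z_score(profile, value):
    mu, sigma = profile
    return abs(value - mu) / sigma


def is_anomalous(profile, value, threshold):
    """Raise the alarm when the deviation exceeds the set threshold."""
    return z_score(profile, value) > threshold


def evaluate_threshold(profile, labelled_sessions, threshold):
    """Return (false_positives, false_negatives) for one threshold."""
    fp = fn = 0
    for value, intrusive in labelled_sessions:
        flagged = is_anomalous(profile, value, threshold)
        if flagged and not intrusive:
            fp += 1          # legitimate activity flagged as intrusive
        elif intrusive and not flagged:
            fn += 1          # intrusive activity slipped through
    return fp, fn


def simulate_profile_drift(initial_sessions, step, periods, window, threshold):
    """Model an insider raising his volume by `step` bytes per period.

    The profile is rebuilt from the last `window` sessions each period
    (periodic update). Returns (escaped, last_value): escaped is True if
    no period ever tripped the alarm, so the baseline followed the user.
    """
    history = list(initial_sessions)
    for _ in range(periods):
        profile = build_profile(history[-window:])
        nxt = history[-1] + step
        if is_anomalous(profile, nxt, threshold):
            return False, nxt
        history.append(nxt)
    return True, history[-1]


if __name__ == "__main__":
    profile = build_profile(BASELINE_SESSIONS)
    for t in (2.0, 3.0, 4.0):
        print(f"threshold {t}: fp/fn =",
              evaluate_threshold(profile, LABELLED_SESSIONS, t))
    escaped, final = simulate_profile_drift(BASELINE_SESSIONS, 1_000, 20, 8, 3.0)
    print("drift escaped:", escaped, "final bytes:", final,
          "z against original profile:", round(z_score(profile, final), 1))
```

The drift run ends with a transfer that the original profile would score far above the threshold, which is why a periodically refreshed profile needs a slowly moving baseline to be compared against the original one as well.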
  32. 32. 32 The user’s Prevention is invariably a better approach than treatment for both living beings and computer networks. Just as it is with living beings, it is impossible to prevent all maladies from occurring on a computer network. But unlike the human body, computer networks do not have an autonomic immune system that differentiates self from non-self and neutralizes potential threats. Security engineers have to establish what behavior and attributes are quot;selfquot; for networks and deploy systems that identify quot;non-selfquot; activities and neutralize them. Thus the old phrase stands very true: information is the power. Panacea could be proactive approach leading to better understanding the threats. Knowledge delivered out of this helps administrators to use arsenal with full strength against hackers. Honeynet is technology, which uses proactive approach, based on military doctrine. Honeypots are closely monitored network decoys serving several purposes: they can distract adversaries from more valuable machines on a network, they can provide early warning about new attack and exploitation trends and they allow in- depth examination of adversaries during and after exploitation of a honeypot. Honeypots are a highly flexible security tool with different applications for security. They don't fix a single problem. Instead they have multiple uses, such as prevention, detection, or information gathering. Honeypots all share the same concept: a security resource that should not have any production or authorized activity. In other words, deployment of honeypots in a network should not affect critical network services and applications. A honeypot is a security resource and its value lies in being probed, attacked, or compromised. Honeypots are simple concept, which gives them following powerful strengths. 1. Small data sets of high value: Honeypots collect small amounts of information. 
Instead of logging huge data they only log information of high value, as it is only the hacker community, which interacts with them. This means it is much easier and cheaper to analyze the data and derive value out of it.
  33. 33. 33 2. Minimal Resources: Honeypots require a minimal resource that is any Pentium graded machine is good enough to handle entire network of 256 users. 2.9.3.1 Limitations of Honeypot Deploying honeypots to fool attackers, it will have to perfectly simulate reality. Many counter papers have recently been released on the Internet because hackers want to prove that they are not afraid of honeypots and that they are stronger than their creators. New paths of research have been drawn to resolve the stealth problems. Wireless honeypots suffer from the same stealth problems that classic honeypots do, and also from specific, additional ones related to this environment. Skilled attackers may be afraid of quot;too openquot; networks. The better simulated reality, the more skilled attackers (but in this case, intrusions rarely occur) get caught; Lesser the stealth, users observe successful attacks (but they are often done by inexperienced attackers). 2.9.4 WEP (wired equivalent privacy) and WPA (Wi-Fi Protected Access) The security of a wireless LAN is very important, especially for applications hosting valuable information. For example, networks transmitting credit card numbers for verification or storing sensitive information are definitely candidates for emphasizing security. In these cases and others, proactively safeguard wireless network against security attacks.
  34. 34. 34 Figure 12- MAC Layer WEP (wired equivalent privacy) is 802.11's optional encryption standard implemented in the MAC Layer that most radio network interface card (NIC) and access point vendors support. When deploying a wireless LAN, be sure to fully understand the ability of WEP to improve security. WEP specifies a shared secret 40 or 64-bit key to encrypt and decrypt the data. Some vendors also include 128 bit keys (know as quot;WEP2quot;) in their products. With WEP, the receiving station must use the same key for decryption. Each radio NIC and access point, therefore, must be manually configured with the same key. Despite the flaws, WEP is better than nothing, and user should enable WEP as a minimum level of security. Many people have taken to the streets to discover wireless LANs in neighborhoods, business areas, and colleges using protocol analyzers, such as AiroPeek and Airmagnet. Most of these people are capable of detecting wireless LANs where WEP is not in use and then use a laptop to gain access to resources located on the associated network. By activating WEP, however, user significantly minimizes this from happening, especially if users have a home or small business network. WEP does a good job of keeping most people out, at least those that are honest. WEP is not a deterrent to a real hacker.
  35. 35. 35 WPA is wireless security with greater protection than WEP. Most wireless networks should use either WEP or WPA. WPA-PSK is not much more difficult to configure than the older WEP, but is not available on some older products. All computers, access points, and wireless adapters must use the same type of security. WPA operates in either WPA-PSK mode (Pre-Shared Key or WPA-Personal) or WPA-802.1x mode (WPA-Enterprise). In the Personal mode, a pre-shared key or password is used for authentication. In the Enterprise mode, which is more difficult to configure, the 802.1x RADIUS servers and an Extensible Authentication Protocol (EAP) are used for authentication. The enhanced WPA2 uses Advanced Encryption Standard (AES) instead of Temporal Key Integrity Protocol (TKIP) to provide stronger encryption mechanism. 2.9.4.1 Advantages of WPA WPA adds authentication to WEP's basic encryption. It is backward compatible WEP support for devices that are not upgraded. It integrates with IDS to allow administration and auditing. 2.9.4.2 Disadvantages of WPA • Complicated setup is required, unsuitable for average users. • Network Administrator has to spend valuable time in setting up the system. • Wireless link works slower than in WEP and require more network resources. • WPA remains vulnerable to Denial of Service attacks.
  36. 36. 36 11 Table 3-Cafe Latte attack steals credentials from Wi-Fi clients Hackers have refined a new technique for breaking into Wi-Fi networks protected by the aging Wired Equivalent Privacy (WEP). The so-called 'Cafe Latte' attack aims to retrieve the WEP keys from the PCs of road warriors. The approach concentrates its attack on wireless clients, as opposed to earlier attacks that cracked the key on wireless networks after sniffing a sufficient amount of traffic on a network. An attacker can then present his machine as a bridge to the internet towards prospective victims, inspecting their traffic and potentially installing files on compromised PCs. Despite this, WEP remains widely used in consumer, small business and retail environments. WPA (Wi-Fi Protected Access) system replaced WEP years ago but an estimated 41 per cent of businesses continue to use WEP, Infoworld reports. Early Wi-Fi technology fitted in retail point-of-sale terminals, and warehouses reportedly support only WEP. Hackers who obtained millions of credit card records from TJX, the giant US retailer, are thought to have used these shortcomings to break into its systems. quot;This presentation debunking the age-old myth that to crack WEP, the attacker needs to be in the RF (radio) vicinity of the authorised network,quot; Ramachandran and Ahmad explain 11 http://www.theregister.co.uk/2007/10/18/cafe_latte_wi-fi_attack/ - 7 Jan 2008
  37. 37. 37 2.9.5 Virtual Private Network (VPN) quot;A virtual private network is like your own encrypted tunnel from your computer to the computer you're trying to reach,quot; said Marc Rotenberg, director of the Electronic Privacy Information Center. quot;Using VPNs is one of the best ways to securequot; your connection on Wi-Fi networks, he said12 Figure 13 - VPN VPN and Wi-Fi security each has its role in network security. VPNs allow users to connect securely over any network (including the Internet) whether they are user has a dial-up modem or a Wi-Fi hotspot connection. This allows VPN to work from virtually anywhere in the world that provides Internet access. Wi-Fi security, on the other hand, offers user security only at the data link layer between user’s WiFi device and the organization’s wireless access point, which usually means it can only work locally in a LAN environment. But Wi-Fi security solutions provide
  38. 38. 38 significantly more speed, less overhead and less complexity. The purpose of Wi- Fi security is to give an user equal or better security than using a wired connection to the LAN with an equal level of functionality. 2.10.0 The cost of data breaches: Looking at the hard numbers As the frequency and gravity of security breaches has increased over the past few years, there have been several attempts to estimate the costs associated with them. The estimates, however, have churned out vastly different figures, further adding to the confusion. For example, a U.S. Department of Justice study, published in August 2006, determined that the average loss per incident was $1.5 million. These calculations conflicted with a 2005 survey done by Computer Security Institute/Federal Bureau of Investigation estimated the cost to be $167,000. Meanwhile, a 2006 Ponemon Institute survey figured expenses at $4.8 million per breach, while some Chief Information Security Officers put the cost to recover from a security incident at $1,000 per hour. And if that dizzying array of estimates wasn't bewildering enough, a recent Forrester survey done in the US, found that 25% of respondents do not know, or do not know how to determine, the cost of data security breaches. Puzzlingly, of companies that confirmed a personal data loss, 11% said that they did not incur any additional costs. 2.10.1 Tangible costs Tangible costs are the unbudgeted expenses resulting from a security breach. These costs typically include legal fees, mail notification letters, calls to individual customers, increased call center costs and discounted product offers. 12 http://money.cnn.com/2006/07/06/technology/wifi_security/index.htm - 6th Jan 2008
  39. 39. 39 Surprisingly, most estimates agree on this cost to be around $50 per record. This cost has increased slightly over previous years, but will continue to be somewhere around this number. 2.10.2 Regulations and lost employee productivity When employees and contractors are diverted from their normal duties in order to address data breach controls, a company loses money. According to a Ponemon Institute survey, this cost had increased 100% in 2006 from $15 per record in 2005, to $30/record in 2006. The primary reason for this increase has been the growing number of entities and regulations that must be satisfied. Previously, if a company had a data breach, a security team fixed the problem, tested the mitigation and then the company resumed normal activities. Now, the threat of a data breach forces companies to satisfy the industry regulators, like the Payment Card Industry (PCI) Security Standards Council for credit card breaches, or the HIPAA auditors for healthcare regulations. 2.10.3 Stock price In the long run, a security breach does not have a significant effect on a company's stock price, but it could. A stock typically dips immediately after a data breach, but the price rebounds quickly, and after one year there is very little evidence of the breach affecting the stock. 2.10.4 Opportunity cost Companies also typically experienced customer losses after a breach, but the severity varies significantly as well. Typically, banks and hospitals have had the lowest churn rates, and retail outlets have had the highest. A more significant issue at hand is the difficulty in acquiring new customers -- or new customer opportunities -- after a security breach. This number is hard to quantify, but most estimates compare these expenses to tangible costs. A
  40. 40. 40 Ponemon study, for example, puts opportunity cost at $98 per record, a 31% increase from 2005. This number is expected to grow as customers' security expectations increase and businesses compete on data protection technology. 2.10.5 Regulatory requirements and fines When a breach occurs, both customers and regulators need to be satisfied. Regulators may impose additional security requirements or fines. For example, Visa levied $4.6 million in fines, penalizing companies that mismanaged sensitive customer data; the company levied $3.4 million in 2005. As laws and regulations increase, this cost will become much more significant. 2.10.6 Bottom line A security breach can cost organization $50 to $250 per record. Depending on how many records are at stake, individual breach costs may run into millions or even billions of dollars -- and organizations still aren't prepared to protect their wireless environments. Although studies may not be able to determine the exact cost of a security breach in an organization, the loss of sensitive data can have a crippling impact on an organization's bottom line. Table 4-ROI 13 Most Indian enterprises still don’t calculate Return on Investment (RoI) when it comes to investing in network security. Access control, encryption, firewalls, intrusion detection systems (IDS), vulnerability assessment tools and virtual private networks (VPN) are some of the methods being used. Interestingly, around 12 percent of corporates are using Public Key Infrastructure (PKI) technologies (encryption). “Though PKI will become very critical in non-physical banking, problems in implementing PKI still remain the biggest challenge,” says Milind V Dikshit, head, technology solutions and security, Bangalore Labs.
Table 5 - Mobile Workers

Globally, two-thirds of employees are cognizant of security risks when working remotely on company machines. That's the good news. Of course, the converse is that one-third connect blindly to the Internet (this includes public Wi-Fi), in spite of hacking, theft and malware threats. According to "Perceptions and Behaviors of Remote Workers & Security Considerations for IT Organizations," a study by Cisco Systems and Insight Express, end users are aware of security concerns, but often act contrary to best practices for protecting themselves, their machines, corporate networks or their data.

The online survey, conducted in 2006, queried more than 1,000 remote workers in 10 countries from every region of the globe. Users in China (78 percent), Australia (75 percent) and the United Kingdom (72 percent) reported the greatest level of security awareness. India (52 percent) and Japan (59 percent) posted the lowest awareness levels. The United States was slightly above average, with a 68 percent awareness rate. The Cisco/InsightExpress study reveals the often contradictory actions of end users who unnecessarily expose themselves and their work computers to security threats.

Key Findings:

[13] http://www.expresscomputeronline.com/20020624/network5.shtml - 7 Jan 2008
2.11.0 The Scenario in India

Table 6 - Techscope 2003: e-Security [14]

India Inc has finally woken up to the security threat. But merely deploying firewalls or anti-virus solutions isn't enough. Here's how organizations need to strengthen their defences in the wake of new threats.

by Vishwajeet Deshmukh

A global study by KPMG in 2000 reveals that Indian companies achieved the dubious distinction of having the highest number of e-commerce security breaches in the world at 23 percent, followed by the UK and Germany at 14 percent. Of the 60 percent of companies that were victims of some security breach, 21 percent recorded an actual loss in revenue. About 58 percent have still not been able to quantify their loss. According to a Price Waterhouse Coopers / Confederation of Indian Industry (PWC-CII) study, only five percent of the survey respondents reported a revenue loss of over Rs 5 million.
2.12.0 Security Protections for Organizations

If an organization wants to establish proper security protections, here are some important guidelines to follow.

Wireless security policy and architectural design: The security policy of an organization should include wireless networking as a part of overall security management.

   •   Enterprises have to take a top-down approach to framing a comprehensive security policy rather than treat it as a technological issue in the realm of the CIO, CISO etc. The Board and the CxOs must show commitment to security with a clear mandate through policies.

   •   Treat access points as untrusted: Access points need to be evaluated at regular intervals to determine whether they must be treated as untrusted devices. This involves placing appropriate firewalls, VPNs and IDS between the access point and the intranet or the Internet.

   •   Access point configuration policy: The standard security settings for access points must be defined before they are deployed.

   •   Access point security assessments: Regular security audits identify poorly configured access points.

[14] http://www.networkmagazineindia.com/200301/cover7.shtml - 7 Jan 2008
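One way to encode a standard access-point configuration policy and run the periodic assessment that the last three guidelines call for, as an added example that is not part of the dissertation. The baseline settings, the AccessPoint fields and the sample inventory are constructed assumptions, not values from any real deployment.

```python
"""Audit access-point configurations against a baseline security policy.

Added example, not code from the dissertation. The baseline values, the
AccessPoint fields and the inventory below are constructed assumptions that
stand in for what a real 'access point configuration policy' would define.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed baseline: the standard settings every AP must meet before deployment.
BASELINE = {
    # Only authenticated, encrypted modes are acceptable; Open/WEP/PSK are not.
    "allowed_security": {"WPA2-Enterprise", "WPA3-Enterprise"},
    # SSIDs that still carry a vendor default name hint at an unconfigured device.
    "forbidden_ssid_prefixes": ("linksys", "default", "netgear", "dlink"),
    # Treat the AP as untrusted: manage it from the wired segment only, over TLS.
    "allow_mgmt_over_wireless": False,
    "require_mgmt_tls": True,
    # Minimum acceptable firmware release (major, minor).
    "min_firmware": (2, 0),
}


@dataclass
class AccessPoint:
    """One inventory record as an assessment tool might export it (constructed)."""
    name: str
    ssid: str
    security: str                 # "Open", "WEP", "WPA2-PSK", "WPA2-Enterprise", ...
    admin_password_changed: bool  # vendor default administrator password replaced?
    mgmt_over_wireless: bool      # management interface reachable from the WLAN?
    mgmt_tls_only: bool           # management only over HTTPS/SSH, not HTTP/Telnet?
    firmware: Tuple[int, int]
    isolated_from_intranet: bool  # firewall/VPN/IDS sits between AP and intranet?


def audit_access_point(ap: AccessPoint, baseline: dict = BASELINE) -> List[str]:
    """Return every policy violation for one AP; an empty list means compliant."""
    findings = []
    if ap.security not in baseline["allowed_security"]:
        findings.append(f"security mode {ap.security!r} not permitted by policy")
    if ap.ssid.lower().startswith(baseline["forbidden_ssid_prefixes"]):
        findings.append(f"SSID {ap.ssid!r} looks like a vendor default")
    if not ap.admin_password_changed:
        findings.append("vendor default administrator password still in use")
    if ap.mgmt_over_wireless and not baseline["allow_mgmt_over_wireless"]:
        findings.append("management interface reachable from the wireless side")
    if baseline["require_mgmt_tls"] and not ap.mgmt_tls_only:
        findings.append("management interface accepts unencrypted logins")
    if ap.firmware < baseline["min_firmware"]:
        version = ".".join(str(n) for n in ap.firmware)
        findings.append(f"firmware {version} is below the required minimum")
    if not ap.isolated_from_intranet:
        findings.append("AP connects directly to the intranet; no firewall/IDS in between")
    return findings


def audit_fleet(aps: List[AccessPoint]) -> Dict[str, List[str]]:
    """Run the periodic assessment; maps each non-compliant AP's name to its findings."""
    report = {}
    for ap in aps:
        findings = audit_access_point(ap)
        if findings:
            report[ap.name] = findings
    return report


# Constructed sample inventory (no real devices or networks).
SAMPLE_APS = [
    AccessPoint("ap-library-01", "CAMPUS-STAFF", "WPA2-Enterprise",
                True, False, True, (2, 3), True),
    AccessPoint("ap-hostel-07", "linksys", "WEP",
                False, True, False, (1, 4), False),
    AccessPoint("ap-admin-02", "CAMPUS-STAFF", "WPA2-PSK",
                True, False, True, (2, 1), True),
]

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_APS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running the script lists only the two non-compliant sample devices with the reason for each failure; a compliant device produces no output.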
Table 7 - The PWC-CII survey 2002-03

The PWC-CII survey 2002-03 illustrates the lack of a comprehensive security policy framework across India Inc and hence the lack of effective security implementation. To quote from the report: Though 68 percent of the respondents accorded a high priority to security, only 41 percent had a comprehensive security policy in place. Worse, about 47 percent of the respondents continue to operate without a security policy.

2.13.0 Summary

Ultimately, security is everybody's business, and only with everyone's cooperation and consistent practices will it be achievable. Wireless security is a work in progress, so it is essential to administer a wireless network so that it becomes more and more secure. And with more organizations focusing strongly on wireless security, we can only expect to see many more secured wireless networks in the future.
CHAPTER 3
METHODOLOGY

3.1 Introduction

This chapter discusses the methodology of this study in detail. The research questions and assumptions (hypotheses) proposed in Chapter 1 are presented here. All phases of the research design, data collection, location of the research performed, method of inquiry and statistical analysis are reviewed. Finally, the chapter is summarised. The research can be categorised as a combination of exploratory and descriptive study seeking insights into IS and Risk Management in wireless networks in India.

3.2 Research Questions and Research Hypotheses

The research assumptions (hypotheses) framed in the study possess a strong background in the literature review. The combination of the research assumptions (hypotheses) and the literature review proves their importance in the study for answering the research questions. The answers to the research questions would provide good insight for IS professionals and executives regarding the various scenarios and complexities posed prior to designing an IS and Risk Management System for a wireless network.

Research questions

   •   What are the information security risks in using a wireless network?
   •   What would be the ideal characteristics of an Information Security Management System to manage a wireless network?
   •   What functions must an ISRMS fulfill to support users?
   •   What will be the cost of ISRMS implementation?

3.3 Data Collection / Collected

Primary data collection is done on the basis of personal interviews along with responses to the questionnaire filled in by IS / Management personnel, Information Systems Auditors, Information Systems Inspection Personnel, Network Security Professionals, Network Administrators, Information Systems Administrators, etc. Data is also collected from the students of Wi-Fi enabled colleges in order to understand the awareness among them, which might instigate quick development, deployment and improvement in the IS and Management methodologies and techniques in the respective organizations. The data collected from customers is a value addition to the research, in order to gain certain insights regarding IS threats which might have been overlooked because they were never reported or registered. These customer inputs would also help us analyse the overall success of the organizations in terms of IS and Risk Management in wireless networks.

The choice of an adequate data collection method should mainly be based on the type of research problem investigated (Kiplinger 1986). Figure 3.1 indicates which choices were made at various decision levels related to the data collection method. At each level, the option selected is shaded.
[Figure 14: Selection of Data Collection Method. Decision levels: Data Collection -> Longitudinal research / Cross-Sectional -> Experimental research / Non-experimental -> Observation / Survey -> Personal / Telephone / Mail / Internet]

   •   Cross-Sectional Research

Research can either be cross-sectional or longitudinal. In this study, a cross-sectional research design has been applied. Cross-sectional research involves the collection of information from any given sample of population elements. Longitudinal research, on the other hand, provides an in-depth view of the situation and the changes that take place over time. Scholars recognise that representative sampling and response biases are serious problems of longitudinal research. In longitudinal research, the cooperation of panels is required. Respondents' refusal to co-operate, panel mortality, and payment of panel members increase the lack of representative sampling. Furthermore, response bias is increased as a result of the fact that panel members more consciously perform the investigated behaviors and that new panel members tend to increase the investigated behavior. Finally, longitudinal research implicitly requires long data collection periods. Based on these arguments and the objective of this study, a cross-sectional research design is considered adequate to provide the required information in a valid and representative way.

   •   Non-Experimental Research

In this study, a non-experimental method, as opposed to an experimental research method, is used. Non-experimental research is generally defined as "systematic, empirical inquiry in which the scientist does not have direct control of independent variables because their manifestations have already occurred or because they are inherently not manipulable". While experimental research generally allows high levels of internal validity to be obtained, as a result of the possibility to control, randomly assign, and manipulate, its lower external validity and artificiality are considered to be weaker elements. As this study aims at generating generalizable results for a wide range of IS and Risk Management situations, external validity is an important additional evaluation criterion. Consequently, the use of non-experimental research is suitable for the purpose of this study.

   •   Survey Research

Survey methods are generally classified into mail, internet, telephone, and personal surveys. Non-experimental research designs can consist of observation as well as survey methods of data collection. In this study, a survey research design was chosen, which is defined as "interviews with a large number of respondents using a pre-designed questionnaire".

   •   Personal Interviewing

In this study, personal surveys were conducted in order to gather the required data. A personal interview is generally defined as "a questionnaire administration method in which the interviewer and respondent have face-to-face contact". According to many experts, the personal interview "far overshadows the others as perhaps the most powerful and useful tool of social scientific survey research".
Personal interviews outperform mail, internet, and telephone surveys on nearly all criteria, except for interviewer control and bias, cost, and social desirability. Several efforts were made in order to overcome these potential weaknesses. The use of structured questionnaires that included detailed respondent instructions automatically diminished the risk of interviewer bias. Further, interviewers were not aware of the underlying hypotheses of the study and could therefore not consciously influence the responses. Thus the data collection involved in this study used non-experimental research based on personal surveys and telephonic interviews on a cross-sectional basis.

3.4 Location of the Data

The data will be collected from the Inspection Departments of various Wi-Fi enabled colleges, IS and Risk Management cells, Information Systems Auditors, Network Administrators, Information Systems Administrators, IS Specialists (Project Managers, Quality Assurance, Development Heads for any IS software or hardware solutions), etc. Apart from this, data is also collected from customers regarding their awareness of IS threats in wireless networks. With a responsible and critical team of intellectuals forming the basis of this research, the remaining part of the questionnaires will be filled in by a large number of students using wireless networks on their college campus.

3.6 Method of Inquiry

A self-administered survey was utilized to collect data. The questions were developed in a manner which would help in analysing the various IS threats and the Risk Management methodologies used to mitigate, transfer, avoid or accept the risks. Based on past research, the data was gathered from both primary and secondary sources. The questionnaire was a blend of open- and closed-ended questions, which provided a range of possible responses to almost all questions, making it easy for the respondent to select from a range of possible answers.
3.7 Analysis to be performed on the Data

Different statistical methods were used for the data analysis, using Microsoft Excel and the Statistical Package for the Social Sciences (SPSS). Descriptive statistics were generated to evaluate the distribution of variables, and appropriate statistical techniques were used to study the data collected.

3.8 Summary

This methodology chapter has provided a discussion of the methods and procedures applied in this proposed dissertation. The chapter has discussed the objectives of this dissertation, the research questions framed to fulfill the objectives, and the methods used to collect and analyse the data required by the research questions.
References

1. Faria, D. B. and Cheriton, D. R. 2002. DoS and authentication in wireless public access networks. In Proceedings of the 1st ACM Workshop on Wireless Security (Atlanta, GA, USA, September 28, 2002). WiSE '02. ACM, New York, NY, 47-56. DOI: http://doi.acm.org/10.1145/570681.570687 (13-Dec-07)
2. Godber, A. and Dasgupta, P. 2002. Secure wireless gateway. In Proceedings of the 1st ACM Workshop on Wireless Security (Atlanta, GA, USA, September 28, 2002). WiSE '02. ACM, New York, NY, 41-46. DOI: http://doi.acm.org/10.1145/570681.570686 (13-Dec-07)
3. http://www.winlab.rutgers.edu/~trappe/Papers/WiDoS_Wise04.pdf (13-Dec-07)
4. Eagle, Steven J., "Wireless Telecommunications, Infrastructure Security, and the NIMBY Problem". Catholic University Law Review, Vol. 54, No. 2, pp. 445-496, Winter 2005. Available at SSRN: http://ssrn.com/abstract=591249 (13-Dec-07)
5. http://www.securityfocus.com/infocus/1761 (06-Jan-08)
6. http://paper.ijcsns.org/07_book/200710/20071045.pdf (06-Jan-08)
7. http://www.sei.cmu.edu/str/descriptions/sbid_body.html (06-Jan-08)
8. csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf (05-Dec-08)
9. http://www.pcworld.com/article/id,119568-page,1-c,hubsswitchesrouters/article.html (06-Jan-08)
10. http://money.cnn.com/2006/07/06/technology/wifi_security/index.htm (06-Jan-08)
11. http://www.acm.org/crossroads/xrds11-1/wifi.html?searchterm=Intrusion+detection+in+w... (10-Dec-07)
12. http://iase.disa.mil/wireless/wirelessfaq.html (06-Jan-08)
13. http://www.wi-fiplanet.com/tutorials/article.php/1368661 (07-Jan-08)
14. http://kbserver.netgear.com/kb_web_files/n101190.asp (07-Jan-08)
15. http://www.sigmobile.org/phd/2000/theses/heinzelman.pdf (10-Dec-08)
16. http://www.itechnote.com/2006/10/26/public-wi-fi-network-threats/ (05-Jan-08)
17. http://www.expresscomputeronline.com/20020624/network5.shtml (07-Jan-08)
18. http://www.networkmagazineindia.com/200301/cover7.shtml (07-Jan-08)
19. http://www.networkmagazineindia.com/200304/cover1.shtml (14-Dec-07)
20. http://www.practicallynetworked.com/tools/wireless_articles_security.htm (02-Dec-07)
21. http://pcquest.ciol.com/content/topstories/2007/107120421.asp (25-Dec-07)
22. http://www.ciol.com/cgi-bin/printernew.asp?id=99399 (04-Dec-07)
23. http://www.acadjournal.com/2006/v19/part6/p3/ (05-Dec-07)
24. http://www.devx.com/wireless/Article/22160/1763/page/1 (11-Dec-07)
25. tnc2007.terena.org/core/getfile.php?file_id=527 (06-Dec-07)
26. http://www.acmqueue.org/modules.php?name=Content&pa=printer_friendly&pid=36&pa... (10-Dec-07)
27. http://issj.sys-con.com/read/80915_p.htm (10-Dec-07)
28. Akyildiz, I. F., Wang, X. and Wang, W. 2005. Wireless mesh networks: a survey. Computer Networks, Vol. 47, No. 4 (15 March 2005), 445-487.
29. http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1248216,00.html (07-Jan-08)
30. http://www.crn.com/article/printableArticle.jhtml?articleId=193105450 (14-Dec-07)
31. http://crystal.uta.edu/~kumar/cse6392/termpapers/Vijay_paper.pdf (12-Dec-07)
32. http://www.tribuneindia.com/2005/20050216/cth1.htm (14-Dec-07)
33. http://wbt.sys-con.com/read/471261_p.htm (10-Dec-07)
34. http://www.acmqueue.org/modules.php?name=Content&pa=printer_friendly&pid=222&p... (10-Dec-07)
35. http://www.networkmagazineindia.com/200501/coverstory03.shtml (16-Dec-07)
36. www.devx.com/assets/download/4069.pdf (11-Dec-08)
37. http://www.devx.com/wireless/Article/22160/1763/page/2 (11-Dec-07)
38. images.cxotoday.com/cxoimages/pdf/ResearchReport1.pdf (14-Dec-07)
39. http://www.networkmagazineindia.com/200111/focus2.htm (10-Dec-07)
Glossary of Terms

ActiveX Controls
These controls link to any object--traditionally dynamic content such as tables and buttons that react to mouse clicks--embedded within a Web page. Although ActiveX controls help Web pages spring to life, malicious programmers can easily use them as vehicles for downloading spyware. Install a sturdy browser and firewall that screens your ActiveX controls, and download them with care, accepting ActiveX only from trusted Web sites.

Adware
Typically, adware components install alongside a shareware or freeware application. These advertisements create revenue for the software developer and are provided with initial consent from the user. Adware displays Web-based advertisements through pop-up windows or through an advertising banner that appears within a program's interface.

Antispyware software
This is a broad term for programs designed to protect a computer from adware and spyware. Almost all antispyware applications feature a scanning engine, which detects suspicious items and removes them from the infected machine. Some antispyware applications also include a real-time-protection module, a shield that alerts users when suspicious programs attempt to install themselves and allows users to deny them.

Backdoor programs
This refers to any software program that allows other users to control machines remotely while hiding any evidence of the fact. Software developers are the most common authors and users of backdoor programs, adding them to make testing easier. Backdoor Trojan horses are spyware programs that sabotage your PC. These specific Trojan horses force a backdoor program onto your machine and infiltrate your system to collect information or install spyware.

Bot
An Internet robot, shortened to "bot," is an automated program that performs a specific timesaving function in lieu of a human operator, such as a spider that trolls Web sites collecting data for market research. Spyware bots secretly install through worms, Trojan horses, and drive-by downloads. They are mostly used to carry out remote attacks, such as denial-of-service (DoS) attacks.

Botnet
A botnet is a network of bots installed on multiple computers, each running identical malware. A botnet can be controlled remotely via an IRC (Internet Relay Chat) server or a peer-to-peer application.

Browser-helper object (BHO)
BHOs are files--most frequently DLLs--that add functionality to Internet Explorer. Although many useful programs such as Adobe Acrobat employ BHOs, these files also can be used for unsavory purposes. BHOs associated with adware or spyware can monitor your browsing activities, hijack your home page, or replace certain advertisements with others.

Cracker
Cracker is a shortened name for a criminal hacker. See hacker.

Denial-of-service (DoS) attack
Denial of service is an attack designed to block user access to a Web site or network by flooding it with bogus information (such as a surplus of requests). The information overload maxes out the Web site's or network's processing capabilities, resulting in the user's inability to access Internet services and making the site appear inaccessible. DoS attacks damage productivity and can be highly frustrating, though the hacker's primary purpose in such attacks is generally disruption and not identity theft.

Distributed denial-of-service (DDoS) attack
This variety of DoS attack enlists multiple compromised computers to flood a single target with bogus information. A criminal hacker can hijack your computer and force it and others to perform a DoS attack against other computers, users, or networks.

Dialer
Traditional modems use a program called a dialer to connect a computer to the Internet, but dialers are perhaps best known for their illegitimate purposes. Bad dialers cause your PC to call long-distance or for-pay numbers, rather than your ISP. This most often results in a large telephone bill for the user and a tidy profit for the dialer's creator.

Drive-by
This term is loosely used for a stealth software installation the user does not initiate. In some cases, simply visiting a Web page can download malicious programs to a PC without the user's knowledge or consent. In other cases, a pop-up ad might be used to initiate a drive-by installation.

Evil twin
A spoofed doppelganger of a legitimate wireless access point is known as an evil twin. Often home constructed, the evil twin hotspot offers wireless access for the purpose of collecting the user's data, which can then be exploited or sold.

False positive
False positives can fall into several categories. In an effort to sell software, unscrupulous antispyware programs often will mislead a user into believing his or her machine is infected with spyware when no problems actually exist. The term false positive also can be used when legitimate antispyware applications mistakenly label a benign program as a threat.

Firewall
A firewall is a crucial component in a computer's line of defense, as firewalls prevent unauthorized services or programs from accessing a computer or network resources. Although virtually every corporate network has its own firewall, every personal computer should have one as well. Personal firewalls can come as standalone products or as components built into a larger security suite.

Hacker
"Hacker" is a term that often requires more qualification than is given, as hackers can act with intentions and outcomes ranging from beneficial to malicious. To hack a file or a program is simply to deconstruct it or tweak its performance. Therefore the term hacker has neutral connotations, encompassing those who tinker with computer programs with no malicious intent, such as computer programmers or security researchers, as well as criminal hackers (also called crackers) who seek to damage your system, gain from stored data, or control your PC remotely. Hacking taxonomy is associated by color--black hat hackers are malicious, white hat hackers are benign, and gray hat hackers are characterized by varying motivations.

Hijackers
Often installing as a helpful browser toolbar, hijackers may alter browser settings or change the default home page to point to some other site.

Keylogger
Keyloggers are just what they sound like--programs that record every keystroke made on a PC. Though some parental-control applications include keyloggers for monitoring purposes, the ones that come bundled with spyware are far more insidious. These types of keyloggers send sensitive information to a remote computer, where thieves can access data such as credit-card and bank-account numbers, as well as passwords and social-security numbers.

Malware
Malware is generally used to describe a piece of software that exploits or inconveniences the user. It usually refers to the most malicious forms of adware and spyware.

Man-in-the-middle attack
In this particular type of attack, a third party piggybacks on valid user privileges to gain unapproved access to a computer or network. The man-in-the-middle (MITM) attack exploits the authentication process of a one-way authentication (user approved by the network) wireless access point (WAP). MITM attacks are orchestrated by intercepting a valid authentication granted by a network with a one-way authentication setup to any valid Media Access Connection (MAC). With the user's legitimate access as a shield, the MITM has full access to the data flowing in and out of a user's computer.

Pharming
Like phishing, pharming preys on socially conditioned patterns of human behavior to coax sensitive information from victims. Whereas phishers masquerade as legitimate organizations, pharmers hijack sites' domain names to redirect traffic elsewhere. In this way, visitors to an online banking site can be channeled to a mirror site and prompted to provide personal data that crackers can collect and use.

Phishing
Spoofing legitimate organizations to lure users into giving up sensitive data is a favorite technique among security fraudsters. In a common phishing scam, users receive a look-alike e-mail message purportedly from a trusted institution like their bank, alerting them to an urgent need. Users follow the embedded link to a convincing site that requires them to sign in using account information. Among the subsets of phishing scams, spear phishing targets a specific user demographic, such as gamers. In VoIP phishing, users are directed to verify their account information over the phone rather than on a Web site.

Phreaking
Combining the words "phone" and "freak," phreaking refers to a wide subculture of hacking that involves manipulating and exploiting telephone systems.

Rogue antispyware software
Posing as legitimate antispyware applications, these malicious programs scan a computer and induce false positives to scare users into buying a product. Rogues often attempt to distribute themselves via ominous pop-up ads and can be very difficult to uninstall manually.

Rootkit
Although an exact definition of what constitutes a rootkit is still under debate, it is generally regarded as a piece of software that allows intruders to conceal malicious files and programs from users or system administrators. Rootkits can be extremely hard to uninstall and allow troublemakers to go about their dirty work undetected.

Spam
Originally, the unsolicited bulk messages that inundate a user's account took the form of e-mail messages (mostly advertisements) in which the sender attempted to engage the user in a purchase. Spam has evolved, and unsolicited bulk messages crop up in instant messages (spim), blog comments (splogs), mobile texts (SMS spam), forums, and so on. More than merely annoying, spam attachments can contain viruses and malware or link to dangerous Web sites. Spam is the principal vehicle for phishing scams.

Spoof
Spoofs are misleading Web addresses, spam e-mails, and IP addresses forged by a malicious hacker to look identical to the legitimate organization's materials. They are used to trick users into responding to alerts that appear to be issued by trusted organizations such as banks. Users who respond to the visual fakery and urgency of the requests are prompted to give up private data, which is then often used in identity theft. Spoofs are instrumental in carrying out phishing, pharming, and phreaking scams. In a pharming exploit, a spoofed IP address of a legitimate company might be scripted to float over the culprit's actual, nonlegitimate IP address in order to make the user believe the site is valid.

Spyware
Spyware refers to programs that gather and transmit the user's personal details or behavior to a third party, often without the user's knowledge or consent. Like adware, it often installs as a third-party component bundled with freeware or shareware, creating a fuzzy distinction between the two.

Tracking cookies
Internet browsers write and read cookies, files with small amounts of data (such as site passwords and settings), based on instructions from Web sites. In many cases, cookies provide a benefit to users. However, in some instances cookies are used to consolidate and track user behavior across different sites, which provides marketers with private information about an individual.

Trojan horses
Trojan horses slip into an individual's system and run without the user's knowledge. They can have many functions. For example, some use a computer's modem to dial long-distance, generating huge phone bills for the computer owner. Unlike viruses and worms, Trojan horses do not make copies of themselves.

Virus
Like human viruses, the computer varieties contain harmful code and spread easily to infect multiple hosts. Viruses are notorious for corrupting hardware, software, and personal files. Viruses cannot spread on their own, requiring users to share infected files through e-mail attachments, flash drives, disks, P2P, Web sites, or any other file-transferring mechanisms.

Worm
Often conflated with viruses, worms also are self-replicating programs; however, they propagate independently of user interaction, often through a shared or direct network connection. Worms may destroy data on individual machines, but mostly inflict their damage by siphoning users' bandwidth or shutting down their computers.

Zombie
Using viruses, Trojan horses, and worms, criminal hackers can remotely operate a compromised machine without the knowledge of its owner. Zombie computers often host programs that allow them to be conscripted by a remote controller into bot armies, called botnets, to launch DDoS attacks.

Zero-day exploit
Malicious hackers have discovered they can increase their level of destruction by cracking the defenses of a product on the same day that news of a vulnerability breaks and/or an ensuing patch is released. Disclosure practices compel software and security vendors to publicly announce flaws, which informs fast-acting exploiters. The resulting zero-day attacks affect users who haven't applied a patch to fix the vulnerability.
