Wireless Security on Context (disponible en español)
Wireless Security on Context (disponible en español)Posted by Jorge Guzman Olaya on Apr 15, 2013 10:02:25 AMWhy Security?It all started with an email account you accessed through your laptop, and now sometimes it is really hard to track allthe digital profiles you own, plus we tend to pay little attention about accessing our digital assets in secure “wirelessdomains”, these factors combined form a scenario where security breaches can really hurt your digital self as itexists. It is clear that wireless communications has allowed us to adopt technology in a new way; we can use digitaltools without being tied to a location, but the fact is that when you use technology everywhere you are exposingyourself to that “everywhere”. Popularity of wireless technology has shifted the usage of digital tools, your mobiledevice is amazingly powerful and networks are growing in complexity to cope with better services. All this powermakes it difficult on the user to keep a track of the myriad of vulnerabilities and possible security exploits.As mentioned above we have in our hands a complex scenario; from one side we have an exponential growth andsuccess of the wireless technology plus an increasing exposure of personal sensitive data to the digital world plusmore physical spaces where we can use the technology that at the same time increases the number of personal andsocial contexts involved in our interactions with technology. On the other side we have a user that is still adapting tothe rapid shift, possibly meaning that he is less conscious of how various factors come together to form the service,and it is how we find the first weak link in the chain; the lack of knowledge. Another factor is the fierce competitionamong industry stakeholders; they are working isolated pushing their own agendas, creating a non -cohesiveframework of security for the wireless industry. On the contrary, threats and bad-intentioned people usuallybeneficiate upon gathered knowledge of collaborative open communities through the Internet.Taking Action to be More SecureFrom the user perspective, the main action must be to increase knowledge of the technology. For example, where totune security configurations on the device or what information is being accessed on your device by the apps installed.It is also important to know the risks of using a non-secure WLAN network. In the final part of this blog I summarizevarious security tips you can find on the Internet and my personal recommendation.Application developers must commit more responsibly to security and inform the customer about their efforts on thematter, especially considering privacy of user sensitive information and its management; aspects like the length ofconservation of user information even after the user has uninstalled the app or the permissions of sh aring personal
information with third parties. Regarding the OS developers, it is expected that SW threats are addressed not only for the new releases of the product but also previous versions must be covered, and somehow frequency of security updates or patches must be increased. Other contributors to the industry take action: like national government’s initiative to extend EIR databases beyond countries frontiers to discourage device theft, or the effort countries are making, to oblige Internet giants to comply with international policies of user’s personal data handling. Academia presents innovative testing techniques against security breaches including fuzzy logic and genetic algorithms to simulate real life environments. New wireless applications like NFC and M2M also pose big questions and challenges to the industry that are being addressed; solutions like data encryption while being transferred or stored are being integrated into architectures and regulations, but the main path the industry must take is an improvement of the vision about security. Seurity threats cannot be avoided - they can only be managed and management must start with a plan to achieve a clear goal. A Framework to Achieve a More Secure Wireless Ecosystem If security threats can only be managed at the most, then, a base framework can be formulated to then build a plan or strategy to efficiently manage wireless security. CTIA has made a pretty good effort formulating such a framework in which the elements are: Consumers MNO Device Manufacturers Application Market Places Operating System vendors Chipset Manufacturers Network Services Systems Support SW Vendors VAS Service Providers Network Equipment Manufacturers Under its view CTIA proposes five cornerstones, around which security actions are executed and efforts should be built around:1. Consumers: Responsible to protect their devices through better configuration and installing applications to secure their devices and their data, also keeping that SW Up-to-date., Ffinally the users must be aware of what they put in their devices and what they disclosed on their social profiles.2. Devices: Comprises all the tools and methods that the industry and you as user, can use to minimize risks from security threats, given the high complexity of current devices and the great deal of information and activities we do with them.3. Network based security policies: Includes all the tools that network providers should use as countermeasures against security threats;, examples like Policy Routing Traffic Analysis, Service provider SSL VPN, and MDM (Mobile Device Management) capabilities for BYOD environments.4. Authentication control: Covers the authentication methods of the device with the network and those for the user to access the device, considering the multifactor method trend and the biometric approaches.5. Cloud, Networks and Services: Comprehends the whole extend of the network, its functional entities and the services that each part provides both for regular customers and enterprise users. Also the different precautions and plans that the network has to have in place for Disaster recovery scenarios and security schemes that ensure privacy and integrity of stored user information.
My Personal View on Wireless Security Image courtesy of Paola Buelvas (firstname.lastname@example.org) As mentioned above, a framework is only useful if there is some intention to develop something around that baseline, and in the introduction of this post I mentioned that industry main stakeholders tend to work isolated in a non - collaborative way, so I agree with some proposals about a push towards a multisource intelligence environment. In order to accomplish such an environment a Multisource Intelligent System could be the center tool to allow a collaborative effort of this kind. And so, the industry will have a transnational, multivendor, multi -technology tool, containing well documented security threats, problem workarounds, countermeasures and possible patches and solutions against known security breaches; all this following the best of the bread practices in IT management to organize, produce, control and store the flow of information that comes from solving engineering problems related to security in the wireless industry. This multi-collaborative industry repository will be accessible to all accredited members of the wireless industry and/or active contributors of security assets construction within the ecosystem. They will feed, maintain and update the content of this tool. Through the use of guidelines contained in international bodies of knowledge for IT handling, it will be possible to ensure the appropriate privacy for each industry stakeholder regarding industrial secret information, while still helping the development of solutions from already known threats and those foreseen by academia. The main objectives for an endeavor of this kind would be: Provide the industry with a construct around which industry stakeholders can produce collaborative efforts to better countermeasure security threats. To speed the production and divulgation processes of effective and more complete security countermeasures that better protect the customer and the industry, taking advantage of already documented knowledge, avoiding re -work and misinformation. Finally, I think that future technologies, like Context Aware networks can help to create a more secure environment for the user, allowing the execution of a counter action at the precise instant of technology usage and at the precise moment where a security threat becomes obvious, and without the need for the user to know or be prepared to all existent risks of his ongoing wireless transaction or service at a random space and time combination. All while at the same time optimizing the resources of the network devoted to protect the user against threats .; Ffor example, if the network detects that certain user is connecting through its own VPN client, a network base VPN solution flow can be allocated for another user. A Look into the Future of Wireless Security Fields for further study: BSN and BAN give security a totally new meaning, because this technology puts information concerning your own body into networks that today, cannot be considered totally secured;, so if this field of the industry is set for any success then security must be further developed and strengthen. Now MTC (Machine Type Communications) where human intervention is not required also needs an intelligent non supervised scheme that can ensure the basics of a secure communication network: Confidentiality, Integrity, Authentication, Non Repudiation, Access Control, Availability and Privacy.
Security future concepts: like beneficial viruses, SW that in the same line of DRM remain inactive but when found in unauthorized digital environments then proceed to delete themselves and the information attached to them. Another concept is the Active sentinel SW that contrary to a regular antivirus this SW adapts to a certain extent to identify the threat even if is not specified in the database but that follows a suspicious activity pattern against predefine rules. New biometric authentication methods like brain wave authentication that is really unique and fast. Summarized Tips for the Wireless User As promised, here is a list of “dos” and “donts” for the user of wireless technology. Do:1. Be informed and cautious while downloading apps, clicking links, providing information to online sites, setting passwords, and linking accounts and online profiles. Always consider installing security software on your wireless device.2. Check the permissions of each installed app, and take the time to read the permissions you give to apps while installing them.3. Be conscious when using Wi-Fi, check the type of security used, if security is absent from the access point or lower than WPA2, avoid logging in your sensitive accounts, or do banking transactions, without a VPN client solution, if you don’t have such solution, restrict your session to just browsing if at all.4. Be proactive and organized with your passwords: set a strategy to generate, change and store them, there are plenty of passwords apps.5. Check the details of your wireless bill to identify unauthorized usage or suspicious usage patterns from your devices.6. Update your trusted applications and OS in all the devices you run digital transactions.7. Report stolen or lost phones.8. Use a VPN solution for unsecure Wi-Fi9. Use complex passwords for important accounts.10. Set security questions that really help you protect your data.11. Use encryption of your sensitive data while stored on mobile devices, available apps can be found on your preferred SW provider online stores. Do Not:1. Publish personal information or specific information about your wireless devices (phone number, IMEI, MAC address, etc.)2. Root your phone or mobile device for personalization purposes.3. Buy an stolen phone or buy it from a suspicious provider4. Download apps from un-authorized stores different from the OS manufacturer store, like directly from the internet.5. Be lazy, when setting passwords, logging into sensitive accounts, exchanging banking info, and protecting mobile devices, always use what you consider is more secure for your digital asset, even if it takes more time.6. Have one factor authentication for sensitive accounts or digital profiles.7. Have the same password across multiple online or digital profiles.8. Thrust blindly on third parties to secure your digital data, take your own measures, backup regularly, encrypt your data, do not use unsecure access points can be just some examples.9. Link social accounts all together if unnecessary, you’ll be providing a great deal of information without noticing it. For more, follow me on Twitter @jomaguo Read this blog post in Spanish. For all blog posts written by Jorge Guzman Olaya, please visit his Community Profile. For more discussions and topics around SP Mobility, please visit our Mobility Community:http://cisco.com/go/mobilitycommunity