Security 2 Q 07[1]



  1. Rogue Access Not Only CIO Security Headache
     BY J. SHARPE SMITH

     Security threats in the wireless space are so plentiful it is no wonder that some companies throw up their hands and cut back on wireless access to their computers. When we think of security risks, we usually think of someone stealing credit card information, but there is so much more to be wary of in today’s enterprise in terms of threats, including rogue wireless access to company networks, denial of service attacks on web sites and the introduction of crippling viruses into the wireless space.

     But it doesn’t have to be that way. Companies today are finding plenty of ways of strengthening their security with a growing array of defenses to protect both customer data and company data. For today’s telecom director or IT manager, if sensitive information is being transmitted or can be accessed over the air, security is just as important as connectivity.

     Many corporate executives, however, are not aware of the risk and consequences of unsecured wireless, according to Kevin Beaver, an independent information security advisor with Principle Logic, LLC. Working with today’s enterprises, Beaver sees many people overlooking the task of testing for wireless security vulnerabilities during standard security assessments and audits.

     In fact, according to research done by J. Gold Associates, fewer than 10 percent of companies deploy mobile security software suites. In its White Paper, “10 Steps to Mobile Security,” J. Gold suggests several actions that are key to mobile security. These 10 Steps to Mobile Security include:

     • End users
       – Set policies, document, and get user buy-in
       – Enforce policies on mobile devices for all users
     • Devices
       – Make sure password protection is always set to “ON”
       – Include updated personal anti-virus (AV) and firewall on devices
       – Encrypt sensitive files on all devices
       – Enable device lockdown and kill
     • Infrastructure
       – Determine what file types can be downloaded/synced by which users, when, how and to which devices
       – Log device usage for compliance where appropriate
       – Enforce connection security/virtual private network (VPN) standards
     • Organization
       – Review and update policies regularly, as things change often

     VOL. 3, ISSUE 2, 2007 EWM 18
  2. Over the Air Encryption Too Often Overlooked

     Beaver sees several "security fronts" or points of vulnerability. The first one is people who carelessly use wireless networks at work, at home and when traveling. He finds many major corporations with laptops, PDAs and other mobile devices that have no security protection such as device-specific firewalls, power-on passwords or VPNs.

     Even 802.11 communications with Wired Equivalent Privacy (WEP) or the Wi-Fi Alliance specification, Wi-Fi Protected Access (WPA), are vulnerable, according to Beaver. “These encryption keys can be hacked using a number of free tools such as Aircrack,” he says, “which can lead to the capture of confidential information, denial of service attacks, and more.”

     Mobile VPNs

     One security measure is to make a wireless laptop’s transmissions more secure through the use of a virtual private network. While most VPNs are created for the wired networks, it is critical for a wireless user to use a mobile VPN, which is designed particularly for wireless networks. A mobile VPN allows for data encryption, encapsulation and authentication for each individual mobile user.

     “There is increased market demand for security in mobile VPNs. Users are expressing the need for security in their data transmissions,” says David Torres, director of business development, Radio IP Software, Inc., which offers mobile VPN as a feature of its Radio IP MTG software suite.

     Photo caption: David Torres, Radio IP Software

     “Government agencies, utilities and others are becoming more careful about transmitting sensitive information over the air.” The problem, according to Torres, is that most VPN solutions are created for the wired networks. “To protect a wireless laptop, a Mobile VPN must be deployed that includes data encryption, authentication and data encapsulation.”

     Authentication of the mobile user can be achieved through the use of a user/password, biometrics, such as a fingerprint, and the use of a token key or smartcard, which is inserted into the computer’s USB port. It creates an additional layer to confirm the user.

     Photo caption: Authentication of the mobile user can be achieved through the use of biometrics, such as a fingerprint.

     “Authentication tokens are an essential component in PC and data security solutions for they provide strong user authentication, ensuring that individuals accessing data are who they claim to be,” according to a White Paper by Aladdin, makers of eToken authentication and password management. “Furthermore, certain kinds of authentication tokens – such as USB smart-card-based tokens – can provide significant extended support for strong PC and data security by offering secure generation and storage of encryption keys.”

     Not only must the user be authenticated, but the wireless laptop must be guaranteed that it too is the correct mobile device for accessing the corporate network. To do this, the corporate server gateway has a certificate and the laptop receives a certificate. Together they can mutually authenticate. “Certificate authentication further validates your devices and protects your system from intrusions,” says Torres.

     User authentication attempts can only be made if Radio IP MTG has validated the device and opened an encrypted tunnel. This process protects the username,
  3. domain and password information from being intercepted. The data is then compressed to protect it from being intercepted and encrypted.

     Today’s encryption has been enhanced, making it increasingly difficult to break. There are several levels of encryption possible, from the 56-bit Data Encryption Standard (DES), which many feel is too easy to hack, to the Advanced Encryption Standard, which comes in 128, 192, and 256-bit key sizes.

     “To ensure your data is transmitted securely with high-level encryption,” says Torres, “your data should be encrypted with either AES (256-bit) or Triple DES (168-bit) methodologies, using FIPS [Federal Information Processing Standard] 140-2 certified technology.”

     Photo caption: The username, domain and password information in over the air transmissions are targets for interception.

     Mobile VPN Helps Northeastern Utility Secure Communications

     Security plays a critical role in the wireless system of EnergyEast, a diversified energy provider that serves 3 million people in the Northeast, which deployed Radio IP’s Mobile VPN early in 2006.

     Highly encrypted, secure transmissions to and from mobile devices in the field through the use of a Mobile VPN are essential to protect the customer information, employee confidential information and details concerning the utility’s overall electrical infrastructure, according to Shrikant Nistane, project lead for mobile data at Energy East. In addition to the Mobile VPN, he adds additional passwords to ensure user authentication.

     “When there are mobile devices out in the field, there is always the possibility that someone will gain access to the device. We are here to minimize and contain the risk,” says Nistane. “It is a constant battle. At the same time, we have to do everything that is absolutely necessary to serve the customer.”

     Rogue Access to IT Systems Can Cause Security Breaches

     More than just over-the-air security was needed at EnergyEast. The utility also required a way to guard against denial of service (DOS) attacks in the form of rogue access to its data system. With the increasing acceptance of wireless LAN technology comes ample possibility for leakage of corporate information or the introduction of malware, malicious software designed to damage a computer system. As a result, analysts suggest that more than half of the security breaches come from within the walls of company headquarters through rogue wireless access to the network.

     “Guarding against denial of service attacks plays a big role in our security plan,” says EnergyEast’s Nistane. “It’s our most stringent criteria in combating wireless security issues.” The utility is using Radio IP’s Access Defender, which scrutinizes and quarantines all incoming communication attempts, allowing the LAN to give access to the mobiles rather than the mobiles initiating the access to the LAN.

     Access Defender is an example of central management software that protects the host network from outside attacks such as the DOS attacks and buffer overrun attacks. Rogue access must be detected and shut down before sensitive information is lost or an attack on the network ensues.

     Vulnerable access points can occur for many reasons: a wireless system set up by an employee, a misconfigured access point or one that is running default configurations. Additionally, a breach can be as malicious as a hacker setting up an access point or it can be as innocent as a neighboring WLAN accessing the strongest signal through a poorly configured access point. And there’s more. A hacker can also gain access
  4. using hybrid network bridging through WiFi, Bluetooth, Modems or infrared links to a PC while it is connected to the wired corporate LAN.

     The key to network management is visibility of port access, knowing who is connecting what devices to every single endpoint in the network –– from USB to WiFi and Bluetooth –– enterprise-wide, according to Hay Hazama, VP of research and development for Safend, which produces endpoint security solutions.

     “While most organizations adequately protect Internet connections via TCP/IP ports with firewalls, endpoints are often overlooked,” says Hazama. “Given that there are 26,000 different USB products available today and WiFi use is on the rise, the problem of securing company laptops and PCs from data theft, data leakage and malicious attacks continues to challenge IT administrators.”

     “The answer for IT managers deploying Wireless LANs is to effectively detect and block wireless access points and client stations automatically and in real-time,” according to a White Paper by AdventNet, provider of network management solutions for enterprises.

     According to AdventNet, rogue activity can be detected by regularly doing the rounds of the facility with a mobile device using software such as AirSnort or NetStumbler that sniffs the air for wireless activity. These solutions are well known for being able to detect unrecognized access points, but they are irregular in their approach to security. Full-time RF sensors such as products by AirMagnet and AirDefense can be installed to continuously monitor all Wi-Fi traffic to detect, disable and document rogue access.

     In what is known as a background probe, Wavelink Rogue AP Detection and Identification Software can enable the mobile devices in the company to scan the airwaves for rogues during idle time. Additionally, the AP detection can actually be integrated into the access points, such as the ORiNOCO made by Proxim Corp.

     Wavelink Mobile Manager and Airwave Management Platform (AMP) both depend on wired side inputs for AP detection and both support sensors from AirMagnet. Mobile Manager detects rogue APs by comparing data from the APs and wireless laptops reporting on the wireless side of a network with what Mobile Manager detects on the wired side.

     Safend’s hybrid network bridging prevention feature is designed to block access to WiFi, Bluetooth, modems or infrared links while a laptop is connected to the wired corporate LAN. “Concerning Wifi, most manufacturers have concentrated on the infrastructure, providing more secure protocols, higher encryption, authentication and remaining compatible with 802.11,” says Safend’s Hazama. “But the problem is that the laptop can log on to a rogue access point and believe it is on the correct network and expose its data to unauthorized personnel.”

     Encrypting the Hard Drive Covers Another Vulnerability

     But what about the data after it is stored on the computer? The security threats caused by stolen laptop computers have been well documented. University of California, Berkeley had a laptop stolen that contained personal information on more than 98,000 of the school's graduate students. In the last year, wireless laptops containing hundreds of thousands of personnel records have been stolen from U.S. Department of Veterans Affairs staff, ING's U.S. Financial Services office in Washington, D.C., Deloitte Accountants, Electronic Data Systems and Equifax, the credit-bureau company, Mercantile Potomac Bank, General Electric, Aetna, Hewlett-Packard and Fidelity Investments.

     Analyst Kevin Beaver notes, “Hard drive encryption is an especially big issue. When a hard drive is not encrypted, practically anyone can use legitimate security tools such as Ophcrack's LiveCD or Elcomsoft System Recovery to maliciously break into a system within minutes of obtaining it by stealing it or finding it.”

     Photo caption: Kevin Beaver, Principle Logic, LLC
  5. Securing data on laptops is a new area of focus for today’s corporations, brought about by these well-publicized security problems and new regulations that have also pointed a spotlight on security on the laptop, according to Shari Freeman, director of product management for Sybase iAnywhere.

     “For a long time, companies have been focused on over the air security, how wireless laptops get authenticated and how they connect with the corporate network with VPN technology,” Freeman says. “The increase in security breaches has raised companies’ awareness of the security issues surrounding laptops.”

     In one example, in response to the theft of an unencrypted laptop computer containing the personal information of 26.5 million people, the U.S. Department of Veterans Affairs moved to encrypt all computers across the entire VA system, more than 300,000 laptops, desktops, smart phones and PDAs. Using the GuardianEdge Data Protection Platform and Trust Digital Security's Mobile Device Solution, the V.A. targeted laptops first for data security programs and then followed with desktop PCs and portable media like flash drives and compact discs.

     Another option to protect the laptop hard drive is Sybase iAnywhere’s Afaria product, which is designed to manage applications and data and provide security on wireless devices. To protect the data in case the computer is stolen, the Afaria 5.5 Security Manager component uses an AES cryptographic module (currently undergoing FIPS 140-2 certification) to encrypt the hard drive and a pre-boot authentication password.

     “We see an increasing amount of interest in managing and securing mobile devices from companies with a lot of field workers, such as utilities and telecom providers, and companies with large sales forces, such as pharmaceutical companies and financial services,” Freeman says.

     No single solution will protect against all of the threats. As a matter of course, Sybase iAnywhere has partnered with Radio IP to combine hard drive encryption and mobile VPN, which are compatible and complementary technologies. “We frequently see installations where an organization can utilize a Radio IP Mobile VPN, and use iAnywhere's Afaria as another layer of security,” says Radio IP’s Torres.

     Disaster Recovery, Business Continuity and Data Security

     One way to reduce the risk involved in losing a wireless laptop is to ensure that no company files reside on the hard drive; therefore, no possibility exists of having a laptop full of critical information fall into the wrong hands. Technology now exists that allows an employee to access the network remotely but not to download information. For example, Citrus and Chemical Bank, a community bank in Central Florida with $850 million in assets, was looking for a device to support business continuity in the event of a disaster such as a hurricane but found a new way to keep its corporate data safe.

     “We wanted a secure method for our employees to be able to work from home if they were unable to come to work due to some disaster,” says Render Swygert, executive vice president of information systems and technology, Citrus and Chemical Bank. “We have a staff that supports the bank 24/7/365. We are always on call wherever we are.”

     Photo caption: The MobiKEY from Route1 is a cryptographic USB token device that uses two-factor authentication to enable secure remote access. (Photo courtesy Route1)
  6. What the financial institution found was the Route1 MobiKEY, a cryptographic USB token device that uses two-factor authentication to enable secure remote access. The device operates on a communications platform called MobiNET, which authenticates the user, certifies the device and encrypts the transmission, while ensuring no residual data files are left behind on the remote computer.

     Swygert purchased the MobiKEYs and the administration portal to manage the devices, reporting on who is accessing the computer network and when the connections are made. IT staff, commercial loan officers, executive management team, risk management team and finance all received the devices.

     “I like the fact that once the MobiKEY is unplugged from the computer no residual files are left on the unit,” says Swygert. “It is an excellent solution to the problem of people getting their computers stolen.”

     The laptop computer is used as a slave to the host computer. Since no data resides on the unit and the user manipulates software on the host computer, Swygert has decided that in the future employees will only need a thin client, or dummy laptop, running Windows® OS and with internet connectivity.

     Wireless security is a must for today’s Fortune 500 company. Personal information of employees, as well as the social security numbers, credit card numbers, and other personal information of its customers, must be safe and secure.

     To do this, Enterprises should take concrete steps to protect data, using a variety of techniques in areas of exposure. Starting with securing every mobile device, all methods of access to the corporate network need to be evaluated, approved and managed. Every data transmission should be monitored and verified to ensure against a security breach. Employees must be educated on security procedures and policies to protect corporate data.
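
The rogue access point detection the article describes (comparing what is heard on the wireless side with what is seen on the wired side, and flagging misconfigured or default-configured APs) can be sketched as below. This is an added example, not part of the original article or of any vendor product it names; the SSIDs, MAC addresses, labels and the MAC-adjacency heuristic are assumptions constructed for illustration.

```python
# Added example: classify surveyed access points by correlating a wireless
# survey with the authorized inventory and the wired-side MAC table.
from dataclasses import dataclass

CORP_SSIDS = {"corp-wlan"}              # assumed corporate SSID
DEFAULT_SSIDS = {"linksys", "default"}  # assumed factory-default SSIDs
WEAK_ENCRYPTION = {"open", "wep"}       # below the assumed policy minimum
AUTHORIZED = {"00:11:22:aa:00:01", "00:11:22:aa:00:02"}  # inventory BSSIDs
SEVERITY = {"rogue-on-wire": 0, "impersonation": 1, "misconfigured": 2}

@dataclass(frozen=True)
class Sighting:
    bssid: str
    ssid: str
    encryption: str
    signal_dbm: int

def _mac_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)

def on_wire(bssid: str, wired_macs, window: int = 2) -> bool:
    """Heuristic: an AP's Ethernet MAC is often within a few addresses of
    its radio BSSID, so match the wired table with a small tolerance."""
    b = _mac_int(bssid)
    return any(abs(b - _mac_int(m)) <= window for m in wired_macs)

def classify(s: Sighting, wired_macs) -> str:
    bssid = s.bssid.lower()
    if bssid in AUTHORIZED:
        weak = s.encryption.lower() in WEAK_ENCRYPTION
        default = s.ssid.lower() in DEFAULT_SSIDS
        return "misconfigured" if weak or default else "authorized"
    if on_wire(bssid, wired_macs):
        return "rogue-on-wire"    # unknown AP bridged onto the corporate LAN
    if s.ssid in CORP_SSIDS:
        return "impersonation"    # unknown AP advertising the corporate SSID
    return "neighbor"             # unrelated WLAN heard from outside

def triage(sightings, wired_macs):
    """Actionable findings only, most severe first, then strongest signal."""
    found = [(classify(s, wired_macs), s) for s in sightings]
    found = [(c, s) for c, s in found if c in SEVERITY]
    found.sort(key=lambda cs: (SEVERITY[cs[0]], -cs[1].signal_dbm))
    return [(c, s.bssid.lower()) for c, s in found]

# Constructed sample data: one walk-around survey and one switch MAC table.
SURVEY = [
    Sighting("00:11:22:AA:00:01", "corp-wlan", "wpa", -48),
    Sighting("00:11:22:aa:00:02", "corp-wlan", "wep", -55),
    Sighting("00:1c:10:5f:3e:91", "linksys", "open", -40),
    Sighting("02:ab:cd:00:00:09", "corp-wlan", "open", -35),
    Sighting("00:24:b2:77:10:20", "cafe-guest", "wpa", -82),
]
WIRED_MACS = {"00:11:22:aa:00:00", "00:1c:10:5f:3e:90", "3c:52:82:10:44:01"}

if __name__ == "__main__":
    for label, bssid in triage(SURVEY, WIRED_MACS):
        print(f"{label:14} {bssid}")
```

The adjacency window produces false positives for APs that advertise several BSSIDs, so the inventory should list every BSSID each authorized AP uses.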