Just last week in this very Infosecurity Opinion column I quoted a few of them and threw in my own two cents worth for good measure.
No one's disagreeing with the fact that 2001 was probably the worst and most active yet as far as the frequency and virility of various cyberattacks went. You can rest assured that, based on this grim view, most industry pundits are predicting a comparable, if not worse, scene in the infosecurity world for 2002.
Recently, the FBI's National Infrastructure Protection Center provided their outlook for 2002 to SANS NewsBites as part of SANS' Jan. 7 Bonus Issue. None of what the FBI cited was necessarily news to our eyes: more 'sophisticated' cyberattacks will occur more frequently, while at the same time awareness of these, as well as the many vulnerabilities of which the attacks will take advantage, should rise. Along with this, wireless technology will become the target of the usual attack scenarios that traditional wired networks experience, and also feel "new exploits" as the technology continues its evolution.
There is no escaping talk about what we can expect this year, especially when it comes to all those wireless devices professionals are using, and the wireless LANs companies are deploying - most often, without consideration of security. The META Group has released numbers that predict about 20 million PDAs and handheld devices will hit the streets by 2003.
And wireless LANs, according to experts interviewed for a couple of SC Magazine's February features that tackle these very issues, seem to be daringly absent of protection. Indeed, the majority of companies that are deploying WLANs are doing so at great risk. Apparently, ignorance is blissful, especially when weighing the lowered labor and various other cost-savings associated with wireless... that is, until a so-called war driver pings your WLAN only to discover that it is as naked as a skinny-dipper. That vision can only get worse if the offending wireless network is hooked up to your traditional wired one, which, of course, could leave it just as vulnerable.
We've all seen the dramatic local news coverage of just such a war driving exercise or read about a security consultant showing an intrepid reporter just how absent of security mechanisms companies' wireless networks are, haven't we? For example, in the most recent issue of SecureAgent Software's Secure eNewsletter, Minnesota-based security consultant Brad Rubin tells of how he recently drove around the Twin Cities with a laptop, antenna and, apparently, some sniffer (or war driving - whatever you'd like to call it) software to locate 24 wireless networks. Of those, he found that 10 of them were not encrypted and were "open to snoopers." Those with encryption, he adds, may not be safe from a more persistent and skilled hacker.
"The idea of being wirelessly connected to the Internet is slowly becoming flashy and sexy, at the same time boosting mobility and productivity," Gemma Paulo, industry analyst for In-Stat/MDR, recently stated in a news release.
Wireless tools based on the 802.11b standard are being purchased at a rapid rate, many say. And this is happening despite increased questions regarding the soundness of 802.11b's WEP (Wired Equivalent Privacy) security protocol. (However, groups like RSA and Hifn have proposed to the Institute of Electrical and Electronics Engineers Task Group, the body tweaking the wireless standard, a move to strengthen WEP security.) Because of this, others postulate that vendors making the money from these quick sales are hesitant to even implement a new and improved WEP, associated stronger encryption mechanisms such as AES, and fast packet keying to nix some of the vulnerabilities.
Even with the WEP security concerns and the continued work to enhance the security provisions of wireless standards, companies deploying such WLANs must also take some responsibility for deploying such tools. While vendors and the IEEE Task Group continue to figure out ways to plug holes, so too can those organizations that are considering or have already implemented WLANs.
In SC Magazine's February cover story, In-Stat's Gemma Paulo and a slew of other experts will provide some insight on how to tackle WLAN and LAN security to ensure that data on wireless and wired devices are protected. They'll discuss what security mechanisms to employ and touch on trends in wireless and wireless security, in addition to remote access security.
Meantime, based on some of the input for this issue so far, here's a little taste of what you can learn. Experts suggest you determine what you have and develop a clear understanding of how and where wireless devices are going to be situated in your company's infrastructure. Once you figure this out, you should keep in mind that security, as with the great bulk of the kind deployed with wired networks, should be easy to use or altogether transparent to the user. Centrally managed and automatic security controls are a good idea, too. And as you determine the types of security tools to employ, you must recall the three A's: authentication, authorization and administration.
As Bob Hansmann, Trend Micro's enterprise product manager, notes for our upcoming February article, "Wireless technology, like the automatic braking system (ABS), is tremendously useful. But, it also introduces more parts that can break - or pose security risks."
Stay tuned for more about those risks and the ways to reduce them!
Illena Armstrong is U.S. editor, SC Magazine.