Copyright © 2004 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.
Security, Audit and Control Issues for Managing
Risk in the Wireless LAN Environment
By Richard A. Stanley, Ph.D., PE, CISSP
Business Drivers
Today, wireless transmission is a common method of data
communication for cellular phones, wireless personal digital
assistants (PDAs), Blackberrys, text pagers and wireless local
area networks (WLANs). Business requirements are providing
the “pull” for wireless technology, which can offer lower
installation and operating costs, mobility and flexibility.
Technology is providing the ability for sophisticated systems
that solve real business needs to be built and sold affordably.
The lure of being able to stay connected with business,
wherever and whenever, is certainly a main driver.
Security Issues
This push to untethered access to business is forcing
enterprises to deal head-on with security. Achieving this new
level of security requires weighing vulnerabilities against
requirements and the costs of reducing those vulnerabilities.
Wireless networks are inherently less secure than their wired
counterparts. The confidentiality of data is at risk because data
are sent through the free-space environment or into the air
where anyone with the appropriate technology can intercept
and/or spoof the data. The engineering standards for cellular
telephone availability (i.e., the probability of not getting a dial
tone when attempting a call) are lower than for wired
telephony, so availability is a concern. However, unlike
wireless voice networks, wireless data networks tend to be
always on, always ready to transmit or receive data. They face
the same vulnerabilities as do wireless voice networks, but
they tend to be always available for those vulnerabilities to be
exploited. Wireless communications also pose significant
technical challenges, as well as greater challenges in the areas
of control, security and audit, because they transcend
traditional and regulatory boundaries.
It is necessary to understand wireless technology and the
ways that it can be exploited to effectively implement security. A
security policy that deals realistically with the threats faced by
the network in question and is in compliance with local laws and
regulations is needed. Appropriate controls are also needed to
ensure that the measures called for in the security policy are, in
fact, implemented and that they perform as intended.
Understanding the security and quality risks that surround
wireless communications is a critical requirement for auditors.
Not only must the auditor know how the system works and
what can go wrong, he/she must also know the steps to take to
identify and correct problems when they occur. Equally
important, the auditor must have an idea of what can go
wrong, so that systems can be evaluated periodically to ensure
that all the appropriate measures are taken for each system to
assure the desired level of quality and security.
However, security is not an absolute. It is impossible to
provide unbreakable security, whether in a wireless network or
in a military setting. No matter how hard one tries, if an
adversary is willing to devote sufficient resources to
overcoming the defenses, he/she will succeed. The security
goal is to make it either too costly for an adversary to attack
the system, or to provide an incentive for the attacker to attack
another system.
Wireless networks are like radio stations because the
information-bearing signals are radiated into space or in the
air. As a result, anyone within range of the radio signal is able
to receive the network signal and, potentially, read the network
traffic and possibly connect to the network as do authorized
users. This places additional security requirements on the
network architecture and administration and may include
additional encryption and more sophisticated data handling
algorithms. Increasingly, wireless networks are used as
extensions of existing wired networks, which means that the
security problems of a relatively small wireless segment of a
network can suddenly become a security problem of the first
magnitude for the entire network. Adding a wireless extension
to a fixed network does not alter the four basic goals of
security: availability, authenticity, integrity and confidentiality.
Security Goals
Confidentiality is usually seen as a good thing—the more of
it, the better. When people think of security, they think about
confidentiality. Auditors want to make sure the information
being transmitted through the air remains private.
Confidentiality does not come for free. One must invest in
cryptographic software and/or hardware to encrypt and decrypt
messages, and then deal with the continuing requirement for
managing the cryptographic keys, among other management
procedures. This is detailed, time-consuming and costly.
Unless the cost can be justified by the value of the information
to be protected, it is difficult to choose confidentiality on a
cost-benefit basis. Furthermore, there are many business
settings where confidentiality is simply not required, but other
aspects of security are.
Authenticity provides the recipient with assurance that the
message at hand truly originated with the purported sender and
that the sender is who he/she purports to be. Although
provided by cryptographic means, authenticity and
confidentiality need not be part of the same package of
cryptographic services. One can easily envision situations in
which authenticity is desired, but confidentiality is not
necessary. Consider an electronic release of new tax code
documents. The issuing authority wants each branch office to
be sure that the documents at hand are authentic, i.e., they
came from the official source. On the other hand, the
documents are public information, and there is no need for
their contents to be kept secret.
Integrity provides assurance that the message received is
identical to the message sent, and that it has not been changed
either deliberately or accidentally. As it happens, the same
cryptographic tools that provide authenticity also tend to
provide integrity. Many network protocols, such as TCP, work
to provide integrity of messages sent over the network, but the
methods these protocols use are not secure enough to ensure
that the message and the integrity check were not altered.
Cryptographic integrity checks increase the level of assurance
of integrity, and are much more difficult to falsify than are
checks computed by an open protocol using data available to
anyone listening on the network.
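The contrast drawn above between an open protocol check and a cryptographic integrity check, and the earlier case of authenticity without confidentiality, can be shown in a few lines. This is an added example, not part of the original article; the message text, the key and the function names are constructed, HMAC-SHA256 stands in for the cryptographic check, and the checksum is the RFC 1071 style used by TCP (without TCP's pseudo-header).

```python
import hashlib
import hmac

def internet_checksum(data: bytes) -> int:
    """16-bit ones'-complement sum (RFC 1071), the style of check TCP uses."""
    if len(data) % 2:
        data += b"\x00"                      # pad to a whole 16-bit word
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)   # fold the carry back in
    return ~total & 0xFFFF

def keyed_tag(key: bytes, data: bytes) -> bytes:
    """Cryptographic integrity check: HMAC-SHA256 under a shared secret key."""
    return hmac.new(key, data, hashlib.sha256).digest()

def receiver_accepts_checksum(data: bytes, checksum: int) -> bool:
    return internet_checksum(data) == checksum

def receiver_accepts_tag(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(keyed_tag(key, data), tag)

def run_demo() -> dict:
    # Constructed sample data: a public notice sent in the clear, and a key
    # known only to the issuing authority and its branch offices.
    key = b"constructed-demo-key-not-for-real-use"
    sent = b"Tax notice (constructed): filing deadline is 15 April"
    altered = b"Tax notice (constructed): filing deadline is 30 June"

    # Open check: whoever alters the message can recompute it from public data.
    recomputed = internet_checksum(altered)
    # Keyed check: without the key, the best available is the old tag or a
    # tag made under a guessed key; neither matches the altered text.
    old_tag = keyed_tag(key, sent)
    guessed_tag = keyed_tag(b"guessed-key", altered)

    return {
        "genuine_checksum_ok": receiver_accepts_checksum(sent, internet_checksum(sent)),
        "altered_checksum_ok": receiver_accepts_checksum(altered, recomputed),
        "genuine_tag_ok": receiver_accepts_tag(key, sent, old_tag),
        "altered_old_tag_ok": receiver_accepts_tag(key, altered, old_tag),
        "altered_guessed_tag_ok": receiver_accepts_tag(key, altered, guessed_tag),
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The notice travels unencrypted in both cases, so only the keyed tag adds assurance of origin and integrity. Where branch offices should not hold a key that can also create tags, a digital signature fills the same role.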
Availability, unlike confidentiality, authenticity and
integrity, cannot be improved using cryptographic techniques.
If the business relies on a wireless network to deliver messages
when and where required, the enterprise must be confident the
network will be available. Cryptography may, in fact, make
availability worse by increasing the level of complexity of the
system and/or by providing another means of attacking the system. Wireless
extensions to wired networks may also degrade the overall
network availability, as wireless systems are vulnerable to
many things that reduce their availability but do not affect
wired networks, such as interference and jamming. The net
effect of these additional, wireless-specific vulnerabilities is to
decrease the availability of the entire network.
Role of Assurance Professionals
Assurance professionals must understand the post-design
choices that were made for the networks being audited. They
must also understand the alternatives so intelligent
recommendations can be made to the network owners
regarding modifications that might be made to security
parameters to achieve lower costs, improved availability, etc.,
within the scope of the security requirements for the network.
The wireless network is rarely separable from the wired
network to which it connects. The performance of the wireless
network directly affects the performance of the backbone
wired network, usually in a more direct way than the wired
network affects the wireless segment.
Additionally, assurance professionals must understand that a
solid security policy is the key to defining and enforcing
security within any organization. At a minimum, the policy
should involve continuous review of potential threats and
vulnerabilities and should deal with:
• Overall policy
• Access control
• Usage management and monitoring
• Security monitoring
• Network security
• Virus protection
• Encryption
• Pertinent laws
• Incident response
• Enforcement
Points Covered in the Security Policy
The security policy section devoted to access control should
define the bounds, authentication and standards. For example,
if the policy is for a network, then the network should be
described. It should state who is allowed access, when they are
allowed access and from where they are allowed access. For
wireless, the standards used should be identified. The policy
should also define who has the authority to grant exceptions to
the policy.
The security policy should also define user management and
monitoring. For example, if management does not permit any
personal telephone calls at work, then it is consistent to do the
same with the network. If limited personal telephone calls are
permitted, however, then it is reasonable to allow limited
personal network use. Whatever the decision, the point is to
strive for consistency. Having established standards for usage
of the network, it is wise to set out in the policy the penalties
for failure to observe those standards. For example, a bank has
a rigid policy that no one, except specifically authorized
personnel, is allowed even to attempt to access the accounts
payable directories. In the event that an unauthorized employee
attempts such access, the penalty is immediate dismissal.
Auditing data can be obtained from log files, which can in
turn be produced by many applications and services. Most
commonly, the operating system can log critical events and
make them available for review as required. The procedure for
collecting audit logs should be described in the security policy.
The network administrator often conducts periodic
monitoring of the network to ascertain the caliber of security
and compare it with the objective security levels. The policy
for doing this should be stated. If automated tools are to be
used, then it is good to describe what tools and who may use
them. The current state of intrusion detection (sometimes
called intrusion prevention) systems (IDSs) is improving, but
this technology is still immature. Network-based IDSs can
monitor the network for events that are identified by reference
to a rule set (which must, itself, be specified in the policy
someplace). When such events are identified, alarms can be
raised, to which appropriate response can be made after
investigation of the specifics of the event. Host-based IDSs can
detect illicit activities that do not transit the network, such as
installation of an unauthorized program or alteration of the
operating system database or registry. Network-based IDSs are
on the wired network backbone and cannot see many of the
problems encountered by the wireless segment. Host-based
IDSs on the wireless clients, if configured properly, can detect
many illicit connection problems and report them. Monitoring
of the radio link can also help improve the ability to detect
intrusions or intrusion attempts into wireless networks.
The decision to implement encryption in the network is not
to be taken lightly. Once chosen, the encryption parameters
and management structure should be clearly stated in the
policy document. Encryption is a valuable tool and can
contribute significantly to the security of wireless networking.
However, if it is to be used effectively, the policy for its use
and maintenance must be carefully planned and thoroughly
described before attempting to encrypt the network.
Just as brick-and-mortar businesses exist within a legal
jurisdiction, so do networks. There are four areas of the law
that are of concern to wireless networks: radio regulations,
encryption, unauthorized use of the network and privacy. The
network security policy must deal with these areas of concern
adequately, coherently and consistently in the face of laws that
sometimes appear to be widely dissimilar.
The security policy is the assurance professional’s key
document. In it are the definition of the security goals, the
means of attempting to achieve those goals and the ways
success is monitored and measured. In a situation where
wireless networks exist, the security requirements of those
networks should be specifically described in the policy. If they
are not, there is no basis for further compliance measurement,
and the audit will be forced to proceed on the basis of the
auditor’s understanding of what the policy should say. As every
auditor knows, that is a difficult position from which to
proceed, so it is important to first evaluate the policy before
proceeding with the audit.
Conclusion
If the security is deemed by the auditor to be insufficient,
then the responsible parties should be advised to expend more
resources on the network to assure a higher degree of security.
If those entreaties are not heeded, auditors should document
the request and the response, as they will surely be important
should a liability case arise from a breach of network security.
Richard A. Stanley, Ph.D., PE, CISSP
is vice president of Wheeler Associates Limited, a technology
and educational consulting firm located outside Boston,
Massachusetts, USA, which specializes in custom security and
educational solutions. He has more than 35 years’ experience
with telecommunications and security systems and has directed
research in those areas for the US government and in the
private sector. His work has taken him all over the world, and
he has lived in Belgium, Canada, Germany, Israel, Egypt,
Vietnam and the US. He is a registered professional electrical
engineer in the Commonwealth of Massachusetts. Stanley is a
member of the New York Electronic Crimes Task Force and a
founding member of the New England Electronic Crimes Task
Force. He often speaks at professional gatherings, and he holds
appointment as an adjunct professor at Worcester Polytechnic
Institute, where he teaches security-related topics in electrical
engineering and computer science.
Editor’s Note:
This article is excerpted from research being published by
the IT Governance Institute in a publication titled Managing
Risk in the Wireless LAN Environment: Security, Audit and
Control Issues, by Richard A. Stanley, Ph.D., PE, CISSP. This
research is written from a business and risk management
perspective. It provides a technical, as well as functional,
assessment of the wireless landscape and will be available in
second quarter 2004. A white paper on wireless security can be
found at www.isaca.org/wirelesswhitepaper.htm. The
publication will be offered through the ISACA Bookstore at
www.isaca.org/bookstore.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary
organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit
and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal
does not attest to the originality of authors' content.
© Copyright 2004 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCA™ Information Systems Control Association™
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the
association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles
owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume,
and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the
association or the copyright owner is expressly prohibited.
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 3, 2004