Securing your business data in a wireless environment

Vasilis Katos

18.07.07


Outline

- Security challenges in a wireless environment
  - understanding the scope of the threats
- Policy considerations


Traditional risk management

[Figure: cost (£) against security, with curves for security investment, losses and total cost]


Threat vector examples

- unauthorised connection to the WLAN
  - WEP is not secure
- “authorised” connection to the WLAN
  - theft of laptop or PDA
- unauthorised connection to the PDA
  - connected to the host PC for sync. purposes
  - PDA acts as a bridge


What is the problem?

Information Security is associated with:

- availability
- integrity
- confidentiality

What about privacy?


Some facts

- No privacy-o-meter available!
- Some empirical relations:
  - P1: “privacy decreases when we do everyday shopping”
  - P2: “privacy decreases more than in P1 when we apply for a mortgage”
- Accept existence of side-channels
- Relates to:
  - security decisions
  - information available

[Figure: privacyOmeter]


Security vs. Privacy

But we need security in order to ensure privacy! (PRI SEC)

[Figure: SEC and PRI curves; axes: information richness, level; point M marked]

Katos V. & Adams C. (2005)


Security vs. Privacy

But we need security in order to ensure privacy! (PRI SEC)

[Figure: SEC and PRI curves; axes: information richness, level; point M marked; the labels SEC, PRI and M appear a second time]

Katos V. & Adams C. (2005)


Security vs. Privacy

[Figure: SEC and PRI curves; axes: information richness, level; point M marked; risk scale from Low to High]


Wireline vs. wireless

[Figure: wireline SEC, wireless SEC and PRI curves; axes: information richness, level; labels M, O, P1, P2, P3]

Katos V. & Adams C. (2005)


Conclusions

- Security risks rise significantly(?) with the introduction of a wireless environment
  - higher exposure on activities, transactions, etc.
  - privacy is expected to drop – is it acceptable?
  - physical security is challenged; results in an increase of threat vectors to the corporate data
  - identity management has become an even bigger thorn

These need to be reflected in the security policies


Security policy considerations

- complete asset management (e.g. registration of PDAs, WLAN points, etc.)
- initialisation of mobile devices (h/w, s/w, default settings)
- security configuration of access points
- location restrictions?
- data classification – type of information allowed to communicate over wireless links
- response/escalation procedures for loss or theft of device
- encryption and key management processes
- DISABLE WEP!!! Use WPA instead!
- …


Resources

NIST Special publication 800-48. Wireless Network Security http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf

Cracking Wireless Networks, YouTube video: http://www.youtube.com/watch?v=Ep3CRtzAM_E

White papers:
http://www.jiwire.com/whitepaper-section4.htm
http://www.sans.org/reading_room/whitepapers/wireless/1109.php