Also on this page: PKI dies hard, by Brian McKenna
news | Infosecurity Today | July/August 2004 | page 10
Fashion sharpens wireless risk
Joe O'Halloran
The present business fashion to give wireless
access to corporate information systems,
while having many benefits, means companies
pay too little attention to basic precautions.
Seventy per cent of successful wireless local
area network (WLAN) attacks are made
possible by the misconfiguration of WLAN
access points and client software.
Research and analysis company Gartner
broke this news at its security summit in June.
It warned that it expects this rate to continue
until 2006.
Many companies want to extend the
perimeter of their organisations by allowing
mobile and remote access to their information
systems. The need to stay competitive, and to
increase the speed and flexibility of response to
marketplace events, stokes this desire. But there is
also an element of the fashionable about this
trend.
Fly-by-wireless
Computer Weekly's InfoSecurity User Group
(CWIUG) revealed in March that half the
companies it surveyed have or will use wireless
technology to access their corporate networks
by the end of this year. A further one-fifth will
do so by the end of 2005.
The benefits of operating without wires can
be huge. Gartner vice president and research
director Nigel Deighton says: "Wireless mobility
is the greatest change to occur in corporate data
collection and distribution in the past decade.
Wireless enables a real-time enterprise in a
connected society: responsive, collaborative,
flexible, connected and informed."
The pressure to go wireless is immense.
There are few IT bosses who could argue
against the benefits, and consumers of mobile
access technologies find little to worry about. A
Gartner wireless & mobile summit reported in
March that more people are using more
wireless technologies in daily life. But up to
90% ignore precautions to ensure they're secure
and to ward off hackers.
A different CWIUG survey shows that more
than four companies in five are worried about
the security of wireless mobile products and
services.
So what are the risks? Could the wisest heads
belong to those who've banned wireless access
from the corporate compound?
Wireless security attracts a lot of media
coverage mainly because the received wisdom is
that wireless technology is inherently insecure.
But is it really true? The better question is not
whether the technology is flawed, but how
securely people are using it.
Easily compromised
Robert Duncanson, a security consultant at
Unisys, argues that the problem is that
fundamentally, wireless LANs are unbounded.
He says: "Some people and organisations deploy
open wireless LAN with no data encryption.
But even the standard, WEP, is easily
compromised, so businesses need better
security."
But Gartner is more worried about working
practices and culture than about the
technology. It concludes that security for
WLANs and wireless products needs to be
driven by updated security policy that addresses
the unique demands of the mobile workplace. It
believes the policy should be driven by the need
to contain costs and to protect mobile
information assets, and not a knee-jerk reaction
to what the other guys are doing.
That said, there are some technologies that
do help close the loopholes. One popular
emerging technology is wireless intrusion
detection. It is essential to monitor the flow of
information across any network, just to ensure
that all the data gets from one point to another
and that the message is intelligible. The next
step is to ensure that the source and receiver are
properly identified and authorised to send and
receive the data.
This becomes especially important when
using broadcast channels. By definition,
broadcast means others will receive the signal.
The point is to ensure that even if they receive
the signal they cannot understand the contents
unless they have the right authorisation.
John Walker, head of operational security at
Experian, a credit data firm, stresses this point.
He believes that wireless technology may be
used securely, but only in concert with strong
security practices. This takes work.
"To maintain security, it is essential to track
security vulnerabilities and exposures, and to
map them onto a process that deploys best
levels of security assurance. But this may be
easier said than done with an extended
perimeter environment," he cautions.
Walker says that security assessments need to
sort hype from reality and to use credible
sources. Key points to consider are the scope of
the test (everything, or selected areas of
interest); method (applicability and level); users,
access channels and methods, and upgrades and
change control.
Bear in mind there's no perfect security
system and that wireless networks are relatively
new. As with traditional closed networks,
throwing technology at the wireless security
problem without having the right systems and
procedures in place is like putting a barbed wire
fence around a field and leaving the gate open.
Rustlers will get in and the cows escape.
With that in mind you can begin to get to
grips with this slippery issue.
PKI dies hard
Brian McKenna
Public Key Infrastructure is
staging a comeback, according
to new research from European IT
user association EEMA.
The European Certification
and Authority Forum — EEMA’s
security interest group — has
published ‘PKI Usage within User
Organisations’. The report shows
that 92% of responding
organizations consider PKI a
strategic requirement, with many
more organisations indicating
that they are issuing certificates to
business partners.
Sixty-four per cent of the
surveyed organisations are using
separate signing and encryption
keys, compared with 43% in 2002.
Kate Hodgson, systems
manager at Royal Mail, and the
vice-chair of ECAF said that PKI
certificates would be a decisive
counter to phishing attacks, and
that the technology would have
been more successful in the UK
had “the government given a better
lead; they were reluctant to be seen
to endorse one particular
technology, and so retarded the
whole thing”.
She added that PKI has been a
big benefit to the Royal Mail,
which has its own Certification
Authority for internal use.
"Identity management is a big
driver", said Hodgson. "There is
no real alternative to PKI that
gives you the infrastructure across
the whole access and control
piece. Basically, you can turn the
employee off when they leave,
straightaway”.
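The "turn the employee off" step Hodgson describes only works if relying parties actually consult the CA's revocation data when they check a certificate. As an added example, not code from the article or from Royal Mail's own system, the Go program below (standard library only, Go 1.19 or later) builds a toy internal CA, issues employee client certificates, signs a CRL, and shows a relying-party check that refuses a revoked certificate, a stale CRL, a CRL signed by some other CA, or a certificate that does not chain to the internal CA. The CA name, employee names and serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Added example, not code from the article or from Royal Mail: a toy internal
// CA issues employee client certificates and signs a CRL; the relying party
// refuses any certificate that does not chain to the CA, lacks client-auth
// usage, or is listed on a fresh, CA-signed CRL. Names and serials are constructed.

// mint generates a P-256 key pair and a one-day certificate for cn, signed by
// parent/signer, or self-signed with CA key usages when isCA is true.
func mint(cn string, serial int64, isCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA { // a CA certificate signs certificates and CRLs, nothing else
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		tmpl.ExtKeyUsage = nil
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA creates a self-signed internal CA allowed to sign certificates and CRLs.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return mint(name, 1, true, nil, nil)
}

// Issue signs a client-authentication certificate for an employee; the
// employee's private key would be handed to them and is discarded here.
func Issue(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, employee string, serial int64) (*x509.Certificate, error) {
	cert, _, err := mint(employee, serial, false, caCert, caKey)
	return cert, err
}

// SignCRL signs a DER CRL listing the given certificates as revoked. Publishing
// a new CRL is the "turn the employee off" step; NextUpdate bounds how long a
// relying party may keep trusting an older copy.
func SignCRL(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...*x509.Certificate) ([]byte, error) {
	rl := &x509.RevocationList{
		Number:     big.NewInt(time.Now().UnixNano()), // CRL numbers must increase with each issue
		ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(time.Hour),
	}
	for _, c := range revoked {
		rl.RevokedCertificates = append(rl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	return x509.CreateRevocationList(rand.Reader, rl, caCert, caKey)
}

// Authorise is the relying party's check. Certificate.Verify does not consult
// CRLs, nor check a CRL's signature or freshness, so all three are done here.
func Authorise(cert, caCert *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(caCert); err != nil {
		return err // a CRL not signed by our CA says nothing about revocation
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL stale since %s: refuse until a fresh one is fetched", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate %d for %q revoked at %s", cert.SerialNumber, cert.Subject.CommonName, rc.RevocationTime.Format(time.RFC3339))
		}
	}
	return nil
}
```

Two points a practitioner would want to note. Go's Certificate.Verify never looks at revocation data, so the CRL fetch, signature and freshness checks in Authorise are the relying party's responsibility, not the library's. And a revocation only bites once relying parties stop trusting the previous CRL, so the NextUpdate interval (one hour here) is the window in which a departed employee's certificate still works; shortening it, or using OCSP, is what makes "straightaway" true in practice.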
She confirmed that 25 of
EEMA’s 200 member
organizations responded to the
survey. "It is not a huge sample”,
she admitted, “but there were
some implications we could draw.
PKI has not gone away, but has
been growing steadily and quietly
in the background. It is, after all,
a complex technology that can
change all your processes”.
The research shows that big
multi-national companies are
most minded towards PKI. "They
have a need to use the certificates
for more than one thing, not just
securing email".