VOL. 3, ISSUE 2, 2007 EWM 18

Security threats in the wireless space are so plentiful it is no wonder that some companies throw up their hands and cut back on wireless access to their computers. When we think of security risks, we usually think of someone stealing credit card information, but there is so much more to be wary of in today’s enterprise in terms of threats, including rogue wireless access to company networks, denial of service attacks on web sites and the introduction of crippling viruses into the wireless space.

But it doesn’t have to be that way. Companies today are finding plenty of ways of strengthening their security with a growing array of defenses to protect both customer data and company data. For today’s telecom director or IT manager, if sensitive information is being transmitted or can be accessed over the air, security is just as important as connectivity.

Many corporate executives, however, are not aware of the risk and consequences of unsecured wireless, according to Kevin Beaver, an independent information security advisor with Principle Logic, LLC. Working with today’s enterprises, Beaver sees many people overlooking the task of testing for wireless security vulnerabilities during standard security assessments and audits.

In fact, according to research done by J. Gold Associates, fewer than 10 percent of companies deploy mobile security software suites. In its white paper, “10 Steps to Mobile Security,” J. Gold suggests several actions that are key to mobile security. These 10 Steps to Mobile Security include:

• End users
  – Set policies, document, and get user buy-in
  – Enforce policies on mobile devices for all users

• Devices
  – Make sure password protection is always set to “ON”
  – Include updated personal anti-virus (AV) and firewall on devices
  – Encrypt sensitive files on all devices
  – Enable device lockdown and kill

• Infrastructure
  – Determine what file types can be downloaded/synced by which users, when, how and to which devices
  – Log device usage for compliance where appropriate
  – Enforce connection security/virtual private network (VPN) standards

• Organization
  – Review and update policies regularly, as things change often

Rogue Access Not Only CIO Security Headache

BY J. SHARPE SMITH


Over the Air Encryption Too Often Overlooked

Beaver sees several "security fronts" or points of vulnerability. The first one is people who carelessly use wireless networks at work, at home and when traveling. He finds many major corporations with laptops, PDAs and other mobile devices that have no security protection such as device-specific firewalls, power-on passwords or VPNs.

Even 802.11 communications with Wired Equivalent Privacy (WEP) or the Wi-Fi Alliance specification, Wi-Fi Protected Access (WPA), are vulnerable, according to Beaver. “These encryption keys can be hacked using a number of free tools such as Aircrack,” he says, “which can lead to the capture of confidential information, denial of service attacks, and more.”

Mobile VPNs

One security measure is to make a wireless laptop’s transmissions more secure through the use of a virtual private network. While most VPNs are created for wired networks, it is critical for a wireless user to use a mobile VPN, which is designed particularly for wireless networks. A mobile VPN allows for data encryption, encapsulation and authentication for each individual mobile user.

“There is increased market demand for security in mobile VPNs. Users are expressing the need for security in their data transmissions,” says David Torres, director of business development, Radio IP Software, Inc., which offers mobile VPN as a feature of its Radio IP MTG software suite.

“Government agencies, utilities and others are becoming more careful about transmitting sensitive information over the air.” The problem, according to Torres, is that most VPN solutions are created for wired networks. “To protect a wireless laptop, a Mobile VPN must be deployed that includes data encryption, authentication and data encapsulation.”

Authentication of the mobile user can be achieved through the use of a user/password, biometrics, such as a fingerprint, and the use of a token key or smartcard, which is inserted into the computer’s USB port. It creates an additional layer to confirm the user.

“Authentication tokens are an essential component in PC and data security solutions for they provide strong user authentication, ensuring that individuals accessing data are who they claim to be,” according to a white paper by Aladdin, makers of eToken authentication and password management. “Furthermore, certain kinds of authentication tokens – such as USB smart-card-based tokens – can provide significant extended support for strong PC and data security by offering secure generation and storage of encryption keys.”

Not only must the user be authenticated, but the wireless laptop must also be verified as the correct mobile device for accessing the corporate network. To do this, the corporate server gateway has a certificate and the laptop receives a certificate. Together they can mutually authenticate. “Certificate authentication further validates your devices and protects your system from intrusions,” says Torres.

User authentication attempts can only be made if Radio IP MTG has validated the device and opened an encrypted tunnel. This process protects the username, domain and password information from being intercepted. The data is then compressed and encrypted to protect it from interception.

Today’s encryption has been enhanced, making it increasingly difficult to break. There are several levels of encryption possible, from the 56-bit Data Encryption Standard (DES), which many feel is too easy to hack, to the Advanced Encryption Standard, which comes in 128, 192, and 256-bit key sizes. “To ensure your data is transmitted securely with high-level encryption,” says Torres, “your data should be encrypted with either AES (256-bit) or Triple DES (168-bit) methodologies, using FIPS [Federal Information Processing Standard] 140-2 certified technology.”

Mobile VPN Helps Northeastern Utility Secure Communications

Security plays a critical role in the wireless system of EnergyEast, a diversified energy provider that serves 3 million people in the Northeast, which deployed Radio IP’s Mobile VPN early in 2006.

Highly encrypted, secure transmissions to and from mobile devices in the field through the use of a Mobile VPN are essential to protect the customer information, employee confidential information and details concerning the utility’s overall electrical infrastructure, according to Shrikant Nistane, project lead for mobile data at EnergyEast. In addition to the Mobile VPN, he adds additional passwords to ensure user authentication.

“When there are mobile devices out in the field, there is always the possibility that someone will gain access to the device. We are here to minimize and contain the risk,” says Nistane. “It is a constant battle. At the same time, we have to do everything that is absolutely necessary to serve the customer.”

Rogue Access to IT Systems Can Cause Security Breaches

More than just over-the-air security was needed at EnergyEast. The utility also required a way to guard against denial of service (DOS) attacks in the form of rogue access to its data system. With the increasing acceptance of wireless LAN technology comes ample possibility for leakage of corporate information or the introduction of malware, malicious software designed to damage a computer system. As a result, analysts suggest that more than half of the security breaches come from within the walls of company headquarters through rogue wireless access to the network.

“Guarding against denial of service attacks plays a big role in our security plan,” says EnergyEast’s Nistane. “It’s our most stringent criteria in combating wireless security issues.” The utility is using Radio IP’s Access Defender, which scrutinizes and quarantines all incoming communication attempts, allowing the LAN to give access to the mobiles rather than the mobiles initiating the access to the LAN.

Access Defender is an example of central management software that protects the host network from outside attacks such as DOS attacks and buffer overrun attacks. Rogue access must be detected and shut down before sensitive information is lost or an attack on the network ensues.

Vulnerable access points can occur for many reasons: a wireless system set up by an employee, a mis-configured access point or one that is running default configurations. Additionally, a breach can be as malicious as a hacker setting up an access point or it can be as innocent as a neighboring WLAN accessing the strongest signal through a poorly configured access point. And there’s more. A hacker can also gain access using hybrid network bridging through WiFi, Bluetooth, modems or infrared links to a PC while it is connected to the wired corporate LAN.

The key to network management is visibility of port access, knowing who is connecting what devices to every single endpoint in the network – from USB to WiFi and Bluetooth – enterprise-wide, according to Hay Hazama, VP of research and development for Safend, which produces endpoint security solutions.

“While most organizations adequately protect Internet connections via TCP/IP ports with firewalls, endpoints are often overlooked,” says Hazama. “Given that there are 26,000 different USB products available today and WiFi use is on the rise, the problem of securing company laptops and PCs from data theft, data leakage and malicious attacks continues to challenge IT administrators.”

“The answer for IT managers deploying wireless LANs is to effectively detect and block wireless access points and client stations automatically and in real time,” according to a white paper by AdventNet, provider of network management solutions for enterprises.

According to AdventNet, rogue activity can be detected by regularly doing the rounds of the facility with a mobile device using software such as AirSnort or NetStumbler that sniffs the air for wireless activity. These tools are well known for being able to detect unrecognized access points, but such walk-arounds provide only intermittent coverage. Full-time RF sensors such as products by AirMagnet and AirDefense can be installed to continuously monitor all Wi-Fi traffic to detect, disable and document rogue access.

In what is known as a background probe, Wavelink Rogue AP Detection and Identification Software can enable the mobile devices in the company to scan the airwaves for rogues during idle time. Additionally, the AP detection can actually be integrated into the access points, such as the ORiNOCO made by Proxim Corp.

Wavelink Mobile Manager and Airwave Management Platform (AMP) both depend on wired-side inputs for AP detection and both support sensors from AirMagnet. Mobile Manager detects rogue APs by comparing data from the APs and wireless laptops reporting on the wireless side of a network with what Mobile Manager detects on the wired side.
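The wired-side versus wireless-side correlation described above, together with the earlier distinction between an employee-installed AP, a mis-configured AP and an innocent neighboring WLAN, can be reduced to a small triage routine. The following is an added example written for this page, not code from the article or from any of the products it names; the SSIDs, BSSIDs, scan records and the -65 dBm signal threshold are all constructed assumptions.

```python
"""Rogue access point triage: correlate over-the-air scan results with a
wired-side AP inventory. Added example; all data below is constructed."""
from dataclasses import dataclass

# Assumption: the organisation's approved SSIDs.
CORPORATE_SSIDS = {"corp-wlan"}

# Wired-side inventory: BSSIDs the management platform knows from AP
# registration / switch-port data, with the SSID each is registered for.
AUTHORIZED_BSSIDS = {
    "00:11:22:aa:bb:01": "corp-wlan",
    "00:11:22:aa:bb:02": "corp-wlan",
}


@dataclass(frozen=True)
class Observation:
    """One access point seen over the air by a sensor or walk-around scan."""
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int


def classify(obs: Observation) -> str:
    """Return a triage label for one over-the-air observation.

    authorized : BSSID is in the wired-side inventory and advertises the
                 SSID it is registered for.
    misconfig  : known BSSID but a different SSID (default or mis-configured AP).
    evil-twin  : unknown BSSID advertising a corporate SSID; laptops may
                 associate to it believing they are on the correct network.
    neighbor   : unknown BSSID, non-corporate SSID, weak signal; most likely a
                 neighboring WLAN rather than something inside the facility.
    rogue      : unknown BSSID, non-corporate SSID, strong signal; an
                 unregistered AP that is probably inside the building.
    """
    bssid = obs.bssid.lower()
    if bssid in AUTHORIZED_BSSIDS:
        return "authorized" if AUTHORIZED_BSSIDS[bssid] == obs.ssid else "misconfig"
    if obs.ssid in CORPORATE_SSIDS:
        return "evil-twin"
    # -65 dBm is an assumed cut-off; calibrate it against a site survey.
    return "rogue" if obs.rssi_dbm > -65 else "neighbor"


def triage(observations):
    """Group observations by label, strongest signal first within each group."""
    report = {}
    for obs in sorted(observations, key=lambda o: o.rssi_dbm, reverse=True):
        report.setdefault(classify(obs), []).append(obs)
    return report


# Constructed sample scan, as a walk-around survey or RF sensor would produce.
SAMPLE_SCAN = [
    Observation("00:11:22:aa:bb:01", "corp-wlan", 6, -48),
    Observation("00:11:22:aa:bb:02", "default", 11, -55),   # registered AP left on defaults
    Observation("de:ad:be:ef:00:01", "corp-wlan", 6, -40),  # unknown AP cloning the corporate SSID
    Observation("c0:ff:ee:00:00:07", "linksys", 1, -44),    # employee-installed AP
    Observation("ba:ad:ca:fe:00:09", "neighbour-net", 3, -82),
]

if __name__ == "__main__":
    for label, items in triage(SAMPLE_SCAN).items():
        print(label, [o.bssid for o in items])
```

Anything labelled evil-twin or rogue is what the article says must be shut down before data is lost; misconfig entries are the default-configuration case it warns about.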

Safend’s hybrid network bridging prevention feature is designed to block access to WiFi, Bluetooth, modems or infrared links while a laptop is connected to the wired corporate LAN. “Concerning WiFi, most manufacturers have concentrated on the infrastructure, providing more secure protocols, higher encryption, authentication and remaining compatible with 802.11,” says Safend’s Hazama. “But the problem is that the laptop can log on to a rogue access point and believe it is on the correct network and expose its data to unauthorized personnel.”

Encrypting the Hard Drive Covers Another Vulnerability

But what about the data after it is stored on the computer? The security threats caused by stolen laptop computers have been well documented. University of California, Berkeley had a laptop stolen that contained personal information on more than 98,000 of the school's graduate students. In the last year, wireless laptops containing hundreds of thousands of personnel records have been stolen from U.S. Department of Veterans Affairs staff, ING's U.S. Financial Services office in Washington, D.C., Deloitte Accountants, Electronic Data Systems, Equifax, the credit-bureau company, Mercantile Potomac Bank, General Electric, Aetna, Hewlett-Packard and Fidelity Investments.

Analyst Kevin Beaver notes, “Hard drive encryption is an especially big issue. When a hard drive is not encrypted, practically anyone can use legitimate security tools such as Ophcrack's LiveCD or Elcomsoft System Recovery to maliciously break into a system within minutes of obtaining it by stealing it or finding it.”

Securing data on laptops is a new area of focus for today’s corporations, brought about by these well-publicized security problems and new regulations that have also pointed a spotlight on security on the laptop, according to Shari Freeman, director of product management for Sybase iAnywhere.

“For a long time, companies have been focused on over-the-air security, how wireless laptops get authenticated and how they connect with the corporate network with VPN technology,” Freeman says. “The increase in security breaches has raised companies’ awareness of the security issues surrounding laptops.”

In one example, in response to the theft of an unencrypted laptop computer containing the personal information of 26.5 million people, the U.S. Department of Veterans Affairs moved to encrypt all computers across the entire VA system, more than 300,000 laptops, desktops, smart phones and PDAs. Using the GuardianEdge Data Protection Platform and Trust Digital Security's Mobile Device Solution, the VA targeted laptops first for data security programs and then followed with desktop PCs and portable media like flash drives and compact discs.

Another option to protect the laptop hard drive is Sybase iAnywhere’s Afaria product, which is designed to manage applications and data and provide security on wireless devices. To protect the data in case the computer is stolen, the Afaria 5.5 Security Manager component uses an AES cryptographic module (currently undergoing FIPS 140-2 certification) to encrypt the hard drive and a pre-boot authentication password.

“We see an increasing amount of interest in managing and securing mobile devices from companies with a lot of field workers, such as utilities and telecom providers, and companies with large sales forces, such as pharmaceutical companies and financial services,” Freeman says.

No single solution will protect against all of the threats. As a matter of course, Sybase iAnywhere has partnered with Radio IP to combine hard drive encryption and mobile VPN, which are compatible and complementary technologies. “We frequently see installations where an organization can utilize a Radio IP Mobile VPN, and use iAnywhere's Afaria as another layer of security,” says Radio IP’s Torres.

Disaster Recovery, Business Continuity and Data Security

One way to reduce the risk involved in losing a wireless laptop is to ensure that no company files reside on the hard drive; then there is no possibility of having a laptop full of critical information fall into the wrong hands. Technology now exists that allows an employee to access the network remotely but not to download information. For example, Citrus and Chemical Bank, a community bank in Central Florida with $850 million in assets, was looking for a device to support business continuity in the event of a disaster such as a hurricane but found a new way to keep its corporate data safe.

“We wanted a secure method for our employees to be able to work from home if they were unable to come to work due to some disaster,” says Render Swygert, executive vice president of information systems and technology, Citrus and Chemical Bank. “We have a staff that supports the bank 24/7/365. We are always on call wherever we are.”

The MobiKEY from Route1 is a cryptographic USB token device that uses two-factor authentication to enable secure remote access. (Photo courtesy Route1)

What the financial institution found was the Route1 MobiKEY, a cryptographic USB token device that uses two-factor authentication to enable secure remote access. The device operates on a communications platform called MobiNET, which authenticates the user, certifies the device and encrypts the transmission, while ensuring no residual data files are left behind on the remote computer. Swygert purchased the MobiKEYs and the administration portal to manage the devices, reporting on who is accessing the computer network and when the connections are made. IT staff, commercial loan officers, the executive management team, the risk management team and finance all received the devices.

“I like the fact that once the MobiKEY is unplugged from the computer no residual files are left on the unit,” says Swygert. “It is an excellent solution to the problem of people getting their computers stolen.”

The laptop computer is used as a slave to the host computer. Since no data resides on the unit and the user manipulates software on the host computer, Swygert has decided that in the future employees will only need a thin client, or dummy laptop, running Windows® OS and with internet connectivity.

Wireless security is a must for today’s Fortune 500 company. Personal information of employees, as well as the social security numbers, credit card numbers, and other personal information of its customers, must be safe and secure.

To do this, enterprises should take concrete steps to protect data, using a variety of techniques in areas of exposure. Starting with securing every mobile device, all methods of access to the corporate network need to be evaluated, approved and managed. Every data transmission should be monitored and verified to guard against a security breach. Employees must be educated on security procedures and policies to protect corporate data.
