Getting Past WLAN 'Apathy' - Page 2
August 30, 2002
Risk assessment needed
The National Institute of Standards and Technology warns executives the need for continued scrutiny of their wireless networks throughout its life cycle.
"Agencies should understand that maintaining a secure wireless network is an ongoing process that requires greater effort than for other networks and systems," said Tom Karygiannis and Les Owens in a draft report NIST released July 24. "(They) should not undertake wireless deployment for essential operations until they understand and can acceptably manage and mitigate the risks to their information, system operations and risk to continuity of essential operations."
Coley said he's found many companies do take risk assessment, but many IT departments are rushed to deploy equipment so companies can take advantage of the technology's benefits, namely portability.
The legalities behind wardriving and packet-sniffing are still being hammered out at the federal level, though the industry is still so new, it seems regulators and law enforcement officials have some catch-up work to accomplish.
The Federal Communications Commission (FCC) doesn't have much to say in the matter, minus a legislative mandate, outside its existing Part 15 rules, which govern the use of APs and other wireless equipment. The rule is used to prevent 2.4 GHz operators (the spectrum 802.11b runs on) from interfering with licensed spectrum owners.
The Federal Bureau of Investigation (FBI) is in similar straits. According to Coley, "sniffing" out wireless networks isn't illegal, and to a large extent neither is connecting with the AP -- even if it's being used to access the Internet for free. There is a case, he said, in Texas to change that rule; a man is being tried for wire-tapping fraud for associating his laptop with an open wireless network.
According to federal law, he said, the only time a person is committing a crime is if they knowingly bypass Wired Equivalent Privacy (WEP) security to get to the intranet or Internet.
"And it's only going to get worse," Coley said. "(IT departments) are buying gateways that are going to be around for a long time -- to get their money's worth -- using today's technology."
Is it such a threat?
Not everyone is convinced WiFi is such a serious threat. Chris Rangel, assistant vice president for marketing at equipment manufacturer Alvarion, said the incidences of wireless break-ins are happening in controlled environments, not in the real world.
"I'm not trying to minimize the vulnerability, it is there, but this wide-range breaking into just doesn't happen," he said. "I think that in terms of actual break-ins, this has been much more of a media event.
"Not to say the risk isn't there, but these break-ins and insecurities have come about through university research, not hackers," he continued.
The real danger, he said, is that the press is disseminating information not normally found and giving would-be hackers ideas to circumvent existing security measures. Once the tools to circumvent WEP and other standards, like 802.1x, get out, no amount of prevention will keep networks safe.
"If someone's really going to go after you, those things aren't going to stop them," he said. "It's like locking your door; it's only going to keep the halfway-honest people from coming in.
He agrees with Coley's assessment, however, on improperly configured wireless equipment on the corporate network. Many companies, he said, don't even enable WEP security on their APs, as well as leaving the default service set identifiers (SSIDs) password on the machine. SSIDs are used to differentiate WLAN environments.
"It's quite easy to go out with a default PC card and get on a network, because no one's gone and changed the defaults," he said.
McCuchins, the N.C. network administrator, said the time and effort putting into securing a wireless network can be easily solved, even if administrators aren't able to get more funding and training help from its executives.
"Change the passwords, don't broadcast your AP's make and model number; that just gives hackers a launching ground to see where to get around the security," he said. "Take a laptop outside, see how far your network extends, and turn the power down if its going too far."