Wednesday, December 06, 2006

Protecting against wireless threats: security risks abound in networking environments that allow untethered server access - Computers & Auditing

During the last two years, wireless fidelity (WiFi) has become one of the fastest growing electronics technologies in history. Although much of this growth can be attributed to the consumer market, businesses have also begun to appreciate the value of beaming data through the airwaves and pulling the plug on conventional networks.

WiFi provides a degree of flexibility in the work environment that cannot be achieved with conventional, wired connections. Through the use of wireless local-area networks (WLAN), for example, manufacturers can reconfigure production facilities for increased efficiency, hospital staff members can use handheld devices to deliver patient information, warehouse workers can exchange inventory control information without crossing the warehouse floor, and students and teachers can communicate without being confined to a computer lab or dorm room.

At the same time, however, WiFi also presents greater risks and security challenges. For instance, whereas typical wired networks feature a limited number of fixed physical points of access, wireless networks can be used at any point within range of the system's antennas -- approximately 300 feet. WLANs can potentially provide access to individuals located outside the physical security perimeter of the network, such as the office parking lot, an adjacent floor, or a nearby building, creating a host of new vulnerabilities for hackers and other ill-intentioned users to exploit.

With the increased presence of wireless connectivity in today's businesses, internal audit professionals need to recognize this emerging technology's potential impact on their organization's risk environment and help protect against wireless threats. Auditors can play a valuable role in assisting with WLAN-related risk management during both the evaluation and implementation phases for these systems, as well as after the WLAN is fully operational.

EVALUATION

Before system implementation, internal auditors should focus their attention on issues related to the adoption of wireless technology. Vendor offerings can vary considerably, especially in terms of security, and poor decisions made during this phase can lead to unnecessary risk.

First, auditors should ensure the company focuses on wireless vendors that provide standards-based security solutions. Many vendor offerings deliver security features such as key exchange and encryption through the use of proprietary technology, which can affect WLAN compatibility with other network components and increase the complexity of managing security in a multi-vendor environment. Furthermore, proprietary solutions can compromise independent security experts' ability to analyze and remedy weaknesses throughout the network.

Next, the audit team should make sure the company thoroughly assesses the security features of each vendor's system, as well as vendor plans for improving the inherent weaknesses of wireless encryption protocol (WEP) -- a standard security feature found on most WiFi networks that helps to prevent casual "eavesdropping" by unauthorized parties. Because many experts believe WEP's encryption method provides inadequate protection against intruders, WEP is being replaced by WiFi Protected Access (WPA), a standards-based, interoperable security specification that significantly increases the level of data protection and access control. Therefore, auditors should ensure that the manufacturer of each system being considered for purchase has plans for upgrading to this new technology once it's available and that its equipment can be adapted easily to WPA.

Until WPA is released, however, auditors should also ensure the company considers using extensible authentication protocol (EAP) to provide an additional layer of security to wireless systems. EAP is a method of conducting an authentication conversation between a user and an authentication server. Its role is to relay messages between the parties performing the authentication. In wireless communications using EAP, user connection requests are relayed from the wireless access point (WAP) to an authentication server, which then requests proof of identity.
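To illustrate the relay role the paragraph above assigns to the access point, here is an added Python sketch (not code from the article) that runs a three-party EAP-style exchange: the access point only forwards messages, and the authentication server alone holds the credentials and decides the outcome. The challenge-response step is a constructed HMAC stand-in for a real EAP method, and the message names and credential store are simplified, illustrative assumptions.

```python
import hashlib, hmac, os

# Constructed credential store held only by the authentication server (not real data).
SERVER_CREDENTIALS = {"alice": b"correct horse battery staple"}

class AuthServer:
    """Issues the identity and challenge requests and decides the outcome."""
    def __init__(self, credentials):
        self.credentials = credentials
        self.pending = {}  # identity -> outstanding challenge nonce

    def handle(self, msg):
        user = msg.get("identity")
        if msg["type"] == "Response/Identity" and user in self.credentials:
            nonce = self.pending[user] = os.urandom(16)  # fresh challenge per attempt
            return {"type": "Request/Challenge", "nonce": nonce}
        if msg["type"] == "Response/Challenge" and user in self.pending:
            expected = hmac.new(self.credentials[user], self.pending.pop(user), hashlib.sha256).digest()
            if hmac.compare_digest(expected, msg["proof"]):
                return {"type": "Success"}
        return {"type": "Failure"}  # unknown user, no outstanding challenge, or bad proof

class Supplicant:
    """The wireless client: answers the identity and challenge requests."""
    def __init__(self, identity, secret):
        self.identity = identity
        self.secret = secret

    def handle(self, msg):
        if msg["type"] == "Request/Identity":
            return {"type": "Response/Identity", "identity": self.identity}
        proof = hmac.new(self.secret, msg["nonce"], hashlib.sha256).digest()
        return {"type": "Response/Challenge", "identity": self.identity, "proof": proof}

def access_point_relay(supplicant, server, log):
    """The WAP only forwards EAP messages; it never sees the client's secret."""
    msg = {"type": "Request/Identity"}  # the authenticator opens the conversation
    while msg["type"] not in ("Success", "Failure"):
        log.append(msg["type"])
        if msg["type"].startswith("Request"):
            msg = supplicant.handle(msg)  # deliver the request to the client
        else:
            msg = server.handle(msg)  # relay the client's response to the server
    log.append(msg["type"])
    return msg["type"] == "Success"  # the port is opened only on Success
```

The transcript collected in `log` shows that every decision (challenge, success, failure) originates at the server, which is why the access point's own weaknesses do not expose the credentials.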
