IT Audit Basics
Auditing Wireless Telecommunications:
An Issue of Standards
By Frederick Gallegos, CISA, CDE, CGFM
Volume 3, 2004
Introduction to the Wireless Community
In today's technological world, growth in industries has inspired new trends and revolutions toward new technologies that benefit business, communication and life in general. These trends include faster bandwidth connections to the World Wide Web, higher clock-speed processors and new breakthroughs in wireless technology. Years ago, wireless access was not as much of an interest as it is today. Prices were significantly higher, so fewer companies and end users bothered to purchase the young and impractical toy. Since then, there has been growth and change in the way business is done and how people and businesses communicate. More and more people have been moving toward mobile computing to handle their business needs because they cannot be in the office all the time. Our businesses are hard-nosed, but always looking for improvement and efficiency. It just takes the right kind of technology to do so. It also takes the right level of audit, control and security.
In today's busy communications environment, businesses worldwide have been integrating more and more wireless technology over the years. Whether it is just for home use or office networking, wireless technology has taken a larger foothold in Internet usage, as seen in figure 1.¹ There has been a movement from wired surfing to wireless surfing, because of significant price drops that offer viable alternatives for the end users. Having no wires offers more mobility to take a communication device [e.g., personal digital assistant (PDA), laptop or cell phone] anywhere within the range of the base station or even around the country with wireless protected access (WAP) technology. Employees and home users have found that it is more convenient to have the mobility that wireless connections offer. Though network connection speed has been an issue for a while due to the constraints of the 802.11b protocol, new emerging technology seems to be paving the way toward faster and more reliable wireless connections. The trend toward a wireless worldwide Internet is looking increasingly bright, and with it comes concern for information assurance.
Wireless Internet
Wireless technology, like all transmission media, uses radiation as its means of transmitting data through space. Specifically, wireless technology uses electromagnetic radiation to transmit data, because it does not require a medium to transfer the energy from one point to another. Unlike wired components, such as RJ-45 network patch cables, which transmit data through a series of copper wires, wireless solutions, such as the 802.11b standard, transfer data through the atmosphere through the radio frequency 2.4GHz. This allows for less cabling around the building and a lower cost.
A wireless LAN can be very similar to a fixed (wired) LAN, with the exception that it uses airwaves rather than cabling to connect the devices. Wireless LANs are typically secluded in a confined area, usually a home or an office building. Obstructions, such as walls, especially if they are solid, cause interference and weaken the signal. Instead of a socket for a cable connector, each terminal connected to the LAN has a small transceiver connected or attached within it. By using a wireless LAN protocol, such as 802.11b, devices such as computers, laptops and Ethernet cameras can connect to the LAN and interact with each other. There may also be a central stationary point, such as a router, that connects to a fixed line such as ISDN, DSL, cable, T1, etc., to access the Internet or another LAN. This point will work just like a bridge that allows the passage of network traffic through from the mobile devices connected to the wireless LAN.²
The set of evolutionary IEEE standards, 802.11, is designated as the Wireless LAN Working Group.³ It was developed as a replacement for wired LAN technology such as Ethernet (802.3), and was designed to cover areas such as an office building or a group of adjacent buildings, none of which are too far apart. Now, 802.11b is the standard that provides connectivity among different vendors of wireless devices. This means one could use a Linksys Wireless Router with a Netgear Wireless Card and still be able to connect. 802.11b is a revision of the original, older 802.11 standard. It operates in the 2.4GHz range and allows short-range transmissions at up to 11Mbps, which is comparable to 10Base-T Ethernet technology. Its mobile range is meant to extend for 100 meters, but at reduced rates as the distance increases. One could have close to 11Mbps five to 10 meters from the access point, but transmission speeds greatly decrease as it takes more time for the information to reach the receiver. This is not counting the interference and climate conditions that the wireless transmission faces.
802.11b subdivides its frequency band (2.4 - 2.483GHz) into several channels. The original 802.11 operated three physical layers: Direct Sequence Spread Spectrum (DSSS), Frequency Hopped Spread Spectrum (FHSS) and Infrared (IR). However, 802.11b has simplified the interface, so it now runs only on DSSS.
The evolution of the 802.11 protocol has been progressing quickly with 802.11b already in place and others being tested and implemented. Advancements and new techniques in sending packet data through different frequencies of radio transmissions have been goals of many wireless companies.
Figure 2⁴ displays the growth and progression from one single protocol to a new mixture of protocols that will improve functionality and widen the bandwidths that this wireless technology can transfer. As the graph shows, the progression toward increases in throughput has split into two initiatives. One, the aforementioned 802.11g, is based off the 2.4GHz spectrum. It will use the existing band but will accommodate up to 54Mbps. At the same time, 802.11a offers a similar solution with the proposal to offer up to 50Mbps using a 5GHz band. Not shown are new protocols for security concerns such as 802.11i.
Internet Security
Internet security is always a concern to businesses, as well as end users, because having a computer compromised is an eerie thought. Files, programs, documents, passwords, credit card numbers and even personal information can be corrupted or stolen by the ominous hacker who decides to target the computer. The Internet began as a sort of public information database with no security backbone, which made it easy for hackers to compromise systems, alter web sites and steal personal information. Over the past few years, security has become a big issue with large corporations, governmental web sites and even school districts, because hackers find it fun to disrupt businesses that are working optimally.
Wired Equivalent Privacy (WEP) was one of the first wireless security encryptions designed to protect WLANs from unauthorized users. This protocol uses security keys that are created within the router and then encrypted, so the user outside the LAN must have the proper key to gain access to the LAN. One of the main problems of WEP is that the security keys are easy to break, and there is no way to reset keys on a regular basis to avoid someone breaking into messages encrypted with an overused key.
Wi-Fi Protected Access (WPA) is a new wireless security protocol developed to add further protection against unwanted guests. WPA addresses these problems by implementing an automatic key resetting feature.⁵ It increases the initialization vector (IV) from 24 bits to 48 bits, making a WPA-protected message much harder to crack than before. Next, WPA changes the key with every packet sent out using a Temporal Key Integrity Protocol (TKIP). This indeed makes packets harder to break, but it also hinders the performance of the PC and the network interface card. Finally, WPA uses an old technique of message security called the checksum method. It checks the validity of an 8-bit message integrity code within a frame and tests that frame by the 4-byte integrity check value. Most recent efforts in protection come from the work of the US National Institute of Standards and Technology (NIST) and a conference it held in December 2002 on wireless technology and security, especially 802.11i testing. Information from this important conference is available at NIST's Computer Security Resource Center.
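Added example (not part of the original article): a short Python calculation of what the move from a 24-bit to a 48-bit IV buys, plus a check an auditor could run over logged IVs to spot reuse under a static key. The frame rate (a link saturated at 11Mbps with 1,500-byte frames) and the sample IV list are constructed assumptions, and both random and sequential IV selection are modelled because the choice is left to the implementation.

```python
import math
from collections import Counter

def frames_until_repeat_likely(iv_bits, probability=0.5):
    """Frames sent with randomly chosen IVs before a repeat is this likely (birthday bound)."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))

def hours_until_wrap(iv_bits, frames_per_second):
    """Hours until a sequential IV counter wraps and repeats under the same key."""
    return (2 ** iv_bits) / frames_per_second / 3600

def reused_ivs(observed_ivs):
    """Return {iv: count} for every IV seen more than once under one static key."""
    return {iv: n for iv, n in Counter(observed_ivs).items() if n > 1}

# Assumption: link saturated at 11Mbps with 1,500-byte frames, protocol overhead ignored.
FRAMES_PER_SECOND = 11_000_000 / (1500 * 8)

# Constructed sample: IVs logged from six frames protected by the same static key.
SAMPLE_IVS = [0x000001, 0x000002, 0x00A3F1, 0x000002, 0x00A3F1, 0x000002]

def summary():
    """Compare the 24-bit and 48-bit IV sizes on both measures."""
    return {
        bits: {
            "frames_until_repeat_likely": frames_until_repeat_likely(bits),
            "hours_until_wrap": hours_until_wrap(bits, FRAMES_PER_SECOND),
        }
        for bits in (24, 48)
    }

if __name__ == "__main__":
    for bits, row in summary().items():
        print(f"{bits}-bit IV: {row}")
    print("reused IVs in sample:", reused_ivs(SAMPLE_IVS))
```

With a static key, every repeated IV is a frame encrypted under an already used per-packet key, which is why the absence of key rotation matters as much as the IV size.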
Virus vulnerability is always an issue within companies because mobile devices are often used inside and outside the corporate firewall, which makes them more susceptible to infection. At the same time, they are not powerful enough to scan for viruses on their own because of the limited computing power the processor and hard drive contain. Passwords are another threat to the company, because they can be used outside the intranet on an employee's personal device to gain entry into the company's network. The use of mobile devices in the public sometimes allows information to be cached in the machine, which provides hackers with an easy means to access the corporate network.⁶ They can gain the proper password by observing the code entered and by stealing the device used. Mobile device usage outside the firewall can be a benefit, providing easy access to mobile employees, as well as a hindrance, allowing hackers to gain access to the private networks and steal or modify company database information.
Behind a firewall, a company is safe to an extent, but there is always the threat of someone trying to hack through the firewall. This is why most companies hire IT professionals who specialize in network administration and Internet security to protect their networks from outside threats. These trained professionals try to deter or even stop these threats, but occasionally a good hacker will slip through, and every encryption, password and port that was compromised needs to be changed so the hacker will not be able to enter the same way again. It is in the best interest of IT auditors to see that they are doing their job in this area of vulnerability and risk.
802.11x architecture⁷ is a type of network security protocol that utilizes a bridge, also known as an authenticator, to authenticate users. This bridge routes controlled ports to uncontrolled ports (see figure 3). The authentication server that verifies the user sends a status (success or failure) to the user, and the bridge intercepts that status. If the user is authenticated, the bridge opens the uncontrolled port to the controlled port, which allows the flow of data to take place, and the user is free to access or update the information through this security precaution. The question that must be continually asked is whether the controls in place are working and keeping out the unauthorized. If changes are made, one must ensure that controls in place are not degraded or security holes created through poor testing.
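Added example (not part of the original article): a small Python model of the authenticating bridge, with a set of control checks that can be rerun after every change to confirm the control has not been degraded. The class names, user names and the "degraded" variant are hypothetical; the model assumes the usual port semantics, in which authentication frames always pass and data frames pass only after the server reports success.

```python
from dataclasses import dataclass, field

AUTH, DATA = "auth", "data"   # frame classes: authentication exchange vs. everything else

@dataclass
class Bridge:
    """Hypothetical model of the authenticator: data passes only for authenticated users."""
    open_for: set = field(default_factory=set)

    def server_status(self, user, status):
        # The bridge intercepts the authentication server's verdict and sets the port.
        if status == "success":
            self.open_for.add(user)
        else:
            self.open_for.discard(user)   # failure, or anything unexpected, closes it

    def forwards(self, user, frame):
        # Authentication frames always pass, otherwise nobody could ever log in.
        return frame == AUTH or user in self.open_for

class DegradedBridge(Bridge):
    """Constructed example of a change that weakens the control: failures are ignored."""
    def server_status(self, user, status):
        if status == "success":
            self.open_for.add(user)

def control_checks(bridge_factory):
    """Checks to rerun after every change; returns the names of the checks that failed."""
    failed = []
    def check(name, ok):
        if not ok:
            failed.append(name)
    b = bridge_factory()
    check("data blocked before authentication", not b.forwards("alice", DATA))
    check("authentication frames pass", b.forwards("alice", AUTH))
    b.server_status("alice", "failure")
    check("failure keeps port closed", not b.forwards("alice", DATA))
    b.server_status("alice", "success")
    check("success opens port", b.forwards("alice", DATA))
    check("other users stay blocked", not b.forwards("mallory", DATA))
    b.server_status("alice", "failure")          # failed re-authentication
    check("failed re-authentication closes port", not b.forwards("alice", DATA))
    return failed

if __name__ == "__main__":
    print("baseline:", control_checks(Bridge))
    print("after change:", control_checks(DegradedBridge))
```

The baseline passes every check, while the degraded variant still opens the port on success and so looks healthy in a login test; only the re-authentication check exposes it.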
Conclusion
As wireless innovation continues, the use of such applications and their types will increase. This area is a moving target as standards are evolving and changing. It behooves the business to ensure that standards are followed to the extent possible, knowing that change is imminent. IT auditors must ask the questions of risk, controls and protective action that needs to be taken.
Endnotes
1 Greenspan, Robyn; "Wireless Surfer Numbers Grow," 6 September 2003, http://cyberatlas.internet.com/markets/wireless/article/0,,10094_1457671,00.html
2 Rhoton, John; The Wireless Internet Explained, Digital Press, imprint of Butterworth-Heinemann, Massachusetts, USA, 2002, p. 42
3 Ibid.
4 Ibid.
5 Vaughn-Nichols, Steven J.; "Making the WPA Upgrade," 5 May 2003, http://www.80211-planet.com/tutorials/article.php/2201281
6 Paavilainen, Jouni; Mobile Business Strategies: Understanding the Technologies and Opportunities, IT Press, 2002
7 Sadiku, Matthew N.O.; Optical and Wireless Communications: Next Generation Networks, CRC Press LLC, Florida, USA, 2002, p. 118