Today's businesses are constantly on the move.
Mergers, acquisitions, downsizing, reorganization and restructuring—are commonly used words suggesting change. Accountability of managers, their location and the people they supervise also change in the process. Moving from one location to another, working with two or more separate physical locations, telecommuting and working while traveling are increasingly common.
Businesses are supported by various infrastructures, including information system networks. Until recently, these networks were designed to depend upon physical links via phone lines, cables, dedicated wiring and so forth. However, the physical links constrain flexibility and limit mobility. Providing physical links to the information system infrastructure of the organization at relocation sites may be prohibitively expensive and subject to significant time delays. Even changes in the internal layout of an area, temporarily or otherwise, become difficult because of the "frozen" lines that need to be moved around and reconfigured.
The commercial value of wireless network components is evident when computer-controlled equipment must be moved to locations where wired connections are not available.1 Over time, awareness and knowledge of wireless networks have increased, while the cost of the technology required has decreased. Consequently, wireless networks are emerging everywhere and have become a popular option in the SOHO (small office, home office) market. However, this welcome change is not without additional risks. For example, the negative impact of data theft from a wireless network has become a critical issue.2 Fortunately, the cost of protecting a wireless network can be affordable, even for a small organization.
The two major risks in wireless network environments are:
- Illegitimate users may successfully access the network.
- Data accessible through the network may fall into the wrong hands.
The following article describes wireless networks, their risks and several network audit tools to test for such vulnerabilities.
Additional Components of a Wireless Network
By definition, wireless implies the absence of hard links. The network, therefore, has to look for users wanting to connect through the air. A network does this by broadcasting itself, using its wireless access point (WAP). Any client computer not physically linked to the network must logically and virtually dock in to the network through the access point. This role is performed by a component on the client computer called a network interface card (NIC). Wireless network communication is typically governed by a communication protocol, most popularly from the 802.11 series protocols.3
Risks in Wireless Networking
Wireless networks are networks first. Consequently, exposures to networks, such as network intrusion, malicious code and viruses, unauthorized access, loss of data, compromise of data integrity and nonavailability, are also applicable to wireless networks. There are additional risks, too. The state of wirelessness offers portability and, therefore, mobility. However, while adding convenience, this adds to the risk, for example, of losing a wireless device. Equipped with all essential hardware, software, data and assigned privileges, the device is ready to hook up with the rest of the network. A lost device can become an open and uninhibited source of access to the network with which it typically communicates. Moreover, if the owner chose the same password for all assigned privileges, the wireless device can potentially become a wide-open door to systems, applications and data on the network.
Additionally, while consumer TV and radio broadcasts are one-way, wireless signals travel both ways; every user can be a sender and a receiver of signals. A client's request to connect to the network can come from anywhere, for the location of the mobile client is not predetermined. Someone present in the air may find the access point on the network and could successfully connect to it. An unauthorized user successfully logging in may send messages that can cause damage to the network or may gain access to confidential data.
In a wireless network, unauthorized users can become a part of an unprotected network through the airwaves using standard wireless NICs. Wireless signals can travel several hundred feet and can be picked up even at greater distances with inexpensive specialized antennas. Intruders can hop on the signal and traverse any unprotected server or other equipment on the network.
A second risk of wireless networks is data disclosure. An intruder can intercept the transmission and read any unprotected contents. Thus, sensitive or confidential data can be compromised, and critical intellectual property of an owner can become public knowledge.
Two major risks in the wireless networking environment are:
- Unauthorized access to the system
- Data disclosure4
There should be two objectives for wireless auditing techniques. The first is to assure that only authorized individuals receive the transmission. Often, wireless networks use media access control (MAC) filtering, which ensures that only specified NICs may connect to the access point. To authenticate entities requesting connection, users may be required to use digital certificates or a weaker alternative, such as passwords. The second objective is to assure that no user who successfully connects to the network has access to data that he/she should not see. If such data are in an encrypted form, they would be rendered useless to the unauthorized user. Encryption techniques include the default packet encryption scheme of the 802.11 protocol series, called Wired Equivalent Privacy (WEP).5 Wireless Protected Access (WPA) is a stronger alternative to WEP and is expected to be released in 2004.
In looking for assurances in wireless network security, the auditor should also explore several other possibilities. The WAP can be configured to belong to a subnet, and the resources (including data) available to it can be limited. This is more like creating a demilitarized zone. Moreover, vendor-supplied default identifiers should be changed. To keep intruders away, broadcast signal power may be restricted to a limited area that is supposed to serve all authorized users. This is like creating an airspace perimeter so that no one outside of it can make the contact. Finally, WAP beacon transmissions can be removed (or made silent) so the WAP listens to authorized users rather than broadcasts (and, therefore, invites) passers-by to link up.
To test how well a wireless network authenticates its users, one can attempt to connect to the network and, in the process, determine what credentials are requested for the purpose. A laptop or a PC with a wireless NIC located within the broadcast range of a WAP can issue IPCONFIG RELEASE and RENEW commands to determine if a network connection (IP address) is granted.
As discussed earlier, confidentiality of data can be preserved in various ways, including the use of encryption technology. This article will illustrate how to identify access points and their configuration and show how to verify whether data are encrypted.
Audit Tools and Results
Many software tools are available for wireless network audits, such as NetStumbler and PrismDump (discussed in this article). Figure 1 summarizes information about the two software packages illustrated within this article, their potential uses and the vendor. Figure 2 displays selected information about other audit tools, including the name of the software, equipment on which it can be used, the function it performs and the web site on which additional information about the software can be found.
Figure 3 presents accessories that may be used with each software tool. By deploying NetStumbler, the auditor can determine the configuration of an access point, including encryption. This can be done by first identifying the existence of access points. Next, the auditor verifies whether WEP encryption is used by reviewing the report.
To convert a laptop running Windows to a dual-boot Windows/Linux machine, Partition Commander6 or PowerQuest's Partition Magic7 may be used. If running the Windows XP operating system, the only additional minimum purchase required is a Prism II PCMCIA wireless NIC. The total investment at the time of publication is approximately US $150 plus the time involved for installation. Linux, NetStumbler, PrismDump, Ethereal and the wlan-ng-0.1.13 card driver are available without cost.
NetStumbler is the first tool an auditor should use to take an inventory of the wireless access points in the proximity of company facilities. Figure 4 shows the results of a NetStumbler session. NetStumbler can identify the equipment MAC serial number, assigned name [service set ID (SSID)], and the longitude and latitude (using GPS devices that require additional outlay) to help determine whether the owner of the access point is in the auditor's scope. The fourth column in figure 4 shows the channel used by the access point—an input essential for the next tool, PrismDump, to capture packets.
The encryption column in figure 4 indicates if WEP is in use. WEP was enabled in seven out of 28 (25 percent) of the access points in the test shown. If hackers gravitate to the easiest path, they may be busy with the 21 weak networks, and they may never have incentive to break into the seven WEP-protected networks, despite the shortcomings of WEP. The use of WEP is certainly more effective than not encrypting at all; however, WEP alone may not provide all the protection needed. The SSID and name columns in figure 4 may provide auditors with additional useful information. In this example, the default SSID of INTERMEC indicates the equipment normally used in the medical environment. This may be more inviting to hackers than the blank spaces in the name column.
The second tool, PrismDump, can capture any nearby wireless packets once the Prism II card is placed in the promiscuous (listening) mode. The aim is to verify if the data are readable or are secured in some manner, such as with encryption. This can be achieved by inspection of the packets captured by PrismDump. Figure 5 shows the results of a PrismDump session. Packets captured by PrismDump can be read by the Ethereal tool (see figure 5). The top Ethereal panel shows a series of packets captured. The middle panel provides the Transmission Control Protocol (TCP) characteristics of the packet. The bottom panel reveals the data content of the packet. An inspection of the third panel permits the auditor to verify whether the data are readable.
Incidentally, nonuse of WEP does not mean that data are not protected by some other technology. For example, a wireless network session can be protected using a virtual private network (VPN).
While wireless networks provide greater mobility, they also are a source of additional risk exposures. It is easier for intruders to roam in a wireless network without being noticed. Strong authentication procedures are likely to keep intruders out of a system. In the event that unauthorized users enter the network, compromising confidential data would be a serious concern for the organization. The best protection against this exposure can be obtained using encryption technology. Several affordable tools are available to the auditor to verify accessibility of wireless networks and whether encryption is used in data transmission.
In looking for assurances in wireless network security, the auditor should take a defense-in-depth approach. For example, to the extent possible, the wireless network should be isolated from other networks, and the resources (including data) available to it should be restricted to what is absolutely required. To help keep intruders away, broadcast signal power should be just enough to serve all authorized users and WAP beacon transmissions can be removed.
1 Held, G.; Deploying Wireless LANs, McGraw Hill, New York, USA, 2002
2 Verton, D.; "New Risk for Wireless Access Points," Computerworld, volume 36, no. 34, 10 August 2002, p. 14; Brewin, B., Computerworld, "Watch Out for Wireless Rogues," volume 36 no. 29, 15 July 2002, p. 36
3 802.11 series of protocols, Institute of Electrical and Electronics Engineers
4 US National Institute of Standards and Technology (NIST), description of wireless risks, http://csrc.nist.gov/publications
5 Kay, R.; "Wireless Security," Computerworld, volume 36, no. 26, 24 June 2002, p. 38
Michael T. Hoesing, CISA, CISSP, CIA, CCP, CMA, CPA
is the IS audit manager at First National Nebraska Inc., assessing risk and helping to improve the control environment for technology sectors at the bank and the related nonbanking subsidiaries. He has more than 25 years of experience in the areas of IS audit, IS implementation and financial audit. He has been involved in external and internal audit processes and has served as a software trainer and a university instructor.
Vasant Raval, CISA, DBA
is chair of the department of accounting and a professor at the College of Business Administration at Creighton University (Nebraska, USA). His primary research interests include IS security and control and corporate governance. He is coauthor of a book on accounting information systems and has published many articles in various publications.