Wireless technologies began to proliferate with the advent of inexpensive cellular phones and the enormous infrastructure that supported them. While this technology was consumer-oriented, it demonstrated the value consumers placed on mobility and convenience in technologies. It was only a matter of time until convergence led to handheld devices that could serve as a cell phone and Internet appliance.
Then, along came the business world to take advantage of cost savings using emerging wireless technologies. One survey in 2002 showed a return on investment (ROI) of 8.9 months for wireless local area networks (WLANs).1 Another survey showed an annual ROI of US $7,550 per employee.2 Cost savings and increased productivity made the melding of wireless technologies and local area networks (LANs) inevitable.
Wireless technologies are every bit as technical and sophisticated as other technologies. The approach to auditing wireless technologies is essentially the same as any other IT audit; it consists of risk assessment by the IT auditor, determining the applicable control objectives, and assessing the effectiveness of the controls (i.e., managing the applicable risks). This article will focus on WLANs because of their association with operations and financial reporting.
How Does Wireless Technology Work?
WLANs use electromagnetic radiation as their means of transmitting data through space. The standard protocol for WLANs is the 802.11 series of standards from the Institute of Electrical and Electronics Engineers (IEEE). An access point (AP) device is physically connected to the LAN (typically a router). The AP has an antenna and sends and receives data packets through space, usually by one of the 802.11 series protocols. Thus, there is no need for wires and patch cables for the wireless devices on WLANs, which is one of their major advantages. A wireless device (e.g., a Blackberry, pocket PC, personal digital assistant [PDA], wireless-enabled laptop) then connects to the WLAN using its transmitter to connect to the AP, and then to the LAN. Theoretically, the WLAN works the same way a LAN works. However, there are some crucial differences, both technical and audit-related.
The WLAN transmission, because it is radiation in space, generally reaches beyond the physical space that contains the WLAN, while a LAN’s connectivity is limited to the physical space and, of course, possibly the Internet from remote locations. Also, generally speaking, there are several differences in the actual technical manner in which the WLAN works.
One article that explains the basic technical aspects of wireless in plain language is "Auditing Wireless Telecommunications: An Issue of Standards."3 A more technical article is "Autonomic 802.11 Wireless LAN Security Auditing," which discusses wireless auditor software in particular.4 The National Institute of Standards and Technology (NIST) and IEEE have technical documents for wireless technologies.
Just as they would for any other risk assessment, IT auditors look at risks in at least three aspects: operational risks, asset risks and financial reporting risks. Operational risks are associated with the operations of the entity, especially with regard to its information systems and underlying technologies. Asset risks are associated with the loss or damage to assets. Since data are valuable assets, they are included in that aspect of risk assessment. Financial reporting risks involve risks that could cause errors or fraud in the financial reporting data, especially those of a material nature. Therefore, this risk is closely associated with data integrity.
Many of the wireless risks are the same as those for a wired LAN, and include those associated with the Internet, internal risks (e.g., malicious attacks, errors) and access control. The Internet always presents risks associated with malicious users. The most common term for this kind of rogue is “hacker,” although usually these types of rogues are technically crackers or script kiddies. The actual risks of the Internet are that the whole world potentially can connect to the entity’s computer systems, and the potential exposure associated with the transmission of sensitive data across these communication lines and systems around the world. Research shows that most of the malicious activities on networks and in information systems come from employees inside the entity. There is also the problem of employee error or carelessness. For example, an employee could carelessly add an AP to a LAN without authorization, exposing data during transmission. Access control for wireless networks includes controls such as strong passwords, but needs more than that to mitigate the risk associated with radiation broadcasting of data beyond the physical WLAN where someone could gain unauthorized access to the WLAN from nearby. Special control tools are necessary to mitigate that risk, which will be discussed later.
Many of the risks associated with IT are information security risks, which are commonly categorized as confidentiality, integrity and availability. One good way to analyze the risks associated with operations is to use the model in figure 1.
Figure 1—Information Security Risk Model5
Obviously the model must incorporate the amount of mitigation provided by existing controls, and use only the residual risk. For example, if the wireless technologies used in the WLAN stop working, the WLAN is not available. If such a loss would have a severe or catastrophic adverse effect on the organization’s operations, and there are no controls in place to mitigate that risk, that risk belongs in the availability category as a high risk. This model could also apply to the other two aspects of risk assessment: assets and financial reporting.
Asset risks are associated with the protection and custody of entity assets. Because data have intrinsic value, they are considered one of the assets to be protected. Data are particularly exposed during the telecommunication process. One major advantage to WLANs is that no wiring has to be in place. However, that also means the transmission of data across the WLAN is susceptible to interception and corruption, depending on the level of security on the WLAN. This issue is directly related to asset risk—the loss, theft or damage to data. The data being transmitted wirelessly can potentially be stolen by data thieves just outside the building.
The mobility aspect of wireless makes it attractive to users and can lead to productivity increases. For example, when employees travel, they can use wireless devices to check e-mail, edit documents and do other corporate tasks while in transit or while sitting in hotels and airports, increasing their total time at work. However, the mobility is also a risk to the portable device itself—it can “walk off” easily.
Financial reporting risks are directly associated with the integrity of the data. Since the data travel through the air and extend beyond the physical space of the WLAN, this risk is inherent in WLANs, assuming financial data travel across a WLAN. Other risks could be associated with errors or fraud; for example, the ability for an unauthorized person to connect or access the WLAN and gain access to the financial data constitutes a serious risk that must be assessed and properly mitigated. Therefore, access controls, as stated previously, are not only applicable in general for networks, but are even more important in WLANs.
Control objectives are related to the major risks already identified, but without regard to the specific control to be employed. Those important residual risks are likely to be access control, monitoring access points, transmission control and viruses. For the most part, activities are safe behind the entity’s firewall when the WLAN is in compliance with the entity’s policies and procedures. But WLANs bring twists to LANs that the IT auditor must consider.
The risk might seem to be mitigated if the entity uses effective antivirus software, especially programs with “push” updates. However, because the appliance (handheld device) is transported out of the building with the employee and used to access the Internet from various unsecure places (e.g., airport, Internet cafes), that device might pick up a virus away from the employee’s desk and be brought into the system when the person returns to work. At that point, the antivirus software would probably detect the virus, but damage might already be done. The objective is to minimize the risks associated with contracting viruses.
The objective for access control is to make sure only authorized people can gain access to the system. But that objective in a wireless environment is different from a wired LAN. Access control is even more important for WLANs than for regular systems and networks because of the ease of accessibility and broadcasting the data through space. At any wired connection point, a person can connect to a wireless router. These routers are inexpensive (typically less than US $100) and offer wired and wireless connectivity. Thus, it is feasible for an employee to buy a wireless router, bring it to work, unplug the computer, insert the new router, plug the computer into the router, and then have wireless access. Many people have done that very thing at home to create a WLAN. But without the proper security in place, someone outside the building could access the WLAN using a wireless device and the unauthorized wireless router. Therefore, controls such as strong passwords and monitoring access are even more important in WLANs. Two additional controls are media access control (MAC) address authentication tools and virtual private networks (VPNs).
The security of APs is critical to the security of a WLAN. Three major problems with APs are unauthorized APs, improperly configured APs and ad hoc networks. Monitoring the presence and configuration of the APs is key to the security of a WLAN. Some advocate the “walk around” control—walking through the physical perimeter to visually verify APs or spot unauthorized APs. Hackers are known to use chalk to place a special symbol on a sidewalk or other surface that indicates a nearby wireless network, especially one that offers Internet access. This process is known as warchalking.6 The walk around needs to include a trip outside the building to spot warchalks on the sidewalks and parking lots. But the effectiveness of this control depends heavily on the frequency and coverage of the walk around. Other tools for control include a sniffer, which analyzes data packets, and wireless auditors.
A wireless auditor is an automated online system that scans for changes or activities that constitute anomalies, and then notifies someone immediately. These features are almost identical to those of continuous auditing and data integrity monitoring. Two commercial packages are Netstumbler7 and Kismet.8 A newer one is Distributed Wireless Security Auditor (DWSA).9 This system takes the inventory of authorized APs and scans the area for all APs it can detect. DWSA actually uses GPS tools to pinpoint the physical location by room and floor and can graphically plot APs in 3D. The auditor system also checks the configuration of APs to ensure that they are configured properly (e.g., security settings).
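The core check a wireless auditor performs (compare what the radios can see against the inventory of authorized APs, then flag rogue, misconfigured and missing APs) can be sketched in a few lines. This is an added illustration, not code from DWSA or any tool named in this article; the inventory, the scan results and the encryption labels are constructed sample data.

```python
"""Rogue/misconfigured AP check against an authorized inventory (constructed data)."""
from dataclasses import dataclass

# Assumption: encryption labels as a scanner might report them.
# WPA2 is the acceptable floor here; WEP and open APs are flagged as misconfigured.
ACCEPTABLE_ENCRYPTION = {"WPA2"}


@dataclass(frozen=True)
class AccessPoint:
    bssid: str        # radio MAC address, the stable identifier for an AP
    ssid: str
    channel: int
    encryption: str   # "OPEN", "WEP", "WPA" or "WPA2"


# Authorized inventory (constructed): BSSID -> expected configuration.
AUTHORIZED = {
    "00:11:22:33:44:01": AccessPoint("00:11:22:33:44:01", "CORP", 6, "WPA2"),
    "00:11:22:33:44:02": AccessPoint("00:11:22:33:44:02", "CORP", 11, "WPA2"),
    "00:11:22:33:44:03": AccessPoint("00:11:22:33:44:03", "CORP", 1, "WPA2"),
}

# One sweep of the building (constructed): a healthy AP, one downgraded to WEP,
# an unknown radio advertising the corporate SSID, and a consumer router.
SCAN = [
    AccessPoint("00:11:22:33:44:01", "CORP", 6, "WPA2"),
    AccessPoint("00:11:22:33:44:02", "CORP", 11, "WEP"),
    AccessPoint("AA:BB:CC:DD:EE:FF", "CORP", 1, "OPEN"),
    AccessPoint("AA:BB:CC:DD:EE:01", "linksys", 6, "OPEN"),
]


def audit_scan(scan, authorized=AUTHORIZED):
    """Return {"rogue": [...], "misconfigured": [...], "missing": [...]}.

    rogue: a BSSID not in the inventory (employee-installed router or neighbour);
    misconfigured: an authorized AP whose SSID, channel or encryption drifted;
    missing: an authorized AP not seen at all (an availability or theft signal).
    """
    inventory = {k.lower(): v for k, v in authorized.items()}
    findings = {"rogue": [], "misconfigured": [], "missing": []}
    seen = set()
    for ap in scan:
        key = ap.bssid.lower()
        seen.add(key)
        expected = inventory.get(key)
        if expected is None:
            findings["rogue"].append(ap)
        elif (ap.encryption not in ACCEPTABLE_ENCRYPTION
              or ap.ssid != expected.ssid or ap.channel != expected.channel):
            findings["misconfigured"].append(ap)
    findings["missing"] = [ap for key, ap in inventory.items() if key not in seen]
    return findings
```

A radio scan alone cannot tell whether a rogue AP is plugged into the entity's wired LAN or merely sits next door; confirming that requires correlating with the wired side, which the walk around or switch records provide.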
The transmission control’s objective is to ensure safe and secure transmission of all data across the WLAN. The IEEE designed some data confidentiality and integrity protection through Wired Equivalent Privacy (WEP). WEP uses a checksum computed over the unencrypted data. WEP has numerous known problems, but, at a minimum, the entity should be using it.10 Wi-Fi Protected Access (WPA) was created by the Wi-Fi Alliance in October 2003 to enhance the security of wireless communications and, in part, to overcome weaknesses in WEP. WPA was updated to WPA2 in September 2004 and is equivalent to the newest IEEE 802.11 protocol (11i) that is supposed to address security problems. WPA2 uses the Advanced Encryption Standard (AES), which to date has not been broken.
Other controls can also be employed to mitigate these risks. Physical security over the APs could be maintained to protect against theft or unauthorized access. Password and data protection is more effective if maintained by the application than if maintained by the wireless device or tools. User authentication should take place at the AP or as close to it as possible. Figure 2 provides a summary of the controls.
Finally, the IT auditor will assess how effective the controls are in meeting the control objectives. To judge or assess the effectiveness of controls, the IT auditor needs to have a modicum of knowledge of the control tools available.
The wireless auditor tool has the ability to do an ongoing risk management assessment 24 hours a day, seven days a week. Thus, this control adds dynamic benefits to the analysis it gives at any point in time.
Figure 2—Summary of Potential Wireless Controls
Monitoring of packets and activities
Authentication at AP or next point
Password executed by application, not WLAN
Physical security (AP)
Intrusion detection systems
Data protection by application, not WLAN
Scan or protect handheld devices when away from work
The basics of wireless networks involve some language and terminology (described throughout this article), a basic understanding of the issues, and a modicum of knowledge of the tools and controls available. For the IT auditor not familiar with WLANs, this article will start him/her down that path (see figure 3 for some resources).
1 Signa Services, "Best Practices for Deploying Wireless LANs," www.wi-fiplanet.com, accessed 7 February 2006
3 Gallegos, Frederick; "Auditing Wireless Telecommunications: An Issue of Standards," Information Systems Control Journal, vol. 3, 2004
4 Branch, J.W.; N.L. Petroni Jr.; L. Van Doorn; D. Stafford; "Autonomic 802.11 Wireless LAN Security Auditing," IEEE Security & Privacy, Spring 2005, pp. 56-65
5 Taken from a presentation made by National Institute of Standards and Technology (NIST) and associated with FIPS Publication 199
6 McFedries, P.; "Bluetooth Cavities," Spectrum, IEEE. www.spectrum.ieee.org/print/1225, accessed 18 April 2006
9 Op. cit., Branch, Petroni, Van Doorn and Stafford
Tommie W. Singleton, Ph.D., CISA, CMA, CPA, CITP
is an assistant professor of information systems at the University of Alabama at Birmingham (USA), Marshall IS Scholar, and director of the Forensic Accounting Program. Prior to obtaining his doctorate in accountancy from the University of Mississippi (USA) in 1995, Singleton was president of a small, value-added dealer of accounting information systems using microcomputers. In 1999, the Alabama Society of CPAs awarded Singleton the 1998-1999 Innovative User of Technology Award. Singleton is the ISACA academic advocate at the University of Alabama at Birmingham. His publications on fraud, IT/IS, IT auditing and IT governance have appeared in numerous journals, including the Information Systems Control Journal.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.