A company looking to beef up the security of its wireless operations should start with its own policies and standards, according to Ken Newman, director of security and risk management at Deutsche Bank AG. That's because standards and policies form the foundation upon which all security efforts are built, he said during a case study demonstration at Computerworld's Mobile & Wireless Conference in Palm Desert, California.
For example, employees need to understand that something as simple as setting up a wireless access point can pose a threat to company security.
As for Deutsche Bank, its business problem was the need for a system that provides confidentiality and data integrity and that would meet government-imposed security considerations. Complicating the effort: fears that advances in technology meant the entire security program would only have a life span of 12 to 18 months.
After strengthening its policies and standards, the next step in the process was "hardening" PCs and laptops against security breaches with personal firewalls, updates and patches for existing software, upgrades to security software, the use of low-level encryption and the prevention of simultaneous wireless/wired connections, he said.
After taking those steps, Newman said the company set out to go after its own network with the same tools attackers would use. That way, Deutsche Bank could determine what information could be detected, what could be accessed and from where it could be accessed.
The company's physical security force was also brought into the operation, with security guards regularly patrolling corporate offices at night with special carts looking for rogue access points employees might have set up on their own. Newman called this "cart stumbling," a play on Netstumbler, which is a tool many attackers use to look for access points. "We have a limited staff, and we can't be everywhere," he said.
The company also regularly monitors Web sites where attackers post discovered access points, such as www.netstumbler.com and www.wigle.net, to see if any Deutsche Bank access points are listed.
On the wireless side, Newman said the bank:
- Limits connectivity to the network by placing access points in a DMZ outside the company firewall.
- Limits the types of applications and data available via firewall rules.
- Sweeps for malicious code and viruses.
- Provides for two layers of encryption: LEAP and an IPSec VPN tunnel.
- Commits to being a one-vendor shop to eliminate problems associated with using multiple encryption protocols and standards.
- Builds in strong user-based authentication, such as systems that require secure ID tokens.
Newman said the bank has also looked into setting up fake access points to confuse would-be attackers and to make it harder for them to distinguish between what is real and what is not. He suggested anyone interested in that idea look online at www.blackalchemy.to/project/fakeap/.
The bank may also create "honey pots" designed to find out what potential attackers are using and to discover trends and innovations the bank could use down the road.
Newman also urged attendees to take a close look at their company's Service Set Identifier, a 32-character identifier that is attached to data packets sent over wireless LANs. He said many of these codes allow attackers to learn the names of companies, what the company does and other sensitive data that could attract more attackers if it were published. It would be better, he said, if a company used something generic that would not draw attention.
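The following added example, which is not from the article or from Deutsche Bank, shows one way to audit the output of an access point sweep like the patrols described above and to flag SSIDs that reveal company identity. The approved inventory, the list of revealing terms, the CSV layout and all sample data are constructed assumptions.

```python
import csv
import io

# Constructed inventory of approved access points (BSSID -> SSID); not real data.
AUTHORIZED = {
    "00:11:22:33:44:01": "wlan-7f3a",
    "00:11:22:33:44:02": "wlan-7f3a",
}
# Hypothetical terms an SSID should not reveal (company name, business unit).
REVEALING_TERMS = ("examplebank", "treasury", "trading")

# Constructed sweep output as CSV: bssid,ssid,location
SAMPLE_SWEEP = """\
00:11:22:33:44:01,wlan-7f3a,floor-2
00-11-22-33-44-02,ExampleBank-Trading,floor-3
de:ad:be:ef:00:01,linksys,floor-3
DE:AD:BE:EF:00:02,wlan-7f3a,floor-5
"""

def normalize_bssid(bssid):
    """Lower-case and use ':' separators so inventory lookups match."""
    return bssid.strip().lower().replace("-", ":")

def audit_sweep(sweep_csv, authorized=AUTHORIZED, terms=REVEALING_TERMS):
    """Return a list of (bssid, ssid, location, finding) tuples."""
    findings = []
    for row in csv.reader(io.StringIO(sweep_csv)):
        if len(row) != 3:
            continue  # skip malformed lines rather than guess at their fields
        bssid, ssid, location = normalize_bssid(row[0]), row[1].strip(), row[2].strip()
        expected = authorized.get(bssid)
        if expected is None:
            # Unknown radio; an approved SSID on it suggests impersonation.
            kind = "rogue-spoofing-ssid" if ssid in authorized.values() else "rogue-ap"
            findings.append((bssid, ssid, location, kind))
        elif ssid != expected:
            findings.append((bssid, ssid, location, "ssid-mismatch"))
        if any(term in ssid.lower() for term in terms):
            findings.append((bssid, ssid, location, "revealing-ssid"))
    return findings

if __name__ == "__main__":
    for finding in audit_sweep(SAMPLE_SWEEP):
        print(*finding, sep="  ")
```
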