Banking on wireless?

Ken Newman, Director and Infrastructure Security Assurance Manager for a major global financial institution, shares his strategies for securing wireless.

KEN NEWMAN is Director and Infrastructure Security Assurance Manager for a major global financial institution. He is responsible for implementing an information security program to ensure the secure operation of technology infrastructure. In previous roles at this bank, Mr. Newman managed security products, information security consulting, and perimeter security and operations. He has worked closely with vendors and IT teams on implementation and strategy. Ken also recently worked with the bank's network engineering team to design a secure Wi-Fi access model for deployment within the organization. Prior to joining his current company, Ken worked for another Fortune 50 firm, where he was responsible for the deployment and management of access control and anti-virus security products. Ken has more than 15 years of practical IT experience working with systems, networks, and applications, plus a proven track record of more than 10 years of providing security solutions in financial services.

ONE ON ONE

ADVISOR: Please tell me a little bit about your background and what you do in your role as an Infrastructure Security Assurance Manager (ISAM).

NEWMAN: I've been in information security in financial services for about 11 years. During that time, I've been involved with a little bit of everything.
The operational side of security: account administration, monitoring, etc.; the technology side of security: introducing products and technologies to provide control and reduce risk; and the risk management side: assessing and analyzing technology risk as it applies to business processes and helping businesses identify appropriate controls to manage that risk. Right now, my focus is on making sure security-related technologies are properly configured for the environment.

ADVISOR: What does the role of ISAM entail?

NEWMAN: I look at policies and standards around managing infrastructure components, like a wireless network, and I update processes, procedures, or tools to address any gaps in security.

ADVISOR: I'd imagine that, given the data with which they're dealing, financial institutions are on the bleeding edge of security technology. Is that accurate?

NEWMAN: I would say that's probably true. The need is certainly there. Banks are obviously heavily regulated here in the U.S. and in all the countries in which they do business around the world. There are regulatory bodies that monitor how they're allowed to handle transactions, as well as how they must maintain the security of their information.

ADVISOR: Does wireless technology play a large part in the financial industry?

NEWMAN: Generally speaking, wireless is probably starting to play a more substantial part in financial services, for much the same reason it does in many other industries: the collaborative ability and increased productivity that come from a mobile workforce. These workers can come together and work in different ways and not be so constrained by traditional wired environments. The difference for financial services is, from a regulatory standpoint, there's a greater mandate and requirement for controls. There has been a strong demand from the business to make the technology available, and you should focus on bringing it to business users in a way that meets their needs, with an appropriate amount of control.

ADVISOR: When you're looking at rolling out a mobile solution, how do you decide which employees merit access to mobile data?

NEWMAN: I would look at it a little bit differently. Rather than looking at what employees are appropriate to be mobile, assess what types of information and applications are appropriate to be accessible via mobile devices, regardless of the type of user. Let business management decide which users should be mobile since they're paying for it.

ADVISOR: Can you give me an example of how that decision-making process plays out?

NEWMAN: At a high level, it makes sense for a business user to have access to market data that isn't confidential--it's subscription based, but isn't necessarily private--or various types of non-proprietary information companies make available to all employees just by virtue of placing it on the corporate intranet. Certain kinds of directories or common services are good examples of this kind of data. Right now, it's better to focus on mobilizing
supporting data rather than confidential, transactional, or mission-critical data.

ADVISOR: How are other industries using wireless technologies, and what issues have they been encountering?

NEWMAN: Retailers are doing some interesting things with wireless. They're using wireless most commonly on the point-of-sale (POS) side. I assume a number of them are using it for inventory as well, but there's a clear driver at the register to use wireless technology to deliver information to back-end processing systems; inventory systems could also automatically key off those. However, there have been security issues with wireless POS. For example, when a well-known consumer electronics store started selling Wi-Fi technology to the masses, it ran into a problem with customers who were buying Wi-Fi cards. They'd leave the store and immediately want to test out their new gadget, sometimes not even making it out of the parking lot. They'd plug the cards into their laptops and start fiddling around and suddenly be associated to the store's wireless network. I'm sure not everybody took advantage of the unsecured network, but an unscrupulous user could use wireless sniffers to pick up purchase information going back and forth. The same thing happened to a large retail book store here in New York. It's located in midtown near where a computer group called 2600 meets. When the group started getting interested in wireless, in one issue of its magazine, 2600 published a list of all the books sold at that location during the course of one of their meetings. The store apparently had an open wireless POS system, and all the purchase information was readily available.

ADVISOR: When you say "all the purchase information," does that include credit card numbers and customer names?

NEWMAN: Potentially, in both cases--both the consumer electronics store and the book seller. By now, I'm sure those stores have taken steps to rectify that situation.

ADVISOR: Wi-Fi went mainstream pretty quickly, but it's sophisticated technology for the average user.

NEWMAN: Yes, Wi-Fi took off before most people knew the kinds of issues it would introduce. I've seen technology programs on TV that show owners of brand-new mobile equipment how to sniff for open networks they might be allowed to access. The problem, of course, is they might be connecting to someone else's network without even realizing it, connecting to a network they shouldn't, or have the opportunity to collect information crossing that network.

ADVISOR: Microsoft Windows XP makes this even easier by giving users an interface that lets them easily scan for open networks.

NEWMAN: Yes, it's one of the things that makes XP much easier to use. In previous versions of Windows, when you bought your wireless PCMCIA card, you had to install the client software from Cisco or Linksys--or whatever vendor you happened to be using--to configure and use it. XP built all that into the operating system, so you can take almost any wireless card you want, plug it into an XP machine, and just start using the networking applet in XP to completely manage a wireless connection. A window pops up to let you know what wireless networks are available, and which ones are encrypted or not encrypted. You just click on one of the unencrypted ones and you're part of that network.

ADVISOR: When you're using your Wi-Fi connection, have you noticed that many of the wireless networks out there are still unencrypted?

NEWMAN: I have an apartment in a large urban area with a number of high-rises around me. I use a very small portable--nothing nearly as powerful as a full-sized laptop, no external antenna--and I'm able to use NetStumbler to see wireless networks. NetStumbler is a very heavily downloaded wireless tool. It easily installs on Windows, and you don't have to do much to configure it. It acts just like a client and looks for an available connection, then finds every connection in range and gives you information about it. From my apartment, I took a sample in September 2002, then again in the spring of 2003, and saw a three-fold increase in the number of unencrypted networks. Some were home networks, and some were probably business networks. Someone with the same equipment would be able to connect to any one of them.

ADVISOR: So, rather than the trend being an increase in understanding of the technology and more people locking down their networks, the trend is a base increase in the number of wireless networks, and because people simply aren't protecting them, an increase in the number of unsecured networks.

NEWMAN: From everything I've experienced and read, I'd have to say that's correct. The volume is certainly out there, and all the product gurus are correct: Wi-Fi is exploding. But, as the volume increases, the percentage of properly configured environments isn't increasing. If you look at the statistics from the group that does the World Wide War Drives, you'll see the percentage of well-configured systems--enabling encryption and changing default properties such as network names--appears to be decreasing.
ADVISOR: Wi-Fi has taken a beating in the press for its lack of security, specifically weaknesses with Wired Equivalent Privacy (WEP), which is being replaced with WPA. But, how much of the problem should be attributed to weaknesses in Wi-Fi security, and how much is attributable to the fact that users aren't using any security on their networks?

NEWMAN: Things would be a lot better if everybody used 128-bit WEP. Certainly, WEP is flawed, but then again, I know only a handful of people who have taken the time to break it. Enterprises should not rely on WEP alone for security, but for home users, small businesses, and quick-and-dirty network setups, it may be fine. And, WPA corrects most of the flaws in WEP. Microsoft even has a Service Pack that adds WPA support into XP the way WEP is today. That could produce phenomenal improvements across the market as more vendors provide support. In many cases, just turning on WEP would be an improvement; and, WPA is a substantial improvement. The problem is many people don't know about WEP or WPA. Wi-Fi products are often put on the market with insecure default configurations. They're sold to be plug-and-play and easy to use. Whenever you do that, security is going to take a back seat. Wi-Fi products should be sold with either better configuration in place or clearer instructions and tools to help users make them secure. So, to answer your question, I put more of the blame on how the products are configured and sold, and not as much on the technology itself. If you take sophisticated technology and sell it like toasters, people are going to use it like toasters. They aren't going to be concerned about whether their toaster is secure; they just want it to do its job.

ADVISOR: What other dangers does Wi-Fi's ease of use introduce?

NEWMAN: If you're in a corporate environment, you might have a scenario where you have a user who has a piece of equipment that's Wi-Fi-enabled. Perhaps you've given him permission to access the access point, or maybe the user has a laptop that's Wi-Fi-enabled out-of-the-box. Either way, he's connected to your network. And, say someone outside your company sets up an access point with a stronger signal and the user's XP machine automatically associates to it. That laptop is now potentially bridging your internal network to somebody else's network.

ADVISOR: With Wi-Fi's ability to go through walls and its theoretical range of several hundred feet, that could happen fairly easily in a densely populated area or in an office building.

NEWMAN: Exactly.
I have seen wireless walks through some office buildings to scan for the presence of access points; in a lot of cases, you can't tell if an access point is in your building and belongs to you, or is across the street and belongs to somebody else.

ADVISOR: So, what happens when you scan a building for access points, you find one, and you're somehow able to determine it doesn't belong to you? What do you do? It isn't as if you can go next door and ask the neighboring company to shut down its wireless network.

NEWMAN: There's very little you can do. One option is to tell them you found an open access point, and that for their own protection, they should lock it down. Maybe they'll do something about it, maybe they won't. Maybe it's a public hotspot. The only thing you can do on your side is make sure your users' equipment is properly configured so that either wireless connectivity is disabled in areas where you don't want to make it available, or your users' machines can only talk to your access points with your WEP keys, and so forth. But, even that's a challenge because, if users want to take their laptop home at night, they're going to want it to talk to their wireless network at home.

ADVISOR: What is "information leakage"?

NEWMAN: That goes back to how people configure access points. I've seen a number of access points that use the company name and/or location as the SSID in the network name. That's like waving a flag, saying, "Hey, here's a big company, and here's exactly where it is." Not only do you want to get rid of the default network name, you want to have a network name that doesn't let someone scanning from blocks away know what kind of business you're doing and where you are.

ADVISOR: So far, we've discussed a lot of things people unknowingly do to make their networks vulnerable. What about intentional attacks that hackers might launch?

NEWMAN: The entree for those attacks is usually the accidental steps we've discussed. Maybe somebody's laptop associates with another network and acts as a bridge. Or, perhaps a user simply doesn't understand the risk and decides he wants wireless connectivity in his area or conference room. So, he just goes down to CompUSA, buys an access point, and plugs it into the wall. Everyone in the area can use it, and it's an open path to the network. Anybody on the outside with basic equipment can find that access point, discover that it's open, and simply connect to it. At that point, the attacker is on your network and can do anything he wants to do. He's gone by the firewalls, and bypassed any other measures you implemented to protect your network. After he's on your internal network, every other traditional attack applies, whether it's just looking for information, trying to bring down your system, or trying to produce transactions that weren't supposed to happen. Even if he can't associate to your network because you've implemented some level of security, he can try to collect unencrypted traffic and learn information without ever being connected. There have also been cases of potential spammers who have been identified driving around looking for open wireless networks. After they find one, they look for a mail server and use it to send spam. That makes you the source of someone else's spam, and everyone comes back and complains to you. It's unauthorized use of your services, denying your users the use of your services, getting you into trouble with other people, and potentially--depending on your industry, and depending on the legal direction the government continues to take--getting you into trouble with various regulators for not taking reasonable minimal steps to protect your assets.

ADVISOR: Let's talk about solutions, starting with usage policies. What policies should companies put in place regarding wireless usage, and how do they enforce them?

NEWMAN: As a starting point, an organization should already have a fundamental set of policies, standards, and guidelines from a technology point of view. If a company doesn't have that, it's well behind the curve and has a lot to do.
You need to set up policies, standards, and guidelines around when and how to use wireless technology, and how to configure it to integrate into existing technology. You must communicate this on a couple of different levels, so your users know what they should and shouldn't do, both at home and at work, what's appropriate use and what isn't, and what they should and shouldn't access. You also have to communicate to your technology people what they are and are not allowed to plug in, where they're supposed to plug in, and who needs access and who doesn't. There should be a high-level policy statement that demands only authorized, approved, standard Wi-Fi devices are allowed anywhere in your environment. You also need a standard that specifies a list of approved devices and the areas in which they can be deployed. There also has to be a guideline that defines exactly how the devices should be configured, the technology with which they must integrate, and what employees are approved to use them for what purpose. At a high level, that's probably a good starting point.

ADVISOR: In terms of standards for configuration, what categories of software do you recommend to protect wireless connections, access points, networks, and data on Wi-Fi-enabled laptops?

NEWMAN: My recommendation is multiple levels of protection for in-depth defense. For example, look at having multiple layers of encryption. You can use standard WEP encryption today between the client radio and the access point. But--because you realize WEP is flawed and want to be able to maintain a higher standard--you can use a VPN on top of that. WEP acts as a basic layer of encryption just above the hardware to assure the connection is secured as much as the technology permits. Then, at a higher level, you have a VPN providing stronger IPSEC user authentication and encryption. In terms of the overall environment, the best recommendation is to make sure access points aren't connected directly to the internal network. Instead, you should connect them to an external segment outside the firewall. That firewall can then filter based on what services are and aren't allowed. In conjunction with that firewall, you should have the traditional types of network controls that any organization must implement: up-to-date anti-virus software checking the traffic going back and forth, intrusion detection software looking for inappropriate activity, etc. Going back to the client side, the client itself should also have current anti-virus software. The client should have a personal firewall as well as some kind of encryption, either low-level encryption or file-level encryption. If the laptop is using Wi-Fi, the user could inadvertently roam to someone else's network, potentially giving them access to his system whether he's connected to the enterprise network or not. To sum up, these are the kinds of things you need on the client: anti-virus, personal firewall, and encryption, as well as VPN software to improve the level of encryption and authentication that basic Wi-Fi architecture provides. On the server side, all wireless communication should go through firewalls with rules to control the kind of traffic that's accessible. You also need intrusion detection, anti-virus at that level, and any other kinds of standard network controls your company is using. You should view traffic through this connection the same way you view external users coming from over the Internet: as untrusted.

ADVISOR: We've been focusing exclusively on Wi-Fi. What about mobile devices such as smartphones connecting through mobile phone carrier networks?

NEWMAN: That's a little more difficult. Most of those devices don't yet support the same range of protection--VPN, encryption, etc. I wouldn't let those types of devices connect directly to a corporate network without comparable controls. That's still a bit in the future for most companies.
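Several of the points above (the NetStumbler survey of unencrypted networks, the building walk that turns up access points you cannot attribute, SSIDs that leak the company name or location, and the standard that lists approved devices) come together in a site-survey audit. The following is an added example written for this page, not Newman's or the bank's own tooling. The scan listing is constructed for the example and does not follow NetStumbler's or any other tool's export format; the approved-AP list, the company-name keywords and the list of factory-default SSIDs are assumptions for the demo. It parses the scan, checks every access point seen against the approved list and the encryption/SSID rules, and produces the open-network count a repeated survey can be compared against.

```python
"""Wireless site-survey audit (added example, not the interviewee's code).

Flags access points that are unapproved, unencrypted, still carrying a
factory-default SSID, or naming the organization or its location in the SSID.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample scan (not a real tool's export format).
# Columns: bssid, ssid, encrypted (yes/no), channel, signal_dbm
SCAN_CSV = """bssid,ssid,encrypted,channel,signal_dbm
00:11:22:aa:bb:01,corpnet-3f,yes,1,-48
00:11:22:aa:bb:02,corpnet-3f,yes,6,-55
00:11:22:aa:bb:03,corpnet-3f,no,11,-60
de:ad:be:ef:00:01,linksys,no,6,-70
de:ad:be:ef:00:02,FirstBank-Broadway-HQ,yes,11,-66
de:ad:be:ef:00:03,CoffeeHotspot,no,1,-82
"""

# Policy inputs (assumed for the example): the standard's approved device list,
# words that would identify the company or its address, and common factory SSIDs.
APPROVED_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02", "00:11:22:aa:bb:03"}
ORG_KEYWORDS = ("firstbank", "broadway", "hq")
DEFAULT_SSIDS = {"linksys", "default", "netgear", "tsunami"}


@dataclass
class Finding:
    bssid: str
    ssid: str
    issue: str


def parse_scan(text):
    """Parse the CSV listing; 'encrypted' becomes a bool, 'signal_dbm' an int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["encrypted"] = row["encrypted"].strip().lower() == "yes"
        row["signal_dbm"] = int(row["signal_dbm"])
        rows.append(row)
    return rows


def audit(rows):
    """Apply the policy checks to each access point seen in the survey."""
    findings = []
    for r in rows:
        bssid, ssid = r["bssid"].lower(), r["ssid"]
        lowered = ssid.lower()
        if bssid in APPROVED_BSSIDS:
            # One of ours, but misconfigured: encryption must be on.
            if not r["encrypted"]:
                findings.append(Finding(bssid, ssid, "APPROVED_AP_OPEN"))
        else:
            # Unknown radio: rogue on our wire, or a neighbor's/public hotspot.
            findings.append(Finding(bssid, ssid, "UNAPPROVED_AP"))
            if not r["encrypted"]:
                findings.append(Finding(bssid, ssid, "OPEN_NETWORK"))
        if lowered in DEFAULT_SSIDS:
            findings.append(Finding(bssid, ssid, "DEFAULT_SSID"))
        if any(k in lowered for k in ORG_KEYWORDS):
            findings.append(Finding(bssid, ssid, "SSID_LEAKS_ORG"))
    return findings


def summarize(rows):
    """Counts to compare across surveys, as in the 2002 vs. 2003 samples."""
    total = len(rows)
    open_count = sum(1 for r in rows if not r["encrypted"])
    pct = round(100 * open_count / total) if total else 0
    return {"total": total, "open": open_count, "open_pct": pct}


if __name__ == "__main__":
    scan = parse_scan(SCAN_CSV)
    print(summarize(scan))
    for f in audit(scan):
        print(f"{f.issue:18} {f.bssid}  '{f.ssid}'")
```

An unapproved BSSID is not automatically a rogue on your network; as the interview notes, it may be across the street. The finding is the cue to locate the radio or, failing that, to notify its owner, while the APPROVED_AP_OPEN and SSID_LEAKS_ORG findings are the ones your own team can fix directly.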