The Science of Wireless

December 2008

The Science Behind Wireless

Understanding how mobile access works can help internal auditors enhance their organization's security efforts.

Nelson Gibbs, CIA, CISA, CISM, CISSP
Senior Manager
Deloitte & Touche Overseas Services LLC

While it may be difficult to imagine a world without Blackberries, iPhones, or the latest Bluetooth device, many IT departments are still playing catch-up in terms of security policies surrounding the use of wireless technologies and mobile devices in the workplace. In fact, according to a 2007 study by research firm Coleman Parkes, more than 60 percent of chief information officers interviewed report an increased use of company-supplied mobile devices. However, these organizations are having a hard time managing the use of these applications.

This article provides a high-level overview to help internal auditors understand the terminology, environment, and some of the potential areas of concern when performing an audit involving wireless technologies. It establishes a foundational background to assist in developing the deeper technical knowledge necessary to audit wireless environments.

HOW WIRELESS ACCESS WORKS

There are many ways to connect wirelessly to the Internet and its various business and personal networks — from using low-frequency radio waves and high-frequency microwaves to fixed and mobile deployments, such as satellite transceivers, infrared (IrDA), Bluetooth, 802.11 (Wi-Fi), 3G, and worldwide interoperability for microwave access (WiMax) technologies. While each of these methods has its own benefits, each also has its own weaknesses, associated protocols for transmitting data, and requirements for operation.

Mobile devices include laptops, smartphones, personal digital assistants (PDAs), cellular handsets, and other specialty electronic devices that can be used to transmit and receive data wirelessly. These devices use a variety of operating systems, from full-blown PC operating systems to customized, vendor-specific platforms. This dizzying array of devices and platforms, and their various configurations, is one of the reasons securing mobile devices is such a difficult task.

This diversity also increases complexity because each technology combination requires its own unique set of solutions. For example, an employee could use Bluetooth or IrDA to connect a laptop to his or her smartphone to:

Use dial-up to connect directly to a corporate analog modem.
Use "always-on" cellular transmission technology to gain Internet access to a corporate e-mail server.
Use an existing 802.11 hot spot connection to participate with co-workers in a Voice over Internet Protocol-based conference call.

Although each of these activities has a different set of risks and security solutions, they all traverse a variety of network types with different security risk levels. As a result, the more variation in devices and operating systems used in an organization, the more variety in configuration and application use and the higher the organization's risk.

WIRELESS SECURITY

Wireless access is frequently confused with remote access. Wireless access refers to when a user connects a device to a local network access point (e.g., in an airport lounge) without physically plugging into the network. Remote access involves connecting over the Internet — rather than locally — to a corporate network. A wireless connection can be used to gain remote access.

Wireless connectivity also is used to link local area networks, as in the case of two corporate buildings in the same city linked by microwave dishes, or networks in different cities or continents that connect via satellite. Because wireless communication is a broadcast medium, anyone within range of the transmitting device can access the data transmission stream. As a result, organizations can face many risks that the various connectivity methods and application activities have in common, as well as unique risks for each type. Potential risks include legal, regulatory, compliance, reputational, intellectual property, competitive, and operational concerns. Some common risks include:

Eavesdropping — the unauthorized interception and viewing of communications, also called "sniffing."
Impersonating — assuming the identity or copying the account and characteristics of an authorized user or device, also called "spoofing."
Rogue or spoofed access points — the deployment of network connection devices intended to fool legitimate users into using the device for access to view and control traffic or to gain unauthorized access to a network.
Cracking — the unauthorized access and use of a network or control of a device for malicious purposes.
Denial-of-service (DoS) — the prevention of access by authorized users to a network resource, typically resulting from overwhelming or consuming all available device capacity.

An online search for each technology or device will produce numerous lists of weaknesses, mitigating controls, and audit considerations. One of the most significant risks is the visibility of data as it traverses networks. For example, the common 802.11 encryption schemes — wired equivalency privacy (WEP), Wi-Fi protected access (WPA), and Wi-Fi protected access v.2 (WPA2) — protect the link between a user and the wireless access point (WAP), but not across subsequent network segments on the Internet between the WAP and the connection's end point. For this protection, users need additional security measures, such as a virtual private network (VPN), that are capable of providing end-to-end encryption of a communications session.

CONDUCTING AN AUDIT

Although a wealth of free guidance and audit work programs addresses current wireless technologies, no single source has a tool set that is entirely relevant to a specific environment because of the complexity and diversity of today's wireless landscape. Therefore, all risk assessment templates, automated tools and scripts, work programs, and related audit tools should be vetted thoroughly against the organization's IT environment to ensure they are current, comprehensive, and relevant. Some questions auditors should ask during the vetting process include:

How well does the template mirror corporate policy and requirements?
What environment-specific elements need to be added to address the organization's specific risk profile fully?
Are the recommendations and requirements contained in the guidance realistic for the organization?

It may be necessary for internal auditors to coordinate closely with both technology and business unit managers to understand the organization's concerns and capabilities. Such consultations can give auditors a more thorough picture of the various technology interdependencies for wireless access support and business functions.

Some industry-recognized practices common to all access methodologies and uses, as well as items that could be included in any wireless audit work program, include:

Ensuring there are well-documented, clearly communicated, and up-to-date policies and procedures to help mobile users and support staff understand corporate expectations and requirements.
Ensuring the latest software patches and updates are applied to mobile devices — preferably automatically — and default vendor settings have been modified as guided by corporate policy, which in turn should be an element of a comprehensive software development life cycle process.
Making sure all mobile devices use antivirus, anti-spyware, and personal firewall protections.
Managing all mobile devices from a central, enterprisewide console.
Prohibiting and monitoring for unauthorized waps and connections.
Using policy management tools to ensure that mobile devices comply with corporate policies.
Encrypting and authenticating all connections, both users to waps and waps to users.
Encrypting communication sessions via a VPN or secure sockets layer to protect data in transit.
Using full media encryption (i.e., of hard disks, secure digital cards, and universal serial bus drives) or encrypting file systems to protect data at rest.
Hardening operating systems and waps based on recognized standards, such as those published by the U.S. National Institute of Standards and Technology and industry organizations, or vendor-specific security recommendations.
Terminating all inbound wireless and remote access connections in a restricted and secured subnetwork for additional inspection and monitoring.
Considering the purchase and distribution of mobile devices to employees to minimize support requirements and retain corporate ownership and control, similar to procedures used for laptops and desktops.

Finally, if the number of technologies used in the organization is too large to manage in a single audit, a useful approach is to conduct several smaller technology-specific audits. If this is the case, auditors need to make sure enough time is available to perform each review. This will enable them to understand and evaluate the environment fully before moving on to the next audit.

MANY RISKS AND SOLUTIONS

As they develop their wireless audit plan, internal auditors may be surprised by the proliferation and diversity of devices and solutions. Therefore, it is important that auditors understand the underlying technologies used and the business needs they meet to assess the technology's inherent risks, evaluate established controls, and develop appropriate recommendations for improvement.

Nelson Gibbs, CIA, CISA, CISM, CISSP, is a senior manager with Deloitte & Touche Overseas Services LLC on assignment in Hyderabad, India.

To comment on this article, e-mail the author at nelson.gibbs@theiia.org.

Share This Article:

Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.

To make something bold:
<strong>Text to bold</strong>

To make something italic:
<em>Text to italicize</em>

To make a hyperlink:
<a href="URL">Text to link</a>