control, and governance
The Science Behind Wireless
Understanding how mobile access works can help internal auditors enhance their organization's security efforts.
Nelson Gibbs, CIA, CISA, CISM, CISSP
Deloitte & Touche Overseas Services LLC
While it may be difficult to imagine a world without Blackberries, iPhones, or the latest Bluetooth device, many IT departments are still playing catch-up in terms of security policies surrounding the use of wireless technologies and mobile devices in the workplace. In fact, according to a 2007 study by research firm Coleman Parkes, more than 60 percent of chief information officers interviewed report an increased use of company-supplied mobile devices. However, these organizations are having a hard time managing the use of these applications.
This article provides a high-level overview to help internal auditors understand the terminology, environment, and some of the potential areas of concern when performing an audit involving wireless technologies. It establishes a foundational background to assist in developing the deeper technical knowledge necessary to audit wireless environments.
HOW WIRELESS ACCESS WORKS
There are many ways to connect wirelessly to the Internet and its various business and personal networks — from using low-frequency radio waves and high-frequency microwaves to fixed and mobile deployments, such as satellite transceivers, infrared (IrDA), Bluetooth, 802.11 (Wi-Fi), 3G, and worldwide interoperability for microwave access (WiMax) technologies. While each of these methods has its own benefits, each also has its own weaknesses, associated protocols for transmitting data, and requirements for operation.
Mobile devices include laptops, smartphones, personal digital assistants (PDAs), cellular handsets, and other specialty electronic devices that can be used to transmit and receive data wirelessly. These devices use a variety of operating systems, from full-blown PC operating systems to customized, vendor-specific platforms. This dizzying array of devices and platforms, and their various configurations, is one of the reasons securing mobile devices is such a difficult task.
This diversity also increases complexity because each technology combination requires its own unique set of solutions. For example, an employee could use Bluetooth or IrDA to connect a laptop to his or her smartphone to:
Although each of these activities has a different set of risks and security solutions, they all traverse a variety of network types with different security risk levels. As a result, the more variation in devices and operating systems used in an organization, the more variety in configuration and application use and the higher the organization's risk.
Wireless access is frequently confused with remote access. Wireless access refers to when a user connects a device to a local network access point (e.g., in an airport lounge) without physically plugging into the network. Remote access involves connecting over the Internet — rather than locally — to a corporate network. A wireless connection can be used to gain remote access.
Wireless connectivity also is used to link local area networks, as in the case of two corporate buildings in the same city linked by microwave dishes, or networks in different cities or continents that connect via satellite. Because wireless communication is a broadcast medium, anyone within range of the transmitting device can access the data transmission stream. As a result, organizations can face many risks that the various connectivity methods and application activities have in common, as well as unique risks for each type. Potential risks include legal, regulatory, compliance, reputational, intellectual property, competitive, and operational concerns. Some common risks include:
An online search for each technology or device will produce numerous lists of weaknesses, mitigating controls, and audit considerations. One of the most significant risks is the visibility of data as it traverses networks. For example, the common 802.11 encryption schemes — wired equivalency privacy (WEP), Wi-Fi protected access (WPA), and Wi-Fi protected access v.2 (WPA2) — protect the link between a user and the wireless access point (WAP), but not across subsequent network segments on the Internet between the WAP and the connection's end point. For this protection, users need additional security measures, such as a virtual private network (VPN), that are capable of providing end-to-end encryption of a communications session.
CONDUCTING AN AUDIT
Although a wealth of free guidance and audit work programs addresses current wireless technologies, no single source has a tool set that is entirely relevant to a specific environment because of the complexity and diversity of today's wireless landscape. Therefore, all risk assessment templates, automated tools and scripts, work programs, and related audit tools should be vetted thoroughly against the organization's IT environment to ensure they are current, comprehensive, and relevant. Some questions auditors should ask during the vetting process include:
It may be necessary for internal auditors to coordinate closely with both technology and business unit managers to understand the organization's concerns and capabilities. Such consultations can give auditors a more thorough picture of the various technology interdependencies for wireless access support and business functions.
Some industry-recognized practices common to all access methodologies and uses, as well as items that could be included in any wireless audit work program, include:
Finally, if the number of technologies used in the organization is too large to manage in a single audit, a useful approach is to conduct several smaller technology-specific audits. If this is the case, auditors need to make sure enough time is available to perform each review. This will enable them to understand and evaluate the environment fully before moving on to the next audit.
MANY RISKS AND SOLUTIONS
As they develop their wireless audit plan, internal auditors may be surprised by the proliferation and diversity of devices and solutions. Therefore, it is important that auditors understand the underlying technologies used and the business needs they meet to assess the technology's inherent risks, evaluate established controls, and develop appropriate recommendations for improvement.
Nelson Gibbs, CIA, CISA, CISM, CISSP, is a senior manager with Deloitte & Touche Overseas Services LLC on assignment in Hyderabad, India.
To comment on this article, e-mail the author at firstname.lastname@example.org.
COMMENT ON THIS ARTICLE
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.