Copyright 2006 ISACA. All rights reserved. www.isaca.org.

Risks and Risk Control of Wi-Fi Network Systems
By Hui Du, Ph.D., and Chen Zhang, Ph.D.
Wi-Fi wireless network systems are growing rapidly
because they are easily deployed and provide convenient
network access to users. Currently, the most widely deployed
wireless networks follow the Institute of Electrical and
Electronics Engineers (IEEE) 802.11b/g standard, known as
Wireless Fidelity (Wi-Fi). Wi-Fi wireless Ethernets provide network access to
business facilities and public areas without wiring and enable
ubiquitous access to networks from mobile devices such as
notebook and handheld computers. However, due to the widely
reported security weakness of the 802.11 networks, businesses
also face tremendous risks associated with the Wi-Fi networks.
This article identifies the risks associated with using Wi-Fi
networks, introduces available technologies to reduce and
control the Wi-Fi network risks, and discusses necessary
security policies for organizations when applying wireless
technologies. These are also the areas that information
technology (IT) auditors should pay attention to when they
audit organizations' Wi-Fi networks. IT auditors can also use
this information when they evaluate the reliability, security,
and integrity of organizations' computer systems.

Introduction
The next generation of the computer network revolution is
expected to be "Ethernet Everywhere."[1] Different versions of
Ethernet have been rapidly accepted as the network solutions
for all geographical locations and scales. In addition to the
common practice of many organizations to apply Ethernets on
local area networks (LANs) and backbone networks (BNs), the
trend also includes gigabit Ethernets for metropolitan area
networks/wide area networks (MANs/WANs) and 802.11
wireless Ethernets (Wi-Fi) for LANs, home office/small office
(Ho/So) and public areas known as hotspots. Through the
mixture of wired and wireless interconnections, these
individual hotspots can be further extended into a MAN/WAN
mesh network. Examples include the M-city projects in Taipei
by Nortel.[2]
Wi-Fi networks have become pervasive in recent years
because the costs of Wi-Fi access points and network interface
cards (NICs) are more affordable for businesses and home
users, and the installation of Wi-Fi networks has become as
simple as so-called plug-and-play. Many businesses have
already developed their own wireless LANs (WLANs) based
on Wi-Fi technology. Hotspots in public areas also provide
Internet accessibility. However, when business users transmit
sensitive information (e.g., unencrypted e-mails or remote
corporate Intranet access) over an insufficiently secured Wi-Fi
connection, the users are exposed to multiple types of
information attacks.
JOURNALONLINE

It is important to identify the risks businesses are exposed
to when applying Wi-Fi networks and understand the available
technologies to control and reduce their risks.

Wi-Fi Networks Overview


The most widely used standard for WLANs is the IEEE
802.11b/g, known to many people as Wi-Fi. This standard was
developed by the IEEE, which is the largest international
professional association and standard-setting organization in
the electric and electronic area. Its standard-setting tasks are
carried out by many concurrent working groups, such as the
802.11 working group,[3] which is responsible for WLANs
standard-setting and has been drawing intense attention from
the industry. Wi-Fi Alliance[4] is a nonprofit group involved in
the interoperability of industrial WLAN product vendors. It
was established in 1999 and issues product certifications for
its members. In January 2003, Wi-Fi Alliance also started the
certification of hotspots (known as Wi-Fi zones) to provide
802.11b/g WLANs access in public areas such as hotels
and airports.
The modulation process converts the digital signals of 1s and
0s into signals of certain frequency ranges known as channels.
Then radio spectrum is used to transmit data in WLANs.
WLANs were standardized by 802.11b in 1999 and the
high-speed extension by 802.11g in 2003. Both networks
use radio frequency (RF) channels in the US Federal
Communications Commission (FCC) license-free 2.4 GHz
Industrial/Scientific/Medical (ISM) band. Until the recent
booming of Wi-Fi technology and other similar innovative
technologies including WiMax, Mobile-Fi, ZigBee,
Ultrawideband and Bluetooth devices, these radio frequencies
were used only by microwave ovens, some medical equipment
and cellular phones. Wi-Fi networks operate in one of
two modes. One is called infrastructure mode, which is
a centralized architecture with access point (AP) and
Wi-Fi-ready client computers; the other is called ad hoc mode,
which is a peer-to-peer architecture with only Wi-Fi-ready client
computers. Through the interoperation of the ad hoc and
infrastructure modes, as well as the wired and wireless
interconnections of wireless routers and access points, a mesh
Wi-Fi network can be constructed to cover a MAN/WAN range.
Figure 1 illustrates the infrastructure and ad hoc Wi-Fi networks
and figure 2 is an example of a Wi-Fi mesh network model.

[Figure 1: Infrastructure and Ad Hoc Wi-Fi Network. Panels: Ad Hoc Mode; Infrastructure Mode. Labels: Client A, Client B, Client C, Access Point.]

[Figure 2: Wi-Fi Mesh Network. Labels: Internet, Access Points, Wireless Routers, Client Devices.]

Wi-Fi networks will continue to grow because of their
advantages in comparison with the wired networks. One recent
survey shows 57 percent of US companies already support
802.11 networks, with an additional 22 percent planning to
implement and support this technology in the next 12 months.[5]
WLANs can save money on expensive cables and wiring
processes while providing high mobility and this advantage
becomes more significant as the network scale grows larger.
The mobility increases the flexibility of obtaining and
communicating business information, facilitates information
and business processes, and improves management decision
making. A study of Intel IT and E-business Group[6] shows that
an average of 11 minutes productivity gain per week will pay
for a WLAN and most WLAN users will gain much more
productivity.
However, the gain of productivity should not compromise
the baseline of the network and information security. Security
weaknesses and risks in wireless networks become the biggest
concern and obstacle among the businesses and users of
existing and planned Wi-Fi networks. Auditors, especially IT
auditors, who are the professionals responsible for ensuring
information systems' reliability, security and integrity, should be
aware of the risks in the Wi-Fi networks and be familiar with the
technologies to secure Wi-Fi network communications.

Wi-Fi Vulnerabilities and Risks


The unique security issue in Wi-Fi networks is that data is
transmitted not over physical wires but through radio waves
in open space. Therefore, IT auditors should pay special
attention to the areas described in the following sections.
Unauthorized Use of Service
In wired Ethernet LANs, the LAN cables and other network
equipment are secured behind walls and in closets. Tapping
into a physical network to breach the system from inside a
company is usually difficult. Furthermore, proper installation
of firewalls and intrusion detection servers can construct a
fairly safe internal network even though the LANs are
eventually interconnected with the Internet. Deploying a
Wi-Fi network is as easy as purchasing an AP in a local
electronic store or on the Internet to connect to the existing
wired network. If an organization simply keeps vendors'
default settings when deploying a Wi-Fi network in an area,
data transmitted over radio waves can be captured by any
Wi-Fi-ready devices in the area. As a result, the network scope
is no longer encompassed by the building walls and can be
accessed by war drivers. War drivers use high-gain antennae
and software to log the existence of vulnerable Wi-Fi networks
and map their geographic locations using global positioning
systems (GPS). Some of these maps are posted on hackers'
web sites for downloading.[7]
After an organization has replaced its wired Ethernet LAN
with a Wi-Fi network installation, IT auditors should check all
AP settings to make sure that they have authentication and
encryption protections. Nearly all APs are set by default to not
have any authentication and encryption protection or to use the
manufacturer's default password for Wireless Equivalent
Privacy (WEP) for easy use and rapid deployment.[8] When the
AP is installed by default and without the minimum protection,
the AP can be accessed by any Wi-Fi-ready computers with
virtually no effort. Through unprotected APs, unauthorized
users can gain access to the Wi-Fi network and to all data
packets transmitted over the LAN. If the packets are not
encrypted, unauthorized users can easily read the information
transmitted over the LAN. When IT auditors detect wireless
AP settings without proper authentication and encryption
protections, they need to identify a two-fold risk:
1. Unauthorized users consume Wi-Fi network resources for
free and may interfere with normal network traffic.
2. They may also pose a threat to data security for
unencrypted data.
Another type of protection against war drivers is to apply
the media access control (MAC) filter protection. MAC filter
protection is based on constructing a table of legal users' NIC
hardware (MAC) addresses to filter out illegal users. IT
auditors need to be aware that this protection can be bypassed
by spoofing the Wi-Fi data packets. This is further discussed in
the "Frame Spoofing" section.
WEP Crack
The authentication and encryption protection specified by
the original 802.11 standard is WEP. As mentioned in the
previous section, out of the box nearly all APs either leave
this security tool inactive or set it to use a fixed default key
for a specific vendor's products. Therefore, IT auditors need to
check that the WEP keys are properly set manually so that the
security tool can reach 128-bit high encryption and the key
cannot be recovered by brute-force attacks. However, IT
auditors also need to be aware that WEP has a well-known
security flaw in its key scheduling algorithm that makes it
susceptible to a WEP crack attack. This weakness has been
revealed and a cracking algorithm is available.[9] Moreover, this
algorithm has been implemented in downloadable tools such as
WEPCrack and AirSnort.[10] The process is based on collecting
and analyzing enough frames to recover the encryption key.
Although such a crack might take days on a home or small
business WLAN where traffic is light, it can be accomplished
in a matter of hours on a busy corporate network.[11] Therefore,
IT auditors must be aware that even when properly set, WEP
encryption is not sufficiently secure.

Frame Spoofing
A frame spoofing attack is a common attack to wired
and wireless networks. In the wireless world, frame
spoofing attacks can take the form of session hijacking and
man-in-the-middle (MITM) attacks.
A Wi-Fi frame is the data packet with structure specified by
802.11 protocols. Every frame sent on Wi-Fi networks has a
source and a destination address. However, these source
addresses are not encrypted and authenticated under WEP,
which means there is no guarantee that the station with the
source address actually put the frame in the air and therefore
can be spoofed.
An easier type of session hijacking attack uses frame
spoofing to impersonate a legal user of an organization's
network and throttle the communication of the actual user.
Since the legal user will immediately observe the interruption
of communication, it is relatively easy to detect. A more
sophisticated session hijacker can use spoofed frames to
redirect traffic and corrupt address tables in the AP and client
computers.[12] The attacker can also pretend to be an
AP to the client and a client to the AP and launch a MITM
attack, described in figure 3. The MITM can intercept and
alter the message between the client and the AP, but
this type of attack needs very sophisticated
spoofing techniques.

[Figure 3: Man-in-the-Middle Attack. Labels: Typically 802.3 LAN, Access Point, Authentication Server, Attacker, Supplicant.]

IT auditors should require that new security
standards, such as Wi-Fi Protected Access
(WPA), be in place to address the interception
of data. In addition, an intrusion detection
system should be installed as a second line of
protection to detect abnormal operations.
Traffic Analysis
Another weakness of WEP is that it not only leaves the
frame headers unprotected, but also leaves the control frames
not encrypted and authenticated. This allows the attackers a
large space to eavesdrop and analyze the traffic and to disrupt
the transmissions with spoofed control frames. Tools such as
AirJack[13] can forge control frames. This tool can also spoof
data frame addresses and fake APs.
Although sniffing the Wi-Fi control frames is a relatively
passive attack, sensitive network setting information revealed
by it can be used to assist with all attack types mentioned
previously. Forging control frames can cause the disruption of
wireless network service. For example, one type of denial-of-
service (DoS) attack functions by forging a control frame,
called deauthentication, to cause users under attack to be
unable to connect to the AP.[14] Other types of DoS attacks will
be addressed separately in another section because of their
different nature.
To prevent these types of attacks from abusing the Wi-Fi
control frames, advanced cryptographic infrastructures such as
WPA must be applied. Please note that unlike the DoS placed
by the forging of control frames, multiple types of lower-level
DoS attacks are beyond what can be addressed by advanced
cryptography. An overview of these DoS attacks will be
discussed in the next section.
Denial of Service (Jamming)
A DoS attack is one wherein an attacker attempts to disable
the target network from serving its legitimate users.[15] Multiple
types of attack can be performed by emitting RF signals that
do not follow the underlying Wi-Fi MAC
protocol.[16] They are also often referred to as
jamming attacks.
Physical DoS attacks can be less sophisticated
but highly threatening, although not very
common. A deliberate jamming attack is to set
up a transmitter to operate on the same 2.4 GHz
band and that has enough power to overwhelm
the access point's signals. For instance, a
deliberately modified microwave oven can
spread radio waves covering the complete bandwidth with
overwhelming power.
The jamming adversary (i.e., jammer) can use multiple
models to attack:
A constant jammer continuously emits a random radio
signal. This will prevent legitimate users from accessing a
channel and sending packets. The source of a constant
jammer can be relatively easy to detect, since its signal does
not have a packet structure.
A deceptive jammer constantly injects regular packets
instead of random radio signals. As a result, a legitimate user
will be deceived into remaining in the receiving state and,
therefore, cannot start transmission.
A reactive jammer can be even harder to detect by staying
quiet when the network communication is idle but starting
jamming as soon as it senses network activity.
The uniqueness of these DoS attacks lies in the fact that they
cannot be addressed sufficiently by simply applying appropriate
cryptography, such as WPA, since they do not follow the
underlying Wi-Fi physical and MAC protocol. To minimize the
physical DoS attack, IT auditors should perform a site survey of
radio interference before the design and deployment of a Wi-Fi
network and conduct periodic resurveys to locate sources of
interference, either accidental or deliberate. To detect and locate
jammers so that they can be removed, some suggest comparing
multiple measurements with those from the normally operating
wireless network, which serve as benchmarks for jamming attacks.[17]
These measurements include signal strength, carrier sensing
time (the time for a node to obtain access to a channel) and
packet delivery ratio (rate of successful delivery). To further
locate the jammer, a wireless network with multiple APs/nodes
can use the measurements from all nodes and check the
consistency of these measurements to identify the jammed
region and estimate the jammer's location. Enterprise
network administration tools such as CiscoWorks2000[18] can be
used to facilitate these analyses.
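
The benchmark comparison and cross-node consistency check described above can be sketched as follows. This is an added example, not code from the article or from any monitoring product; the node names, positions, readings, thresholds and the weighted-centroid location estimate are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Reading:
    rssi_dbm: float  # signal strength seen by the node
    sense_ms: float  # carrier sensing time: wait until the channel is free
    pdr: float       # packet delivery ratio, 0.0 to 1.0


# Constructed benchmark log per node, taken during normal operation.
BASELINE = {
    "ap-lobby": [Reading(-62, 1.1, 0.97), Reading(-60, 1.3, 0.96), Reading(-63, 1.0, 0.98)],
    "ap-floor2": [Reading(-58, 1.0, 0.98), Reading(-57, 1.2, 0.97), Reading(-59, 1.1, 0.98)],
    "ap-floor3": [Reading(-60, 1.2, 0.96), Reading(-61, 1.0, 0.97), Reading(-59, 1.1, 0.97)],
    "ap-annex": [Reading(-64, 1.3, 0.95), Reading(-65, 1.2, 0.96), Reading(-63, 1.4, 0.95)],
}
# Constructed node positions in metres on the floor plan.
POSITIONS = {"ap-lobby": (0, 0), "ap-floor2": (30, 0),
             "ap-floor3": (30, 20), "ap-annex": (80, 40)}
# Constructed readings for the monitoring interval under review.
CURRENT = {
    "ap-lobby": Reading(-61, 1.2, 0.96),
    "ap-floor2": Reading(-41, 9.5, 0.12),   # channel never idle, delivery collapsed
    "ap-floor3": Reading(-47, 1.2, 0.35),   # idle channel looks fine, delivery collapsed
    "ap-annex": Reading(-82, 1.3, 0.40),    # delivery collapsed, but signal is weak too
}

K = 3.0  # alert when a metric is K spreads away from its benchmark mean
MIN_SPREAD = {"rssi_dbm": 3.0, "sense_ms": 0.5, "pdr": 0.05}  # guards against zero spread


def benchmark(readings):
    """Return {metric: (mean, spread)} from one node's normal-operation log."""
    out = {}
    for metric, floor in MIN_SPREAD.items():
        values = [getattr(r, metric) for r in readings]
        out[metric] = (mean(values), max(pstdev(values), floor))
    return out


def classify(now, bench):
    """Compare one reading with its benchmark and check the metrics for consistency."""
    m_rssi, s_rssi = bench["rssi_dbm"]
    m_sense, s_sense = bench["sense_ms"]
    m_pdr, s_pdr = bench["pdr"]
    low_pdr = now.pdr < m_pdr - K * s_pdr
    slow_sense = now.sense_ms > m_sense + K * s_sense
    weak_signal = now.rssi_dbm < m_rssi - K * s_rssi
    if not (low_pdr or slow_sense):
        return "normal"
    # Poor delivery together with a weak signal is consistent with bad coverage.
    if weak_signal and not slow_sense:
        return "weak-link"
    # Poor delivery despite a strong signal, or a channel that is never free,
    # is inconsistent with normal operation.
    return "jamming-suspected"


def survey(current=CURRENT, baseline=BASELINE):
    return {node: classify(now, benchmark(baseline[node])) for node, now in current.items()}


def jammed_region(verdicts):
    return sorted(node for node, v in verdicts.items() if v == "jamming-suspected")


def estimate_jammer(region, current=CURRENT, baseline=BASELINE, positions=POSITIONS):
    """Rough estimate: centroid of jammed nodes, weighted by signal rise in dB."""
    if not region:
        return None
    weights = {}
    for node in region:
        rise = current[node].rssi_dbm - mean(r.rssi_dbm for r in baseline[node])
        weights[node] = max(rise, 1.0)
    total = sum(weights.values())
    x = sum(positions[n][0] * w for n, w in weights.items()) / total
    y = sum(positions[n][1] * w for n, w in weights.items()) / total
    return (x, y)


if __name__ == "__main__":
    verdicts = survey()
    print(verdicts)
    print(jammed_region(verdicts), estimate_jammer(jammed_region(verdicts)))
```

The ap-floor3 case matches the reactive jammer model: carrier sensing time stays at its benchmark, so only the mismatch between signal strength and packet delivery ratio exposes it.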
These five types of vulnerabilities of the current Wi-Fi
networks may threaten the organization's information security.
IT auditors may identify the following major risks; some are
unique to the Wi-Fi networks and some are found in any
networks including Wi-Fi networks:
1) Interception of user ID and password: Unencrypted or
cracked Wi-Fi communication exposes logon operations and
breaches user ID and password, which are used to access
sensitive information of an organization.
2) Interception of data: When unencrypted or cracked Wi-Fi
communication is eavesdropped, sensitive data can be
breached by the attacker.
3) Corruption of data integrity: Advanced attacks based on
the previous two risks along with frame spoofing can further
corrupt the data integrity, damaging organizations' database
systems and information processes.
4) Disruption of network communication: DoS attacks
directly disrupt the Wi-Fi network communication. Now that
organizations heavily rely on network communications, even
the shortest disruption can mean significant financial losses.

Technologies to Secure Wi-Fi Network Communications
Although 802.11i was ratified by IEEE in June
2004,[19] implementation of the complete standard
requires new hardware, including a dedicated chip
to handle the encryption and decryption using
Advanced Encryption Standard (AES). This will cause a
significant latency in vendor implementation and upgrades of
current Wi-Fi networks. The robustness of the standard will also face
the real-world application test. Before that time, security
technologies applied on network communications in general and
the Wi-Fi networks specifically must be combined to ensure the
security of Wi-Fi network communications.
Many security technologies can be applied to the Wi-Fi
networks for authentication and encryption purposes. These
technologies include, but are not limited to, a virtual private
network (VPN) based on Secure Sockets Layer (SSL) or
IP Security (IPSec). SSL is implemented over the network
application layer by negotiating encryption techniques and
exchanging keys automatically. SSL is widely used on the web
for securing transmissions of credit card information and has
been proven to be secure through extensive applications. SSL
only requires implementation on the two communication end
parties and, therefore, can be completely software-based. IPSec
is similar to SSL in key exchanges but functions at a lower
level and, therefore, requires the routers to construct VPN.
Once implemented on the routers, possibly using encryption
hardware, it is more efficient and uniformly protects all traffic
between the two communication parties. IT auditors should
suggest the use of VPN technology when advanced encryption
over Wi-Fi, such as WPA, is not practical for an organization's
WLANs and remote access.
WPA is based on the draft of 802.11i. WPA provides the
most sophisticated rapid rekeying technology of Temporal Key
Integrity Protocol (TKIP).[20] In addition, WPA adds Message
Integrity Code (MIC), which is a cryptographic checksum to a
packet before encryption to construct a strong protection
against frame spoofing. WPA has taken the major components
of the draft of 802.11i and has the capability of protecting
against session hijacking and MITM attacks. Hence, WPA has
addressed almost all known WEP weaknesses. Another
strength of WPA includes the fact that hotspots in public areas
can also benefit from this enhanced security technology.[21]
Microsoft released the WPA patch for Windows XP in
March 2003.[22] Although the security features in WPA are
highly regarded, WPA for the rest of the operating systems is
not yet available. WPA-compatible Wi-Fi hardware including
NICs and APs and firmware upgrades are still making their
way to the market.[23] It may take several years, therefore, for the
completion of the hardware and software upgrades of the
existing Wi-Fi networks to be able to fully adopt this new
security technology. Meanwhile, even if we trust that the
complete application of 802.11i will be able to remove all
WLAN security threats in the future, for the time being
business users must understand and manage the risks of
applying Wi-Fi networks in business communications.
For the authentication (i.e., access control) in a wireless
network and user account management, IEEE 802.1x has been
proven in practice to be a reliable method of authenticating
users to wired and wireless networks. Figure 4 demonstrates a
wired/wireless LAN applying IEEE 802.1x authentication. The
process of a new wireless user's authentication includes these
major steps:
When a new wireless user requests access to a LAN resource,
the AP asks for the user's identity. The user who requests
authentication is often called supplicant. The supplicant is
responsible for responding to authenticator data that will
establish its credentials.
After the identity has been sent, the authentication process
begins. The protocol used between the supplicant and the
authenticator is Extensible Authentication Protocol (EAP). The
authenticator reencapsulates the EAP messages in Remote
Authentication Dial-In User Service (RADIUS) format, and
passes them to the RADIUS authentication server.
During authentication, the authenticator just relays packets
between the supplicant and the authentication server. When
the authentication process finishes, the authentication server
sends a success message (or failure, if the authentication
failed). The authenticator then opens the port for the
supplicant upon success and the supplicant is granted access
to other LAN resources/Internet. Figure 4 shows that a
wireless node must be authenticated before it can gain access
to other LAN resources.
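
The exchange in the steps above, with all three roles and the controlled port, as an added example that is not from the article or from any 802.1x product. Messages are modelled as dictionaries rather than wire formats, and the challenge step (the `proof` helper and the "Challenge" type) is a hypothetical stand-in for whichever EAP method a deployment negotiates.

```python
import hashlib
import hmac
import secrets


def proof(password, challenge):
    """Stand-in credential proof (assumption): keyed hash of the server's challenge."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


class AuthenticationServer:
    """RADIUS role (AS): the only party that holds the user database."""

    def __init__(self, users):
        self.users = users
        self.pending = {}  # session id -> (identity, challenge)

    def handle(self, request):
        if request["code"] != "Access-Request":
            raise ValueError("authentication server only accepts Access-Request")
        eap, session = request["eap"], request["session"]
        if eap["type"] == "Identity":
            # Always challenge, even for unknown identities, so that the
            # reply does not reveal which user names exist.
            challenge = secrets.token_bytes(16)
            self.pending[session] = (eap["data"], challenge)
            return {"code": "Access-Challenge",
                    "eap": {"code": "Request", "type": "Challenge", "data": challenge}}
        identity, challenge = self.pending.pop(session, (None, b""))
        password = self.users.get(identity)
        ok = password is not None and hmac.compare_digest(
            proof(password, challenge), eap["data"])
        return {"code": "Access-Accept" if ok else "Access-Reject",
                "eap": {"code": "Success" if ok else "Failure"}}


class Authenticator:
    """AP role: relays EAP inside RADIUS and opens the port per station."""

    def __init__(self, server):
        self.server = server
        self.authorized = set()  # MAC addresses whose port is open
        self.trace = []

    def request_identity(self, mac):
        self.trace.append("AP->WN EAP-Request/Identity")
        return {"code": "Request", "type": "Identity"}

    def relay(self, mac, eap_response):
        """Re-encapsulate the supplicant's EAP message and pass it to the AS."""
        self.trace.append("WN->AP EAP-Response/" + eap_response["type"])
        self.trace.append("AP->AS RADIUS Access-Request")
        reply = self.server.handle(
            {"code": "Access-Request", "session": mac, "eap": eap_response})
        self.trace.append("AS->AP RADIUS " + reply["code"])
        if reply["code"] == "Access-Accept":
            self.authorized.add(mac)
        elif reply["code"] == "Access-Reject":
            self.authorized.discard(mac)
        eap = reply["eap"]
        self.trace.append(
            "AP->WN EAP-" + eap["code"] + ("/" + eap["type"] if "type" in eap else ""))
        return eap

    def forward(self, mac, frame):
        """Data frames reach the LAN only through an authorized port."""
        return frame if mac in self.authorized else None


class Supplicant:
    """Wireless node (WN) requesting access."""

    def __init__(self, mac, identity, password):
        self.mac, self.identity, self.password = mac, identity, password

    def respond(self, eap_request):
        if eap_request["type"] == "Identity":
            return {"code": "Response", "type": "Identity", "data": self.identity}
        return {"code": "Response", "type": "Challenge",
                "data": proof(self.password, eap_request["data"])}


def authenticate(supplicant, ap):
    """Run the exchange until the AS answers with success or failure."""
    eap = ap.request_identity(supplicant.mac)
    while eap["code"] == "Request":
        eap = ap.relay(supplicant.mac, supplicant.respond(eap))
    return eap["code"] == "Success"


if __name__ == "__main__":
    # Constructed user database and station.
    ap = Authenticator(AuthenticationServer({"alice": "correct horse"}))
    alice = Supplicant("00:11:22:33:44:55", "alice", "correct horse")
    print(authenticate(alice, ap))
    print("\n".join(ap.trace))
```

The access point never sees the user database; it only acts on the Access-Accept or Access-Reject it receives, which is why the user accounts can be managed in one place.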

[Figure 4: 802.1 Wireless Node Authentication. Labels: Authentication Server (RADIUS), AS, Wireless Network, Authenticator, AP, WN, Supplicant, Internet or other LAN resources; steps 1 and 2.]

Therefore, IT auditors should suggest the implementation of
a RADIUS server(s) and 802.1x authentication infrastructure
to business Wi-Fi users. Many RADIUS implementation
options are available including Microsoft's implementation,
which is optional for Windows XP and Windows Server 2003,
and free implementations, such as FreeRADIUS,[24] that are
suitable for cost-sensitive small business and small networks.

Control Risks in Business Wi-Fi Network Communication
The biggest threat to Wi-Fi network security is ignorance.
Management awareness and responses to wireless network
weaknesses are critical to reduce the risks in Wi-Fi networks
and increase the benefits of this fast-growing technology. This
will in turn help to ease users' psychological fears of using these
types of invisible networks. To the extent that a security level
is desired, the features of confidentiality, authenticity, integrity
and availability should be provided in wireless networks.[25] These
are also areas in which auditors can provide assurance
concerning companies' wireless networks.
Confidentiality: Assurance that the message sent over the
wireless network is readable by only the intended recipient
(i.e., protection against interception or eavesdropping)
Authenticity: Assurance that the message originates from
the claimed entity (i.e., protection against spoofing or
impersonation over the wireless networks)
Integrity: Assurance that the message has not changed in
transmission over the wireless network (i.e., protection from
transmission errors and/or willful modification of the message)
Availability: Assurance that the data will be available to
users when and where they are required (i.e., protection
against DoS or poor reliability)
The provision of these security features relies on the proper
applications of the security technologies. The satisfactory level
of the security features in the business communication network
context is evaluated together with other criteria such as
scalability, performance and manageability to decide the most
favorable Wi-Fi network design. IT auditors should pay
attention to the following management practices to assess the
risks in Wi-Fi networks.

Wi-Fi Network Design
WLAN design decides the security level a Wi-Fi network
needs to reach. Defects in the original network design cannot
be easily remedied by maintenance efforts. This issue is
especially significant for large business communication
networks with a complex administration structure and
multilevel application of Wi-Fi networks. Wi-Fi network design
must deliver the security features of confidentiality,
authenticity, integrity and availability. Moreover, in
consideration of the rapid growth of Wi-Fi technologies,
extensibility, which is the upgradable capacity to support future
expansion in security and transmission rate (e.g., 802.11i and
802.11g for WLAN), is another critical feature that must be
provided by the design.

Site Survey and Network Monitoring


Site survey is a process required for the design and the
maintenance of the Wi-Fi networks. The purpose of an RF site
survey is to ensure adequate RF coverage throughout a facility
by determining the most effective number and placement of
access points and to analyze RF impairments, such as
multipath distortion and RF interference.[26] Properly planned,
scheduled and documented site surveys are a powerful control
process to provide efficient RF coverage and locate
interference. Another byproduct of the site survey is the
reduction of RF leakage outside of the business facility, which
also improves network security.
Wireless network monitoring is critical for identifying
sources of RF interference and jammers. Measurements such
as signal strength, carrier sensing time and packet delivery
ratio, as well as their consistency and distribution, should be
logged and monitored by the network administration.
Benchmarks can be set by IT auditors to measure network
health and identify network jamming.
Firmware and Software Upgrade
Firmware is software stored ("firmed") in read-only memory
(ROM) or programmable ROM (PROM). It is easier to change
than hardware. Many Wi-Fi hardware vendors provide
firmware upgrades as they adopt new security standards that
have been ratified. These firmware updates combined with
software vendor upgrades can improve the Wi-Fi network
security with minimum reinvestment.

[Figure 5: Recommended Network Architecture. Labels: Internet, Laptop, Access Point, Firewall, Authentication, VPN, Wireless Network Control Server, Workstation.]


Wi-Fi Firewall
Wi-Fi networks should be classified as untrusted networks
and, therefore, be isolated from the trusted organizational
intranet by special Wi-Fi firewalls. Figure 5 is the
recommended organizational network architecture.
There are many types of firewalls. Some of them are purely
hardware or software. More powerful solutions are a
combination of hardware and software. Many Wi-Fi gateways
and access points have built-in firewalls. These firewalls
commonly include network address translation (NAT)
functionalities that make the networked computers invisible to
simple hacking scans and probes. Under situations where the
devices do not have these built-in functionalities, software
firewalls, such as WirelessWall, are available for Windows 98,
ME, 2000 and XP.[27]
Intrusion Detection
Intrusion detection is the service of locating an intrusion in
progress. Although the best policy for security is proactive
instead of reactive, an intrusion detection system is an
effective second line of defense against attacks. Intrusion
detection systems identify intrusions by comparing them either
with an attack signature, called misuse detection, or comparing
them with normal operations, called anomaly detection.
Intrusion detection systems can lure the intrusion to a setup
scene to distract attackers and track the source of the attack to
block the attack or collect evidence for legal operations.
Most intrusion detection tools are effective on Wi-Fi
networks. There are also intrusion detection systems
specifically designed for WLANs such as WiFi Watchdog.[28]
Internal Policies
Organizations must establish policies and requirements for
using Wi-Fi networks. For example, as a security-sensitive
organization, the US Department of Defense (DoD) has set up
a model for using adequate internal policies to remedy Wi-Fi
security weakness.[29] DoD requirements include that secret
and top secret data must be protected with a Type I
algorithm, e.g., AES, and that no interconnection of 802.11
networks with classified networks is allowed.
Although the interpretation of improper usage of Wi-Fi
networks varies for organizations, the following use of Wi-Fi
networks that threatens data and network security should be
banned under most circumstances:
Rogue APs: The easy deployment of Wi-Fi APs explains the
increase of rogue APs, which are installed internally without
authorization by employers. Unauthorized installation of APs
rarely satisfies the security requirements and, therefore, poses
a threat to information security.
Ad hoc mode: This peer-to-peer mode of Wi-Fi networks
actually converts the computers/workstations involved into
rogue APs, because any workstation is equivalent to an AP
under this mode. If any of the computers involved are not
protected properly, the communication can be easily
intercepted. This is especially true for handheld devices such
as pocket PCs because no security tools except for WEP are
available on these platforms so far.
Scanning tools that can locate these unauthorized or
insecure APs and workstations are available either stand-alone
or built into IDSs, such as Wi-Fi Watchdog. This scanning
process should be implemented both as IDS-automated
tasks and part of the site survey to supplement the
organizational policy.
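
The scanning step can be reduced to a comparison between what a survey sees on the air and what the organization has authorized. The following is an added example, not code from the article or from any scanning product; the inventory, the scan export and its column names, the default-SSID list and the finding codes are constructed assumptions.

```python
import csv
import io

# Constructed inventory of authorized APs: BSSID -> (SSID, channel).
AUTHORIZED = {
    "00:1a:2b:00:00:01": ("corp-wlan", 1),
    "00:1a:2b:00:00:02": ("corp-wlan", 6),
}
CORP_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}
# Illustrative factory-default SSIDs; extend with the vendors actually deployed.
DEFAULT_SSIDS = {"default", "linksys", "netgear"}
# Encryption values the policy accepts. WEP is deliberately absent.
ACCEPTED_ENCRYPTION = {"WPA"}

# Constructed scan export; the column names are assumptions, not a tool's format.
SCAN_CSV = """bssid,ssid,mode,encryption,channel
00:1a:2b:00:00:01,corp-wlan,infrastructure,WPA,1
00:1a:2b:00:00:02,corp-wlan,infrastructure,WEP,6
00:0c:41:aa:bb:cc,linksys,infrastructure,none,11
02:11:22:33:44:55,meeting-share,adhoc,WEP,3
00:1a:2b:00:00:01,corp-wlan,infrastructure,WPA,9
00:90:4c:de:ad:01,corp-wlan,infrastructure,WPA,6
"""


def findings_for(row):
    """Return the policy findings for one observed network."""
    out = []
    bssid = row["bssid"].lower()
    ssid = row["ssid"]
    encryption = row["encryption"].upper()
    known = AUTHORIZED.get(bssid)

    if row["mode"] == "adhoc":
        out.append("AD_HOC")                  # peer-to-peer station, banned by policy
    elif known is None:
        out.append("ROGUE_AP")                # AP that is not in the inventory
        if ssid in CORP_SSIDS:
            out.append("FAKE_CORP_SSID")      # unknown AP advertising the corporate name
    elif int(row["channel"]) != known[1]:
        # Heuristic: an inventoried BSSID on an unexpected channel may be a
        # spoofed address, which a MAC filter alone would not catch.
        out.append("CHANNEL_MISMATCH")

    if ssid.lower() in DEFAULT_SSIDS:
        out.append("DEFAULT_SSID")            # vendor defaults were probably kept
    if encryption == "NONE":
        out.append("NO_ENCRYPTION")
    elif encryption not in ACCEPTED_ENCRYPTION:
        out.append("WEAK_ENCRYPTION:" + encryption)
    return out


def audit(scan_text=SCAN_CSV):
    """Return (bssid, channel, findings) for every observation that violates policy."""
    report = []
    for row in csv.DictReader(io.StringIO(scan_text)):
        findings = findings_for(row)
        if findings:
            report.append((row["bssid"].lower(), int(row["channel"]), findings))
    return report


if __name__ == "__main__":
    for bssid, channel, findings in audit():
        print(bssid, "ch", channel, ", ".join(findings))
```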

Conclusion
Almost every new technology comes with benefits and
risks. On the one hand, Wi-Fi wireless technology can greatly
improve the information process and business practices,
because it provides a fast and convenient network connection
to users; on the other hand, it also comes with tremendous
risks to organizations that either do not understand those risks
or do not act accordingly to control those risks.
Major risks associated with Wi-Fi wireless networks include
unauthorized use of service, WEP crack, frame spoofing and
session hijacking, traffic disruption, and ultimate denial of
service. Some of them are common in any wired or wireless
networks; some of them are unique to Wi-Fi networks only
because Wi-Fi networks transmit data over radio waves in open
space. IT auditors should understand the unique features of
Wi-Fi technology and assess the risks.
Technologies are available to control risks in Wi-Fi
networks and secure Wi-Fi communications. IT auditors
should examine the critical role played by management to
establish policies and procedures that can control most
Wi-Fi risks.

Endnotes
1 Aboba, Bernard; Ethernet Access: The Coming Revolution, www.drizzle.com/~aboba/IEEE/Ethernet_MAN.zip
2 Nortel, Nortel Wins Taipei's Mobile City Project Phase II Contract to Deploy Wireless Mesh Network, www.nortel.com/corporate/news/newsreleases/2005b/06_02_05_qware.html, accessed January 2006
3 http://grouper.ieee.org/groups/802/11/index.html
4 www.wi-fi.org
5 Singer, Michael; Wi-Fi: a Positive Disruption, Small Business Computing, April 2003, www.smallbusinesscomputing.com/webmaster/article.php/2174571
6 Intel, Wireless LANs: Linking Productivity Gains to Return on Investment, December 2002, www.intel.com/eBusiness/pdf/it/pp024801.pdf
7 Gast, Matthew; Seven Security Problems of 802.11 Wireless, The O'Reilly Network, www.oreillynet.com/lpt/a/2404
8 Wireless LAN Security, Internet Security Systems, technical white paper, http://documents.iss.net/whitepapers/wireless_LAN_security.pdf
9 Fluhrer, Scott; Itsik Mantin; Adi Shamir; Weaknesses in the Key Scheduling Algorithm of RC4, www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf
10 To download AirSnort, see http://airsnort.shmoo.com/; to download WEPCrack, see http://sourceforge.net/projects/wepcrack.
11 Wi-Fi Alliance, Wi-Fi Protected Access Overview, www.wi-fi.org/OpenSection/pdf/Wi-Fi_Protected_Access_Overview.pdf
12 Op. cit., Gast
13 To download AirJack, see http://sourceforge.net/projects/airjack/.
14 Lynn, Mike; Robert Baird; Advanced 802.11 Attack, http://802.11ninja.net/bh2002.ppt
15 Stanley, Richard A.; Wireless LAN Risks and Vulnerabilities, Information Systems Audit and Control Foundation (ISACF), white paper, www.isaca.org
16 Xu, Jun; Wooyong Lee; Sustaining Availability of Web Services under Distributed Denial of Service Attacks, IEEE Transactions on Computers, vol. 52, no. 2, February 2003
17 Ibid.
18 www.cisco.com/en/US/products/sw/cscowork/ps4737/products_getting_started_guide_chapter09186a00800ca020.html
19 http://wifinetnews.com/archives/003939.html; www.internetnews.com/security/article.php/3373441
20 Microsoft, Overview of the WPA Wireless Security Update in Windows XP, Microsoft Knowledge Base
21 Geier, Jim; WPA Security Enhancements, 802.11 Planet, www.80211-planet.com/tutorials/article.php/2148721
22 To download Windows XP Support Patch for WPA, see www.microsoft.com/downloads/details.aspx?FamilyID=009d8425-ce2b-47a4-abec-274845dc9e91&displaylang=en.
23 Brewin, Bob; Microsoft Bolsters Wi-Fi Security in XP; HP Unveils 802.11g Laptops, Computer World, 31 March, 2003, www.computerworld.com/securitytopics/security/story/0,10801,79897,00.html
24 www.freeradius.org/
25 Op. cit., Stanley
26 Wi-Fi Alliance, RF Site Survey - Recommended Practices, www.wi-fizone.org/zoneSiteSurvey.asp
27 www.netgear.com/products/details/FWG114P.php
28 www.newburynetworks.com/products/watchdog.php
29 Havighurst, Timothy J.; DoD Wireless Policies and Requirements, NIST 802.11 Wireless LAN Security Workshop, Dec. 2002, Falls Church, Virginia, USA, http://csrc.nist.gov/wireless/S04_DOD%20Wireless%20Requirements-th.pdf

Hui Du, Ph.D.
is an assistant professor of Accounting at the University of
Texas-Pan American. Her research interests include the
impact of new technologies on accounting and accounting
professionals, information systems control and audit,
corporate governance, and the effects of legislation on
financial reporting. She has been published in the Journal of
Accounting and Public Policy and the Review of Business
Information Systems.

Chen Zhang, Ph.D.
is an assistant professor of Computer Information Systems at
Bryant University. Zhang's primary research interests fall into
the areas of distributed systems, wireless communications and
network security. He has published in the Journal of Real-time
Systems, the Journal of Computer Information Systems, the
Journal of Sensor Review and the Journal of Concurrency &
Computation: Practice & Experience.

Information Systems Control Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to
the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT
Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of
authors' content.
Copyright 2006 by ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the
association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles
owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article.
Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly
prohibited.