Jpdf0604 Risks and Risk Control
Introduction

The next generation of the computer network revolution is expected to be Ethernet Everywhere.1 Different versions of Ethernet have been rapidly accepted as the network solution for all geographical locations and scales. In addition to the common practice of many organizations of applying Ethernet on local area networks (LANs) and backbone networks (BNs), the trend also includes gigabit Ethernet for metropolitan area networks/wide area networks (MANs/WANs) and 802.11 wireless Ethernet (Wi-Fi) for LANs, home office/small office (Ho/So) and public areas known as hotspots. Through a mixture of wired and wireless interconnections, these individual hotspots can be further extended into a MAN/WAN mesh network. Examples include the M-city projects in Taipei by Nortel.2

Wi-Fi networks have become pervasive in recent years because the costs of Wi-Fi access points and network interface cards (NICs) have become affordable for businesses and home users, and the installation of Wi-Fi networks has become as simple as so-called plug-and-play. Many businesses have already developed their own wireless LANs (WLANs) based on Wi-Fi technology. Hotspots in public areas also provide Internet access. However, when business users transmit sensitive information (e.g., unencrypted e-mails or remote corporate intranet access) over an insufficiently secured Wi-Fi connection, they are exposed to multiple types of information attacks.
[Figure: infrastructure mode: client devices (Client A, B, C), access points and wireless routers, connected to a typically 802.3 LAN]
[Figure: access point with an 802.1X authentication server]
Frame Spoofing

A frame spoofing attack is a common attack on wired and wireless networks. In the wireless world, frame spoofing attacks can take the form of session hijacking and man-in-the-middle (MITM) attacks.

A Wi-Fi frame is a data packet whose structure is specified by the 802.11 protocols. Every frame sent on a Wi-Fi network has a source and a destination address. However, these source addresses are neither encrypted nor authenticated under WEP, which means there is no guarantee that the station with the source address actually put the frame in the air; the source address can therefore be spoofed.

A simpler type of session hijacking attack uses frame spoofing to impersonate a legitimate user of an organization's network and throttle the communication of the actual user. Since the legitimate user will immediately observe the interruption of communication, it is relatively easy to detect. A more sophisticated session hijacker can use spoofed frames to redirect traffic and corrupt address tables in the AP and client computers.12 The attacker can also pretend to be an AP to the client and a client to the AP and launch a MITM attack, described in figure 3. The MITM can intercept and alter the messages between the client and the AP, but this type of attack needs very sophisticated spoofing techniques.

[Figure 3: man-in-the-middle attack: attacker between the 802.1X supplicant and the access point]

IT auditors also need to be aware that WEP has a well-known security breach in its key scheduling algorithm.

IT auditors should require that new security standards, such as Wi-Fi Protected Access (WPA), be in place to address the interception of data. In addition, an intrusion detection system should be installed as a second line of protection to detect abnormal operations.

Traffic Analysis

Another weakness of WEP is that it not only leaves the frame headers unprotected, but also leaves the control frames unencrypted and unauthenticated. This gives attackers a large space to eavesdrop on and analyze the traffic and to disrupt transmissions with spoofed control frames. Tools such as AirJack13 can forge control frames. This tool can also spoof data frame addresses and fake APs.

Although sniffing the Wi-Fi control frames is a relatively passive attack, sensitive network setting information revealed by it can be used to assist with all attack types mentioned previously. Forging control frames can cause the disruption of wireless network service. For example, one type of denial-of-service (DoS) attack functions by forging a control frame, called deauthentication, to cause users under attack to be unable to connect to the AP.14 Other types of DoS attacks will be addressed separately in another section because of their different nature.

To prevent these types of attacks from abusing the Wi-Fi control frames, advanced cryptographic infrastructures such as WPA must be applied. Please note that, unlike the DoS caused by the forging of control frames, multiple types of lower-level DoS attacks are beyond what can be addressed by advanced cryptography. An overview of these DoS attacks is given in the next section.

Denial of Service (Jamming)

A DoS attack is one wherein an attacker attempts to prevent the target network from serving its legitimate users.15 Multiple types of attack can be performed by emitting RF signals that do not follow the underlying Wi-Fi MAC protocol.16 They are also often referred to as jamming attacks.

Physical DoS attacks can be less sophisticated but highly threatening, although not very common. A deliberate jamming attack is to set up a transmitter that operates on the same 2.4 GHz band and has enough power to overwhelm the access point's signals. For instance, a deliberately modified microwave oven can spread radio waves covering the complete bandwidth with overwhelming power.

The jamming adversary (i.e., jammer) can use multiple models to attack:

A constant jammer continuously emits a random radio signal. This will prevent legitimate users from accessing a channel and sending packets. The source of a constant jammer can be relatively easy to detect, since its signal does not have a packet structure.

A deceptive jammer constantly injects regular packets instead of random radio signals. As a result, a legitimate user will be deceived into remaining in the receiving state and, therefore, cannot start transmission.
When a new wireless user requests access to a LAN resource, the AP asks for the user's identity. The user who requests authentication is often called the supplicant. The supplicant is responsible for responding to authenticator data that will establish its credentials. After the identity has been sent, the authentication process begins. The protocol used between the supplicant and the

significant latency in vendor implementation and current Wi-Fi network upgrades. The robustness of the standard will also face the real-world application test. Before that time, security technologies applied to network communications in general and to Wi-Fi networks specifically must be combined to ensure the security of Wi-Fi network communications.

Many security technologies can be applied to the Wi-Fi
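An added example, not part of the article, modelling the exchange described above: the AP (authenticator) asks the supplicant for its identity, relays the exchange to the authentication server, and opens its controlled port for that station only after the server accepts. The HMAC challenge-response stands in for a real EAP method, and the identities, MAC addresses and shared secrets are constructed for the illustration.

```python
"""Simplified model of the 802.1X roles: supplicant (wireless user),
authenticator (the AP) and authentication server (AS). The challenge-response
below is a stand-in for a real EAP method, not any vendor's implementation."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class AuthenticationServer:
    """Holds identity -> shared secret (constructed credentials) and checks responses."""
    users: dict

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, identity: str, challenge: bytes, response: bytes) -> bool:
        secret = self.users.get(identity)
        if secret is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


@dataclass
class Supplicant:
    mac: str
    ident: str
    secret: bytes

    def respond(self, challenge: bytes) -> bytes:
        # Prove knowledge of the secret without sending it over the air
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


@dataclass
class Authenticator:
    """The AP. A station's controlled port stays blocked until the AS returns EAP-Success."""
    server: AuthenticationServer
    authorized: dict = field(default_factory=dict)   # station MAC -> bool
    transcript: list = field(default_factory=list)

    def authenticate(self, sup: Supplicant) -> bool:
        log = self.transcript.append
        log("Authenticator -> Supplicant: EAP-Request/Identity")
        log(f"Supplicant -> Authenticator: EAP-Response/Identity ({sup.ident})")
        log("Authenticator -> AS: RADIUS Access-Request carrying the EAP-Response/Identity")
        challenge = self.server.challenge()
        log("AS -> Authenticator -> Supplicant: EAP-Request (challenge)")
        response = sup.respond(challenge)
        log("Supplicant -> Authenticator -> AS: EAP-Response")
        ok = self.server.verify(sup.ident, challenge, response)
        log("AS -> Authenticator: Access-Accept, EAP-Success" if ok
            else "AS -> Authenticator: Access-Reject, EAP-Failure")
        self.authorized[sup.mac] = ok
        return ok

    def deliver(self, mac: str, frame: str) -> str:
        """Port model: EAPOL passes the uncontrolled port; data needs the controlled port open."""
        if frame.startswith("EAPOL"):
            return "passed (uncontrolled port)"
        if self.authorized.get(mac):
            return "forwarded to LAN resource"
        return "dropped (controlled port blocked)"


def demo() -> dict:
    """One successful and one failed authentication; returns the observable outcomes."""
    server = AuthenticationServer({"alice@example.org": b"alice-shared-secret"})  # constructed
    ap = Authenticator(server)
    alice = Supplicant("00:aa:bb:cc:dd:01", "alice@example.org", b"alice-shared-secret")
    mallory = Supplicant("00:aa:bb:cc:dd:02", "alice@example.org", b"guessed-secret")
    before = ap.deliver(alice.mac, "DATA: GET /intranet/")
    results = {
        "before_auth": before,
        "alice_ok": ap.authenticate(alice),
        "mallory_ok": ap.authenticate(mallory),
    }
    results["alice_data"] = ap.deliver(alice.mac, "DATA: GET /intranet/")
    results["mallory_data"] = ap.deliver(mallory.mac, "DATA: GET /intranet/")
    results["transcript"] = ap.transcript
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value if key != "transcript" else "\n  " + "\n  ".join(value))
```

The point of the port model is that the AP never judges credentials itself: it relays, and the controlled port opens per station only on the server's accept, so a station that fails (or never attempts) authentication gets no LAN traffic through.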
[Figure: 802.1X components on a wireless network: supplicant (wireless node, WN), authenticator (AP) and authentication server (AS, RADIUS), with the AP connecting to the Internet or other LAN resources]
[Figure 5: recommended organizational network architecture: Laptop, Wireless Network, Access Point, Firewall, Authentication/VPN, Firewall, Wireless Network Control Server, Workstation, Internet]
Wi-Fi Firewall

Wi-Fi networks should be classified as untrusted networks and, therefore, be isolated from the trusted organizational intranet by special Wi-Fi firewalls. Figure 5 is the recommended organizational network architecture.

There are many types of firewalls. Some of them are purely hardware or purely software; more powerful solutions are a combination of hardware and software. Many Wi-Fi gateways and access points have built-in firewalls. These firewalls commonly include network address translation (NAT) functionality that makes the networked computers invisible to simple hacking scans and probes. Where the devices do not have these built-in functionalities, software firewalls, such as WirelessWall, are available for Windows 98, ME, 2000 and XP.27
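As an added example (not from the article or any product it names), the isolation rule above expressed as a first-match packet-filter policy with a set of audit probes: the Wi-Fi segment may reach the intranet only through a VPN gateway, everything else goes out to the Internet, and a weak default policy is shown beside the corrected one. All addresses, the VPN gateway host and its port 443 are assumptions made for the illustration.

```python
"""First-match packet-filter policy for an untrusted Wi-Fi segment, with an audit
that probes the policy against flows a reviewer would check. Addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: Net
    dst: Net
    dport: Optional[int] = None  # None matches any destination port
    note: str = ""


WIFI = ipaddress.ip_network("10.200.0.0/16")     # constructed: untrusted Wi-Fi segment
INTRANET = ipaddress.ip_network("10.10.0.0/16")  # constructed: trusted intranet
VPN_GW = ipaddress.ip_network("10.10.1.5/32")    # constructed: VPN/authentication gateway
ANY = ipaddress.ip_network("0.0.0.0/0")

# Weak setting: the usual default of letting wireless clients go anywhere
WEAK_POLICY = [
    Rule("allow", WIFI, ANY, None, "wireless clients unrestricted"),
    Rule("deny", ANY, ANY, None, "default deny"),
]

# Corrected setting: Wi-Fi reaches the intranet only via the VPN gateway
HARDENED_POLICY = [
    Rule("allow", WIFI, VPN_GW, 443, "VPN gateway is the only intranet host reachable from Wi-Fi"),
    Rule("deny", WIFI, INTRANET, None, "no direct Wi-Fi access to the trusted intranet"),
    Rule("allow", WIFI, ANY, None, "Internet access (NAT applied by the gateway)"),
    Rule("deny", ANY, ANY, None, "default deny, including unsolicited inbound to Wi-Fi clients"),
]


def evaluate(policy: List[Rule], src: str, dst: str, dport: int) -> Tuple[str, str]:
    """The first matching rule decides, as in most packet filters."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if s in rule.src and d in rule.dst and rule.dport in (None, dport):
            return rule.action, rule.note
    return "deny", "implicit deny"


# Constructed probe flows with the verdict the architecture requires
PROBES = [
    ("wifi client -> intranet file server :445", "10.200.5.7", "10.10.20.30", 445, "deny"),
    ("wifi client -> intranet web app :80", "10.200.5.7", "10.10.30.40", 80, "deny"),
    ("wifi client -> VPN gateway :443", "10.200.5.7", "10.10.1.5", 443, "allow"),
    ("wifi client -> VPN gateway :22", "10.200.5.7", "10.10.1.5", 22, "deny"),
    ("wifi client -> Internet host :80", "10.200.5.7", "203.0.113.10", 80, "allow"),
    ("Internet host -> wifi client :22", "203.0.113.10", "10.200.5.7", 22, "deny"),
]


def audit(policy: List[Rule]) -> List[Tuple[str, str, str]]:
    """Returns (probe, expected, actual) for every probe whose verdict differs from expectation."""
    findings = []
    for desc, src, dst, port, expected in PROBES:
        actual, _ = evaluate(policy, src, dst, port)
        if actual != expected:
            findings.append((desc, expected, actual))
    return findings


def is_isolated(policy: List[Rule]) -> bool:
    """True when the Wi-Fi segment cannot reach the intranet except through the VPN gateway."""
    return not audit(policy)


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "isolated" if is_isolated(policy) else audit(policy))
```

Rule order matters under first-match semantics: the VPN allow must precede the intranet deny, and the intranet deny must precede the broad Internet allow, otherwise the broad rule quietly re-exposes the intranet.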
Intrusion Detection

Intrusion detection is the service of locating an intrusion in progress. Although the best policy for security is proactive instead of reactive, an intrusion detection system is an effective second line of defense against attacks. Intrusion detection systems identify intrusions either by comparing activity with an attack signature, called misuse detection, or by comparing it with normal operations, called anomaly detection. Intrusion detection systems can also lure the intruder to a set-up scene to distract attackers and track the source of the attack, in order to block the attack or collect evidence for legal proceedings.

Most intrusion detection tools are effective on Wi-Fi networks. There are also intrusion detection systems specifically designed for WLANs, such as WiFi Watchdog.28
Internal Policies

Organizations must establish policies and requirements for using Wi-Fi networks. For example, as a security-sensitive organization, the US Department of Defense (DoD) has set up a model for using adequate internal policies to remedy Wi-Fi security weaknesses.29 DoD requirements include that secret and top secret data must be protected with a Type I algorithm, e.g., AES, and that no interconnection of 802.11 networks with classified networks is allowed.

Although the interpretation of improper usage of Wi-Fi networks varies between organizations, the following uses of Wi-Fi networks that threaten data and network security should be banned under most circumstances:

Rogue APs: The easy deployment of Wi-Fi APs explains the increase of rogue APs, which are installed internally without
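An added example, not part of the article, that brings together the Intrusion Detection section and the rogue AP point above: a small wireless IDS run over constructed 802.11 frame log lines, applying the two detection styles the section names (misuse detection with an attack signature, here the forged-deauthentication DoS described under Traffic Analysis; anomaly detection against a learned baseline of normal operation) plus a policy check for beacons from access points not on the organization's authorized list. The log format, MAC addresses, SSID, window sizes and thresholds are all assumptions made for the illustration.

```python
"""Wireless IDS sketch over constructed 802.11 frame log lines: a misuse signature
(deauthentication flood), an anomaly rule (frame rate far above baseline) and a
policy check (beacon from an unauthorized BSSID). Format and addresses are constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<kind>\w+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
BROADCAST = "ff:ff:ff:ff:ff:ff"
AUTHORIZED_BSSIDS = {"00:1a:2b:3c:4d:5e"}   # constructed: the organization's sanctioned AP

# Constructed sample: three quiet 10-second windows, then a burst of broadcast
# deauthentication frames carrying the AP's address, then a beacon from an unknown AP.
SAMPLE_LOG = """\
2006-04-01 10:00:00 beacon bssid=00:1a:2b:3c:4d:5e ssid=CorpNet
2006-04-01 10:00:03 data src=00:aa:bb:cc:dd:01 dst=00:1a:2b:3c:4d:5e
2006-04-01 10:00:05 beacon bssid=00:1a:2b:3c:4d:5e ssid=CorpNet
2006-04-01 10:00:08 data src=00:aa:bb:cc:dd:02 dst=00:1a:2b:3c:4d:5e
2006-04-01 10:00:10 beacon bssid=00:1a:2b:3c:4d:5e ssid=CorpNet
2006-04-01 10:00:12 data src=00:aa:bb:cc:dd:01 dst=00:1a:2b:3c:4d:5e
2006-04-01 10:00:15 beacon bssid=00:1a:2b:3c:4d:5e ssid=CorpNet
2006-04-01 10:00:17 deauth src=00:1a:2b:3c:4d:5e dst=00:aa:bb:cc:dd:02
2006-04-01 10:00:19 data src=00:aa:bb:cc:dd:01 dst=00:1a:2b:3c:4d:5e
2006-04-01 10:00:20 beacon bssid=00:1a:2b:3c:4d:5e ssid=CorpNet
2006-04-01 10:00:24 data src=00:aa:bb:cc:dd:01 dst=00:1a:2b:3c:4d:5e
2006-04-01 10:00:25 beacon bssid=00:1a:2b:3c:4d:5e ssid=CorpNet
2006-04-01 10:00:28 data src=00:aa:bb:cc:dd:01 dst=00:1a:2b:3c:4d:5e
2006-04-01 10:00:30 beacon bssid=00:1a:2b:3c:4d:5e ssid=CorpNet
2006-04-01 10:00:31 deauth src=00:1a:2b:3c:4d:5e dst=ff:ff:ff:ff:ff:ff
2006-04-01 10:00:31 deauth src=00:1a:2b:3c:4d:5e dst=ff:ff:ff:ff:ff:ff
2006-04-01 10:00:32 deauth src=00:1a:2b:3c:4d:5e dst=ff:ff:ff:ff:ff:ff
2006-04-01 10:00:32 deauth src=00:1a:2b:3c:4d:5e dst=ff:ff:ff:ff:ff:ff
2006-04-01 10:00:33 deauth src=00:1a:2b:3c:4d:5e dst=ff:ff:ff:ff:ff:ff
2006-04-01 10:00:33 deauth src=00:1a:2b:3c:4d:5e dst=ff:ff:ff:ff:ff:ff
2006-04-01 10:00:34 deauth src=00:1a:2b:3c:4d:5e dst=ff:ff:ff:ff:ff:ff
2006-04-01 10:00:34 deauth src=00:1a:2b:3c:4d:5e dst=ff:ff:ff:ff:ff:ff
2006-04-01 10:00:35 beacon bssid=00:1a:2b:3c:4d:5e ssid=CorpNet
2006-04-01 10:00:36 beacon bssid=00:de:ad:be:ef:01 ssid=CorpNet
"""


def parse_frames(text):
    """Parse log lines into dicts with ts (datetime), kind and the key=value fields."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = dict(KV_RE.findall(m.group("rest")))
        f["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        f["kind"] = m.group("kind")
        frames.append(f)
    return frames


def detect_deauth_flood(frames, threshold=5, window=timedelta(seconds=5)):
    """Misuse signature: many broadcast deauthentication frames from one source in a short window."""
    by_src = defaultdict(list)
    for f in frames:
        if f["kind"] == "deauth" and f.get("dst") == BROADCAST:
            by_src[f["src"]].append(f["ts"])
    alerts = []
    for src, times in by_src.items():
        times.sort()
        best = j = 0
        for i, t in enumerate(times):
            while times[j] < t - window:      # slide the window start forward
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            alerts.append((src, best))
    return alerts


def detect_rate_anomaly(frames, baseline_windows=3, window_seconds=10, k=3.0):
    """Anomaly rule: a window's frame count exceeds mean + k*stdev of the baseline windows."""
    start = min(f["ts"] for f in frames)
    counts = defaultdict(int)
    for f in frames:
        counts[int((f["ts"] - start).total_seconds()) // window_seconds] += 1
    series = [counts.get(i, 0) for i in range(max(counts) + 1)]
    base = series[:baseline_windows]
    threshold = statistics.mean(base) + k * statistics.pstdev(base)
    return [(i, c, threshold) for i, c in enumerate(series)
            if i >= baseline_windows and c > threshold]


def detect_rogue_aps(frames, authorized=AUTHORIZED_BSSIDS):
    """Policy check: any beacon whose BSSID is not on the authorized list."""
    seen = {}
    for f in frames:
        if f["kind"] == "beacon" and f["bssid"] not in authorized:
            seen.setdefault(f["bssid"], f.get("ssid", ""))
    return sorted(seen.items())


def analyze(text=SAMPLE_LOG):
    frames = parse_frames(text)
    return {
        "deauth_flood": detect_deauth_flood(frames),
        "rate_anomaly": detect_rate_anomaly(frames),
        "rogue_aps": detect_rogue_aps(frames),
    }


if __name__ == "__main__":
    for name, alerts in analyze().items():
        print(name, alerts)
```

The single unicast deauthentication at 10:00:17 is normal operation and does not trip the signature; the burst does. The anomaly rule learns its baseline from the first three windows, so it only works if that training period is genuinely clean, which is the usual caveat with anomaly detection. The rogue check flags a beacon advertising the corporate SSID from an address that is not the sanctioned AP, which is exactly the case the Internal Policies section wants banned.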
Conclusion

Almost every new technology comes with benefits and risks. On the one hand, Wi-Fi wireless technology can greatly improve information processing and business practices, because it provides a fast and convenient network connection to users; on the other hand, it also comes with tremendous risks to organizations that either do not understand those risks or do not act accordingly to control them.

Major risks associated with Wi-Fi wireless networks include unauthorized use of service, WEP crack, frame spoofing and session hijacking, traffic disruption, and ultimately denial of service. Some of them are common to any wired or wireless network; some of them are unique to Wi-Fi networks because Wi-Fi networks transmit data over radio waves in open space. IT auditors should understand the unique features of Wi-Fi technology and assess the risks.

Technologies are available to control risks in Wi-Fi networks and secure Wi-Fi communications. IT auditors should examine the critical role played by management in establishing policies and procedures that can control most Wi-Fi risks.
Information Systems Control Journal is published by ISACA.
Copyright 2006 by ISACA. All rights reserved.