You can't secure what you don't acknowledge.SM

Friday, September 28, 2007

Is Your Wireless Encryption Enough?

After reading this piece about the recently released report on the TJX breach from the Office of the Privacy Commissioner of Canada and the office of the Information and Privacy Commissioner of Alberta, I had a thought about the false sense of security that wireless encryption gives us. TJX was apparently using both WPA and WEP for wireless encyrption but it was the WEP that got them into trouble. The thing is, whichever one is used, it's easy to believe that the airwaves are protected. "Encryption" is being used after all..that's good enough, right?

Based on my own experience and that I've from others, I guarantee you most of the times that aircrack (or any of the other wireless encryption cracking tools) are run against a wireless network, the results come back negative. No weak encryption implementation - no cracked passphrases - nothing. All's well in 802.11-land. Management sees this and assumes that the business network is safe.

The devil's in the details though. If you look closer at how most wireless "hacking" or penetration tests are carried out, the techniques are often flawed:
  • the timeframe for wireless testing is limited (i.e. you/they need to move on to other stuff since the budget doesn't allow for days or weeks of analysis)
  • many wireless networks don't generate enough packets needed by the tools to crack the passphrases
  • dictionaries used for cracking WPA pre-shared keys are too's difficult if not impossible to have a dictionary of all possible passphrase combinations
  • it's assumed that if no signal can be seen outside of the building with a plain old laptops built-in wireless antenna that no one will be able to access the wireless airwaves
  • testing is only performed on a limited subset of wireless access points (this is OK if all wireless networks are configured the exact same way but that's rarely the case)
All of these provide just enough false sense of security to justify leaving things the way they are.

My point is that just because your wireless environment checks out OK, it doesn't mean it really is secure. With the right tools and enough time and effort, it very well could be cracked. Whether it's protected by WEP or WPA using pre-shared keys - if it's implemented incorrectly, wireless encryption can eventually be broken leading to a TJX-like mess.

If you're using wireless, make sure your testing is done the right way...Spend the time, money, and effort to get a real-world view of how secure or unsecure it really is. There's no logical excuse for using WEP in a business environment either. Get everything off of it as soon as you can. TJX apparently didn't do this and they - and a lot of people - are paying the price.

Thursday, September 27, 2007

Security is a Choice

As the saying goes, the more things change they more they stay the same. It suits what's happening with security just perfectly. It's common knowledge that computer security is a problem that affects every business and every individual in some way. Security best practices are available. The rules have been laid down. Why are breaches still occurring?

I think to myself, on the surface there's:
  • information systems complexity
  • untrained IT staff
  • people not using the right tools and methodologies to uncover vulnerabilities
  • limited budgets
Blah, blah, blah...We've been talking about this stuff for years! The deal is - security's a choice. Just like everything else we do in business and life, we're either contributing or we're taking away. There is no in between. You either support information security for the betterment of the business or you don't. When management chooses not to give security the real attention it chooses the consequences. In particular, when managers ignore security assessment report findings, training requests, and policy enforcement needs, and instead, bury their heads by choosing to believe that security doesn't affect the business - or technology is the answer (ha!) - then they're masking the real problems.

How many more entries are going to be made into the Privacy Rights Clearinghouse Chronology of Data Breaches? Just look at it. Today it's at 166 million+ compromised records and growing by the day. And, it's chock full of stupid security oversights - things that could've been prevented. How many more security breaches will occur that go unnoticed or unreported? Well, I guess we won't know - but you get my drift.

Wake up business managers and executives! Your business is bleeding and only you can stop it.