Alan Calder on IT Governance, information security & ISO 27001

Wireless insecurity has been in the press during the last week - the Sunday Times (March 6, 2005) spoke of a ‘virus epidemic’ threatening to wipe mobiles’ memories, while SC Magazine and Computing both report the astonishing absence of security in one third of the City’s wireless networks.

Why are there these failures?

OK, Cellphone “virus epidemic” is a bit of journalist panic-mongering; while Cellphone viruses have, indeed, been reported from a number of countries, there still aren’t a great many species (three, I think) and they still aren’t spreading terribly quickly - not 100,000 devices affected in 24 hours, but maybe 100 affected in a number of months. Sure, now’s a good time to be looking at Cellphone level anti-malware products, but it’s not yet time to panic.

Wireless, though, is a different matter. Who in the computer world doesn’t know that WiFi kit, out of the box, has no security configured? Who, in the computer world, thinks that security is important on the fixed network but not on (or for) mobile devices? Who is accountable for employing the computer ‘experts’ (the IT staff) who allow wireless laptops to be issued to staff - or, worse, allow wireless Access Points to be set up, without appropriate security?

You can sympathise with those employees who’ve taken with enthusiasm to the wireless world beyond their organization’s fixed perimeter: it’s great to not have the heavy-handed system administrator telling them what they can and can’t do. What is surprising is that sysadmins allow this state of affairs - or that their managers and executives turn a blind eye to it.

Because they are turning a blind eye, aren’t they? The alternative is that they’re just incompetent simply don’t know that wireless security is an issue, or that they’re supposed to do something about it.

Bluetooth devices, particularly mobile phones, are at risk from two types of attack from nearby or passing devices, bluejacking and bluesnarfing. A bluejacking attack involves sending text messages to the mobile phones of any users who are within range, and it could be used both maliciously and for ‘bluespam’. A bluesnarfing attack is potentially more serious, and involves the theft of all contact information stored in the phones. Not all phones are vulnerable to these sorts of attacks and as manufacturers respond to the discovery of these vulnerabilities, so there will be changes. At the moment (January 2005), it is said that Nokia 6310, 6310i, 8910 and 8910i models are at greatest risk. Apparently, “on some models of phone, you are only vulnerable to attack if you are on visible mode; however, there are other models of phones where you are vulnerable even in non-visible mode”.

The only defence is to turn Bluetooth off.

Gosh.

Information security specialists have been talking increasingly about the problems of “the porous perimeter”. Business managers are simply going ahead and making the problem worse. Why? Because mobile computing and wireless connectivity massively improve business flexibility, efficiency and competitiveness. And management is quite right - the point about today’s handheld equipment - PDAs, Blackberries, MP3 players, USB flash sticks, digital cameras, camera phones, hand scanners and ultra light laptops - combined with Bluetooth and wireless modems - is that, as well as giving managers instant information, it empowers the workforce. It also empowers those who fancy themselves as industrial spies and, of course, makes it harder to identify the real espionage professionals.

Wouldn’t it be nice if business managers and IT professionals could get together inside organisations (technically, it’s called IT Governance) and ensure that the deployment of new technologies does not leave businesses exposed - the 53% of businesses who have recently deployed wireless networks, for instance, but admit they haven’t included security controls of any sort might need to think things through a little…..we managers don’t need to know what WPA2 is - but we do need to make sure it’s deployed - don’t we?