Posts Tagged ‘wireless’

Wireless laxity leads to new legislation

Saturday, September 2nd, 2006

I’ve written before about the fact that wireless kit usually ships with a default security setup of ‘no security’ – because that’s what makes it easy for consumers to get started right away on using the kit. ‘No security’ is obviously not a good default setting in today’s identity- and bandwidth-hijacking world.
California, as is so often the case, is taking the lead in dealing with this issue. Assuming that Governor Schwarzenegger signs it into law, manufacturers will have to place appropriate warning labels on all wireless equipment. Of course, that won’t mean that users will improve their wireless security – but it will at least ensure that they’re made aware of the issue.
California’s Database Security Breach law has been widely copied by state legislatures across North America – I guess we’ll now see a rash of wireless-related legislation as well.

Wireless worries

Tuesday, June 13th, 2006

There is ongoing debate about how safe it is to work wirelessly, with much discussion about how likely it is that your digital information will be monitored and stolen while you are online in a coffee shop or wherever. Of course, by far the most common security threat related to wireless internet use is physical, not virtual – it is the theft or loss of the laptop or PDA on which you’re working. However, beyond taking sensible steps to ensure that a device remains in your possession, there are a variety of other security measures that companies need to adopt. This article on Computerworld gives a good overview.

Legislating for wi-fi security

Monday, May 29th, 2006

Officials in Westchester County, New York have recently attracted attention for their new law that requires businesses to secure their wi-fi hotspots. I’ve spoken before about the need for proper wireless security but, as usual, when businesses fail to take voluntary action sooner or later a regulator will pass a law to force them to act.

This is actually a pretty sensible law, but inevitably the reaction from many businesses will be to complain about the growing weight of legislation with which they have to comply. However, legislators all over the USA and elsewhere will be watching closely, so expect to see a spate of similar laws coming into force around the world soon.

Wireless accountability

Friday, March 11th, 2005

Wireless insecurity has been in the press during the last week – the Sunday Times (March 6, 2005) spoke of a ‘virus epidemic’ threatening to wipe mobiles’ memories, while SC Magazine and Computing both report the astonishing absence of security in one third of the City’s wireless networks.

Why are there these failures?

OK, the cellphone “virus epidemic” is a bit of journalist panic-mongering; while cellphone viruses have, indeed, been reported from a number of countries, there still aren’t a great many species (three, I think) and they still aren’t spreading terribly quickly – not 100,000 devices affected in 24 hours, but maybe 100 affected in a number of months. Sure, now’s a good time to be looking at cellphone-level anti-malware products, but it’s not yet time to panic.

Wireless, though, is a different matter. Who in the computer world doesn’t know that WiFi kit, out of the box, has no security configured? Who, in the computer world, thinks that security is important on the fixed network but not on (or for) mobile devices? Who is accountable for employing the computer ‘experts’ (the IT staff) who allow wireless laptops to be issued to staff – or, worse, allow wireless Access Points to be set up, without appropriate security?

You can sympathise with those employees who’ve taken with enthusiasm to the wireless world beyond their organization’s fixed perimeter: it’s great to not have the heavy-handed system administrator telling them what they can and can’t do. What is surprising is that sysadmins allow this state of affairs – or that their managers and executives turn a blind eye to it.

Because they are turning a blind eye, aren’t they? The alternative is that they’re just incompetent – that they simply don’t know that wireless security is an issue, or that they’re supposed to do something about it.

On Human Fallibility

Wednesday, February 9th, 2005

I know it’s not news, but it winds me up that there’s a whole industry out here that depends on software faults and basic failings. The information security industry (including my books and company) wouldn’t exist if software manufacturers and others did their job properly – calling their failings ‘vulnerabilities’ is nice, but it doesn’t change the reality.

And new products are launched that just aren’t good enough – take Instant Messenger – or wireless – and now VoIP – and it even appears that VPNs aren’t up to scratch – “right first time” is a pretty hard concept, isn’t it? For instance, I thought I’d done an excellent job on the updated version of my book, but the copy editor came back with nearly 30 queries – and she hasn’t told me how many she just corrected without mentioning them.

Of course, I like it that there’s a business opportunity for us all, but I can’t help wondering how much better at fighting the bad guys we would be if we didn’t have to spend so much time filling the holes left by our own side.

The very porous perimeter

Wednesday, November 3rd, 2004

Information security specialists have been talking increasingly about the problems of “the porous perimeter”. Business managers are simply going ahead and making the problem worse. Why? Because mobile computing and wireless connectivity massively improve business flexibility, efficiency and competitiveness. And management is quite right – the point about today’s handheld equipment – PDAs, Blackberries, MP3 players, USB flash sticks, digital cameras, camera phones, hand scanners and ultra light laptops – combined with Bluetooth and wireless modems – is that, as well as giving managers instant information, it empowers the workforce. It also empowers those who fancy themselves as industrial spies and, of course, makes it harder to identify the real espionage professionals.

Wouldn’t it be nice if business managers and IT professionals could get together inside organisations (technically, it’s called IT Governance) and ensure that the deployment of new technologies does not leave businesses exposed? The 53% of businesses who have recently deployed wireless networks, for instance, but admit they haven’t included security controls of any sort, might need to think things through a little… We managers don’t need to know what WPA2 is – but we do need to make sure it’s deployed – don’t we?