How safe is your wireless network?

26 May 2005

Last week’s security seminar in Croke Park kicked off with a nod to nostalgia: things used to be much simpler. The sentiment is certainly true for wireless networking. Eoghan Johnson, Irish sales manager for conference organiser Global Secure Systems (GSS), remarked 10 years ago networks were self-contained. Now, as wireless networks become more prevalent, they carry an additional security overhead.

Johnson introduced the results of a recent survey conducted by GSS, which found 38pc of wireless networks in Dublin don’t use encryption technology, leaving them unsafe and vulnerable to being hacked. The survey also found wireless networks here predominantly use older versions of the 802.11 standard, which means many Irish companies’ wireless equipment wouldn’t be compatible with new standards that have additional security features built-in. The report stated: “It would seem there is still a major disregard for the need to ensure data is not intercepted and used by unauthorised parties.”

Speaking afterwards, GSS managing director David Hobson remarked that many Irish firms included their company name as part of the SSID, a code that identifies the wireless network. It’s a practice he doesn’t recommend. “It’s a basic rule of security that you don’t go broadcasting who you are,” he said. “While it’s not a security vulnerability, it puts you up as a target.”

Hobson drew a parallel between security and insurance policies, noting security’s traditional perception problem that money allocated to it has no return on investment. This culture is beginning to change, he acknowledged.

Jamie Bodley-Scott, regional operations manager for AppGate UK, said the demand to open up networks had to be weighed against the threats that this could bring. “It’s becoming harder and harder to achieve a balance between these two,” he said. “Information technology’s next challenge is, having locked out the bad guys, to let in the good.”

He proposed a different concept: an infrastructure for secure flexibility. He explained: “It’s more to do with securing the transaction than with who owns the device and where it is located.” Bodley-Scott claimed with this framework, it would be possible to access a service via a laptop at work and then restore the same secure connection later at home. This approach differs considerably from traditional security where a policy is set — allowing certain users to do certain tasks on the network — and then exceptions are made to it, such as permitting other devices to access the network.

Jennifer Sundberg, European channel manager for PatchLink, spoke about a problem many beleaguered IT managers are surely familiar with: keeping software up to date to protect against the latest threats. A balance must be struck between ensuring any new vulnerabilities are patched, or fixed, and having the time and resources to do so.

In theory, patching should be imperative. “More than 90pc of security exploits are carried out through vulnerabilities for which there are known patches,” said Sundberg. In practice, it’s not as simple as that. Patches need to be tested to ensure they will work and that they are compatible with all of the applications on a network. Another question is whether a company can afford the time to take an important computer offline while the patch is installed. “You’re damned if you do and damned if you don’t,” Sundberg wryly noted.

Pictured at the Global Secure Systems (GSS) security seminar in Croke Park were : GSS managing director David Hobson and GSS Irish sales manager Eoghan Johnson

By Gordon Smith