NETW 05A: APPLIED WIRELESS SECURITY General Policy

Presentation Transcript

  1. NETW 05A: APPLIED WIRELESS SECURITY General Policy By Mohammad Shanehsaz

  2. General Topics • Objectives • Getting Started • Risk Assessment • Impact Analysis • Security Auditing

  3. Objectives • Explain necessary items to include in the creation and maintenance of a WLAN security checklist • Describe and recognize the importance of asset management and inventory procedures for WLANs

  4. Objectives • Explain the importance of including WLANs in existing change management programs • Explain the purpose and goals of the following WLAN security policies: • Password policy • User training • On-going review (auditing) • Acceptable use and abuse policy • Consistent implementation procedure • Centralized implementation and management guidelines and procedures

  5. Objectives • Locate and identify WLANs within and around a facility • Explain the assets to be protected through securing a WLAN • Explain and demonstrate the inherent weaknesses in WLAN security • Given a WLAN attack scenario, explain and respond to the attack • Given a WLAN configuration, explain and implement all the necessary steps for securing the WLAN

  6. Objectives • Perform an impact analysis for a series of WLAN attack scenarios which may include the following methods of attack • Analysis, spoofing and information theft • Denial of Service • Malicious code or file insertion • Target profiling • Peer-to-peer hacking • Physical security • Social engineering • WLAN hacking hardware and software

  7. Objectives • Summarize risks to wired networks from wireless networks • Summarize the security policy related to wireless public-access network use

  8. Wireless LAN security policy • Wireless LAN security policy falls into two categories: • General policy (items that do not fall into a specific technical category, e.g. corporate networking) • Functional policy

  9. Categories of General Policy • Getting Started • Risk Assessment • Impact Analysis • Security Auditing

  10. Getting Started • Obtain organizational sponsorship! • CEO or CIO • Wireless implementation must be part of a security plan addressing: • Resources • control access • prevent unauthorized users • limit consumption of wireless network resources (e.g. bandwidth) • Privacy • control access • prevent unauthorized users • protect confidential or sensitive data • Intrusion • monitor the environment • allows detection of unauthorized access or activities • respond with appropriate security measures

  11. Getting Started • Include input from: • End users • Network operations team • Financial people • Management • Independent/ external auditor • Among the key decisions: • What items will the policy cover? • How will the policy be enforced? • How will the policy be implemented? • How user-friendly should the policy be?

  12. Getting Started • General templates on corporate security policy can be found at: http://www.sans.org/resources/policies/ • Your textbook has included a wireless LAN security policy template in Appendix A

  13. Risk Assessment • Examine each possible scenario which may lead to loss of $ due to negative events • Rank predicted losses (level of severity) • For each scenario make decisions on $-effective responses to • Eliminate risks • Mitigate risks

  14. Risk Assessment’s four themes • What assets are we trying to protect? • What are we trying to prevent? • What are the company’s legal liabilities? • What is the cost?

  15. Risk Assessment’s four themes • All 4 themes require analysis prior to creating a security • Asset Protection • What assets must be protected? • What are the costs/legal ramifications if these assets are compromised? • Threat Prevention • What is the organization trying to protect by securing the network? • What kinds of attack, theft or breach of security are likely?

  16. Risk Assessment’s four themes • Legal Liabilities • What is an organization legally responsible for if the network is compromised or used to negatively impact another organization? • What legal protection does a company have? • Can the organization lose privileges (Internet service) due to abuse by intruders (spam)? • Costs • What are the costs associated with securing the wireless network? • Are security costs worth the investment, considering the risks, in implementing a WLAN? • If the network is compromised, what could the potential costs be? • How does the potential cost of infiltration and compromise weigh against the costs associated with securing the network? • May be external or internal auditors

  17. Asset Protection • Whether they know it or not - all organizations have data worth protecting • Must educate and enlighten management • What we are trying to protect are: • Sensitive Data • Network Services

  18. Sensitive Data • means different things to different organizations • Determine what is important to protect - at all levels • security professional must work with management to • Ensure appropriate data is being protected • what degree of protection is required

  19. Sensitive Data • Types of sensitive data • Intellectual property • Trade secrets • Formulas • Customer Data • Identity information • credit card information • health information

  20. Network Services • undermined network availability • critical network services include: • Email • file services • database services • directory services • Internet connectivity • web-based applications • virus/intrusion detection • custom applications

  21. Threat Prevention • when using WLANs, need to consider many threats • Consider probability of threat • Process • Types of attacks

  22. Process • identify vulnerabilities • assess likelihood of compromise • determine • How to proceed • How much to spend • Where to spend it

  23. Types of attacks ( What we are trying to prevent ) • Denial of Service (DoS) • RF Jamming • Packet Flooding • Equipment Damage, Theft, or Replacement • DEFENSE: Prioritized($) asset protection • Unauthorized Access • Access Point can be configured numerous ways • DEFENSE: • Credit Card Fraud • Organizations may protect from Internet-based attacks, but forget about local hackers • DEFENSE: Encryption

  24. Types of attacks ( What we are trying to prevent ) • Identity Theft • Information stored includes: • DEFENSE: Encryption, VLANs • Corporate Secrets • Personal Information Exposure • Malicious Data Insertion • Viruses • Invalid data • Illegal/ unethical content

  25. Legal Liabilities • Third Party Attacks • Organization's network used for third party attack (e.g. SPAM) • Result • Loss of access • Legal Liability • Other • Illegal Data Insertion • Pirated software • web-site defacement

  26. Costs • People • Employees or Contractors • Consultants - expensive, but may be worth the $ • Training • For: • End users • Administrators • Physical security personnel • Network security personnel • Management • Installation and configuration • Network Operations Training • End-user Training

  27. Costs • Equipment • Time

  28. Impact Analysis • An Impact Analysis identifies the degree of potential loss that could occur if an attack occurs. The risks include: • Risk to wired network from wireless LAN segment • Risk of using wireless public access networks • Legal Implications of a successful intrusion

  29. Must ask the following question: • If a malicious hacker were to gain access to the most precious asset of a company, what would be the damage to the company? • Worst case scenario

  30. Must: • Identify threats • Measure impact • Direct financial terms • e.g. Lost sales due to outages • Indirect financial terms • e.g. Reputation • Regulatory • Loss of customer confidence • Exposure / exploitation of private information • Consider: • Scenario • Intent of hacker • Organizational response • Value of Assets

  31. Legal Implications • To truly understand the impact of information theft or the insertion of malicious information consider, • Dollar Amount • Legal liabilities

  32. Security Auditing • Need to conduct periodic security reviews / audits • Modifications or additions to the network might create new security holes • Independent Testing • Sources of Information

  33. Need to conduct periodic security reviews / audits • Low risk - once per year • Larger network/ sensitive data - quarterly or more

  34. Independent Testing • May want to use consultants for: • Design • After installation • Fresh perspective • Role • Use only as necessary - keep to a minimum • aid in design • locate weaknesses in existing security solutions • aid in network redesign

  35. Sources of Information • Hackers • May not be malicious • May report vulnerability to the organization • Advice • Acknowledge their help • Fix the problem