1 / 35


NETW 05A: APPLIED WIRELESS SECURITY General Policy. By Mohammad Shanehsaz. General Topics . Objectives Getting Started Risk Assessment Impact Analysis Security Auditing. Objectives. Explain necessary items to include in the creation and maintenance of a WLAN security checklist

Download Presentation


An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.


Presentation Transcript

  1. NETW 05A: APPLIED WIRELESS SECURITY General Policy By Mohammad Shanehsaz

  2. General Topics • Objectives • Getting Started • Risk Assessment • Impact Analysis • Security Auditing

  3. Objectives • Explain necessary items to include in the creation and maintenance of a WLAN security checklist • Describe and recognize the important of asset management and inventory procedures for WLANs

  4. Objectives • Explain the importance of including WLANs in existing change management programs • Explain the purpose and goals of the following WLAN security policies: • Password policy • User training • On-going review (auditing) • Acceptable use and abuse policy • Consistent implementation procedure • Centralized implementation and management guidelines and procedures

  5. Objectives • Locate and identify WLANs within and around a facility • Explain the assets to be protected through securing a WLAN • Explain and demonstrate the inherent weaknesses in WLAN security • Given a WLAN attack scenario, explain and respond to the attack • Given a WLAN configuration, explain and implement all the necessary steps for securing the WLAN

  6. Objectives • Perform an impact analysis for a series of WLAN attack scenarios which may include the following methods of attack • Analysis, spoofing and information theft • Denial of Service • Malicious code or file insertion • Target profiling • Peer-to-peer hacking • Physical security • Social engineering • WLAN hacking hardware and software

  7. Objectives • Summarize risks to wired networks from wireless networks • Summarize the security policy related to wireless public-access network use

  8. Wireless LAN security policy • Wireless LAN security policy falls into two categories: • General policy ( Items that do not fall into specific technical category e.g. corporate networking ) • Functional policy

  9. Categories of General Policy • Getting Started • Risk Assessment • Impact Analysis • Security Auditing

  10. Getting Started • Obtain organizational sponsorship! • CEO or CIO • Wireless implementation must be part of a security plan addressing: • Resources • control access • prevent unauthorized users • limit consumption of wireless network resources (e.g. bandwidth) • Privacy • control access • prevent unauthorized users • protect confidential or sensitive death • Intrusion • monitor the environment • allows detection of unauthorized access or activities • respond with appropriate security measures

  11. Getting Started • Include input from: • End users • Network operations team • Financial people • Management • Independent/ external auditor • Among the key decisions: • What items will the policy cover? • How will the policy be enforced? • How will the policy be implemented? • How user-friendly should the policy be?

  12. Getting Started • General templates on corporate security policy can be found at : http://www.sans.org/resources/policies/ • Your textbook has included a wireless LAN security policy template in Appendix A

  13. Risk Assessment • Examine each possible scenario which may lead to loss of $ due to negative events • Rank predicted losses (level of severity) • For each scenario make decisions on $-effective responses to • Eliminate risks • Mitigate risks

  14. Risk Assessment’s four themes • What assets are we trying to protect ? • What are we trying to prevent ? • What is company’s legal liabilities? • What is the cost ?

  15. Risk Assessment’s four themes • All 4 themes require analysis prior to creating a security • Asset Protection • What assets must be protected? • What are the costs/legal ramifications if these asset are compromised? • Threat Prevention • What is the organization trying to protect by securing the network? • What kinds of attack, theft or breach of security are likely?

  16. Risk Assessment’s four themes • Legal Liabilities • What is an organization legally responsible for if the network is compromised or used to negatively impact another organization? • What legal protection does a company have? • Can the organization lose privileges (Internet service) due to abuse by intruders (spam)? • Costs • What are the costs associated with securing the wireless network? • Are security costs worth the investment, considering the risks, in implementing a WLAN? • If the network is compromised, what could the potential costs be? • How does the potential cost of infiltration and compromise weigh against the costs associated with securing the network? • May be external or internal auditors

  17. Asset Protection • Whether they know it or not - all organizations have data worth protecting • Must educate and enlighten management • What we are trying to protect are: • Sensitive Data • Network Services

  18. Sensitive Data • means different things to different organizations • Determine what is important to protect - at all levels • security professional must work with management to • Ensure appropriate data is being protected • what degree of protection is required

  19. Sensitive Data • Types of sensitive data • Intellectual property • Trade secrets • Formulas • Customer Data • Identity information • credit card information • health information

  20. Network Services • undermined network availability • critical network services include: • Email • file services • database services • directory services • Internet connectivity • web-based applications • virus/intrusion detection • custom applications

  21. Threat Prevention • when using WLANs, need to consider many threats • Consider probability of threat • Process • Types of attacks

  22. Process • identify vulnerabilities • asses likelihood of compromise • determine • How to proceed • How much to spend • Where to spend it

  23. Types of attacks ( What we are trying to prevent ) • Denial of Service (DoS) • RF Jamming • Packet Flooding • Equipment Damage, Theft, or Replacement • DEFENSE: Prioritized($) asset protection • Unauthorized Access • Access Point can be configured numerous ways • DEFENSE: • Credit Card Fraud • Organizations may protect from Internet-based attacks, but forget about local hackers • DEFENSE: Encryption

  24. Types of attacks ( What we are trying to prevent ) • Identity Theft • Information stored includes: • DEFENSE: Encryption, VLANs • Corporate Secrets • Personal Information Exposure • Malicious Data Insertion • Viruses • Invalid data • Illegal/ unethical content

  25. Legal Liabilities • Third Party Attacks • Organizations network used for third party attack (e.g. SPAM) • Result • Loss of access • Legal Liability • Other • Illegal Data Insertion • Pirated software • web-site defacement

  26. Costs • People • Employees or Contractors • Consultants - expensive, but may be worth the $ • Training • For: • End users • Administrators • Physical security personnel • Network security personnel • Management • Installation and configuration • Network Operations Training • End-user Training

  27. Costs • Equipment • Time

  28. Impact Analysis • An Impact Analysis identifies the degree of potential loss that could occur if an attack occurs, the risk includes: • Risk to wired network from wireless LAN segment • Risk of using wireless public access networks • Legal Implications of a successful intrusion

  29. Must ask the following question: • If a malicious hacker were to gain access to the most precious asset of a company, what would be the damage to the company? • Worst case scenario

  30. Must: • Identify threats • Measure impact • Direct financial terms • e.g. Lost sales due to outages • Indirect financial terms • e.g. Reputation • Regulatory • Loss of customer confidence • Exposure / exploitation of private information • Consider: • Scenario • Intent of hacker • Organizational response • Value of Assets

  31. Legal Implications • To truly understand the impact of information theft or the insertion of malicious information consider, • Dollar Amount • Legal liabilities

  32. Security Auditing • Need to conduct periodic security reviews / audits • Modifications or additions to the network might create new security holes • Independent Testing • Sources of Information

  33. Need to conduct periodic security reviews / audits • Low risk - once per year • Larger network/ sensitive data - quarterly or more

  34. Independent Testing • May want to use consultants for: • Design • After installation • Fresh perspective • Role • Use only as necessary - keep to a minimum • aid in design • locate weaknesses in existing security solutions • aid in network redesign

  35. Sources of Information • Hackers • May not be malicious • May report vulnerability to the organization • Advice • Acknowledge their help • Fix the problem

More Related