NEW TECHNOLOGIES, NEW VULNERABILITIES
Only a few years ago, e-mail, the Internet, and wireless networks were emerging technologies. Now, e-mail has branched out in directions ranging from instant messaging (IM) to spam. The Internet is a pipeline not just for data, but for phone calls and even video surveillance. Yet with technological progress come new threats.
Making wireless more secure
What are some of the most dangerous security threats, and what kinds of technologies are information security (IS) professionals using to deal with them?
On the wireless side, 802.11 WiFi has taken the place of old-fashioned wired local area networks (LANs). Mobile phones are used extensively for long-range voice communications, and on a more limited basis, for e-mail and Web browsing. At very close range, technologies such as infared (IR) and Bluetooth allow devices such as PCs, phones and PDAs (personal digital assistants) to share files and communicate.
Unfortunately, WiFi constitutes one of the biggest wireless security threats, experts say. The main problem? Methods of encrypting, or scrambling, wireless data have not come up to snuff, making it far too easy for wireless hackers to tap into a network.
On the other hand, the earlier encryption method, known as wireless encryption protocol (WEP), is starting to be replaced by more secure technologies, embodied in an emerging standard called wireless protocol access (WPA).
“With WEP, you have a very hackable network. WPA, though, goes a long way toward solving these issues,” maintains Brian Jenkins, vice president at AirFlow Networks.
Government agencies have a lot to lose if their communications systems are compromised. Some agencies ban wireless LANs entirely.
However, wireless LANs also have characteristics that can be particularly useful to some agencies. “Many agencies are housed in old historic buildings, where it can be costly or even impossible to install new wiring to expand or upgrade a network,” says Adam Lukaszuk, senior technical consultant for security solution provider Edgetech Services.
Information security professionals often use software known as “packet sniffers” to detect unauthorized wireless LANs.
Legislative initiatives to combat spam have gained wide attention. Not nearly as well known, except among information security specialists, are the many different technologies now emerging to stifle this electronic nightmare.
In a report issued last year, the industry research firm GartnerGroup reviewed 11 anti-spam technologies, and discovered that five shipped credible versions for the first time in 2002. Gartner found another 14 products to be too new, untried or incomplete to review at that time.
The main idea is to separate, or “quarantine,” the spam from the “good” e-mail. Instead of automatically assigning mail to a “black” or “white” folder, however, some of the newer technologies send suspicious e-mail to a “gray” folder, so individuals can inspect messages to determine whether the e-mails are actually unwanted before the messages are gone forever. Rather than being sold as software products, some of the newer anti-spam offerings are operated as subscription-based services.
All too often, spam messages contain computer viruses or other malicious software code, notes Bob Johnson, COO of SecureWave. Viruses can also be picked up by opening other sorts of e-mail, or simply by browsing the Web.
“The viruses keep getting bigger, stronger, and more capable. They can lurk hidden inside your computer, learn about your network, and morph into new threats,” Lukaszuk says.
Traditionally, experts have advised the use of anti-virus software products on all computers throughout a network. But even that may not be enough. For one thing, the authors of these bugs are working fast and furiously on new viruses.
Another reason is that anti-virus products do not necessarily fully address other sorts of malicious software — a.k.a. “malware” — such as Java applets, ActiveX controls, and spyware. In response, some software vendors, such as Hewlett-Packard and SecureWave, have created software that works either by detecting any changes to an existing software setup, or even by preventing such changes from being made.
The Federal Aviation Administration (FAA) and State Department are two federal agencies that use SecureWave’s products.
“The FAA has many dispersed computer servers throughout the United States. They are deploying our software to protect against malware. The U.S. State Department, on the other hand, uses the product mostly to guard against loss of data,” Johnson says.
IM is another technology that is getting a grip on some government agencies. IM really comes in two flavors: enterprise software, and consumer implementations from companies like AOL and Yahoo.
In 2002, the Federal Emergency Management Agency (FEMA) and the Department of Homeland Security (DHS) launched an IM service for first responders throughout the country. Other agencies that have already acknowledged formal IM deployments include the U.S. Army, Navy and Air Force.
Yet informal on-the-job use of consumer IM packages is hardly unknown in either government or business. There have been problems with the consumer products, as many of them lack IS administrative tools or encryption.
“But IM is so quick and convenient that it’s really hard to get employees to give up the technology, once they have discovered it,” contends Chris Lutz, president and CEO of Mediachase.
Meanwhile, IM software makers are starting to take security quite seriously. New products have been introduced specifically for enterprise instant messaging (EIM), including Bantu, Sprint, Microsoft, Sun, IBM’s Lotus, and both AOL and Yahoo.
Other vendors are integrating EIM with other technologies. Mediachase, for example, uses secure IM as part of its program management software, according to Lutz. Government customers include the U.S. Postal Service.
Voice and video over IP
Today, IP transmission technology is used not just on the Internet, but also on organizations’ private intranets and wireless networks.
“The main benefit of voice-over-IP is that you no longer need to use voice over separate phone or cable lines. You can also eliminate the need for a PBX (private branch exchange) machine in your office,” Lukaszuk says.
Organizations that run video-over-IP — whether for physical surveillance or other purposes — can also enjoy large cost savings. Yet unless properly protected, video-over-IP can bring the same sorts of security risks already rampant in Internet data transmissions.
The same holds true for voice-over-IP. “Just as raw data can be intercepted and manipulated, so, too can voice and video,” Lukaszuk says.
But some companies are starting to roll out software specifically designed to protect voice- or video-over-IP. On WiFi networks, AirFlow’s software, for example, guards both voice and data by using a special hardware encryption technology, according to Jenkins.
AirFlow then takes additional steps to deal with issues particularly related to wireless voice-over-IP. For instance, for security purposes, wireless devices on large wireless LANs typically need to reauthenticate — or prove that “they are who they say they are” — as they move along from one part of the building and grounds to another, Jenkins says.
Such an interruption could be especially annoying if one were disconnected while talking on the phone. Consequently, the AirFlow system eliminates the need to reauthenticate. “We tie everything together into one collective system, so that you only need to authenticate once, at the beginning of the call,” he says.