Literature review old 2
Table of Contents

TABLE OF FIGURES ..... 3
LIST OF TABLES ..... 4
1.1 BACKGROUND ..... 5
1.2 PURPOSE OF THE STUDY ..... 7
1.3 IMPORTANCE OF THE STUDY ..... 8
1.3.1 STATEMENT OF THE PROBLEM ..... 8
1.3.2 RESEARCH QUESTIONS ..... 9
1.4 RESEARCH HYPOTHESES ..... 9
1.5 RESEARCH METHODOLOGY ..... 10
1.6 LIMITATIONS ..... 11
1.7 OVERVIEW OF THE PAPER ..... 11
2.1.0 INTRODUCTION ..... 13
2.2.0 WIRELESS LAN OVERVIEW ..... 14
2.3.0 CLASSIFICATION OF WIRELESS LAN ..... 15
2.4.0 WIRELESS IN INDIA ..... 16
2.5.0 SECURITY REQUIREMENTS AND THREATS ..... 19
2.5.1 PASSIVE ATTACK ..... 19
2.5.2 ACTIVE ATTACK ..... 20
2.5.3 MALICIOUS WIRELESS SERVICE PROVIDER (WSP) ..... 23
2.6.0 RISK MITIGATION ..... 24
2.7.0 MANAGEMENT COUNTERMEASURES ..... 25
2.8.0 THE ESSENTIAL SECURITY EVALUATION ..... 26
2.9.0 REMEDIAL ACTIONS: LAYERED ARCHITECTURE ..... 27
2.9.1 FIREWALL ..... 27
2.9.2 INTRUSION DETECTION SYSTEM (IDS) ..... 28
2.9.2.1 Limitations of SBID ..... 30
2.9.3 HONEYPOTS ..... 31
2.9.3.1 Limitations of Honeypot ..... 33
2.9.4 WEP (WIRED EQUIVALENT PRIVACY) AND WPA (WI-FI PROTECTED ACCESS) ..... 33
2.9.4.1 Advantages of WPA ..... 35
2.9.4.2 Disadvantages of WPA ..... 35
2.9.5 VIRTUAL PRIVATE NETWORK (VPN) ..... 37
2.10.0 THE COST OF DATA BREACHES: LOOKING AT THE HARD NUMBERS ..... 38
2.10.1 TANGIBLE COSTS ..... 38
2.10.2 REGULATIONS AND LOST EMPLOYEE PRODUCTIVITY ..... 39
2.10.3 STOCK PRICE ..... 39
2.10.4 OPPORTUNITY COST ..... 39
2.10.5 REGULATORY REQUIREMENTS AND FINES ..... 40
2.10.6 BOTTOM LINE ..... 40
2.11.0 THE SCENARIO IN INDIA ..... 42
2.12.0 SECURITY PROTECTIONS FOR ORGANIZATION ..... 43
2.13.0 SUMMARY ..... 44
3.1 INTRODUCTION ..... 45
3.3 DATA COLLECTION / COLLECTED ..... 46
3.4 LOCATION OF THE DATA ..... 49
3.6 METHOD OF INQUIRY ..... 49
3.7 ANALYSIS TO BE PERFORMED ON THE DATA ..... 50
3.8 SUMMARY ..... 50
REFERENCES ..... 51
GLOSSARY OF TERMS ..... 54
TABLE OF FIGURES

FIGURE 1 - WIRELESS TECHNOLOGY IN USE ..... 14
FIGURE 2 - TYPES OF WIRELESS CONNECTION ..... 14
FIGURE 3 - TAXONOMY OF SECURITY ATTACKS ..... 19
FIGURE 5 - MESSAGE MODIFICATION ATTACK ..... 21
FIGURE 6 - DENIAL OF SERVICE ATTACK ..... 21
FIGURE 7 - MAN IN THE MIDDLE ATTACK ..... 22
FIGURE 8 - FIREWALL ..... 27
FIGURE 9 - INTRUSION DETECTION SYSTEM ..... 28
FIGURE 11 - HONEYPOTS ..... 31
FIGURE 12 - MAC LAYER ..... 34
FIGURE 13 - VPN ..... 37
FIGURE 14 - SELECTION OF DATA COLLECTION METHOD ..... 47
List of Tables

Table 1 ..... 16
Table 2 ..... 23
Table 3 ..... 36
Table 4 ..... 40
Table 5 ..... 41
Table 6 ..... 42
Table 7 ..... 44
CHAPTER 1 INTRODUCTION
1.1 Background

Information is one of the key assets of any business. Information is essential to
an organization’s business and consequently needs to be suitably protected. This
is especially important in the increasingly interconnected business environment.
As a result of this increasing interconnectivity, information is now exposed to a
growing number and a wider variety of threats and vulnerabilities.
Information can exist in many forms. It can be printed or written on paper, stored
electronically, and transmitted by post or by using electronic means. Whatever
form the information takes, or medium by which it is shared or stored, it should
always be appropriately protected.
Information security is achieved by implementing a suitable set of controls,
including policies, processes, procedures, organizational structures and software
and hardware functions.
Information theft has become a concern due to the increase in usage of wireless
communication. Wireless communications offer organizations and users many
benefits such as portability and flexibility, increased productivity, and lower
installation costs. Wireless local area network (WLAN) devices allow users to
move their laptops from place to place within their offices without the need for
wires and without losing network connectivity. Risks are inherent in any wireless
technology. Some of these risks are similar to those of wired networks; some are
exacerbated by wireless connectivity; some are new. Perhaps the most
significant source of risk in wireless networks is that the technology’s underlying
communications medium, the airwave, is open to intruders, making it the logical
equivalent of an Ethernet port in the parking lot.
The loss of privacy and integrity and the threat of denial of service (DoS) attacks
are risks typically associated with wireless communications. Unauthorized users
may gain access to organization systems and information, alter the
organization’s data, consume network bandwidth, degrade network performance,
and launch attacks that prevent authorized users from accessing the network, or
use organization resources to launch attacks on other networks.
All the vulnerabilities that exist in a conventional wired network apply to wireless
technologies.
• Malicious entities may gain unauthorized access to an organization’s
computer network through wireless connections, bypassing any firewall
protections.
• Sensitive information that is not encrypted and that is transmitted between
two wireless devices may be intercepted and compromised.
• DoS attacks may be directed at wireless connections or devices.
• Malicious entities may steal the identity of legitimate users and
impersonate them on internal or external corporate networks.
• Sensitive data may be corrupted during improper synchronization.
• Malicious entities may be able to violate the confidentiality of legitimate
users and be able to track their movements.
• Malicious entities may deploy unauthorized equipment (e.g., client devices
and access points) to surreptitiously gain access to sensitive information.
• Viruses or other malicious code may corrupt data on a wireless device and
subsequently be introduced to a wired network connection.
• Malicious entities may, through wireless connections, connect to other
agencies or organizations for the purposes of launching attacks and
concealing their activities.
• Interlopers, from inside or out, may be able to gain connectivity to network
management controls and thereby disable or disrupt operations.
• Malicious entities may use third-party, untrusted wireless network services
to gain access to an organization’s or other organization’s network
resources.
1.2 Purpose of the study
There are still many issues that hamper the enterprise use of wireless
technologies, such as security, appropriate applications, connection
stability and transmission capacity. A study by Internet Security Systems (ISS)
identified the following security problems related to WLAN implementations:
• Insertion attacks
• Interception and unauthorized monitoring of wireless traffic
• Jamming (DoS)
• Client-to-client attacks
• Brute force attacks against access point passwords
• Encryption attacks
WLAN implementation is made even more complex by the known breaches of
existing and commonly used wireless security protocols.
The purpose of this study is to understand current business practices with
respect to WLAN deployment and security management. It is expected that the
conclusions drawn in this study can help us understand how wireless networks
are being deployed, managed and used, and in what areas, and at the same time
offer perspectives that will help the design and development of wireless networks.
1.3 Importance of the Study
The number and nature of threats is increasing at a faster pace than organizations'
ability to evade them. This is primarily driven by the endemic imperfections in
wireless technology, the continuous emergence of devices with ever more
technical wizardry and their increasing affordability. All of these factors are just
what the doctor ordered for people itching to exploit those flaws. Wireless
is the best example of the latest communications technologies. Though it offers
the advantage of accessing information remotely, it also has its share of
danger, with hackers waiting to intercept the data and use it for their own
nefarious designs. Organizations have to be always ready with security plans
for emerging technologies, and that is a very demanding task.
1.3.1 Statement of the Problem
Based on the problem definition, the objectives of the research will be:
• To identify and examine the current IS landscape pertaining to Wireless
networks prevailing in various organizations.
• To identify the information risks and security concerns threatening
organizations.
• To determine the cost of ISRMS implementation pertaining to wireless
networks.
1.3.2 Research questions
• What are the information security risks in using a wireless network?
• What would be the ideal characteristics of Information security
management system to manage wireless network?
• What functions must ISRMS fulfill to support users?
• What will be the cost of ISRMS implementation?
1.4 Research hypotheses
The following hypotheses have been developed based on above discussions:
• H1: IT-related businesses are more likely to have wireless networks
than other types of businesses.
• H1a: Financial Services would be least likely to implement wireless
network.
• H2: The main concern in deploying wireless networks would be
security concerns.
• H2a: Those wireless networks that have AP self-broadcasting feature
enabled would be less likely to have encryption implemented.
• H3: An important consideration in enterprise use of wireless networks
is whether the wireless network is used for business or for non-
business activities.
• H3a: Many companies will prefer to deploy a wireless network for non-
critical or non business applications.
• H4: If an organization wants to restrict network access, it would be
more likely to have one or more authentication methods implemented.
• H5: If a business was monitoring its wireless usage, it would be more
likely to track the wireless users.
• H5a: A wireless network should have security equivalent to wired
networks to be considered for critical business applications.
1.5 Research methodology
The method of inquiry involved both primary and secondary data collection.
A questionnaire was prepared taking into account the need for qualitative as
well as quantitative analysis. Primary data collection was done by inviting
responses to the questionnaire from IS officers/IT officers,
Certified Information Systems Auditors, Certified Information Systems Managers,
compliance officers, etc., with a minimum of 1-3 years of experience in the ‘IS
Risk Management’ field. Secondary data was gathered from various published
sources, authentic journals, past research papers, newspapers, magazines and
articles.
1.6 Limitations

• The findings are based entirely upon research conducted in India and
hence may not be applicable to other countries of the world on account of
technological diversity and contextual forces.
• This kind of research needs to be done periodically to gauge the
adequacy of the wireless security risk management program designed in
a sensitive organization such as a bank, due to constantly changing
technology and its vulnerabilities.
• The research may not be able to provide exact financial figures or the
financial impact of the occurrence of IS threats and the risk that
follows, because of the reputation risk involved. Respondents
might not provide complete or authentic information
regarding the questions posed in the survey.
1.7 Overview of the Paper

An introduction to the topic of research “IS Risk Management in wireless
network” is provided in Chapter 1. The introduction focuses on aspects such as:
• Background of the Research Study,
• Purpose and Importance of the Study,
• Problem Statement,
• Research Questions With Certain Assumptions,
• Research Methodology.
It also throws light on the limitations of the study research.
In the Literature Review, the research provides a close look and feel of the
similar incidents in the past and in the present amongst various organizations
across the country and the globe. The basic intention of this academic report is to
spread awareness regarding Wireless Threats and the Risk which follows them.
The researcher has tried to collect several examples from within the country and
across the globe which are on similar lines.
Chapter 1 also highlights the method of inquiry and the method of
analysis applied once the data is collected.
Chapter 3 is dedicated to the methodology of the research. It points to the
sources of the data and information collection through surveys, questionnaires,
personal interviews, authentic articles on the web, magazines, etc. This chapter
re-visits the research questions, research hypotheses, etc. mentioned in Chapter
1.
CHAPTER 2
Literature Review
2.1.0 Introduction

This chapter provides further insights regarding the history of wireless
security. The focus would be at the emerging trends in use of Wireless and
changes made to secure the Wireless network. The chapter also defines the
scope of Information Security in Wireless Network.
The literature review shows how IS and risk management apply to
organizations using wireless networks, and why it is essential to take
responsibility for subduing the threats that cause financial losses to the business
sector. To achieve this it becomes even more important to
understand what kinds of attacks are possible and the manner in which they
should be dealt with. Owing to constraints of scope, this academic
research is unable to throw light on all the threats or mention the remedies for
them. Even so, a wide range of threats has been mentioned, with some
actual facts.
The literature also covers an earlier research conducted in India with the
objective to understand the state of adoption of Wireless among enterprise users.
India is growing as a world-class manufacturing hub, geared to produce for both
local and global markets. Shop-floor automation and work-flow, inventory and
material handling are expected to be fully automated with computer controlled
special purpose machines and enterprise Wireless networks managing
production schedules and assembly lines. Experts expect that these facilities will
become a major driver for enterprise applications including Wireless networks on
and off the shop-floor, in the campus and across the offices.
2.2.0 Wireless LAN Overview
Wireless technology and the wireless industry date back to the mid-1980s,
when the Federal Communications Commission of the U.S. (FCC) first made
unlicensed RF spectrum available to industry. During the 1980s and early 1990s, growth
was relatively slow. Today, however, wireless technology is experiencing
tremendous growth. The key reason for this growth is the increased bandwidth
and interoperability made possible by the IEEE 802.11 standard.
Figure 1-Wireless Technology in use
Figure 2 – Types of Wireless connection
2.3.0 Classification of Wireless LAN (4)
In wireless LANs with infrastructure, there is a high-speed wired or wireless
backbone. Wireless nodes access the wired backbone through access points.
These access points allow the wireless nodes to share the available network
resources efficiently. Prior to communicating data, wireless clients and access
points must establish a relationship, or an association. Only after an association
is established can the two wireless stations exchange data.
Issues with wireless LANs: Since wireless devices need to be small and wireless
networks are bandwidth-limited, some of the key challenges in wireless
networks are:
a. Data Rate Enhancements: Improving the current data rates to support future
high speed applications is essential, especially, if multimedia (voice and video)
service are to be provided.
b. Low power networking: The complexity and the power consumption of wireless
devices vary significantly depending on the kind of wireless spectrum technology
being used to implement the wireless.
c. Security: Security is a big concern in wireless networking, especially in m-commerce and e-
commerce applications. Mobility of users increases the security concerns in a
wireless network. Current wireless networks employ authentication and data
encryption techniques on the air interface to provide security to their users. The
IEEE 802.11 standard describes Wired Equivalent Privacy (WEP), which defines a
method to authenticate users and encrypt data between the PC card and the
wireless LAN access point. WEP's design has since been shown to be weak: each
frame is encrypted with RC4 under a static shared key combined with a short
(24-bit) initialisation vector sent in the clear, so keystreams repeat and passively
collected traffic can be decrypted without knowledge of the key.
In large enterprises, an IP network level security
solution could ensure that the corporate network and proprietary data are safe.
A virtual private network (VPN) is an option to make access to fixed access
networks reliable. Since hackers are getting smarter, it is imperative that wireless
security features be updated constantly.
d. Radio Signal Interference: Interference can take on an inward or outward
direction. A radio-based LAN, for example, can experience inward interference
either from the harmonics of transmitting systems or from other products using
similar radio frequencies in the local area. Microwave ovens operate in the S
band (2.4GHz) that many wireless LANs use to transmit and receive. These
signals result in delays to the user by either blocking transmissions from stations
on the LAN or causing bit errors to occur in data being sent. Newer products that
utilize Bluetooth radio technology also operate in the 2.4GHz band and can
cause interference with wireless LANs, especially in fringe areas not well covered
by a particular wireless LAN access point. The other issue is the outward
interference, with wireless network’s disrupting other systems, such as adjacent
wireless LANs and navigation equipment on aircraft.
e. System Interoperability: With wireless LANs, interoperability is taken as a
serious issue. There are still pre-802.11 (proprietary) wireless LANs, both
frequency-hopping and direct sequence 802.11 versions, and vendor-specific
enhancements to 802.11- compliant products that make interoperability
questionable. To ensure interoperability with wireless LANs, it is best to
implement radio cards and access points from the same vendor, if possible.
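The WEP weakness noted under item (c) above, as an added example written for this review (not code from the paper or from any cited source): a textbook RC4, a WEP-style frame encryptor with the CRC-32 ICV omitted, and the attacker's step. The shared key, IVs and frame contents are constructed. Two frames that carry the same IV share a keystream, so XORing their ciphertexts cancels it, and knowing one plaintext (a predictable protocol header, say) yields the other plaintext without the key; a birthday-bound estimate of how many frames it takes for a 24-bit IV to repeat is included.

```python
"""Added example (not from the paper): WEP-style RC4 keystream reuse.

WEP keys each frame's RC4 stream with IV || shared_key and sends the 24-bit IV in
the clear. If two frames under the same shared key carry the same IV they share a
keystream, and C1 XOR C2 = P1 XOR P2 regardless of the key. The RC4 below is a
textbook implementation written for this example; the key, IVs and frame
contents are constructed, and the CRC-32 ICV that real WEP appends is omitted
because it does not change the argument.
"""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation algorithm
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: cleartext 3-byte IV, then plaintext XOR RC4(IV || key)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def recover_with_known_plaintext(frame1: bytes, frame2: bytes, known_p1: bytes):
    """Attacker step: given two frames with the same IV and the plaintext of the
    first (e.g. a predictable header), recover the second plaintext without the key.
    Returns None when the IVs differ, because then no keystream is shared."""
    iv1, c1 = frame1[:3], frame1[3:]
    iv2, c2 = frame2[:3], frame2[3:]
    if iv1 != iv2:
        return None
    n = min(len(c1), len(c2), len(known_p1))
    # (P1 ^ K) ^ (P2 ^ K) ^ P1 == P2
    return xor_bytes(xor_bytes(c1[:n], c2[:n]), known_p1[:n])


def expected_frames_to_iv_collision(iv_bits: int = 24) -> float:
    """Birthday-bound estimate of frames sent before some IV repeats, assuming
    IVs are chosen uniformly at random: sqrt(pi/2 * 2**iv_bits)."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def demo():
    """Constructed traffic: one 104-bit shared key, two frames with a reused IV,
    and a third frame with a fresh IV to show the attack does not apply there."""
    shared_key = b"secretkey1234"                        # constructed 13-byte (WEP-104) key
    p1 = b"GET /index.html HTTP/1.0"                     # predictable plaintext the attacker guesses
    p2 = b"POST /login user=bob&pw="                     # secret plaintext the attacker wants
    f1 = wep_encrypt(shared_key, b"\x01\x02\x03", p1)
    f2 = wep_encrypt(shared_key, b"\x01\x02\x03", p2)  # same IV: keystream reused
    f3 = wep_encrypt(shared_key, b"\x01\x02\x04", p2)  # fresh IV: no reuse
    return (recover_with_known_plaintext(f1, f2, p1),
            recover_with_known_plaintext(f1, f3, p1))


if __name__ == "__main__":
    recovered, not_recovered = demo()
    print("recovered P2 from reused IV:", recovered)
    print("result with a fresh IV:", not_recovered)
    print("frames until an IV repeats (about 50% chance):",
          round(expected_frames_to_iv_collision()))
```

The estimate (roughly 5,100 frames for a 50% chance of a repeat) assumes random IVs; some cards of the period reset the IV to zero on power-up and counted upwards, which makes collisions between stations far more frequent than the estimate suggests.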
2.4.0 Wireless in India

Table 1 - Tribune News Service (1)
(1) http://www.tribuneindia.com/2005/20050216/cth1.htm (accessed 14-Dec-07)
Mohali, February 15 2005.
Anti-virus software developers might never be able to catch up with hackers. You
have secured your computer from information theft and criminal hacking but in
the end it just might be your mobile phone that lets you down.
A new breed of criminal hackers called the "war drivers" is becoming a serious
threat to wireless network users.
"Anyone with a notebook computer, an inexpensive wireless network card, freely
downloaded software and an antenna made from something as simple as a can
of packed food can hack into wireless networks in homes and companies from
hundreds of feet away," warned Mr Ravinder Singh Zandu, a senior scientist with
the Centre for the Development of Advanced Computing (CDAC), Mohali today.
War driving is more than just a prank that makes your private conversation
public.
"Some intruders seek to access files and damage systems. Most wireless
networks are completely unsecured. The easiest way to avoid mobile telephone
hacking is encryption but manufacturers of wireless devices leave encryption
turned off by default and give no information to the users about wireless
encryption or any other added security measures. This makes it an easy task for
anyone with a wireless setup to find and exploit the connection,” he said.
Talking to a set of IT professionals who had gathered from all over the country to
participate in the skill and technology upgradation seminar held at CDAC today,
Dr Zandu said that for PC users, however, ensuring internet security remained
the biggest challenge. "Most of the hacking server attacks are from dedicated
amateur attackers known as script kiddies, who, without much knowledge, use
tools that are freely available on the internet to probe networks for weaknesses.
These tools scan the internet randomly looking for vulnerable systems, then
exploit any weaknesses they find.
With such tools available, a small anonymous company is potentially as much at
risk as a well-known multinational corporation. Taking sensible precautions in
general, and using up-to-date software in particular, would have easily prevented
the attack," he told The Tribune.
'Live life wirefree', 'productivity with no strings attached'; those were just some of
the taglines pushing the Wireless enterprise LAN a couple of years ago.
However, the fact remains that Wireless deployment in Indian enterprises is still
immature when compared to its counterpart in Europe and U.S.
When examined closely, it can be seen that a majority of organizations that have
Wireless in place belong to the hospitality and travel (airports) verticals. In these
cases, it is a simple case of providing additional value to their clients by providing
Wireless access. "Wireless adoption in India is still at a primary level although
organizations have started adopting wireless technology selectively. Early
adopters are organizations for whom it's business critical to have Wireless, such
as hotels and airports," said Satish Pendse, CIO, Kuoni Travel Group, India.
Apart from these verticals where Wireless is of 'cosmetic appeal' or a factor
providing competitive advantage, Wireless implementations have been need-
specific. For instance, many Indian manufacturers use Wireless on the shop floor
to avoid strewing cabling across the work area while ensuring that users are
mobile. "Wireless solutions are more feasible for organizations where the
network infrastructure is already in place and there is no buffer for extra cabling.
It can also be helpful for the campus LAN kind of environment where line of sight
is not an issue," said Hilal Khan, Manager Information Systems, Honda Siel Cars
India Ltd.
Concerns about security have also hampered widespread wireless adoption.
The first widely deployed 802.11 standard, 802.11b, is better known for its lack of security than
anything else. With 802.11b vulnerabilities emerging every other week,
enterprises have become doubtful about just how secure wireless truly is.
"The key reasons behind organizations not deploying Wireless could be due to
investment in existing infrastructure. Another reason is security concerns, since
the data travels through air and not over wires. This is not a technology problem,
but one of perception," said Shrikant Patil, Director (Solutions), South Asia, Intel.
2.5.0 Security Requirements and Threats (5)

Figure 3 - Taxonomy of Security Attacks (Attack: Passive Attack [Eavesdropping, Traffic Analysis]; Active Attack [Masquerade, Replay, Message Modification, Denial of Service])

Network security attacks are typically divided into passive and active attacks.
These two broad classes are then subdivided into other types of attacks. All are
defined below.

2.5.1 Passive Attack: An attack in which an unauthorized party gains
access to an asset and does not modify its content (i.e., eavesdropping).
Passive attacks can be either eavesdropping or traffic analysis (sometimes
called traffic flow analysis). These two passive attacks are described below.
Because nothing on the medium is changed, the victim has no direct way to
detect them; the only defence is encryption, so that what is overheard is useless.
• Eavesdropping: The attacker monitors transmissions for message
content. An example of this attack is a person listening in to the
transmissions on a LAN between two workstations or tuning into
transmissions between a wireless handset and a base station.
• Traffic analysis: The attacker, in a more subtle way, gains intelligence
by monitoring the transmissions for patterns of communication. A
considerable amount of information is contained in the flow of
messages between communicating parties, even when the content itself is encrypted.

2.5.2 Active Attack: An attack whereby an unauthorized party makes
modifications to a message, data stream, or file. It is possible to detect this type
of attack but it may not be preventable. Active attacks may take the form of one
of four types (or a combination thereof): masquerading, replay, message
modification, and denial-of-service (DoS). These attacks are defined below.
• Masquerading: The attacker impersonates an authorized user and thereby
gains certain unauthorized privileges.
Figure 4 - Masquerading (2)
• Replay: The attacker first monitors transmissions (a passive step) and then
retransmits the captured messages as though they came from the legitimate user.
Recording the traffic is passive; re-injecting it is what makes replay an active attack.
• Message modification: The attacker alters a legitimate message by
deleting, adding to, changing, or reordering it.
Figure 5 - Message Modification Attack (3)
• Denial-of-service: The attacker prevents or prohibits the normal use or
management of communications facilities.
Figure 6 - Denial of Service Attack (4)
• Rogue Access Points: A more sophisticated sniffer can set up a rogue
access point (evil twin) to intercept all data and relay it back and forth to
the legitimate network without the user’s or organization’s knowledge. In this
process, even more data can be extracted from the organization’s network
users. A related “phishing” attack starts with a fake web site that mimics a legitimate site
to capture login credentials. The attacker can also try to force software on
the victim’s PC to re-connect to services that require passwords and extract them
when they are sent.
Figure 7 - Man in the Middle Attack (5)

Figure sources: (2) http://www.smallnetbuilder.com/images_old/myimages/howto/wepcrack_pt1/wepcrack.png (05/01/2008); (3) http://i47.photobucket.com/albums/f185/hinhup/13-10-7.gif (05/01/2008); (4) http://www.ristinet.com/artikel/Keamanan%20WLAN%204.gif (05/01/2008)
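Detection of the active attacks listed above, as an added example not taken from the paper: each frame carries a sequence number and an HMAC-SHA256 tag computed over (sequence number || payload) under a key shared by the two legitimate stations; the key, payloads and attacker frames are constructed. A modified frame and a forged frame both fail the tag check, and the receiver cannot tell which of the two it saw; a replayed frame passes the tag check but fails the sequence check; a jammed frame never arrives, so denial of service shows up only as absence; and eavesdropping leaves nothing at all to check, which is why passive attacks are prevented by encryption rather than detected.

```python
"""Added example (not from the paper): receiver-side detection of active attacks.

Each frame = seq (4 bytes, big-endian) || payload || HMAC-SHA256(key, seq || payload).
Modification and masquerade both fail the tag check; replay passes the tag check
but fails the monotonic sequence check. Key, payloads and attacker frames are
constructed for the example.
"""
import hashlib
import hmac
import struct

SEQ_LEN = 4    # bytes, big-endian unsigned sequence number
TAG_LEN = 32   # bytes, SHA-256 output


def make_frame(key: bytes, seq: int, payload: bytes) -> bytes:
    body = struct.pack(">I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Accepts frames in order; rejects tampered, forged and replayed frames."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, frame: bytes) -> str:
        if len(frame) < SEQ_LEN + TAG_LEN:
            return "malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time compare. A tag mismatch covers both message modification
        # and masquerade (a forger without the key cannot produce a valid tag);
        # the receiver cannot distinguish the two cases.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag (modified or forged)"
        seq = struct.unpack(">I", body[:SEQ_LEN])[0]
        if seq <= self.last_seq:            # already seen: a replayed frame
            return "rejected: replay"
        self.last_seq = seq
        return "accepted"


def demo() -> list:
    """Run one legitimate, one modified, one replayed, one forged and one further
    legitimate frame through a receiver and return the verdicts in order."""
    key = b"constructed-shared-key"          # shared by the two legitimate stations
    attacker_key = b"attacker-guess"         # the attacker does not know the real key
    rx = Receiver(key)
    results = []

    payload = b"transfer 100 to acct 42"
    legit = make_frame(key, 1, payload)
    results.append(rx.accept(legit))                         # accepted

    tampered = bytearray(legit)                              # message modification:
    tampered[SEQ_LEN + payload.index(b"100")] ^= 0x01        # "100" becomes "000"
    results.append(rx.accept(bytes(tampered)))               # rejected: bad tag

    results.append(rx.accept(legit))                         # replay of seq 1: rejected

    forged = make_frame(attacker_key, 2, b"transfer 100 to acct 99")  # masquerade
    results.append(rx.accept(forged))                        # rejected: bad tag

    results.append(rx.accept(make_frame(key, 2, b"ack")))    # accepted
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Real protocols add a replay window rather than a strict "greater than last" rule so that frames reordered in flight are not dropped; the strict rule is used here to keep the detection logic visible.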
Table 2 - Report: "Sidejacking" session information over WiFi easy as pie (6)
Users may think that their personal data is safe when they use a secure login
page online, but that's quite far from the truth. In fact, everything from the
contents of your e-mail, who your friends and acquaintances are, and almost
anything else you can think of could be easily exposed by hackers if browsed via
WiFi network, security firm Errata Security pointed out in a recent paper
presented at this year's Black Hat 2007 and seen by Ars Technica.
The method by which this data could become exposed is nothing new, but it is
simpler than most "man-in-the-middle" attacks, says Errata. Many web services,
such as Gmail, BlogSpot, Facebook, MySpace, LinkedIn, and Google Adsense
use cookies to identify session information after the user has already logged in.
Using a basic packet sniffer over a WiFi network and a proxy server to pass the
information through, a determined hacker can easily "sidejack" the session
information as his own by stealing session IDs straight out of the WiFi signal. He
could then use that session ID to represent himself as the original user, says
Errata, which would allow him to do things like make blog posts, unfriend all of
your Facebook friends, and read or send e-mails.
The risks associated with wireless are the result of one or more of these attacks.
The consequences of these attacks include, but are not limited to, loss of
proprietary information, tarnished image, and loss of network service.
2.5.3 Malicious Wireless Service Provider (WSP)
WSPs are in the business of providing wireless services, so performing any
untoward activity would be counterproductive. However, consider the following
example, based on the office complex scenario. Suppose that AdEx Inc., as a
courtesy to its clients, offers wireless access through its network. NitroSoft is
visiting AdEx for a presentation of a proposed new marketing campaign. During
breaks in the presentation, the NitroSoft representative sends and receives e-mail
via a wireless PDA. This information is related to the campaign, including
price limits and current bids from other representatives attending similar
presentations around the country. The connectivity is much appreciated by the
NitroSoft representative, who can discreetly communicate the current
status to NitroSoft co-workers to ensure that NitroSoft receives the best
marketing campaign for the money. What the NitroSoft representative doesn’t
know is that someone from the AdEx IT staff is monitoring the
representative’s communications and relaying any pertinent information to
AdEx’s marketing staff so that they will be well informed of the representative’s
feelings about the presentation, any misgivings, what NitroSoft’s bottom line will be,
and possibly what the bids are from other marketing firms.
5 http://www.itechnote.com/2006/10/26/public-wi-fi-network-threats/ - 05-Jan-08
6 http://arstechnica.com/news.ars/post/20070801-report-sidejacking-session-information-ov... 11-Dec-07
In this example, is AdEx just doing smart business? After all, AdEx owns the
wireless connectivity hardware, and by extension, everything it transports. Or is
AdEx a malicious WSP? Unless AdEx had the NitroSoft representative sign an
agreement to access its wireless network and this agreement contained a waiver
granting AdEx access to anything transmitted over the network, we would vote
for the latter. Therefore, personal data transmitted by the device may be
vulnerable to a malicious WSP.
2.6.0 Risk Mitigation
Management countermeasures combined with operational and technical
countermeasures can be effective in reducing the risks associated with WLANs.
The following guidelines will not prevent all adversary penetrations, nor will these
countermeasures necessarily guarantee a secure wireless networking
environment. This section describes risk-mitigating steps for an agency,
recognizing that it is impossible to remove all risks. Additionally, it should be clear
that there is no “one size fits all” wireless network security solution.
2.7.0 Management Countermeasures
Management countermeasures for securing wireless networks begin with a
comprehensive security policy. A security policy, and compliance with it, is the
foundation on which the other countermeasures, operational and technical,
should be rationalized and implemented. A WLAN security policy should be able
to do the following:
• Identify who may use WLAN technology in an organization.
• Describe who can install access points and other wireless equipment.
• Provide limitations on the location of and physical security for access
points.
• Describe the type of information that may be sent over wireless links.
• Describe conditions under which wireless devices are allowed.
• Define standard security settings for access points.
• Describe limitations on how the wireless device may be used, such as
location.
• Describe the hardware and software configuration of all wireless devices.
• Provide guidelines on reporting losses of wireless devices and security
incidents.
• Provide guidelines for the protection of wireless clients to minimize
theft.
• Provide guidelines on the use of encryption and key management.
• Define the frequency and scope of security assessments, including
access point discovery.
• Agencies should ensure that all critical personnel are properly trained on
the use of wireless technology.
• Network administrators need to be fully aware of the security risks that
WLANs and devices pose. They must work to ensure security policy
compliance and know what steps to take in the event of an attack.
• Finally, the most important countermeasures are trained and aware users.
2.8.0 The Essential Security Evaluation
For an existing WLAN, or one in the planning stages, a number of key factors
must be evaluated before deciding the security approaches that are needed.
These factors include:
• Network topology and infrastructure
• Types of users and requirements
• Applications to be supported
• Value of the data (and financial impact if compromised)
• Existing security management solutions and policies across the
organization
• Existing standards support
• Building structure and other devices in use or transmissions occurring
in the vicinity (for potential of interference and to determine required
bandwidth)
Cost analysis is a key element. The value of the data, and the financial impact
if compromised, must be balanced against the price of combinations of
security measures.
User convenience and speed of access must also be evaluated. Clearly, a
major goal in creating a WLAN is the freedom and flexibility of mobile access
to enhance business productivity. Some very stringent security measures
could be self-defeating if users fail to cooperate because they are complex or
time-consuming.
2.9.0 Remedial Actions: Layered Architecture
Figure 8 - Firewall [7]
2.9.1 Firewall: In the near future, organizations will be even more
interconnected, leading to an increase in security vulnerabilities. While
maintaining firewall and other perimeter defenses, focus on security where
users access the wireless network. Prevention and containment are
essential; to achieve them, the placement of the different security components is
of utmost importance. Firewalls are typically implemented on either a dedicated
or a non-dedicated hardware and system platform. Dedicated
firewall hardware and software provide protection mechanisms built in by the
manufacturer. But security means more than screening traffic with firewalls. It
means guarding against illicit data access and preventing users from
misusing resources.
7 http://oriol.joor.net/article_fitxers/1574/wpa-eaptls.gif -6th Jan 08
Figure 9 - Intrusion Detection System [8]
2.9.2 Intrusion Detection System (IDS): An IDS serves as a
second line of defense. Designed to watch either a system for filesystem
changes or traffic on the network, this system, with the help of a human,
learns what normal traffic looks like, then notes changes to the norm that
would suggest an intrusion or otherwise suspicious traffic. Notification can be
via e-mail or a mobile SMS. Intrusion detection is the art of detecting
inappropriate, incorrect, or anomalous activity. In the burglary analogy, an IDS is
the system that detects burglary attempts, while firewalls perform the role of
door and window locks. These types of locks will stop the majority of burglars,
but sophisticated intruders may circumvent the security devices that protect an
intended target. Therefore, most people use a combination of sophisticated
locks with alarm systems.
An IDS performs the role of such an alarm system and adds the next
preventive layer of security by detecting attacks that penetrate IT systems.
Network-based IDSs monitor an entire, large network with only a few well-situated
nodes or devices and impose little overhead on a network. Network-based
IDSs are mostly passive devices that monitor ongoing network activity
without adding significant overhead or interfering with network operation.
They are easy to secure against attack and may even be undetectable to
attackers; they also require little effort to install and use on existing networks. [9]
Recently intrusion detection has received considerable attention, and
intrusion detection is being performed with respect to the Internet as well as
wireless mobile networks. There are basically two types of existing threat
detection strategies: anomaly detection and misuse detection. The anomaly
detection approach analyzes the user’s current session and compares it
to the profile representing the user’s normal behavior. Since it catches
sessions which are not normal, this model is referred to as an ‘anomaly’
detection model. A typical anomaly detection system takes in audit data for
analysis. The audit data is transformed to a format statistically comparable to
the profile of a user. A threshold is normally associated with each
profile; if the comparison between the audit data and the user’s profile shows
a deviation beyond the set threshold, an intrusion alarm is declared. This type
of detection system is well suited to detect unknown or previously not
encountered attacks. Anomaly detection bases its idea on statistical behavior
modeling, and anomaly detectors look for behavior that deviates from normal
system use. Hence this type of detection is also known as the Statistical Based
Intrusion Detection Approach (SBID).
8 http://www.skullbox.net/ids.php- 6 January 2008
9 http://manageengine.adventnet.com/products/wifi-manager/images/home_zoomed.gif 6 Jan 2008
2.9.2.1 Limitations of SBID
Besides the costs associated with creating audit trails and maintaining user
profiles, there are several risks and limitations associated with SBID
technology:
Figure 10
• Because user profiles are updated periodically, it is possible for an insider to
slowly modify his behavior over time until a new behavior pattern has
been established within which an attack can be safely mounted.
• Determining an appropriate threshold for "statistically significant
deviations" can be difficult. If the threshold is set too low, anomalous
activities that are not intrusive are flagged as intrusive (false positive).
If the threshold is set too high, anomalous activities that are intrusive
are not flagged as intrusive (false negative).
• Defining user profiles may be difficult, especially for those users with
erratic work schedules/habits.
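To make the profile, the threshold and the periodic update concrete, the following Python illustration is added here; it is not code from the thesis or from any IDS product. It scores constructed per-session audit values against a user profile, counts the false positives and false negatives that different thresholds produce, and replays the slow-drift limitation from the first bullet, keeping a frozen copy of the original profile as the check that still catches the drift. The audit feature (megabytes moved per session), the user name and all sample values are assumptions.

```python
"""Statistical anomaly detection (SBID) with a per-user profile and a threshold.

Worked example added to this review; it is not code from the thesis or from any
IDS product.  The audit feature (megabytes moved per session), the user name
"alice", the history and every labelled record below are constructed values.
"""
from collections import deque
from statistics import mean, pstdev
from typing import Deque, Iterable, List, Tuple


class UserProfile:
    """Profile of one user's normal behaviour: mean and spread of one audit feature."""

    def __init__(self, user: str, history: Iterable[float], window: int = 10) -> None:
        self.user = user
        # A bounded window models periodic profile updates: old sessions fall
        # out and recently accepted sessions define the new "normal".
        self.samples: Deque[float] = deque(history, maxlen=window)

    @property
    def mu(self) -> float:
        return mean(self.samples)

    @property
    def sigma(self) -> float:
        # Guard against a zero spread, which would make every new value an outlier.
        return max(pstdev(self.samples), 1e-9)

    def deviation(self, value: float) -> float:
        """Distance of an observed value from the profile, in standard deviations."""
        return abs(value - self.mu) / self.sigma

    def is_anomalous(self, value: float, threshold: float) -> bool:
        """Alarm when the deviation exceeds the threshold set for this profile."""
        return self.deviation(value) > threshold

    def update(self, value: float) -> None:
        """Fold an accepted session into the profile (periodic update)."""
        self.samples.append(value)


# Constructed audit trail for "alice": megabytes moved per session (mean 100).
NORMAL_HISTORY = [90.0, 110.0, 95.0, 105.0, 100.0, 98.0, 102.0, 97.0, 103.0, 100.0]

# Constructed labelled audit records to score: (value, truly intrusive?).
AUDIT_RECORDS: List[Tuple[float, bool]] = [
    (104.0, False),  # ordinary session
    (118.0, False),  # busy but legitimate session
    (140.0, True),   # bulk copy of data this user never touches
    (250.0, True),   # large transfer out of the network
]


def evaluate_threshold(threshold: float) -> Tuple[int, int]:
    """Count (false positives, false negatives) for one threshold against a frozen profile.

    A low threshold flags the busy legitimate session; a high one misses the
    smaller of the two intrusive sessions, as described in 2.9.2.1.
    """
    profile = UserProfile("alice", NORMAL_HISTORY)
    false_pos = false_neg = 0
    for value, intrusive in AUDIT_RECORDS:
        flagged = profile.is_anomalous(value, threshold)
        if flagged and not intrusive:
            false_pos += 1
        if intrusive and not flagged:
            false_neg += 1
    return false_pos, false_neg


def profile_drift(step: float, sessions: int, threshold: float) -> Tuple[int, bool, bool]:
    """Show the first SBID limitation: a profile that follows slowly rising usage.

    Each session raises usage by `step`; accepted sessions update the profile.
    Returns (alarms raised during the drift,
             final value anomalous against the drifted profile?,
             final value anomalous against a frozen copy of the original profile?).
    Comparing against a frozen baseline is the extra check a defender can add.
    """
    drifting = UserProfile("alice", NORMAL_HISTORY)
    frozen = UserProfile("alice", NORMAL_HISTORY)
    alarms = 0
    value = NORMAL_HISTORY[-1]
    for _ in range(sessions):
        value += step
        if drifting.is_anomalous(value, threshold):
            alarms += 1
        else:
            drifting.update(value)  # accepted behaviour becomes the new normal
    return (alarms,
            drifting.is_anomalous(value, threshold),
            frozen.is_anomalous(value, threshold))


if __name__ == "__main__":
    for t in (3.0, 5.0, 10.0):
        fp, fn = evaluate_threshold(t)
        print(f"threshold {t:>4}: false positives={fp} false negatives={fn}")
    alarms, drifted, baseline = profile_drift(step=3.0, sessions=40, threshold=3.0)
    print(f"drift: alarms={alarms} flagged by drifted profile={drifted} "
          f"flagged by frozen baseline={baseline}")
```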
2.9.3 Honeypots
Figure 11 - Honeypots [10]
10 http://www.securitylab.ru/_article_images/farms.jpg - 7 Jan 2008
Prevention is invariably a better approach than treatment, for both
living beings and computer networks. Just as it is with living beings, it is
impossible to prevent all maladies from occurring on a computer network. But
unlike the human body, computer networks do not have an autonomic
immune system that differentiates self from non-self and neutralizes potential
threats. Security engineers have to establish what behavior and attributes are
"self" for networks and deploy systems that identify "non-self" activities and
neutralize them. Thus the old phrase holds true: information is
power. The remedy could be a proactive approach leading to a better understanding
of the threats; the knowledge gained helps administrators use their defensive
arsenal to full effect against hackers. Honeynet technology takes such a
proactive approach, drawing on military doctrine. Honeypots are closely
monitored network decoys serving several purposes: they can distract
adversaries from more valuable machines on a network, they can provide
early warning about new attack and exploitation trends, and they allow in-depth
examination of adversaries during and after exploitation of a honeypot.
Honeypots are a highly flexible security tool with different applications for
security. They don't fix a single problem. Instead they have multiple uses,
such as prevention, detection, or information gathering. Honeypots all share
the same concept: a security resource that should not have any production or
authorized activity. In other words, deployment of honeypots in a network
should not affect critical network services and applications. A honeypot is a
security resource whose value lies in being probed, attacked, or
compromised. Honeypots are a simple concept, which gives them the following
strengths.
1. Small data sets of high value: Honeypots collect small amounts of
information. Instead of logging huge amounts of data they only log information of high
value, since only attackers interact with them. This
means it is much easier and cheaper to analyze the data and derive value from
it.
2. Minimal resources: Honeypots require minimal resources; any
Pentium-class machine is good enough to handle an entire network of 256
users.
2.9.3.1 Limitations of Honeypot
To fool attackers, a deployed honeypot has to simulate reality perfectly.
Many counter-papers have recently been released on the Internet because
hackers want to prove that they are not afraid of honeypots and that they are
stronger than their creators. New paths of research have been drawn to resolve
the stealth problems.
Wireless honeypots suffer from the same stealth problems that classic honeypots
do, and also from specific, additional ones related to this environment. Skilled
attackers may be wary of "too open" networks. The better the simulated reality, the
more skilled the attackers that get caught (but in this case, intrusions rarely occur);
the lesser the stealth, the more successful attacks are observed (but they are often
carried out by inexperienced attackers).
2.9.4 WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access)
The security of a wireless LAN is very important, especially for applications
hosting valuable information. For example, networks transmitting credit card
numbers for verification or storing sensitive information are definitely candidates
for emphasizing security. In these cases and others, the wireless network should
be proactively safeguarded against security attacks.
Figure 12 - MAC Layer
WEP (wired equivalent privacy) is 802.11's optional encryption standard
implemented in the MAC layer that most radio network interface card (NIC) and
access point vendors support. When deploying a wireless LAN, be sure to fully
understand the ability of WEP to improve security.
WEP specifies a shared secret 40 or 64-bit key to encrypt and decrypt the data.
Some vendors also include 128-bit keys (known as "WEP2") in their products.
With WEP, the receiving station must use the same key for decryption. Each
radio NIC and access point, therefore, must be manually configured with the
same key.
Despite its flaws, WEP is better than nothing, and users should enable WEP as a
minimum level of security. Many people have taken to the streets to discover
wireless LANs in neighborhoods, business areas, and colleges using protocol
analyzers, such as AiroPeek and AirMagnet. Most of these people are capable of
detecting wireless LANs where WEP is not in use and then using a laptop to gain
access to resources located on the associated network.
By activating WEP, however, users significantly reduce the chance of this happening,
especially on a home or small business network. WEP does a good job
of keeping most people out, at least those that are honest. WEP is not a
deterrent to a real hacker.
WPA is wireless security with greater protection than WEP. Most wireless
networks should use either WEP or WPA. WPA-PSK is not much more difficult to
configure than the older WEP, but is not available on some older products. All
computers, access points, and wireless adapters must use the same type of
security.
WPA operates in either WPA-PSK mode (Pre-Shared Key or WPA-Personal) or
WPA-802.1x mode (WPA-Enterprise). In the Personal mode, a pre-shared key or
password is used for authentication. In the Enterprise mode, which is more
difficult to configure, 802.1x RADIUS servers and an Extensible
Authentication Protocol (EAP) are used for authentication. The enhanced WPA2
uses the Advanced Encryption Standard (AES) instead of the Temporal Key Integrity
Protocol (TKIP) to provide a stronger encryption mechanism.
2.9.4.1 Advantages of WPA
WPA adds authentication to WEP's basic encryption. It is backward compatible,
supporting WEP for devices that have not been upgraded. It integrates with IDS to
allow administration and auditing.
2.9.4.2 Disadvantages of WPA
• Complicated setup is required, unsuitable for average users.
• The network administrator has to spend valuable time in setting up the
system.
• The wireless link works more slowly than with WEP and requires more network
resources.
• WPA remains vulnerable to Denial of Service attacks.
Table 3 - Cafe Latte attack steals credentials from Wi-Fi clients [11]
Hackers have refined a new technique for breaking into Wi-Fi networks protected
by the aging Wired Equivalent Privacy (WEP).
The so-called 'Cafe Latte' attack aims to retrieve the WEP keys from the PCs of
road warriors. The approach concentrates its attack on wireless clients, as
opposed to earlier attacks that cracked the key on wireless networks after sniffing
a sufficient amount of traffic on a network.
An attacker can then present his machine as a bridge to the internet towards
prospective victims, inspecting their traffic and potentially installing files on
compromised PCs.
Despite this, WEP remains widely used in consumer, small business and retail
environments. WPA (Wi-Fi Protected Access) system replaced WEP years ago
but an estimated 41 per cent of businesses continue to use WEP, Infoworld
reports.
Early Wi-Fi technology fitted in retail point-of-sale terminals, and warehouses
reportedly support only WEP. Hackers who obtained millions of credit card
records from TJX, the giant US retailer, are thought to have used these
shortcomings to break into its systems.
"This presentation debunking the age-old myth that to crack WEP, the attacker
needs to be in the RF (radio) vicinity of the authorised network," Ramachandran
and Ahmad explain.
11 http://www.theregister.co.uk/2007/10/18/cafe_latte_wi-fi_attack/ - 7 Jan 2008
2.9.5 Virtual Private Network (VPN)
"A virtual private network is like your own encrypted tunnel from your computer to
the computer you're trying to reach," said Marc Rotenberg, director of the
Electronic Privacy Information Center. "Using VPNs is one of the best ways to
secure" your connection on Wi-Fi networks, he said. [12]
Figure 13 - VPN
VPN and Wi-Fi security each have their role in network security. VPNs allow users to
connect securely over any network (including the Internet), whether the user
has a dial-up modem or a Wi-Fi hotspot connection. This allows a VPN to work
from virtually anywhere in the world that provides Internet access. Wi-Fi security,
on the other hand, offers security only at the data link layer between the user’s
WiFi device and the organization’s wireless access point, which usually means it
can only work locally in a LAN environment. But Wi-Fi security solutions provide
significantly more speed, less overhead and less complexity. The purpose of Wi-Fi
security is to give a user equal or better security than using a wired
connection to the LAN with an equal level of functionality.
2.10.0 The cost of data breaches: Looking at the hard numbers
As the frequency and gravity of security breaches has increased over the past
few years, there have been several attempts to estimate the costs associated
with them.
The estimates, however, have churned out vastly different figures, further adding
to the confusion. For example, a U.S. Department of Justice study, published in
August 2006, determined that the average loss per incident was $1.5 million.
These calculations conflicted with a 2005 survey done by the Computer Security
Institute/Federal Bureau of Investigation, which estimated the cost to be $167,000.
Meanwhile, a 2006 Ponemon Institute survey figured expenses at $4.8 million
per breach, while some Chief Information Security Officers put the cost to
recover from a security incident at $1,000 per hour.
And if that dizzying array of estimates wasn't bewildering enough, a recent
Forrester survey done in the US found that 25% of respondents do not know, or
do not know how to determine, the cost of data security breaches. Puzzlingly, of
companies that confirmed a personal data loss, 11% said that they did not incur
any additional costs.
2.10.1 Tangible costs
Tangible costs are the unbudgeted expenses resulting from a security breach.
These costs typically include legal fees, mail notification letters, calls to individual
customers, increased call center costs and discounted product offers.
Surprisingly, most estimates agree on this cost to be around $50 per record. This
cost has increased slightly over previous years, but will continue to be
somewhere around this number.
12 http://money.cnn.com/2006/07/06/technology/wifi_security/index.htm - 6th Jan 2008
2.10.2 Regulations and lost employee productivity
When employees and contractors are diverted from their normal duties in order
to address data breach controls, a company loses money. According to a
Ponemon Institute survey, this cost had increased 100% in 2006 from $15 per
record in 2005, to $30/record in 2006. The primary reason for this increase has
been the growing number of entities and regulations that must be satisfied.
Previously, if a company had a data breach, a security team fixed the problem,
tested the mitigation and then the company resumed normal activities. Now, the
threat of a data breach forces companies to satisfy the industry regulators, like
the Payment Card Industry (PCI) Security Standards Council for credit card
breaches, or the HIPAA auditors for healthcare regulations.
2.10.3 Stock price
In the long run, a security breach does not have a significant effect on a
company's stock price, but it could. A stock typically dips immediately after a data
breach, but the price rebounds quickly, and after one year there is very little
evidence of the breach affecting the stock.
2.10.4 Opportunity cost
Companies also typically experienced customer losses after a breach, but the
severity varies significantly as well. Typically, banks and hospitals have had the
lowest churn rates, and retail outlets have had the highest.
A more significant issue at hand is the difficulty in acquiring new customers -- or
new customer opportunities -- after a security breach. This number is hard to
quantify, but most estimates compare these expenses to tangible costs. A
Ponemon study, for example, puts opportunity cost at $98 per record, a 31%
increase from 2005. This number is expected to grow as customers' security
expectations increase and businesses compete on data protection technology.
2.10.5 Regulatory requirements and fines
When a breach occurs, both customers and regulators need to be satisfied.
Regulators may impose additional security requirements or fines. For example,
Visa levied $4.6 million in fines, penalizing companies that mismanaged sensitive
customer data; the company levied $3.4 million in 2005. As laws and regulations
increase, this cost will become much more significant.
2.10.6 Bottom line
A security breach can cost an organization $50 to $250 per record. Depending on
how many records are at stake, individual breach costs may run into millions or
even billions of dollars -- and organizations still aren't prepared to protect their
wireless environments. Although studies may not be able to determine the exact
cost of a security breach in an organization, the loss of sensitive data can have a
crippling impact on an organization's bottom line.
Table 4 - ROI
Most Indian enterprises [13] still don’t calculate Return on Investment (RoI)
when it comes to investing in network security. Access control, encryption,
firewalls, intrusion detection systems (IDS), vulnerability assessment tools
and virtual private networks (VPN) are some of the methods being used.
Interestingly, around 12 percent of corporates are using Public Key
Infrastructure (PKI) technologies (encryption). “Though PKI will become very
critical in non-physical banking, problems in implementing PKI still remain the
biggest challenge,” says Milind V Dikshit, head, technology solutions and
security, Bangalore Labs.
Table 5 - Mobile Workers
Globally, two-thirds of employees are cognizant of security risks when working
remotely on company machines. That's the good news. Of course, the converse
is that one-third connect blindly to the Internet (this includes public Wi-Fi), in
spite of hacking, theft and malware threats.
According to "Perceptions and Behaviors of Remote Workers & Security
Considerations for IT Organizations," a study by Cisco Systems and Insight
Express, end users are aware of security concerns, but often act contrary to best
practices for protecting themselves, their machines, corporate networks or their
data.
The online survey, conducted in 2006, queried more than 1,000 remote
workers in 10 countries from every region of the globe. Users in China (78
percent), Australia (75 percent) and the United Kingdom (72 percent) reported
the greatest level of security awareness. India (52 percent) and Japan (59
percent) posted the lowest awareness level. The United States was slightly
above average, with a 68 percent awareness rate.
The Cisco/InsightExpress study reveals the often contradictory actions of end users
who unnecessarily expose themselves and their work computers to security threats.
Key Findings:
13 http://www.expresscomputeronline.com/20020624/network5.shtml - 7 Jan 2008
2.11.0 The Scenario in India
Table 6 - Techscope 2003: e-Security [14]
India Inc has finally woken up to the security threat. But merely deploying
firewalls or anti-virus solutions isn't enough. Here's how organizations need to
strengthen their defences in the wake of new threats. By Vishwajeet Deshmukh
A global study by KPMG in 2000 reveals that Indian companies achieved the
dubious distinction of having the highest number of e-commerce security
breaches in the world at 23 percent, followed by UK and Germany at 14 percent.
Of the 60 percent companies that were victims of some security breach, 21
percent recorded actual loss in revenue. About 58 percent have still not been
able to quantify their loss. According to a Price Waterhouse Coopers /
Confederation of Indian Industry (PWC-CII) study, only five percent of the survey
respondents reported a revenue loss of over Rs 5 million.
2.12.0 Security Protections for Organization
If an organization wants to establish proper security protections, here are some
important guidelines to follow.
Wireless security policy and architectural design: The security policy of an
organization should include wireless networking as a part of overall security
management.
• Enterprises have to take a top-down approach to frame a comprehensive
security policy rather than treat it as a technological issue in the realm of
the CIO, CISO etc. The Board and the CxOs must show commitment to
security with a clear mandate through policies.
• Treat access points as untrusted: Access points need to be evaluated at
regular intervals to find out whether they should be treated as
untrusted devices. This will involve placing the appropriate firewalls, VPNs
and IDS between the access point and intranets or the internet.
• Access point configuration policy: One needs to define the standard
security settings for access points before deploying them.
• Access point security assessments: With the help of regular security
audits, one can identify poorly configured access points.
14 http://www.networkmagazineindia.com/200301/cover7.shtml - 7 Jan 2008
Table 7 - The PWC-CII survey 2002-03
The PWC-CII survey 2002-03 illustrates the lack of a comprehensive
security policy framework across India Inc and hence the lack of effective security
implementation. To quote from the report: Though 68 percent of the respondents
accorded a high priority to security, only 41 percent had a comprehensive
security policy in place. Worse, about 47 percent of the respondents continue to
operate without a security policy.
2.13.0 Summary
Ultimately, security is everybody's business, and only with everyone's
cooperation and consistent practices will it be achievable. Wireless security is a
work in progress, so it is essential to administer a wireless network so that it
becomes more and more secure. And with more organizations focusing strongly
on wireless security, we can only expect to see many more secured wireless
networks in the future.
CHAPTER 3
METHODOLOGY
3.1 Introduction
This chapter discusses the methodology of this study in detail. The research
questions and assumptions (hypotheses) proposed in Chapter 1 are presented
here. All phases of the research design, data collection, location of the research
performed, method of inquiry and statistical analysis are reviewed. Finally, the
whole chapter is summarized. The research can be categorised as a
combination of exploratory and descriptive study seeking insights into IS and
Risk Management in wireless networks in India.
3.2 Research Questions and Research Hypotheses
The research assumptions (hypotheses) framed in the study possess a strong
grounding in the literature review. The combination of the research
assumptions (hypotheses) and the literature review proves their importance in the
study for answering the research questions. The answers to the research
questions would provide good insight for IS professionals and executives
regarding the various scenarios and complexities posed prior to designing an IS and
Risk Management System for a wireless network.
Research questions
• What are the information security risks in using a wireless network?
• What would be the ideal characteristics of an Information security
management system to manage a wireless network?
• What functions must an ISRMS fulfill to support users?
• What will be the cost of ISRMS implementation?
3.3 Data Collection / Collected
Primary data collection is done on the basis of personal interviews along with
responses to the questionnaire filled in by IS / Management personnel,
Information Systems Auditors, Information Systems Inspection Personnel,
Network Security Professionals, Network Administrators, Information Systems
Administrators, etc. Data is also collected from the students of Wi-Fi enabled
colleges in order to understand the awareness among them, which might
instigate quick development, deployment and improvement in the IS and
Management methodologies and techniques in the respective organizations. The
data collected from the customers is a value addition to the research in order to
achieve certain insights regarding the IS threats which might have been
overlooked because they were not reported or not registered. These
customer inputs would also help us analyze the overall success of the
organizations in terms of IS and Risk Management in wireless networks.
The choice of an adequate data collection method should mainly be based on the
type of research problem investigated (Kiplinger 1986). Figure 3.1 indicates
which choices were made at various decision levels related to the data collection
method. At each level, the option selected is shaded.
Figure 14: Selection of Data Collection Method
• Cross-Sectional Research
Research can either be cross-sectional or longitudinal. In this study, a cross-
sectional design research has been applied. Cross-sectional research involves
the collection of information from any given sample of population elements.
Longitudinal research on the other hand provides an in-depth view of the
situation and the changes that take place over time. Scholars recognise that
representative sampling and response biases are serious problems of
longitudinal research. In longitudinal research, the cooperation of panels is
required. Respondents’ refusal to co-operate, panel mortality, and payment of
panel members increase the lack of representative sampling. Furthermore,
response bias is increased as a result of the fact that panel members more
consciously perform the investigated behaviors and that new panel members
tend to increase the investigated behavior. Finally, longitudinal research implicitly
requires long data collection periods.
[Figure 14 contents: decision levels Data Collection: Longitudinal research / Cross-Sectional; Experimental research / Non-experimental; Observation / Survey; Telephone / Personal / Mail / Internet]
Based on these arguments and the objective of this study, a cross-sectional research is considered to be adequate in
order to provide the required information in a valid and representative way.
• Non-Experimental Research
In this study, a non-experimental method as opposed to an experimental
research method is used. Non-experimental research is generally defined as
“systematic, empirical inquiry in which the scientist does not have direct control of
independent variables because their manifestations have already occurred or
because they are inherently not manipulable”. While experimental research
generally allows obtaining high levels of internal validity as a result of the
possibility to control, randomly assign, and manipulate, its lower external validity
and artificiality are considered to be weaker elements. As this study aims at
generating generalizable results for a wide range of IS and Risk Management
situations, external validity is an important, additional evaluation criterion.
Consequently, the use of non-experimental research is suitable for the purpose
of this study.
• Survey Research
Non-experimental research designs can consist of observation as well as survey
methods of data collection. Survey methods are generally classified into mail,
internet, telephone, and personal surveys. In this study, a survey research
design was chosen, which is defined as “interviews with a large number of
respondents using a pre-designed questionnaire”.
• Personal Interviewing
In this study, personal surveys were conducted in order to gather the required
data. A personal interview is generally defined as “a questionnaire administration
method in which the interviewer and respondent have a face-to-face contact”.
According to many experts, the personal interview “far overshadows the others
as perhaps the most powerful and useful tool of social scientific survey research”.
Personal interviews outperform mail, internet, and telephone surveys on nearly
all criteria, except for interviewer control and bias, cost, and social desirability.
Several efforts were made in order to overcome these potential weaknesses. The
use of structured questionnaires that included detailed respondent instructions
automatically diminished the risk of interviewer bias. Further, interviewers were
not aware of the underlying hypotheses of the study and could therefore not
consciously influence the responses.
Thus the data collection in this study used non-experimental, research-based
personal surveys and telephone interviews on a cross-sectional basis.
3.4 Location of the Data
The data will be collected from the Inspection Departments of various Wi-Fi enabled
colleges, IS and Risk Management cells, Information Systems Auditors, Network
Administrators, Information Systems Administrators, IS Specialists (Project
Managers, Quality Assurance, Development Heads for any IS software or
hardware solutions), etc. Apart from this, the data is also collected from the
customers regarding their awareness of the IS threats in wireless networks.
With a responsible and critical team of intellectuals forming the basis of this
research, the remaining part of the questionnaires will be filled in by a large number
of students using wireless networks on their college campus.
3.6 Method of Inquiry
A self-administered survey was utilized to collect data. The questions were
developed in a manner which would help in analyzing the various IS threats and
the Risk Management methodologies used to mitigate, transfer, avoid or accept
the risks. Based on past research, the data was gathered from both primary
and secondary sources. The questionnaire was a blend of open- and closed-
ended questions, which provided a range of possible responses to almost all
questions and made it easy for the respondent to select from a range of
possible answers.
3.7 Analysis to be performed on the Data
Different statistical methods were used for the data analysis using
Microsoft Excel and the Statistical Package for the Social Sciences (SPSS).
Descriptive statistics were generated to evaluate the distribution of variables and
appropriate statistical techniques were used to study the data collected.
3.8 Summary
This methodology chapter has provided a discussion of the methods and
procedures applied in this proposed dissertation. The chapter has discussed the
objectives of this dissertation, the research questions framed to fulfill the objectives,
and the methods used to collect and analyze the data required by the research
questions.
Glossary of Terms
ActiveX Controls
These controls link to any object--traditionally dynamic content such as tables
and buttons that react to mouse clicks--embedded within a Web page. Although
ActiveX controls help Web pages spring to life, malicious programmers can
easily use them as vehicles for downloading spyware. Install a sturdy browser
and firewall that screens your ActiveX Controls, and download them with care,
accepting ActiveX only from trusted Web sites.
Adware
Typically, adware components install alongside a shareware or freeware
application. These advertisements create revenue for the software developer and
are provided with initial consent from the user. Adware displays Web-based
advertisements through pop-up windows or through an advertising banner that
appears within a program's interface.
Antispyware software
This is a broad term for programs designed to protect a computer from adware
and spyware. Almost all antispyware applications feature a scanning engine,
which detects suspicious items and removes them from the infected machine.
Some antispyware applications also include a real-time-protection module, a
shield that alerts users when suspicious programs attempt to install themselves
and allows users to deny them.
Backdoor programs
This refers to any software program that allows other users to control machines
remotely while hiding any evidence of the fact. Software developers are the most
common authors and users of backdoor programs, adding them to make testing
easier. Backdoor Trojan horses are spyware programs that sabotage your PC.
These specific Trojan horses force a backdoor program onto your machine and
infiltrate your system to collect information or install spyware.
Bot
An Internet robot, shortened to "bot," is an automated program that performs a
specific timesaving function in lieu of a human operator, such as a spider that
trolls Web sites collecting data for market research. Spyware bots secretly install
through worms, Trojan horses, and drive-by downloads. They are mostly used to
carry out remote attacks, such as denial-of-service (DoS) attacks.
Botnet
A botnet is a network of bots installed on multiple computers, each running
identical malware. A botnet can be controlled remotely via an IRC (Internet Relay
Chat) server or a peer-to-peer application.
Browser-helper object (BHO)
BHOs are files--most frequently DLLs--that add additional functionality to Internet
Explorer. Although many useful programs such as Adobe Acrobat employ BHOs,
these files also can be used for unsavory purposes. BHOs associated with
adware or spyware can monitor your browsing activities, hijack your home page,
or replace certain advertisements with others.
Cracker
Cracker is a shortened name for a criminal hacker. See Hacker.
Denial-of-service (DoS) attack
Denial of service is an attack designed to block user access to a Web site or
network by flooding it with bogus information (such as a surplus of requests). The
information overload maxes out the Web site or network's processing
capabilities, resulting in the user's inability to access Internet services and
making it appear inaccessible. These DoS attacks damage productivity and can
be highly frustrating, though the hacker's primary purpose of such attacks is
generally disruption and not identity theft.
Distributed denial-of-service (DDoS) attack
This variety of DoS attack enlists multiple compromised computers to flood a
single target with bogus information. A criminal hacker can hijack your computer
and force it and others to perform a DoS attack against other computers, users,
or networks.
Dialer
Traditional modems use a program called a dialer to connect a computer to the
Internet, but dialers are perhaps most well-known for their illegitimate purposes.
Bad dialers cause your PC to call long-distance or for-pay numbers, rather than
your ISP. This most often results in a large telephone bill for the user and a tidy
profit for the dialer's creator.
Drive-by
This term is loosely used for a stealth software installation the user does not
initiate. In some cases, simply visiting a Web page can download malicious
programs to a PC without a user's knowledge or consent. In other cases, a pop-
up ad might be used to initiate a drive-by installation.
Evil twin
A spoofed doppelganger of a legitimate wireless access point is known as an evil
twin. Often home constructed, the evil twin hotspot offers wireless access for the
purpose of collecting the user's data, which can then be exploited or sold.
False positive
False positives can fall into several categories. In an effort to sell software,
unscrupulous antispyware programs often will mislead a user into believing his or
her machine is infected with spyware when no problems actually exist. The term
false positive also can be used when legitimate antispyware applications
mistakenly label a benign program as a threat.
Firewall
A firewall is a crucial component in a computer's line of defense, as firewalls
prevent unauthorized services or programs from accessing a computer or
network resources. Although virtually every corporate network has its own
firewall, every personal computer should have one as well. Personal firewalls can
come as standalone products or as components built-in to a larger security suite.
Hacker
"Hacker" is a term that often requires more qualification than is given, as hackers
can act with intentions and outcomes ranging from beneficial to malicious. To
hack a file or a program is simply to deconstruct it or tweak its performance.
Therefore the term hacker has neutral connotations, encompassing those who
tinker with computer programs with no malicious intent, such as computer
programmers or security researchers, as well as criminal hackers (also called
crackers) who seek to damage your system, gain from stored data, or control
your PC remotely. Hacking taxonomy is associated by color--black hat hackers
are malicious, white hat hackers are benign, and gray hat hackers are
characterized by varying motivations.
Hijackers
Often installing as a helpful browser toolbar, hijackers may alter browser settings
or change the default home page to point to some other site.
Keylogger
Keyloggers are just what they sound like--programs that record every keystroke
made on a PC. Though some parental-control applications include keyloggers for
monitoring purposes, the ones that come bundled with spyware are far more
insidious. These types of keyloggers send sensitive information to a remote
computer, where thieves can access data such as credit-card and bank-account
numbers, as well as passwords and social-security numbers.
Malware
Malware is generally used to describe a piece of software that exploits or
inconveniences the user. It usually refers to the most malicious forms of adware
and spyware.
Man-in-the-middle attack
In this particular type of attack, a third party piggybacks on valid user privileges to
gain unapproved access to a computer or network. The man-in-the-middle
(MITM) attack exploits the authentication process of a one-way authentication
(user approved by the network) wireless access point (WAP). MITM attacks are
orchestrated by intercepting a valid authentication granted by a network with a
one-way authentication setup to any valid Media Access Control (MAC) address. With
the user's legitimate access as a shield, the MITM has full access to the data
flowing in and out of the user's computer.
Pharming
Like phishing, pharming preys on socially conditioned patterns of human
behavior to coax sensitive information from victims. Whereas phishers
masquerade as legitimate organizations, pharmers hijack sites' domain names to
redirect traffic elsewhere. In this way, visitors to an online banking site can be
channeled to a mirror site and prompted to provide personal data that crackers
can collect and use.
Phishing
Spoofing legitimate organizations to lure users into giving up sensitive data is a
favorite technique among security fraudsters. In a common phishing scam, users
receive a look-alike e-mail message purportedly from a trusted institution like
their bank, alerting them to an urgent need. Users follow the embedded link to a
convincing site that requires them to sign in using account information.
Among the subsets of phishing scams, spear phishing targets a specific user
demographic, such as gamers. In VoIP phishing, users are directed to verify their
account information over the phone rather than on a Web site.
Phreaking
Combining the words "phone" and "freak," phreaking refers to a wide subculture
of hacking that involves manipulating and exploiting telephone systems.
Rogue antispyware software
Posing as legitimate antispyware applications, these malicious programs scan a
computer and induce false positives to scare users into buying a product.
Rogues often attempt to distribute themselves via ominous pop-up ads and can
be very difficult to manually uninstall.
Rootkit
Although an exact definition of what constitutes a rootkit is still under debate, it is
generally regarded as a piece of software that allows intruders to conceal
malicious files and programs from users or system administrators. Rootkits can
be extremely hard to uninstall and allow troublemakers to go about their dirty
work undetected.
Spam
Originally, the unsolicited bulk messages that inundate a user's account took the
form of e-mail messages (mostly advertisements) in which the sender attempted
to engage the user in a purchase. Spam has evolved, and unsolicited bulk
messages crop up in instant messages (spim), blog comments (splogs), mobile
texts (SMS spam), forums, and so on. More than merely annoying, spam
attachments can contain viruses and malware or link to dangerous Web sites.
Spam is the principal vehicle for phishing scams.
Spoof
Spoofs are misleading Web addresses, spam e-mails, and IP addresses forged
by a malicious hacker to look identical to the legitimate organization's materials.
They are used to trick users into responding to alerts that appear to be issued by
trusted organizations such as banks. Users who respond to the visual fakery and
urgency of the requests are prompted to give up private data, which is then often
used in identity theft. Spoofs are instrumental in carrying out phishing, pharming,
and phreaking scams.
In a pharming exploit, a spoofed IP address of a legitimate company might be
scripted to float over the culprit's actual, nonlegitimate IP address in order to
make the user believe the site is valid.
Spyware
Spyware refers to programs that gather and transmit the user's personal details
or behavior to a third party, often without the user's knowledge or consent. Like
adware, it often installs as a third-party component bundled with freeware or
shareware, creating a fuzzy distinction between the two.
Tracking cookies
Internet browsers write and read cookies, files with small amounts of data (such
as site passwords and settings) based on instructions from Web sites. In many
cases, cookies provide a benefit to users. However, in some instances cookies
are used to consolidate and track user behavior across different sites, which
provides marketers with private information about an individual.
Trojan horses
Trojan horses slip into an individual's system and run without the user's
knowledge. They can have many functions. For example, some use a computer's
modem to dial long-distance, generating huge phone bills for the computer
owner. Unlike viruses and worms, Trojan horses do not make copies of
themselves.
Virus
Like human viruses, the computer varieties contain harmful code and spread
easily to infect multiple hosts. Viruses are notorious for corrupting hardware,
software, and personal files. Viruses cannot spread on their own, requiring users
to share infected files through e-mail attachments, flash drives, disks, P2P, Web
sites, or any other file-transferring mechanisms.
Worm
Often conflated with viruses, worms also are self-replicating programs; however,
they propagate independently of user interaction, often through a shared or direct
network connection. Worms may destroy data on individual machines, but mostly
inflict their damage by siphoning users' bandwidth or shutting down their
computers.
Zombie
Using viruses, Trojan horses, and worms, criminal hackers can remotely operate
a compromised machine without the knowledge of its owner. Zombie computers
often host programs that allow them to be conscripted by a remote controller into
bot armies, called botnets, to launch DDoS attacks.
Zero-day exploit
Malicious hackers have discovered they can increase their level of destruction by
cracking the defenses of a product on the same day that news of a vulnerability
breaks and/or an ensuing patch is released. Disclosure practices compel
software and security vendors to publicly announce flaws, which informs fast-
acting exploiters. The resulting zero-day attacks affect users who haven't applied
a patch to fix the vulnerability.