Features

WLAN users still indifferent to security - report

by Richard Hollis | posted on 06 June 2003


The future is wireless. The technology has exploded in the marketplace due to its flexibility, performance and inexpensive rollout costs. One of the principle concerns associated with the technology however is the real or imagined perception of its security weaknesses.

This is largely due to media attention given to the phenomenon of "drive by hacking" and hundreds of publicised 802.11b hacks. You would think then with all the buzz about security problems that companies would start to tighten up their wireless networks. Think again.

The attached survey was conducted at a national wireless vendor exhibit where companies deploying or thinking about deploying wireless systems came in search of wireless answers. Decision makers were surveyed and asked for candid responses about their current wireless system and their answers were surprising. In spite of the rash of security warnings, European firms deploying wireless systems are still doing little to secure them.

Wireless is a "securable" technology. The security risks associated with wireless systems can be identified, minimised and managed cost effectively. The following survey however, reveals that so far, very few companies understand this and are taking the appropriate steps.

SCOPE

Orthus Ltd. a European Information Security Solutions company headquartered in London carried out this survey. The survey was conducted over the course of two days at the Rock Media, WLAN Event hosted at The Olympia in London, U.K. on May 22nd and May 23rd 2003.

Orthus wireless security engineers personally interviewed over 300 CEOs, MDs and IT, Finance and Security Directors representing hundreds of European businesses attending the event.

The purpose of the survey was to establish a snapshot of the security measures (or lack thereof) currently deployed by companies for their wireless local area networks. The intent in doing so was to raise the security awareness with corporate decision makers regarding the protection of their wireless systems. The following questions were asked: Does your organisation currently deploy a wireless local area network (WLAN)? Are you thinking of deploying or expanding WLAN in the future? How many users does the WLAN support? What type of information does your system process and/or store.

Would you know if your WLAN was compromised? Is the WLAN connected to your hardwired corporate network? Is access to the WLAN password protected? Are authentication devices required to access the WLAN? Are security policies issued and enforced for WLAN users? Is WLAN traffic encrypted? Is WLAN traffic transmitted over a virtual private network (VPN)? Does the WLAN deploy a firewall? Has WLAN ever been audited for security vulnerabilities?

RESULTS

57% of the companies surveyed are currently deploying wireless networks

46% of the companies surveyed will be deploying wireless systems over the next year

66% of the companies surveyed will be expanding current wireless networks within the next year.

27% of the companies surveyed are using wireless systems to support up to 25 users.

17% are supporting 26-50 users.

3% are supporting 51-100 users and

53% are supporting over 100 users.

34% of the companies surveyed are processing Administrative data on their WLANs.

31% are processing Operational data.

27% are processing sensitive commercial data.

22% are processing sensitive financial data.

29% are processing Personnel data.

22% are processing sensitive Intellectual Property data.

36% are using their WLANs for email and

13% are using it for local hotspots, sales and demonstrations.

37% of the companies surveyed said that they thought that they could detect if their WLANs had been compromised.

17% responded that would not know if their WLANs had been breached and

46% responded that they "didn't know"

43% of the companies responding said that their WLANs were connected to their corporate infrastructure.

50% of the companies responding stated that their WLANs were password protected.

Only 36% of the companies surveyed require authentication devices to access the WLAN.

Only 33% of the companies responding have issued security policies for their WLANs.

Only 41% of the companies responding stated that they are encrypting their WLAN traffic.

Only 30% of the companies surveyed are transmitting their wireless data over virtual private networks (VPN).

Only 41% on the companies responding are deploying firewalls on their WLANs.

Only 23% of the companies responding have "audited" their WLANs for security vulnerabilities.

CONCLUSION

The results of the survey were extremely surprising considering the amount of media attention recently given to the issue of wireless security and indicate that unfortunately far too many businesses are continuing to neglect the security issues associated with this technology.

The majority of Managers we spoke with seemed to lack a basic understanding of the inherent weaknesses of their WLANs to the extent that many had not even enabled manufacturer security features all ready provided (WEP) or even taken them off of their default settings prior to deployment. Such essential and routine network security administration leaves these networks highly vulnerable to attack.

Perhaps even more unsettling, was the number of companies connecting their relatively unprotected WLANs to their protected corporate networks creating an unseen "back door" for potential attackers. The integration of these systems was not seen as a security issue. Overall, the survey seemed to enforce the absence of information and common sense in the deployment of WLANs today in terms of network security.

Knowledge is the best security defence for any technology. Orthus strongly suggests that if you are currently using or considering a WLAN for your enterprise, you take the time to understand the associated security issues and implement simple cost effective measure to identify, minimise and manage the security risks associated with this technology.

For a comprehensive list of no-cost best security practices and example architecture for the implementation of your wireless network, contact Orthus Ltd at: 11-15 Betterton Street, Covent Garden, London, WC2H 9BP United Kingdom Tel : +44 (0) 20 7470 8711 Fax : +44 (0) 20 7621 9580

Email : info@orthus.com Website : htttp://www.orthus.com Stay secure.