[ISN] Wireless tip: Don't hide from risk

InfoSec News isn at c4i.org
Fri Sep 24 03:35:07 EDT 2004 

http://www.fcw.com/fcw/articles/2004/0920/web-wireless-09-23-04.asp

By Michael Hardy 
Sept. 23, 2004

The best wireless network security is to not have a wireless network,
according to Defense and intelligence experts who spoke today at a
conference in Washington, D.C., sponsored by E-Gov, which is part of
FCW Media Group.

But because that is not always a practical solution, they offered
other tips to keep intruders out of the network and to keep data safe.

Perhaps the most important safety precaution is acknowledging the
risk, said Kevin Marlowe, acting director of systems network
engineering at the Joint Systems Integration Command, a subcommand of
the U.S. Joint Forces Command.

"Calculate the risk, figure out whether you can accept that risk and
mitigate it," he said.

"Risk doesn't have to be zero for us to use a product," said Timothy
Havighurst, a systems architect at the National Security Agency.  
"Sometimes the convenience of these systems outweighs the risks."

No wireless device or network can ever be completely secure, said Atul
Prakash, a professor at the University of Michigan's electrical
engineering and computer sciences division.

Ask a vendor representative if a product is completely secure, he
said. "If they say yes, you're probably talking to a marketing guy or
a salesman," he said. "If you're talking to a security expert, they
will hedge."

Agency officials must deal with the real world of commercial
technology, Havighurst added. "Soon you will not be able to buy a
laptop without" wireless connectivity, he said. "Soon you will not be
able to buy a [wireless] phone without a camera. These are things we
disallow, but industry is moving on."

Agency employees sometimes push their bosses to move faster in
technology adoption, he said. When managers set a policy forbidding
some wireless devices, employees will often argue that operational
need justifies changing the rules.

"Sometimes those are legitimate reasons," Havighurst said. "Sometimes
they're not. Sometimes they just want something because it's really
cool."

Marlowe offered a list of tips for making wireless networks safer,
including:

* Change factory settings in the routers. Hackers know the common
  default passwords and other information that makes intrusion easy if
  they're not changed.

* Enable the router's session timeout feature so that if no data
  passes through it after a set period of time, it shuts down.

* Set routers to the lowest feasible power, so they keep the network
  devices connected without opening the door wider than necessary.

More information about the ISN mailing list