[ISN] Security through layers

[InfoSec News]

http://www.fcw.com/fcw/articles/2005/0228/web-wiresec-03-01-05.asp

By Florence Olsen 
March 1, 2005

Wireless networks are inherently insecure, but the more layers of
security they have, the less likely they are to be attacked, said
Mischel Kwon, wireless security officer for the Justice Department's
Management Division.

Speaking today at the Wireless/RFID Conference and Exhibition in
Washington, D.C., Kwon said the most secure layered approached would
use the latest wireless grid technologies in combination with wireless
intrusion-detection systems.

Because of the insecurities inherent in wireless technologies, a lot
of fear exists, said Capt. Sheila McCoy, former director of
information assurance in the Navy's Office of the Chief Information
Officer. "We're a rather risk-averse bunch," she said. But attitudes
toward wireless networks are changing as Defense Department officials
learn more about managing risk with new technologies, she added.

Dan Hickey, deputy commander for computer network defense at the
Marine Corps Network Operations and Security Command, prefaced his
remarks by saying that "wireless technology scares me." Few agencies,
he said, are using layered security or "defense in depth" correctly
when deploying wireless technologies. And on the policy side, he said,
agencies need to ask who has the authority to accept risk for the
organization when people begin using such technologies.

Wireless expert Bill Neugent, chief engineer for cybersecurity at
Mitre, a nonprofit engineering organization, said that the
proliferation of wireless technologies such as radio frequency
identification chips and nanoscale "smart dust" will cause both
privacy losses and productivity gains.

According to other wireless experts who offered tips on security
technologies and policies, open-source products are the most popular
for auditing the security of wireless networks. Auditors in the
Government Accountability Office, for example, use open-source
scanners NetStumbler and Kismet to conduct wireless audits, said Dan
Van Belleghem, technical director for the information assurance group
at SRA International.

For the most part, wireless networks become open to attack because
administrators fail to properly configure wireless access points with
password protection, use no encryption, have no virtual private
network protection, and do not disable the infrared ports and
peer-to-peer features of their wireless networks, Kwon said.

The conference was sponsored by the E-Gov Institute.