Security, Audit and Control Issues for Managing Risk in the Wireless LAN Environment

By Richard A. Stanley, Ph.D., PE, CISSP


    INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 3, 2004

    Copyright 2004 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

    Business Drivers

    Today, wireless transmission is a common method of data communication for cellular phones, wireless personal digital assistants (PDAs), Blackberrys, text pagers and wireless local area networks (WLANs). Business requirements are providing the pull for wireless technology, which can offer lower installation and operating costs, mobility and flexibility. Technology is providing the ability for sophisticated systems that solve real business needs to be built and sold affordably. The lure of being able to stay connected with business, wherever and whenever, is certainly a main driver.

    Security Issues

    This push to untethered access to business is forcing enterprises to deal head-on with security. Achieving this new level of security requires weighing vulnerabilities against requirements and the costs of reducing those vulnerabilities. Wireless networks are inherently less secure than their wired counterparts. The confidentiality of data is at risk because data are sent through the free-space environment or into the air where anyone with the appropriate technology can intercept and/or spoof the data. The engineering standards for cellular telephone availability (i.e., the probability of not getting a dial tone when attempting a call) are lower than for wired telephony, so availability is a concern. However, unlike wireless voice networks, wireless data networks tend to be always on, always ready to transmit or receive data. They face the same vulnerabilities as do wireless voice networks, but they tend to be always available for those vulnerabilities to be exploited. Wireless communications also pose significant technical challenges, as well as greater challenges in the areas of control, security and audit, because they transcend traditional and regulatory boundaries.

    It is necessary to understand wireless technology and the ways that it can be exploited to effectively implement security. A security policy that deals realistically with the threats faced by the network in question and is in compliance with local laws and regulations is needed. Appropriate controls are also needed to ensure that the measures called for in the security policy are, in fact, implemented and that they perform as intended.

    Understanding the security and quality risks that surround wireless communications is a critical requirement for auditors. Not only must the auditor know how the system works and what can go wrong, he/she must also know the steps to take to identify and correct problems when they occur. Equally important, the auditor must have an idea of what can go wrong, so that systems can be evaluated periodically to ensure that all the appropriate measures are taken for each system to assure the desired level of quality and security.

    However, security is not an absolute. It is impossible to provide unbreakable security, whether in a wireless network or in a military setting. No matter how hard one tries, if an adversary is willing to devote sufficient resources to overcoming the defenses, he/she will succeed. The security goal is to make it either too costly for an adversary to attack the system, or to provide an incentive for the attacker to attack another system.

    Wireless networks are like radio stations because the information-bearing signals are radiated into space or in the air. As a result, anyone within range of the radio signal is able to receive the network signal and, potentially, read the network traffic and possibly connect to the network as do authorized users. This places additional security requirements on the network architecture and administration and may include additional encryption and more sophisticated data handling algorithms. Increasingly, wireless networks are used as extensions of existing wired networks, which means that the security problems of a relatively small wireless segment of a network can suddenly become a security problem of the first magnitude for the entire network. Adding a wireless extension to a fixed network does not alter the four basic goals of security: availability, authenticity, integrity and confidentiality.

    Security Goals

    Confidentiality is usually seen as a good thing: the more of it, the better. When people think of security, they think about confidentiality. Auditors want to make sure the information being transmitted through the air remains private.

    Confidentiality does not come for free. One must invest in cryptographic software and/or hardware to encrypt and decrypt messages, and then deal with the continuing requirement for managing the cryptographic keys, among other management procedures. This is detailed, time-consuming and costly. Unless the cost can be justified by the value of the information to be protected, it is difficult to choose confidentiality on a cost-benefit basis. Furthermore, there are many business settings where confidentiality is simply not required, but other aspects of security are.

    Authenticity provides the recipient with assurance that the message at hand truly originated with the purported sender and that the sender is who he/she purports to be. Although provided by cryptographic means, authenticity and confidentiality need not be part of the same package of cryptographic services. One can easily envision situations in which authenticity is desired, but confidentiality is not necessary. Consider an electronic release of new tax code documents. The issuing authority wants each branch office to be sure that the documents at hand are authentic, i.e., they came from the official source. On the other hand, the documents are public information, and there is no need for their contents to be kept secret.

    Integrity provides assurance that the message received is identical to the message sent, and that it has not been changed either deliberately or accidentally. As it happens, the same cryptographic tools that provide authenticity also tend to provide integrity. Many network protocols, such as TCP, work to provide integrity of messages sent over the network, but the methods these protocols use are not secure enough to ensure that the message and the integrity check were not altered. Cryptographic integrity checks increase the level of assurance of integrity, and are much more difficult to falsify than are checks computed by an open protocol using data available to anyone listening on the network.
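The contrast drawn above between an open protocol check and a cryptographic integrity check, as an added example that is not part of the original article: a 16-bit Internet checksum of the kind TCP uses can be recomputed by anyone who alters the message, while a keyed MAC cannot be without the key. The message stays in plaintext, as in the tax code illustration; the key, the sample notice and the function names are constructed for this sketch.

```python
import hashlib
import hmac


def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071), the kind of check TCP uses."""
    if len(data) % 2:
        data += b"\x00"  # pad to a whole number of 16-bit words
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry back in
    return ~total & 0xFFFF


def open_check_ok(message: bytes, checksum: int) -> bool:
    """Receiver-side check that needs no secret at all."""
    return internet_checksum(message) == checksum


def mac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag; only holders of the key can produce it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_ok(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison of the expected and received tags."""
    return hmac.compare_digest(mac_tag(key, message), tag)


def demo() -> dict:
    # Constructed sample: a public notice sent in the clear by the issuing office.
    key = b"constructed-demo-key-shared-by-offices"
    sent = b"Tax code release 2004-03: standard rate is 20 percent"
    checksum, tag = internet_checksum(sent), mac_tag(key, sent)

    # The text is altered in transit. The checksum is computed from data
    # available to any listener, so a matching value can be recomputed;
    # the MAC cannot be recomputed without the key.
    altered = sent.replace(b"20 percent", b"02 percent")
    recomputed_checksum = internet_checksum(altered)
    return {
        "genuine_checksum": open_check_ok(sent, checksum),
        "genuine_mac": mac_ok(key, sent, tag),
        "altered_checksum": open_check_ok(altered, recomputed_checksum),
        "altered_mac": mac_ok(key, altered, tag),
    }


if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name}: {'accepted' if passed else 'rejected'}")
```

Only the keyed check rejects the altered notice, which is the property an auditor should look for when a policy claims integrity protection on the wireless segment.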

    Availability, unlike confidentiality, authenticity and integrity, cannot be improved using cryptographic techniques. If the business relies on a wireless network to deliver messages when and where required, the enterprise must be confident the network will be available. Cryptography may, in fact, make availability worse by increasing the level of complexity of the system and/or by providing another means of attacking the system. Wireless extensions to wired networks may also degrade the overall network availability, as wireless systems are vulnerable to many things that reduce their availability but do not affect wired networks, such as interference and jamming. The net effect of these additional, wireless-specific vulnerabilities is to decrease the availability of the entire network.

    Role of Assurance Professionals

    Assurance professionals must understand the post-design choices that were made for the networks being audited. They must also understand the alternatives so intelligent recommendations can be made to the network owners regarding modifications that might be made to security parameters to achieve lower costs, improved availability, etc., within the scope of the security requirements for the network. The wireless network is rarely separable from the wired network to which it connects. The performance of the wireless network directly affects the performance of the backbone wired network, usually in a more direct way than the wired network affects the wireless segment.

    Additionally, assurance professionals must understand that a solid security policy is the key to defining and enforcing security within any organization. At a minimum, the policy should involve continuous review of potential threats and vulnerabilities and should deal with:

    • Overall policy
    • Access control
    • Usage management and monitoring
    • Security monitoring
    • Network security
    • Virus protection
    • Encryption
    • Pertinent laws
    • Incident response
    • Enforcement

    Points Covered in the Security Policy

    The security policy section devoted to access control should define the bounds, authentication and standards. For example, if the policy is for a network, then the network should be described. It should state who is allowed access, when they are allowed access and from where they are allowed access. For wireless, the standards used should be identified. The policy should also define who has the authority to grant exceptions to the policy.

    The security policy should also define user management and monitoring. For example, if management does not permit any personal telephone calls at work, then it is consistent to do the same with the network. If limited personal telephone calls are permitted, however, then it is reasonable to allow limited personal network use. Whatever the decision, the point is to strive for consistency. Having established standards for usage of the network, it is wise to set out in the policy the penalties for failure to observe those standards. For example, a bank has a rigid policy that no one, except specifically authorized personnel, is allowed even to attempt to access the accounts payable directories. In the event that an unauthorized employee attempts such access, the penalty is immediate dismissal.

    Auditing data can be obtained from log files, which can in turn be produced by many applications and services. Most commonly, the operating system can log critical events and make them available for review as required. The procedure for collecting audit logs should be described in the security policy.
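One way to turn the who / when / from-where statement of an access-control policy into a repeatable audit over collected logs, as an added example that is not part of the original article. The policy values, the log format, the sample lines and the function name are all hypothetical and constructed for illustration.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Hypothetical policy for one protected resource, expressed in the
# who / when / where terms the access-control section should spell out.
POLICY = {
    "resource_prefix": "/finance/accounts_payable/",
    "who": {"asmith", "bjones"},
    "when": (time(7, 0), time(19, 0)),        # permitted hours
    "where": [ip_network("10.20.0.0/24")],    # wired finance subnet
}

# Constructed log lines: ISO timestamp, user, source address, result, path.
SAMPLE_LOG = """\
2004-03-01T09:14:02 asmith 10.20.0.15 ALLOW /finance/accounts_payable/march.xls
2004-03-01T09:20:45 cdoe 10.20.0.31 DENY /finance/accounts_payable/march.xls
2004-03-01T22:05:10 bjones 10.20.0.18 ALLOW /finance/accounts_payable/vendors.db
2004-03-02T10:02:33 asmith 192.168.50.7 ALLOW /finance/accounts_payable/march.xls
2004-03-02T10:30:00 cdoe 10.20.0.31 ALLOW /public/handbook.pdf
this line is malformed
"""


def audit(log_text: str, policy: dict = POLICY) -> list:
    """Return (line_no, user, reasons) for each event that breaks the policy."""
    findings = []
    start, end = policy["when"]
    for line_no, line in enumerate(log_text.splitlines(), 1):
        parts = line.split(maxsplit=4)
        try:
            stamp = datetime.fromisoformat(parts[0])
            user, source, path = parts[1], ip_address(parts[2]), parts[4]
        except (IndexError, ValueError):
            # A gap in the audit trail is itself a finding.
            findings.append((line_no, None, ["unparseable"]))
            continue
        if not path.startswith(policy["resource_prefix"]):
            continue  # outside the bounds this policy section describes
        reasons = []
        if user not in policy["who"]:
            reasons.append("who")  # an attempt counts even when it was denied
        if not start <= stamp.time() <= end:
            reasons.append("when")
        if not any(source in net for net in policy["where"]):
            reasons.append("where")
        if reasons:
            findings.append((line_no, user, reasons))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```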

    The network administrator often conducts periodic monitoring of the network to ascertain the caliber of security and compare it with the objective security levels. The policy for doing this should be stated. If automated tools are to be used, then it is good to describe what tools and who may use them. The current state of intrusion detection (sometimes called intrusion prevention) systems (IDSs) is improving, but this technology is still immature. Network-based IDSs can monitor the network for events that are identified by reference to a rule set (which must, itself, be specified in the policy someplace). When such events are identified, alarms can be raised, to which appropriate response can be made after investigation of the specifics of the event. Host-based IDSs can detect illicit activities that do not transit the network, such as installation of an unauthorized program or alteration of the operating system database or registry. Network-based IDSs are on the wired network backbone and cannot see many of the problems encountered by the wireless segment. Host-based IDSs on the wireless clients, if configured properly, can detect many illicit connection problems and report them. Monitoring of the radio link can also help improve the ability to detect intrusions or intrusion attempts into wireless networks.

    The decision to implement encryption in the network is not to be taken lightly. Once chosen, the encryption parameters and management structure should be clearly stated in the policy document. Encryption is a valuable tool and can contribute significantly to the security of wireless networking. However, if it is to be used effectively, the policy for its use and maintenance must be carefully planned and thoroughly described before attempting to encrypt the network.

    Just as brick-and-mortar businesses exist within a legal jurisdiction, so do networks. There are four areas of the law that are of concern to wireless networks: radio regulations, encryption, unauthorized use of the network and privacy. The network security policy must deal with these areas of concern adequately, coherently and consistently in the face of laws that sometimes appear to be widely dissimilar.

    The security policy is the assurance professional's key document. In it are the definition of the security goals, the means of attempting to achieve those goals and the ways success is monitored and measured. In a situation where wireless networks exist, the security requirements of those networks should be specifically described in the policy. If they are not, there is no basis for further compliance measurement, and the audit will be forced to proceed on the basis of the auditor's understanding of what the policy should say. As every auditor knows, that is a difficult position from which to proceed, so it is important to first evaluate the policy before proceeding with the audit.

    Conclusion

    If the security is deemed by the auditor to be insufficient, then the responsible parties should be advised to expend more resources on the network to assure a higher degree of security. If those entreaties are not heeded, auditors should document the request and the response, as they will surely be important should a liability case arise from a breach of network security.

    Richard A. Stanley, Ph.D., PE, CISSP, is vice president of Wheeler Associates Limited, a technology and educational consulting firm located outside Boston, Massachusetts, USA, which specializes in custom security and educational solutions. He has more than 35 years' experience with telecommunications and security systems and has directed research in those areas for the US government and in the private sector. His work has taken him all over the world, and he has lived in Belgium, Canada, Germany, Israel, Egypt, Vietnam and the US. He is a registered professional electrical engineer in the Commonwealth of Massachusetts. Stanley is a member of the New York Electronic Crimes Task Force and a founding member of the New England Electronic Crimes Task Force. He often speaks at professional gatherings, and he holds appointment as an adjunct professor at Worcester Polytechnic Institute, where he teaches security-related topics in electrical engineering and computer science.

    Editor's Note:

    This article is excerpted from research being published by the IT Governance Institute in a publication titled Managing Risk in the Wireless LAN Environment: Security, Audit and Control Issues, by Richard A. Stanley, Ph.D., PE, CISSP. This research is written from a business and risk management perspective. It provides a technical, as well as functional, assessment of the wireless landscape and will be available in second quarter 2004. A white paper on wireless security can be found at www.isaca.org/wirelesswhitepaper.htm. The publication will be offered through the ISACA Bookstore at www.isaca.org/bookstore.

    Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

    Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.

    Copyright 2004 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCA™ Information Systems Control Association™

    Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.

    www.isaca.org