From the Security Experts

February 19, 2009

Cisco: Cyber-Criminals See Opportunities in WiFi, Mobile Workforce

By SIP Trunking Report Editor

Here’s a tenet of cops-and-robbers that Major League Baseball officials are learning well, even if they hadn’t grasped it 11 summers ago, when a pair of steroid-jacked players destroyed the game’s hallowed record for home runs in a single season: The criminals are usually at least one step ahead.

Although baseball instituted a steroid-testing program five years ago – a half-hearted effort, by all accounts, that’s now under scrutiny from federal investigators, fans, journalists and ex-players – a cloud of suspicion may forever linger over the game. Everyone will wonder: Are this player’s achievements tainted because he’s using a performance-enhancing drug that “the good guys” don’t know how to test for?
No one doubts that experimental chemists in their laboratories are working hard to produce an undetectable drug that will give the multi-millionaire baseball players the kind of competitive edge that will bring in higher-paying contracts, endorsements and incentives – such as those that beleaguered New York Yankees third baseman Alex Rodriguez was guaranteed should he destroy another hallowed record, for career home runs.
The same tenet applies to cyber-criminals, and right now, according to officials with the world’s largest maker of computer networking gear – San Jose-based Cisco Systems Inc. – those “bad guys” are seizing on opportunities created by an increasingly mobile workforce.
Scott Pope, a senior manager for Cisco’s wireless security product management, told TMCnet in an interview (printed below) that many enterprises fool themselves into thinking that WiFi Protected Access 2, or “WPA2” – a security method that’s designed to assure people that only authorized users can access their wireless networks – is all they need to protect themselves from attacks.
In fact, Pope told us, WPA2 cannot address hackers who enter a network from rogue access points, denial-of-service attacks, user authentication and data encryption cracking methods or network reconnaissance.
Our exchange follows.
TMCnet: The last we heard from Cisco on the issue of network security, the company said that cyber-criminals – people who use computers to do things like make bogus offers or steal information, money and identities – are becoming more and more sophisticated and are developing increasingly specialized attacks. How is the increasingly mobile workforce affecting the criminals’ ability to carry out those attacks, if at all?
Scott Pope: There are two main differences in a mobile workforce.
First, the notion of a security perimeter doesn’t really exist anymore. Whether it is corporate WLAN, the telecommuter or the dual-mode phone in someone’s pocket, you have wireless signals that go through walls of offices and homes to contend with and secure. That means a cyber-criminal no longer has to be “on your network” – they can instead try to attack what is floating across the air in the wireless environment. Trying to protect the “air” has a whole different set of specific security considerations and requirements.
Second, because the mobile worker may be telecommuting or have these handheld devices that the IT department doesn’t manage, you now have a new frontier of off-the-IT-grid infrastructure to consider from a security perspective. This is fertile ground for cyber-criminals because they can often have lower defenses.
TMCnet: Talk to us about the differences between what’s required to protect a wired network versus a wireless local area network, or “WLAN”?
SP: Because it traverses the air, wireless has unique security requirements. WLANs transmit data and extend network access outside buildings. While WLAN data encryption and strong user authentication secure traffic and access, they don’t comprise a comprehensive wireless security strategy on their own. Airwaves redefine the typical network perimeter, and this is the primary difference relative to wired security.
The same security rules of access control, traffic inspection and intrusion prevention apply to WLAN traffic once it lands on the wired network. But there are WLAN-specific threats, due to traffic traversing the airwaves, that must be considered.
First is the rogue access point, “AP,” or non-managed APs in your airwaves. If a rogue is connected to your LAN, it extends backdoor access to your network outside the building. And if that rogue doesn’t require user authentication, anyone within its range has access to, at minimum, the LAN port the rogue is connected to. Such rogues must be detected and mitigated even if you don’t have a WLAN installed in your company. Furthermore, a rogue can lure wireless users to connect to them for purposes of network profiling or stealing proprietary information.
Most other threats come from wireless hackers using the airwaves to do their work. These threats fall into three categories. First are wireless denial-of-service attacks that disrupt or disable WLANs. These attacks force clients off the network with RF noise or by abusing the 802.11 protocol. Second are user authentication and data encryption cracking methods which compromise data privacy and user access control on the WLAN. While WLANs using WPA2 and strong authentication aren’t at risk, many still use insecure protocols like WEP and LEAP to connect older WLAN clients. The last category is network reconnaissance which analyzes unencrypted WLAN management frames to discern best avenues for WLAN attack.
TMCnet: Based on your experience in dealing with enterprises’ security issues, what are some of the most prevalent myths out there?
SP: The most prevalent myth: WPA2 encryption for WLANs equates to a comprehensive wireless security strategy. While WPA2 does protect traffic from being eavesdropped upon, WPA2 does nothing to deal with the rogue APs and various wireless hacking/attack methods cited above.
The second, I wouldn’t say is a myth, but an area most often overlooked on the mobile/wireless security front is what a person sitting in front of your building with a laptop can do to you. Again, refer to the various wireless hacking/attack methods cited in the last paragraph of answer #2, above. Many enterprises understand rogue APs to some degree, but have little idea of over-the-air hacking.
TMCnet: This week, President Barack Obama is signing a $787 billion economic stimulus bill into law, which includes about $7.2 billion to support broadband Internet deployment to “underserved” and rural areas. What kinds of security issues is Cisco expecting to arise as a result of the initiative, if any?
SP: Expanding broadband is a critical economic development initiative, and an important part of stimulus and recovery. The more Americans on-line, the greater the economic opportunities for them and with that, our country. While by no means exclusive to the stimulus, new users on the Internet may be under-informed on how to protect their own computers. This stimulus represents an opportunity, since many broadband service providers already include security protection in their service offerings. Consumers who get service from service providers using stimulus funding will likewise get some security protection through their service providers, or can choose free or paid services that are otherwise widely available.
TMCnet: Finally, we’re hearing that even the world’s largest maker of software, Microsoft Corp., is offering a $250,000 reward for information that leads to the arrest and conviction of those responsible for launching the so-called “Conficker” computer worm, which has infected millions of Microsoft Windows PCs over the past two months. Is there such a thing as a company that’s immune to cyber-criminals?
SP: Every person or organization can be vulnerable if they don't take the necessary precautions to secure their information and identity. Technology is only one part of the solution. Without education and awareness, and without diligent behavior, the ROI on technology is diluted. A strong approach to security – whether it is wired or wireless – involves the marriage of education, behavior, and technology. This is a golden opportunity for IT organizations to increase their strategic and consultative value to their exec teams and employees. IT can lead this charge, and should.


Michael Dinan is a contributing editor for TMCnet, covering news in the IP communications, call center and customer relationship management industries.

Edited by Michael Dinan