The world of wireless communications has much it can learn from the mistakes long made in the wired world, according to the information security administrator for the International Finance Corp. and a wireless security author.
Tara Swaminatha, a top security administrator for the IFC, a part of the World Bank Group, has just released her first book, "Wireless Security and Privacy: Best Practices and Design Techniques." Working with co-author Charles Elden, Swaminatha takes a look at the risks and threats that come with the ease and mobility of wireless communications. And she tries to offer security and network administrators some guidance in taming those risks.
A long-time member of the software and security communities - working previously as a software security consultant and as a developer for the U.S. Department of Justice - Swaminatha talks about the little-known privacy risks that plague cell phone calls, emails sent by PDA and documents transferred over a wireless connection. And in this exclusive interview, Swaminatha also talks about how the pervasiveness of wireless technology will change IT administrators' jobs, how wireless security should be melded in with wired security, and the dangerous assumption that encryption is the answer to wireless security risks.
Q: What security lessons can be wireless users learn from the wired community?
I try to tell people it's not too late. In the wired world, especially with the Internet surge in the late '90s, security was an afterthought. It was a market differentiator instead of a requirement. Consumers and administrators have been burned [by a lack of security] before. Everybody is requiring security. Everybody is much more aware of the need for it. They are going to demand security in applications and devices. What the wireless community can learn is that security shouldn't be a separate component, but should be woven through the entire lifecycle of the software or device.
Q: Many software applications for wired devices weren't built with security in mind. Security was always an afterthought or an addition to a later version. With wireless applications, do you think security is more of a priority?
More so but I don't think it's being done as well as it should be. But it's something that no one would dare be remiss and not include it at all. Security is typically considered, but the cost benefit analysis doesn't always warrant building all the security in up front. They can always release a patch and make money off it later... Our guess is that wireless will become the most attractive thing to begin attacking. It's not as fast as wired communications right now, so it's not as attractive a target. Once it's up to par in terms of speed and vulnerability, you'll see more exploits than anywhere else.
Q: Are most corporate users sufficiently aware of the security risks involved with wireless?
I would estimate that 18 months ago, your average corporation started pumping wireless into its network. Only about 25% to 30% were thinking about security. Now it's in the 75% to 80% range. Are people staying on top of it? Right now, the well-known risks are being taken care of it. But it's not complete. I think the average user right now is pretty cavalier about it. Do they know as much about what they're doing with wireless as they do with wired networks? No. It's still an unknown area. Even if they're trying to make wireless applications secure, they're going on the existing body of knowledge that we all know is not that great right now.
Q: How should wireless security be melded in with wired security in the corporate network?
If you've decided what your security architecture is in the wired world, you need to parallel that in the wireless world. Assume the same level of risk. If you don't leave your wired network open to attack, don't leave your wireless network open to attack. I think instead of having two separate policies. The one policy should address both - wired and wireless. In general, having two separate policies puts too much distinction between the two when they should be thought of the same way. There are differences between wireless and wired, but not more difference than between two separate wired devices. You've got to think about them together.
Q: Are people confusing cryptography with a total security solution?
With cryptography and encryption, people think once they turn it on they're fine. The critical part is in the application. Encrypting passwords is one piece of the puzzle. But you have to look at the larger picture. Don't equate good encryption with total security. You do need to use it and work it into your entire system.
But the most important thing is application security. You can't guarantee that no one will break into your network. Make sure they can't fake authentication to an application and access different pieces of data. Have security at different levels. The biggest area where people have problems is that there isn't one standard platform for wireless. The biggest problem is not knowing exactly what to code to. Do you make restrictions on types of devices? Do you code for one and ignore the others? We just don't have enough standards right now. Because of that, some holes are bound to be left open.
Q: How is wireless technology going to change the face of IT?
They'll have to juggle a lot more balls at the same time. I don't think we'll soon settle down to one platform that everyone uses. For a while it will be this multi-faceted arena. You'll have to integrate a lot of things together. Right now, the network administrator manages the Unix cluster and the servers. But he'll have to be much more well-versed in a variety of things.
Q: Who needs to worry about wireless security - just the administrator running a WLAN or even someone who has users with Blackberries?
Both. Everyone should be aware of the risks for whatever they're doing. Make educated decisions. If you have a wide open network and you're across the street from a competitor. You don't want them to get into it. Does your wireless device have access to your network? Does it have access to critical information?
Q: What privacy problems are raised by wireless technology?
Big brother. It's a where-are-you thing. The FCC required that by this fiscal year any wireless device must emit a signal that determines where that device is. The good thing about that is if you dial 911 and you pass out, they can find out where you are. But are people aware of that? Is it only activated if you dial 911? Should you be able to disable that? Do I really care if the government knows where I am? Can I make that decision or is it a decision being made for us?
Q: When it comes to wireless technology, what security issues worry you the most?
What worries me the most is that we don't have a good grasp on what security and privacy risks have already been compromised. We don't know what the wireless service providers are doing with our records. There are databases and databases full of information that is not available in the wired world. It's not really regulated yet. I'm concerned with the fact that there is this huge body of information concerning our location and our transactions and actions that is being stored by your wireless provider or your cell phone company. What are they doing with it and how are they storing it? There are records of transactions everywhere and we just don't know how they're being stored. Be aware of that. Know what is and is not being held.
Q: What technology is coming down the pike that you're the most excited about?
If it actually gets off the ground - and that's a big if - pervasive Bluetooth will be the killer appliance that people are looking for. Right now, the trend is integrated cell phone, PDAs, and laptops. I don't think the integration will work. With Bluetooth, you'll have your cell phone in your brief case or pocket and it will have a connection, and your palm pilot is in your hand making use of that connection. They just need to be in the same area of each other, sharing the same type of connection. It was supposed to hit mass deployment two years ago and that hasn't happened. We're still waiting.