Tuesday, April 1, 2014

Human (In)Security Countermeasures


You can combat the human insecurities your wireless network faces in several ways. These come in the form of policy, education, proactive monitoring, and simple prevention. The solutions are fairly straightforward. The real trick is getting users, and most importantly, upper management to buy into them. Here’s what you can do.

Enforce a wireless security policy

The first step is to create a company policy that no unauthorized wireless systems are to be installed. The following is an example of a wireless policy statement:

Users shall not install or operate any wireless-network system (router, AP, ad hoc client, etc.) within the organization.

If you choose to allow wireless systems inside your organization or allow remote users to have wireless networks at home, your wireless security policy should outline specific minimum requirements. The following is an example of such a policy:

Users shall not install or operate any wireless-network system (router, AP, ad hoc client, etc.) within the organization without written permission from the Information Technology Manager. Additionally, all wireless systems must meet the following minimum requirements:

  • WEP is enabled.
  • Default SSIDs are changed to something obscure that doesn’t describe who owns it or what it is used for.
  • Broadcasting of SSIDs is disabled.
  • Default admin passwords are changed to meet the requirements of organizational password policy.
  • APs are placed outside the corporate firewall or in a protected DMZ.
  • Personal firewall software such as Windows Firewall or BlackICE is installed and enabled.

Train and educate

One of the best ways to get users to adhere to your wireless security policy is to make them aware of it — teach them what the policy means, along with the consequences of violating the policy. 

Educate users on what can happen when the policy is not adhered to and try to relate these issues to their everyday job tasks. For example, where a project manager is using a wireless network, describe to her how a hacker could capture detailed information about the project she’s working on, such as user lists, network diagrams, costs, and other confidential information.

If management doesn’t get user sign-off on your policies showing that they understand and agree to the terms of the policies, the policies are as good as nothing. Make sure sign-off takes place.

Also, talk to your users about how a hacker can make it look like the user actually committed the crime by spoofing the user’s address, using the user’s login information, sending e-mails on the user’s behalf, and so on. 


Keep people in the know

If you want to keep security on top of everyone’s minds, the training and awareness has to be ongoing. Keep people aware of security issues by passing out items (such as the following) with security messages on them:

  • Screen savers
  • Mouse pads
  • Pens and pencils
  • Sticky-note pads
  • Posters in the break room

Several organizations specialize in these security awareness products. Check out:

  • www.securityawareness.com
  • www.thesecurityawarenesscompany.com
  • www.greenidea.com
  • www.privacyposters.com


Your best defense is your people, so keep them in the know and make sure you put a positive spin on your security initiatives so you don’t tire them out. 
Scan for unauthorized equipment

A great way to help enforce your wireless security policy is to install a centrally managed wireless gateway or IDS system, such as the products offered by Bluesocket (www.bluesocket.com) and AirDefense (www.airdefense.net). These systems can prevent problems from the get-go through strong authentication, alert you when they detect unauthorized wireless systems, monitor for malicious wireless behavior, and more.

Secure your systems from the start

Another great defense against people-related security vulnerabilities on your wireless network is to prevent them in the first place. Set your users and your systems up for success. You should not only make it policy to harden wireless systems but also help users do the hands-on work if possible. Also, ongoing ethical hacks and audits (comparing what is supposed to be done according to policy to what is actually being done) are essential. This can help you make sure that wireless systems haven’t been changed back to include the insecure settings you’re trying so hard to prevent.
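The audit described here, and the scan for unauthorized equipment above, both come down to the same comparison: what the policy's minimum requirements say an AP should look like versus what a site survey actually shows. The following is an added example (not code from the original post or from the Bluesocket or AirDefense products) that walks a constructed site-survey export against a constructed inventory of approved APs and flags three things: radios that are not in the inventory at all, radios outside the inventory that advertise an approved SSID, and approved APs that drift from the policy items listed above (default SSID, SSID broadcast enabled, no encryption). The CSV layout, BSSIDs, SSIDs and the list of factory SSIDs are all assumptions made for the example.

```python
"""Wireless policy audit over a site-survey export (added example).

Compares APs seen in a scan against an authorized inventory and the
minimum configuration requirements from the policy text. Every BSSID,
SSID and the CSV column layout below is constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass

# Constructed inventory: BSSID -> SSID of each AP approved in writing.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "corp-7f3a",
    "00:11:22:33:44:02": "corp-7f3a",
}

# Small illustrative set of factory SSIDs the policy requires be changed.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "tsunami"}

# Constructed survey export: one row per radio heard during the walk-through.
SAMPLE_SCAN = """bssid,ssid,broadcast,encryption
00:11:22:33:44:01,corp-7f3a,no,WEP
00:11:22:33:44:02,corp-7f3a,yes,OPEN
aa:bb:cc:dd:ee:01,linksys,yes,OPEN
aa:bb:cc:dd:ee:02,corp-7f3a,no,WEP
"""


@dataclass
class Finding:
    bssid: str
    code: str
    detail: str


def parse_scan(text):
    """Parse the constructed CSV format into normalized dicts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "bssid": row["bssid"].strip().lower(),
            "ssid": row["ssid"].strip(),
            "broadcast": row["broadcast"].strip().lower() == "yes",
            "encryption": row["encryption"].strip().upper(),
        })
    return rows


def audit(observed, authorized=AUTHORIZED_APS):
    """Return one Finding per policy violation or unauthorized radio."""
    findings = []
    approved_ssids = set(authorized.values())
    for ap in observed:
        bssid, ssid = ap["bssid"], ap["ssid"]
        if bssid not in authorized:
            # Unknown radio: worse if it impersonates an approved network.
            if ssid in approved_ssids:
                findings.append(Finding(bssid, "EVIL_TWIN",
                    f"unauthorized radio advertising approved SSID {ssid!r}"))
            else:
                findings.append(Finding(bssid, "ROGUE",
                    f"AP {ssid!r} is not in the authorized inventory"))
            continue
        # Approved AP: check each minimum requirement that a scan can observe.
        if ssid.lower() in DEFAULT_SSIDS:
            findings.append(Finding(bssid, "DEFAULT_SSID",
                f"SSID {ssid!r} is a factory default"))
        if ap["broadcast"]:
            findings.append(Finding(bssid, "SSID_BROADCAST",
                "SSID broadcasting is enabled"))
        if ap["encryption"] == "OPEN":
            findings.append(Finding(bssid, "NO_ENCRYPTION",
                "no link-layer encryption is enabled"))
    return findings


def run_sample():
    """Audit the constructed survey; used by the __main__ report below."""
    return audit(parse_scan(SAMPLE_SCAN))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.bssid}  {f.code:<14} {f.detail}")
```

Fields a passive survey cannot see (the admin password, whether a personal firewall is running, where the AP sits relative to the firewall) still have to be checked hands-on or through the AP's management interface, which is why the post pairs scanning with ongoing audits rather than relying on either alone.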
