Handhelds & Wireless Devices: What’s the threat?


Eric Peterson, Vice President, STAR COMPUTERS, epeterson@starcomputers.com


Agenda:
- Wireless Technology Timeline
- Common Terminology
- Home and Business Devices
- Common Types of Wireless Security
- Real World Concerns and Threats
- Wireless Security Best Practices
- Questions

- Fall of 1999: wireless 802.11b products start shipping
- 2000: Microsoft releases Windows 2000 with built-in wireless support
- 2001: Starbucks announces hotspot launch
- 2002: Lucent Technologies demonstrates a seamless handoff between Wi-Fi and 3G cellular networks, enabling users to roam between the two without interrupting their Internet sessions
- 142.8 million total smartphone users by end of 2011

- 802.11 (802.11b, 802.11g, 802.11n): this is Wi-Fi
- WLAN: wireless local area network
- Bluetooth: a short-range wireless technology used to connect devices to each other
- SSID: service set identifier, a 32-character unique identifier attached to the header of packets sent over a WLAN. The SSID differentiates one WLAN from another.
- Hotspot: a site that offers Internet access over a wireless local area network through the use of a router connected to a link to an Internet service provider
- AP: wireless access points (APs or WAPs) are specially configured nodes on wireless local area networks (WLANs). Access points act as a central transmitter and receiver of WLAN radio signals.

- Mobile/Smart Phones
- Laptops/Tablets
- Printers/Scanners
- Televisions/Appliances
- Credit Card Machines
- Video/Surveillance Cameras

Smartphones are mobile phones (personal devices) with:
- Internet access
- Easily-programmable OS
- Rich sensing and communication capabilities

Extra capabilities:
- Sensors: camera, motion, GPS (location)
- Communications: cellular, Bluetooth, Wi-Fi
- PC-like functionality

- Blackberry
- iPod/iPad
- Droid O/S Devices
- Windows Phone
- Palm
- Symbian

- OPEN: exactly that, open to all without any security.
- WEP (Wired Equivalent Privacy): WEP has three settings: Off (no security), 64-bit (weak security), 128-bit (a bit better security). WEP is not difficult to crack, and using it reduces performance slightly.
- WPA/WPA2 (Wi-Fi Protected Access): successor to WEP that is more difficult to crack. WPA is comparable to having a single lock on your front door and giving a key to everyone you want to give access to. Keys can be shared. The challenge with WPA is that removing someone requires the entire network to be re-keyed and new keys re-distributed to valid users.
- 802.1X: enterprise-level security frequently deployed by Fortune 500 companies with a RADIUS server. It eliminates the common key problem by providing a unique key for each valid user every time they enter the network.
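The four security types above, applied as a quick audit of the networks a device can see. This is an added example, not part of the original presentation; it assumes scan output in the `SSID:SECURITY` form produced by `nmcli -t -f SSID,SECURITY device wifi list` on Linux, and the sample scan and network names are constructed.

```python
NOTES = {  # one note per security type, taken from the list above
    "OPEN": "open to all without any security",
    "WEP": "not difficult to crack",
    "WPA-PSK": "shared key; removing a user means re-keying everyone",
    "802.1X": "unique key per user via RADIUS",
}

def split_terse(line):
    """Split a terse nmcli line on ':'; a backslash escapes the next char."""
    fields, cur, chars = [], [], iter(line)
    for ch in chars:
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(next(chars, "") if ch == "\\" else ch)
    fields.append("".join(cur))
    return fields

def classify(security):
    tokens = security.upper().split()
    if not tokens or tokens == ["--"]:
        return "OPEN"
    if "802.1X" in tokens:
        return "802.1X"
    if any(t.startswith("WPA") for t in tokens):
        return "WPA-PSK"
    return "WEP" if "WEP" in tokens else "UNKNOWN"

def audit(scan_text):
    """Map each SSID in the scan to one of the categories above."""
    results = {}
    for line in scan_text.splitlines():
        if line.strip():
            ssid, security = (split_terse(line) + [""])[:2]
            results[ssid or "<hidden>"] = classify(security)
    return results

def flagged(results):
    return sorted(s for s, c in results.items() if c in ("OPEN", "WEP"))

# Constructed sample scan (SSID:SECURITY); all network names are made up.
SAMPLE_SCAN = "CoffeeShop-Guest:\nOldPrinter:WEP\nHomeNet:WPA1 WPA2\n" \
              "Corp-WLAN:WPA2 802.1X\nLab\\:5GHz:WPA2\n"

if __name__ == "__main__":
    for ssid, cat in audit(SAMPLE_SCAN).items():
        print(f"{ssid:18} {cat:8} {NOTES.get(cat, 'unrecognized')}")
    print("Avoid or replace:", flagged(audit(SAMPLE_SCAN)))
```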

- Sensitive information often exists on these devices.
- Employees want to access enterprise data and applications from personal devices.
- The use of personal devices increases the risk to any information that is stored on or that can be accessed by those devices.
- Regulations associated with sensitive information (HIPAA, SOX) drive the need for certain controls.
- Users' ability to copy information to the devices or send information from the devices

- Direct attack over a network connection
- Malicious software
- Rogue APs
- Conduit for exploits to LAN
- iPhone (bad apps), jailbreaking
- Physical loss or theft of the device
- ...

- 30% of mobile devices are lost each year (SANS Institute)
- 31,544 mobile phones were left in NYC taxicabs during a 6 month period in 2008 (Credant Technologies)
- These devices contain: corporate data, corporate e-mail and contacts lists, enterprise access rights
- Threat of Bluetooth exploits: bluejacking and bluesnarfing
- Bluejacking: unsolicited image, text, etc. sent to mobile phone over Bluetooth
- Bluesnarfing: unauthorized phone access via Bluetooth, can result in theft of contacts, calendar, etc.

- Enable Auto-Lock
- Enable Passcode Lock and power on lock
- Keep device up to date
- Provision for remote device wipe
- Known APs with WPA (Wi-Fi Protected Access) security
- Deactivate unnecessary wireless interfaces such as Bluetooth (only way to prevent bluesnarfing)
- Use Mobile Device Management Systems: Blackberry Enterprise Server, Good Technology
- Establish policies on what information can and cannot be stored on devices
- Consider company supplied devices vs. supporting employee owned devices

- Handhelds are no more or less vulnerable than any computer
- Currently few malware or virus exploits in the wild... expect an increase
- Keep device up to date
- Strong passwords, remote wipe, and use of WPA
- Though the iPhone has made some significant gains in recent days toward becoming a suitable business smartphone, its target user is still the consumer
- Use third party security package

epeterson@starcomputers.com