
Wireless Security Best Practices Guide for Business - Essay Example


Extract of sample "Wireless Security Best Practices Guide for Business"

WIRELESS SECURITY BEST PRACTICES GUIDE FOR BUSINESS

TABLE OF CONTENTS

1. INTRODUCTION
2. WIRELESS DEVICES
3. TECHNICAL CONFIGURATION OF WIRELESS DEVICES
4. PHYSICAL LAYER SECURITY
5. TRAINING FOR WIRELESS ACCESS
6. GUEST PRIVILEGES
7. SECURE DEFAULT CONFIGURATION OF DEVICES
8. REQUESTING FOR WIRELESS NETWORK
9. AUTOMATIC DISCOVERY OF NETWORK
10. PROCUREMENT OF NETWORKS
11. AVOID PROCESSING SENSITIVE DATA
12. APPROVED PERSONNEL ONLY
13. LOGICAL AND PHYSICAL SECURITY OF ACCESS POINTS
14. SOFTWARE FOR ACCESS POINTS
15. TESTING NETWORKS
16. STABILITY AUDITS
17. CONTROLLING THE CHANGES
18. EQUIPMENT INVENTORY
19. LOSS AND RECOVERY TECHNOLOGY

1. INTRODUCTION

The day-by-day improvement of technology in every field sometimes creates a sense of fear: will there be an end to it? To what extent do we have to follow it? New trends aside, managing and maintaining the existing technology is so important that any misuse can lead to a drastic situation that might bring down even a big organization. With this in mind, every organization is in search of a good written security policy which, when followed, keeps the company in safe hands. This paper describes a security policy which, when deployed after research, will keep the company abreast of its competitors and give it a hassle-free security policy.

Every company in today's world is run on wireless network technology. Local Area Networks, generally called LANs, are privately owned networks within a single building or campus of up to a few kilometers in size. They are widely used to connect personal computers and workstations in company offices and factories to share resources and exchange information. Deploying a wireless LAN or wireless network is something like a pilot flying an aircraft without instructions.
One will probably get off the ground; what happens next is a matter of chance, and someone is likely to get hurt. As defined in RFC 2196, the IETF's Site Security Handbook, a security policy is a formal set of rules by which people who are given access to an organization's technology and information assets must abide. There are many kinds of security policies, such as Password Policies, Remote Access Policies, Mobile Device Policies, Vulnerability Assessment Policies, Acceptable Use Policies and Wireless Communication Policies. The assets protected by each of these policies are different, but they all share a common agenda. The security policy has the following important specifications to follow for the best benefit.

2. WIRELESS DEVICES

Devices such as notebooks, handhelds, portables, personal digital assistants, smart phones, etc. which are issued by the Information Technology Department should be permitted to access the company internal network through wireless technology. Devices should be checked to be pre-configured with the necessary operating system and security software, which provides an encrypted tunnel (virtual private network) for network traffic; encrypts device hard drives; screens for and removes viruses and other malware; supports an extended user authentication dialog; supports remote file backups; updates software when the software resident on the device is out of date; prevents the user from reconfiguring a device's software; and logs security-relevant events.

3. TECHNICAL CONFIGURATION OF WIRELESS DEVICES

Access is allowed only to those who have requested and received approval from the Information Technology Department for wireless network access. These users are expected to employ properly configured machines whose internal hardware address (MAC address) is recognized by the wireless network.
No user should be allowed to set up their own wireless networks without the approval process, even if these networks are connected with the company's internal network. Access to the company's internal networks through a wireless connection shall further be permitted if the end user employs extended user authentication technology approved by the Information Security Department, such as password tokens or biometrics. This technology goes beyond the traditional fixed password and helps to ensure that only authorized people can gain access to the company's network. Users who have lost their connection to an internal wireless network for more than five minutes because they moved beyond the wireless network coverage area must reauthenticate with the same technology when they wish to reestablish a connection.

4. PHYSICAL LAYER SECURITY

The EIRP (effective isotropic radiated power) should be within the legal power output range. An appropriate level of emission power should be used to keep the network from spreading far beyond the boundaries. The antenna position should be chosen to confine signal spread to the coverage area. If necessary, parabolic reflectors can be used to block wireless signal propagation in undesirable directions. All sources of interference should be checked and eliminated.

5. TRAINING FOR WIRELESS ACCESS

In addition to having access to the company's internal wireless network, each user should complete a brief wireless network training and awareness program developed and delivered by the Information Security Department. Once they have completed the program, all users should sign a usage agreement promising that they will abide by the company's information security and privacy requirements. Network usage shall be enabled only for those users who have successfully passed the tests and have signed the usage agreement.

6. GUEST PRIVILEGES

The policy so far says that guest access is not possible, or rather not allowed.
To allow some exceptional, conditional usage of the network, certain public areas such as the headquarters building reception and meeting rooms are provided with access. These exceptional areas must have obtained approval from the Information Security Department and should provide only public internet access, with no direct access to the company's internal network system.

7. SECURE DEFAULT CONFIGURATION OF DEVICES

Some systems, such as the data synchronization process (also known as the docking process) between a personal digital assistant and a personal desktop computer, usually exchange data between devices through wireless connections. They should not be allowed access unless they have been approved by the Information Security Department. If this is not followed, the transmitted data could be intercepted by unauthorized parties, and the devices could even generate signals that interfere with authorized wireless networks in the immediate surroundings. For the same reason, the communications capabilities found in machines and other company-related computers must remain disabled until they have been evaluated and approved by the Information Security Department.

8. REQUESTING FOR WIRELESS NETWORK

If a wireless network appears to be a solution for problems in the company, a request should be made to conduct a feasibility study examining the use of a wireless network, and submitted to the Information Technology Department. If the study finds that wireless technology is a prudent technology that will serve the company's business need, a risk assessment should be performed by the Information Security Department prior to the deployment of any wireless networks. The use of wireless networks for production applications costs more than the wireless networks alone, which should be kept in mind by the workers who use them.
An alternative backup networking technology should be employed for all wireless networks used for production applications. This helps in a crisis when the wireless network is inoperable, for instance due to radio frequency interference. The backup technology should be thoroughly tested and approved by the Information Security Department before it is permitted to operate with a production application.

9. AUTOMATIC DISCOVERY OF NETWORKS

To put this policy into practice, the company should detect the presence of all devices connected to the internal network and halt the network communication services of those devices that have not been formally approved by both the Information Technology Department and the Information Security Department. To ensure that all the equipment in use in the internal wireless network is approved, the company periodically conducts tests such as "war driving" to detect unauthorized wireless access points.

10. PROCUREMENT OF TECHNOLOGY

All users are advised not to purchase, rent or procure wireless equipment on their own. The procurement of any hardware and software services related to wireless networks should be channeled through the Purchasing Department. This helps to ensure that the purchase is consistent with existing internal technical standards and security requirements.

11. AVOID PROCESSING SENSITIVE DATA

Workers who are considering making a request for a wireless network should be aware that wireless networks are not appropriate for company applications that process sensitive data (credit card numbers, bank account numbers, mergers and acquisitions plans, etc.). Reflecting the fact that the security of wireless networks is not as strong as the security of wired networks, the Information Technology Department will deny all requests for wireless networks that are intended to transmit or receive sensitive information.

12. APPROVED PERSONNEL ONLY

The wireless access points should be installed and configured by an authorized member of the company's system administration staff or an authorized contractor. They are expected to follow the Information Security Department's installation, configuration and management guide for wireless networks. The guide covers varied topics such as changing default passwords so that unauthorized personnel cannot gain internal access, turning on encryption so that transmissions are always obscured from wiretappers, and disabling identifier broadcasting so that unauthorized personnel cannot readily detect the presence of a wireless network. Any repair and administration of the company's wireless network should be carried out by authorized system administration staff or an authorized contractor. While performing this work, they are expected to follow the procedures defined in the Information Security Department's installation, configuration and management guide for wireless networks. To confirm that the wireless networks have been properly configured and managed, regular audits should be conducted by the Internal Audits Department.

13. LOGICAL AND PHYSICAL SECURITY OF ACCESS POINTS

Care should be taken while defining the areas of access for both guests and the regular staff at work. To avoid tampering, reconfiguration, theft and other unauthorized activities, all wireless network access points should be physically secured in areas accessible only to authorized personnel. Each and every access point is to be distinguished from the main internal company network using configurations approved by the Information Security Department. The company's wireless network access points should be configured so that they consistently employ communications encryption, firewalls, hardware device address (MAC address) filtering, intrusion detection systems and other security measures defined by the Information Security Department.

14. SOFTWARE FOR ACCESS POINTS

The latest version of the vendor-supplied operating system and security software should be used to run the access points. Similarly, the mobile devices that are authorized to access the company's wireless networks should have an up-to-date suite of operating system and security software defined by the Information Security Department. Devices that are not up to date are not allowed to access the company's internal network system. Default download facilities should be provided to enable these machines to securely and quickly update to the new software. If any device has not had the software installed properly, it will be isolated from the internal network using blocking technology so that any further intervention is prevented. Every new technology improves on the drawbacks of the older one, so care should be taken that security measures on company production wireless-connected systems are not backward compatible. By forbidding backward compatibility, the company helps to ensure that only the latest versions of operating system and security software are employed. Backward compatibility means that older software can still be used, which indirectly means that certain security measures are turned off, unavailable or inactive.

15. TESTING NETWORKS

Before cutting over to production usage of a wireless network, an extensive test should be performed to ensure that all security and availability control mechanisms are working as intended. Only after the Information Security Department approves the successful completion of these tests can the wireless network be used for production information processing activities.

16. STABILITY AUDITS

Corporate wireless security audits should be performed periodically by authorized external personnel with an established reputation in the relevant field, along with appropriate specialization and industry accreditations.
Network stability and audits should include:
  • Surveying the site.
  • Overall network operation and stability assessment.
  • Security policy assessment.
  • Rogue wireless device detection and stability assessment.
  • Systematic wireless penetration tests.

17. CONTROLLING THE CHANGES

Any changes to the configuration or to the setup of a wireless network should follow the standard change control process that is required for the production information system. Access to the company's internal network is blocked if authorized contractors or system administrators make changes without following the change control process. This blocking is done with the help of network-based auto discovery software and security auditing software. The wireless access points should have sufficient disk space and internal resources to support the logging and systems monitoring software specified by the Information Security Department. Any intrusions and incident responses should be managed and coordinated by the Information Security Department. In response to all security events that occur via wireless access points, such as a denial of service attack, a system virus infestation or an intrusion by unauthorized personnel, the responsible system administrators should follow the Information Security Department's lead.

18. EQUIPMENT INVENTORY

The Information Technology Department is responsible for keeping an up-to-date inventory record of all equipment connected to the internal network, which also includes authorized wireless access points and authorized mobile devices that have wireless computing interfaces. Auto update systems should be employed so that regular updates are downloaded from time to time.

19. LOSS AND RECOVERY TECHNOLOGY

Devices with wireless communications interfaces which are reported stolen should be automatically blocked from accessing the company's internal network.
Another interesting technology, which erases the resident data on devices when they are reported lost, is poison pill technology; it should be employed without a second thought for effective security. The Physical Security Department should be informed if any object is misplaced or lost. If a wireless-enabled computing device such as a notebook, portable digital assistant, smart phone, etc. which is granted access to the company's internal network is lost, it should be immediately reported to the Physical Security Department. Loss, theft and tampering are to be strictly guarded against. To be in a safer position, users should not leave devices unattended in the open in public areas like airports or trains; should not leave devices unattended in hotel rooms, but deposit them in the hotel room safe; should lock them in file cabinets when they are not being used in the office; and should lock them in the trunk of the car whenever the car is parked. Devices reported stolen can be recovered by the police or a third party if all the wireless access points and mobile devices have been etched with identifiers that allow them to be returned to the company.

The wireless security policy set out here is expected to be followed by companies to keep them abreast of the changing trends in society and to protect their institution from any mishaps in terms of data theft or wireless break-in.
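Sections 9, 12, 13 and 18 together describe an audit: compare what a periodic wireless scan sees against the inventory of approved access points and against the configuration the guide requires (encryption on, identifier broadcasting off). The following is an added example, not part of the original essay; the record fields, the SSID `CORP-WLAN`, the severity labels and all MAC addresses are constructed assumptions.

```python
"""Audit a wireless scan against the approved access-point inventory.

Added example: field names, severities and all sample records are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    bssid: str        # radio MAC address of the access point seen in the scan
    ssid: str         # empty string when the identifier is not broadcast
    encrypted: bool   # True when the scan reports link encryption


def norm(mac: str) -> str:
    """Canonical MAC form so '02-00-..-AA' and '02:00:..:aa' compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit(inventory, corporate_ssids, scan):
    """Return (bssid, severity, reason) findings for one scan pass."""
    approved = {norm(m) for m in inventory}
    findings = []
    for obs in scan:
        bssid = norm(obs.bssid)
        if bssid not in approved:
            if obs.ssid in corporate_ssids:
                # Unknown radio using the company's network name.
                findings.append((bssid, "HIGH", "unapproved device advertising a corporate SSID"))
            else:
                # May be a neighbour; confirm location before acting.
                findings.append((bssid, "MEDIUM", "unknown access point in range"))
            continue
        if not obs.encrypted:
            findings.append((bssid, "HIGH", "approved access point with encryption off"))
        if obs.ssid:
            findings.append((bssid, "LOW", "approved access point broadcasting its identifier"))
    seen = {norm(o.bssid) for o in scan}
    for missing in sorted(approved - seen):
        # Powered off, moved or stolen: reconcile with the inventory record.
        findings.append((missing, "INFO", "inventory entry not seen in scan"))
    return findings


# Constructed sample data (locally administered MAC addresses).
INVENTORY = ["02:00:00:00:00:01", "02-00-00-00-00-02", "02:00:00:00:00:03"]
CORPORATE_SSIDS = {"CORP-WLAN"}
SCAN = [
    Observation("02:00:00:00:00:01", "", True),            # compliant
    Observation("02:00:00:00:00:02", "CORP-WLAN", False),  # misconfigured
    Observation("02:00:00:00:00:AA", "CORP-WLAN", True),   # not in inventory
    Observation("02:00:00:00:00:BB", "CoffeeShop", False), # unrelated network
]

if __name__ == "__main__":
    for bssid, severity, reason in audit(INVENTORY, CORPORATE_SSIDS, SCAN):
        print(f"{severity:<6} {bssid}  {reason}")
```
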
Wireless Security Best Practices Guide for Business Essay. Retrieved from https://studentshare.org/miscellaneous/1544532-wireless-security-best-practices-guide-for-business