CyberSecurity Institute

If that weren’t bad enough, many “so called” security experts propagated these myths through speaking engagements and publications and many continue to this day. Many wireless LAN equipment makers continue to recommend many of these schemes to this day. One would think that the fact that none of these schemes made it in to the official IEEE 802.11i security standard would give a clue to their effectiveness, but time and time again that theory is proven wrong. To help you avoid the these schemes, the writer has created the following list of the six dumbest ways to secure your wireless LAN.

MAC filtering: This is like handing a security guard a pad of paper with a list of names. Then when someone comes up to the door and wants entry, the security guard looks at the person’s name tag and compares it to his list of names and determines whether to open the door or not. All someone needs to do is watch an authorized person go in and forge a name tag with that person’s name. The comparison to a wireless LAN here is that the name tag is the MAC address. The MAC address is just a 12 digit long HEX number that can be viewed in clear text with a sniffer. A sniffer to a hacker is like a hammer to a carpenter except the sniffer is free. Once the MAC address is seen in the clear, it takes about 10 seconds to cut-paste a legitimate MAC address in to the wireless Ethernet adapter settings and the whole scheme is defeated. MAC filtering is absolutely worthless since it is one of the easiest schemes to attack. The shocking thing is that so many large organizations still waste the time to implement these things. The bottom line is, MAC filtering takes the most effort to manage with zero ROI (return on investment) in terms of security gain.

SSID hiding: There is no such thing as “SSID hiding”. You’re only hiding SSID beckoning on the Access Point. There are 4 other mechanisms that also broadcast the SSID over the 2.4 or 5 GHz spectrum. The 4 mechanisms are; probe requests, probe responses, association requests, and re-association requests. Essentially, you re talking about hiding 1 of 5 SSID broadcast mechanisms. Nothing is hidden and all you ve achieved is cause problems for Wi-Fi roaming when a client jumps from AP to AP. Hidden SSIDs also makes wireless LANs less user friendly. You don t need to take my word for it. Just ask Robert Moskowitz who is the Senior Technical Director of ICSA Labs in his white paper Debunking the myth of SSID hiding.

LEAP authentication: The use of Cisco LEAP authentication continues to be the single biggest mistake that corporations make with their wireless LAN because they leave themselves wide open to attack. Cisco still tells their customers that LEAP is fine so long as strong passwords are used. The problem is that strong passwords are an impossibility for humans to deal with. If you doubt this, try a password audit of all the users in your organization and see how long it takes to crack 99% of all passwords. 99% of organizations will flunk any password audit for most of their users within hours. Since Joshua Wright released a tool that can crack LEAP with lighting speed, Cisco was forced to come out with a better alternative to LEAP and they came up with an upgrade to LEAP called EAP-FAST.

Disable DHCP: This is much more of waste of time than it is a security break. It would take a hacker about 10 seconds to figure out the IP scheme of any network and simply assign their own IP address.

Antenna placement: I’ve heard the craziest thing from so called security experts that actually tell people to only put their Access Points in the center of their building and put them at minimal power.

Just use 802.11a or Bluetooth: Fortunately, I haven’t heard this one for a while.

In light of recent developments within the last 6 months, it takes only a few minutes to break a WEP based network which makes WEP completely ineffective and a good potential future candidate for the wireless LAN security hall of shame. Where it currently fails to be in the hall of shame is that it still holds up for a few minutes, requires a little skill to launch the packet injection attacks, and isn’t propagated as an urban legend for a secure wireless LAN.

This blog wasn’t just meant to be funny, it’s serious business that so many organizations waste their time and money on worthless security schemes that give them a dangerous false sense of security.

http://blogs.zdnet.com/Ou/index.php?p=43

This sounds like a terrific idea, but the lecturer was unable to provide a concrete example similar to purchasing justifications that companies use like: “Yes, we will buy this machine because it makes twice as many diamond rings per hour and we’ll be able corner the Valentine’s Day market in North America.”

This article will help guide Computerworld readers from a current state of reaction and acquisition to a target state of business value and justification for information security, providing both food for thought and practical ideas for implementation.

Most companies don’t run their information security operation like a business unit with a tightly focused strategy on customers, market and competitors. Most security professionals and software developers don’t have quotas and compensation for making their numbers. Information security works on a cycle of threat, reaction and acquisition.

It needs to operate continuously and proactively within a well-defined, standards-based threat model that can be benchmarked against the best players in your industry, just like companies benchmark earnings per share. With measurable improvement, we’ll be able to prove the business value of spending on security.

– Is your digital asset protection spending driven by regulation?

– Are Gartner white papers a key input for purchasing decisions?

– Does the information security group work without security win/loss scores?

– Does your chief security officer meet three to five vendors each day?

– Is your purchasing cycle for a new product longer than six months?

– Is your team short on head count, and not implementing new technologies?

– Has the chief technology officer never personally sold or installed any of the company’s products?

Start by implementing a consistent set of activities, for example, standardizing on diskless thin clients, remote desktops and Windows Terminal services. Segment the network into virtual LANs, put the application servers on one segment, the data servers on another and client workstations on departmental segments and so forth.

For instance, if you want to evaluate cash flow, then measure cash flow from operations or free cash flow (FCF), which is cash from operations minus capital expenditures. FCF omits the cost of debt, but it is an objective indicator that can be measured every day.

http://www.computerworld.com/securitytopics/security/story/0,10801,100413,00.html