Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Wireless security? InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Wireless security?

Published: 2006-04-21
Last Updated: 2006-04-21 15:23:20 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)

John at pointed out that a jurisdiction in the state of New York (United States) is mandating security requirements where wireless networking is used. Sounds like a good thing, right? The thing that perplexes me is that they stop at requiring that the SSID be changed, OR that a firewall be installed. There doesn't appear to be any mention of one of the primary protection methods for wireless, namely encryption. If you wish to secure wireless you should use authentication (preferably strong), and encrypt transmissions. Changing or disabling SSID broadcasts is essentially useless, it can be guessed or sniffed. If the threat they are attempting to mitigate is identity theft of data being passed in the clear 'through the air' encryption is a must. Encrypting data only at rest is not sufficient if it is transmitted or processed insecurely. Let's face it, a firewall will not stop anyone from capturing credit card information being passed over wireless. I wonder if the lawmakers in question truly understood what they are trying to accomplish. An MSNBC story on the subject is here. A very strong (negative) opinion has been posted here. Ensuring or encouraging basic security measures have been installed on all systems is always a good thing IMHO, however does this law miss the boat? The law in question is here.

0 comment(s)
Diary Archives