Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Wireless security? SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Wireless security?

John at pointed out that a jurisdiction in the state of New York (United States) is mandating security requirements where wireless networking is used. Sounds like a good thing, right? The thing that perplexes me is that they stop at requiring that the SSID be changed, OR that a firewall be installed. There doesn't appear to be any mention of one of the primary protection methods for wireless, namely encryption. If you wish to secure wireless you should use authentication (preferably strong), and encrypt transmissions. Changing or disabling SSID broadcasts is essentially useless, it can be guessed or sniffed. If the threat they are attempting to mitigate is identity theft of data being passed in the clear 'through the air' encryption is a must. Encrypting data only at rest is not sufficient if it is transmitted or processed insecurely. Let's face it, a firewall will not stop anyone from capturing credit card information being passed over wireless. I wonder if the lawmakers in question truly understood what they are trying to accomplish. An MSNBC story on the subject is here. A very strong (negative) opinion has been posted here. Ensuring or encouraging basic security measures have been installed on all systems is always a good thing IMHO, however does this law miss the boat? The law in question is here.

I will be teaching next: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques - Cyber Defence India August 2021

Adrien de Beaupre

353 Posts
ISC Handler
Apr 21st 2006

Sign Up for Free or Log In to start participating in the conversation!