Study reveals lack of financial wireless computer security

By Marcia Savage, Features Editor, Information Security magazine
14 May 2009 | SearchFinancialSecurity.com

A study by AirTight Networks Inc. of financial districts in seven cities revealed numerous wireless vulnerabilities and a lack of wireless computer security best practices.

Researchers at the Mountain View, Calif.-based wireless security vendor conducted five-minute wireless vulnerability scans at 30 random locations in the financial districts of New York, Chicago, Boston, Wilmington, Del., Philadelphia, San Francisco and London. More than 3,600 wireless network access points were scanned near banks and stock exchanges.

Access points that were open or using weak WEP encryption made up 57% of the airspace scanned, putting them at risk for data leakage, according to the study. Almost 40% of those open or WEP-secured access points were enterprise grade. The rest were consumer or SOHO grade, which can't be centrally managed, AirTight executives said.

"A lot of best practices were simply being skipped," said Mike Baglietto, director of product marketing at AirTight Networks.

Twenty percent of the open wireless network access points were simply hiding their service set identifier (SSID) for security, he said. The SSID is a character sequence that names a wireless network.

"Open access points create a front door to your enterprise; hackers can gain access to your infrastructure and scan devices for vulnerabilities," Baglietto said. Researchers saw instances in which open access points leaked unencrypted packets attached to a financial internal network, he said.

"We're just using commonly available tools that you can download from the Internet," he added. "People with more sophisticated tools pose a bigger threat."

Also, researchers found that more than half of Wi-Fi clients were broadcasting SSIDs and 34% were willing to connect to free and highly insecure Wi-Fi.

"To me, this indicates that the major unsolved problem is risky user behavior and misconfigured clients," said Lisa Phifer, president of Core Competence Inc., a Chester Springs, Pa.-based consulting firm specializing in network and security technologies.

"Employees may be improperly using their own or another company's open visitor WLAN without a VPN or SSL to protect their data. Far too many are apparently willing to associate with hotspot, home or ad hoc SSIDs without really knowing to whom they've connected."

Many businesses today understand how to lock down their own access points, even those that decide to allow open or WEP access for certain applications and devices, Phifer said.

"But I don't think enterprises fully appreciate -- much less take steps to remedy -- these client-side vulnerabilities. And that gap will only grow wider with the proliferation of unmanaged Wi-Fi enabled mobile devices like iPhones."

Phifer noted that of the 39% of open or WEP access points that were enterprise-grade in AirTight's study, many could have been private guest/visitor networks that rely on other security measures such as SSL, VPN or WEP-protected VoIP networks.

Baglietto acknowledged that the districts obviously include other types of businesses, but said the study indicates that financial institutions would do well by implementing wireless security best practices. Those include using strong standards for authentication and encryption like WPA, conducting ongoing wireless security audits and monitoring guest Wi-Fi access.

"With the financial crisis, financial institutions already have one black eye," he said. "They don't need any more headaches."
