Auditors Need To Consider Wireless Security Risks
by Rob Harmer PCProfile
As an auditor you are probably heavily reliant on technology for performing your audit duties, gathering data, writing up reports and submitting audit summaries to clients. In many cases this means travel, and travel means mobility, which in most cases requires a wireless connection for email, Internet access and report submission.
As a mobile warrior you may be equipped with a notebook PC, a USB flash drive, and/or a Tablet or Palm-like device for touching base with the office for email, calendar etc., plus tools for data examination, gathering and report writing whilst “on the road”. Depending on security arrangements you may even be permitted to insert USB devices into the client’s computer, with their permission of course.
This feature article examines some of the key technology areas that an auditor needs to keep in mind when conducting audits at client sites and using the technology tools provided. Rapid changes in technology, and the varying manner in which it is deployed in the field, mean that auditors need to keep up with these changes and then examine their implications, which can be far reaching.
The following information is focused on SME (Small/Medium Enterprise/Business) sites but can be equally applied at larger sites, government accounts or school systems. You would be surprised at how many “technology savvy” medium to large enterprises aren’t paying attention to these issues.
Auditors need to focus on the risks addressed in this article, scale them up or down according to the size of the organization being audited, and adapt audit plans so that these areas of risk are covered.
Security Tips for Wireless Devices
Wireless computing devices that offer technology advances to SMEs are now widely accepted as a cost effective means for the Small Business owner/manager to connect computers and peripherals as the business grows in size.
Wireless computing technology is instant on, now, and it comes straight out of the box, ready to use.
As the owner/manager of an SME, a key consideration is how much is saved in time and cost, by being able to “do it yourself” and the device can be ready in minutes.
Wireless Technology Issues
There are some key technology issues with wireless computing devices that owner/managers of SMEs need to be aware of and consider, to make sure that the SME’s business and data are adequately protected against a range of risks.
What risks? Wireless networks (and associated devices) can be attacked through rogue access points (e.g. ad hoc or free WiFi networks), through accidental discovery or malicious association via unprotected access points, and through wireless network monitoring devices that can be easily installed in public areas or located near your office or place of business.
Plug and Play
All the latest wireless devices come with a “plug and play” capability inbuilt, so in most cases, hooking wireless systems together is a breeze, when you know how.
With wireless computing devices, the retailer (and the manufacturer) will tell you that it’s just a question of selecting the right device for your needs, opening the box, turning on the power and presto, the device discovers and connects to your existing system such as Vista or XP.
It’s as simple as that: you can have the wireless router, printer, laptop or PDA connected in minutes rather than hours.
Back to Basics
Wireless devices can transmit over a distance without the use of hardwired data cable. The distances involved for wireless computing devices may be short (a few metres as in wireless mouse and keyboards, & television remote controls), longer for routers and telephones, Blackberries/PDAs etc.
“Wireless” has been around for years in one form or another with some of the earliest “consumer related” examples being garage door openers, along with cordless telephones.
Wireless is booming
In the last quarter of 2007, sales of wireless computing devices such as GPS, iPods, Bluetooth and 3G telephones, Blackberry and personal digital assistants (PDAs), along with wireless routers, mice, keyboards, digital cameras, wireless printers, etc were at an increased tempo.
Wireless devices for use in the wider consumer market, such as TV remote controls, wireless security alarm systems, stereo headsets, LCD, Plasma and satellite television and state-of-the-art digital cordless telephones, were also high on the sales list, but these aren’t as big an issue for SMEs in terms of security.
Out Of The Box Installation
If you are a typical owner/manager of an SME, unless you already know this, most of the devices will be installed using the Out-Of-The-Box settings, known as the “manufacturer default settings”.
This is “manufactured by design” to allow and enable the new device to automatically detect the wireless access point closest to the new wireless device, so that the functionality and operation can commence immediately once charged up, if battery driven, or powered on at the mains.
SMEs are typically time poor when it comes to administrivia, and may have overlooked or not be aware of the default settings risks in their rush to use the new wireless computing device.
There are 3 key areas, containing around 12 different default settings, that need to be considered: Authentication, Encryption and Access Control.
Within these areas there are some vital keys or settings that can each be a single point of risk for an SME/SOHO business, and when more than 2 of these items are left unchanged (or are set inappropriately) the level of risk increases significantly.
In practice, wireless devices in the SME/SOHO environment are rarely altered from factory settings by their users, hence the risk of loss of data, or malicious use of information, can be potentially damaging for the small business owner/manager.
Not to be overlooked is the impact of “reverting to the default settings” after a service or support issue or some major outage (or when advised by the Helpdesk at the ISP – who should know better!), which returns the settings to factory defaults. This is often done by inexperienced personnel or through lack of knowledge. Reverting to factory default settings without considering the issues and implications will overturn any levels of protection previously employed over data and exposes you to risk.
So why is the above information relevant for auditors?
It’s easy, with the speed of technology changes, to lose sight of the fact that the wireless device in use may not be as secure as the larger corporate based system you would normally connect to. The rapid deployment of PDAs and hand held devices, including mobile phones that now carry significant computing capability, means that you could well be carrying in transit, as well as sending and receiving, data, records and information of a confidential nature that is subject to easy access IF you haven’t set the security settings to the correct level for the device in use.
Imagine what will happen should this data be intercepted (farmed, phished or harvested) whilst in wireless mode from a device that was not securely set with the correct level of security layers.
Audit Principles 101
If you are a member of the Institute of Internal Auditors worldwide body, then as an internal auditor you are expected to apply and uphold 4 key principles: Integrity, Objectivity, Confidentiality and Competency (source: http://www.theiia.org/guidance/standards-and-practices/professional-practices-framework/code-of-ethics/code-of-ethics---english/).
Integrity defined
The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
Confidentiality defined
Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
The Bottom line?
Extend this to the ownership of wireless devices and their use for client data and information over wireless based systems, and it’s easy to see that if the risks aren’t addressed then your integrity and confidentiality are placed in question, even if it’s an innocent slippage that causes data to leak out.
As an audit professional, can you afford to lose customer database information, credit card data, membership lists, designs, and documentation, and other sensitive financial data etc that is on your systems through lack of knowledge about the technology issues presented by the use of wireless computing devices, flash drives and other USB connectable devices?
It’s time to check your work practices and your systems and make sure that you have security measures in place, appropriate to your level of business risk, as it could be a “Plug and Pray” environment that now exists at some sites!
Practical Wireless Security Tips
PCProfile offers the following key tips for SME owner/managers using wireless computing devices, taken from a whitepaper titled “Security Tips for Wireless Devices for SMEs”. It is recommended that multiples of these techniques (not just one!) be employed at all times for a high level of protection!
· ALL factory default settings should be changed and unique keys used;
· Default user name and password must be altered;
· Service Set IDs (SSIDs) must be changed to something that is meaningless to outsiders;
· Beacon intervals need to be set to a reasonably long length to minimise exposure;
· WEP and WPA keys must be altered from factory settings;
· Infrared ports need to be disabled;
· Encryption may need to be enabled;
· File sharing needs to be TURNED OFF!;
· Make sure all wireless access points are securely firewalled; and
· Ensure that recommended manufacturer patches and fixes are promptly applied, as security vulnerabilities are detected from time to time!
Finally if you don’t need access 24 hours a day 7 days a week, switch off the wireless access points across the business (e.g. after hours and on weekends) to minimise potential exposure to malicious activity. PCProfile is mindful of the fact that for SMEs the business “hours of operation” is a 24 hours a day / 7 days a week affair in most cases!
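A checklist audit of an access point configuration against the tips above, written as an added example (it is not code from PCProfile or the whitepaper). The default SSID/credential sets, the beacon interval threshold and the two sample configurations are constructed for illustration; a real audit would compare against the vendor’s documented defaults for the model under review.

```python
from dataclasses import dataclass

# Constructed reference data for the example, not a vendor list.
KNOWN_DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless"}
KNOWN_DEFAULT_LOGINS = {("admin", "admin"), ("admin", "password"), ("admin", "")}
ASSUMED_MIN_BEACON_MS = 200  # assumed threshold; 100 ms is a common factory value


@dataclass
class APConfig:
    ssid: str
    admin_user: str
    admin_password: str
    encryption: str          # "none", "WEP", "WPA" or "WPA2"
    key_changed: bool        # WEP/WPA key altered from the factory setting
    beacon_interval_ms: int
    infrared_enabled: bool
    file_sharing_enabled: bool
    firewalled: bool
    patched: bool            # manufacturer fixes applied
    off_after_hours: bool    # radio switched off outside business hours


def audit_access_point(cfg: APConfig) -> list[str]:
    """Return one finding per unmet tip; an empty list means all tips are met."""
    f = []
    if cfg.ssid.strip().lower() in KNOWN_DEFAULT_SSIDS:
        f.append("SSID is a factory default")
    if (cfg.admin_user, cfg.admin_password) in KNOWN_DEFAULT_LOGINS:
        f.append("administrative user name/password are factory defaults")
    if cfg.encryption == "none":
        f.append("encryption is disabled")
    elif cfg.encryption == "WEP":
        f.append("WEP in use; its keys are recoverable, use WPA/WPA2")
    if not cfg.key_changed:
        f.append("wireless key never altered from the factory setting")
    if cfg.beacon_interval_ms < ASSUMED_MIN_BEACON_MS:
        f.append(f"beacon interval {cfg.beacon_interval_ms} ms is short")
    if cfg.infrared_enabled:
        f.append("infrared port enabled")
    if cfg.file_sharing_enabled:
        f.append("file sharing is turned on")
    if not cfg.firewalled:
        f.append("access point is not firewalled")
    if not cfg.patched:
        f.append("manufacturer patches not applied")
    if not cfg.off_after_hours:
        f.append("access point stays on 24x7 (only acceptable if the business needs it)")
    return f


def risk_level(findings: list[str]) -> str:
    """Per the article: more than two unchanged items raises the risk significantly."""
    return "high" if len(findings) > 2 else ("elevated" if findings else "low")


# Constructed samples: a router left on factory settings, and the same one hardened.
FACTORY = APConfig("linksys", "admin", "admin", "WEP", False, 100, True, True, False, False, False)
HARDENED = APConfig("k7-stockroom", "siteadmin", "Tq9!vL2#pR", "WPA2", True, 300, False, False, True, True, True)
```

Running `audit_access_point(FACTORY)` lists all ten findings and `risk_level` rates it "high"; the hardened configuration returns no findings.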
The above article is written by PCProfile. AUDITNET readers can register at www.pcprofile.com/sme.htm to receive further information on the topic listed here.
Published by PCProfile.com
Worldwide Copyright Notice
Copyright © 2007-2008 PCProfile trading as Rob Harmer Consulting Services Pty Ltd ABN 77 035 134 400 All rights reserved worldwide.
Guidance For Publishers
Publishers are encouraged to publish this report as free content resource in accordance with the following guidelines:
1) Articles must be published "as is" (unedited);
2) Articles must be published with the author's bio paragraph and copyright information included;
3) URLs listed should be set as hyperlinks, with no redirection;
4) Whenever possible, authors should be notified of intent to publish;
5) This Published Article cannot be used in spam communications or sold;
6) PCProfile prohibits the use of copyrighted material in a manner that violates the copyright owner's rights;
7) Publishers who violate copyright law are legally liable and subject to possible fines under Copyright Laws worldwide.
Disclaimer
The content of this report is provided for informational purposes only as “guidance notes” and for redistribution as outlined in the “Guidance For Publishers” paragraph and Copyright Notice above. PCProfile does not represent that all technology aspects have been outlined as a complete position and does not accept any responsibility or liability for the use or misuse of the content of this report or reliance by any person of the publishers contents.
Wireless Security Issues
For more information you can download the complete article at www.pcprofile.com/sme.htm
About the Author - PCProfile is an Adelaide based company with over 30 years practical computing experience in small, medium and large enterprises and offers managers and business owners in SMEs, and SOHO businesses practical tips and advice on how to get the best out of the technology used by your SME/SOHO business.
Other Self Help “Tips and Tricks” Tutorials and feature articles are available on;
· Outlook Express,
· email Tips and Tricks,
· Wireless Tips and Tricks.
PCProfile also runs seminars on technology topics for SME and SOHO business owners.
www.pcprofile.com email enquiries@pcprofile.com Mobile +61 448 650 227