Wireless Regulations and Legislation
A recent survey conducted by Northern Sky Research, a satellite and wireless technology and applications market research and consulting firm, shows that 2006 will be a critical year for broadband wireless technologies, with the likely release of the first ZigBee, UWB and WiMAX-based products. As wireless technologies continue to advance, one would think that federal legislation and regulation would be continuing to advance as well. However, it seems that regulation lies in the hands of the technology developers and vendors. Over the past five to 10 years, the FCC Wireless Telecommunications Bureau has gradually become more flexible, pro-competitive and less regulatory with licensing spectrum for companies. However, wireless technologies that operate on the unlicensed band, like Wi-Fi or Bluetooth, are frequently confronted with attacks and may benefit from more regulation.
“Wi-Fi and Bluetooth without a doubt suffer the most intrusions. Implementations of both of these technologies are designed to be open and simple for users to get connected by default, and this leaves users who fail to properly secure the wireless connections open to attack,” said Devin Akin, chief technology officer for the CWNP program. “Additionally, some wireless implementations, such as Wi-Fi hotspots, are designed to be unsecured. The popularity of Wi-Fi hotspots only increases the risk of attacks.”
The fact is that Wi-Fi and Bluetooth vulnerabilities and attacks are a real and increasing threat to the security of companies and of everyday end users. This is because wireless networks based on the 802.11b, 802.11a and 802.11g standards are commonly implemented in corporate America today. “Security measures are available for almost every wireless technology, but in many cases, implementers do not use them. The most vulnerable networks are the ones implemented by those organizations who do not put a high priority on data security,” Akin said. “In my opinion, some of the wireless data technologies that are typically not secured are Wi-Fi, Bluetooth and Infrared. Of course, this varies between user groups—home users secure their Wi-Fi networks much less often than organizations do.”
Wireless developers are increasingly trying to meet the requirements of growing technology legislation and standards—implemented not only by the government, but also by vendors. “Many wireless intrusion prevention system (WIPS) vendors are integrating tools into their enterprise-class products that allow administrators to demonstrate compliance with GLBA, HIPAA, SOX and others,” Akin said.
The Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) was one of the first pieces of legislation to modernize the U.S. financial industry by breaking down barriers between banking and related areas such as securities and insurance. But more legislation was needed, and the Sarbanes-Oxley Act (SOX) of 2002 was enacted in response to the high-profile Enron and WorldCom financial scandals. The legislation defines which records are to be stored and for how long, which affects both the financial and IT sides of corporations.
In the health insurance industry, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 was enacted not only to ensure and protect health insurance coverage for people who lose their jobs, but also to standardize health-care-related information systems as well. HIPAA established standardized mechanisms for electronic data interchange security and confidentiality of all health-care-related data that required extensive changes to the way that health providers conduct business.
“There are a number of strong authentication and encryption techniques in the marketplace—each with strengths and weaknesses,” Akin said. “My preference is for standards-based security methods such as 802.11i, which is designed to be scalable, very secure and to minimize security protocol overhead. But this depends specifically on the environment where the wireless device is used. For example, in the enterprise, the most secure and scalable solution type is 802.11i compliant 802.1X/EAP. In remote-access environments where a user is accessing a corporate network from a wireless hotspot, VPN technology is the best solution because it is end-to-end. But if a wireless user is checking e-mail and browsing the Internet from a hotspot, he might simply use secure applications, such as POP3/SSL or HTTPS.”
According to the NSR survey, in 2006, WiMAX vendors are slated to deploy the first certified 802.16d solutions primarily for the licensed spectrum, and Wi-Fi will see the approval of the 802.11n spec. These projections, although extremely exciting, will also have their ramifications if not installed and secured properly. Because the bandwidth, spectrum and performance of these technologies are increasing, there is wider room for attacks as well.
Therefore, technology developers and vendors need to continue to strive to surpass their regulation, authentication, encryption and compliance efforts. Akin said IT wireless professionals should continue their personal development in order to better the security of these technologies as well. “Choose a training program that provides the fundamentals of the technology, which include administration, security, analysis/troubleshooting, QoS and design. Take in as much information as you can through instructor-led courses, CBT, study guides and certification exams,” Akin said. “This process should include the building of a home lab of hardware and software for the purpose of hands-on skill building. These professionals should continually read the newest whitepapers and books on the technology you have chosen, and maintain their wireless certifications. This will force professionals to take a look at areas where they are technically weak.”
–Cari McLean, firstname.lastname@example.org