Positive identification in a wireless world.

Author:Ardoin, Paul
Position:Software Intelligence - Industry Overview

The use of wireless systems for network and Web access is exploding-from wireless LANs to e-mail capable cell phones. It makes network access completely portable, and with systems starting at under $300, very affordable. But widespread wireless use has raised serious new security challenges. How can you be certain the person connecting to your wireless network is a legitimate user and not a hacker sitting in your parking lot?

In a recent study, over half of the companies surveyed didn't even use the most basic'encryption and security features of their wireless LAN systems. For those companies who choose to implement security features, solutions include access control appliances or VPNs to protect their wireless systems instead of (or in addition to) wireless encryption to establish a secure session.

Once a secure session is initiated, however, security cannot stop there The organization must be confident that users entering the secure sessions are who they say they are--they must be positively identified.

Most organizations, unfortunately, choose fixed passwords to identify users, and fixed passwords are inherently weak. Many password attacks exist today-from hacking dictionaries to sniffers, from social engineering to personal information attacks. These tools-like the LOphtCrack brute-force password cracker--are readily available on dozens of Web sites, free to anyone with a Internet access.

These attacks can easily compromise fixed passwords, no matter how stringent the organization's password policy. In fact, organizations lose millions of dollars every year due to password breaches. In late 2002, an identity theft ring was exposed is the U.S. that had victimized over 30,000 people; the suspects allegedly stole passwords from credit agencies and banks, accessing credit reports and information, and costing customers over US$2.7 million.

Best defense: strong authentication

Passwords are easily compromised because there's only one factor to possess: the password. With it, an attacker can access network systems again and again. With strong authentication, there are usually at east two factors. Often, these two factors are something you know, like a personal identification number, and something you have, which can be a hardware token, a digital certificate, a smart card, or other device. An ATM card is an excellent example of this: you must have the ATM card and know the PIN to access your accounts.

The user experience: logging on

When a...

To continue reading