Ben's Book of The Month: Review of "Wireless Security Architecture: Designing and Maintaining Secure Wireless for Enterprise"


Posted on by Ben Rothke

The great thing about wireless networks is that they are so easy to set up and use. For the most part, they are plug and play - you can set it and forget it. When I was doing PCI work, I often went to a client and would find their wireless access points (WAP) functioning well, but in a deep pile of dust.


From an operations perspective, plug-and-play is excellent. It also makes it easy to ship a WAP to a remote office without technical staff and get it running with minimal effort. But from a security perspective, the ease of installing wireless networks can introduce significant risk to the organization. Even when they do think about wireless security, many organizations assume that all that is required is enabling Wi-Fi Protected Access (WPA) on the wireless network. But wireless security is a lot more than that.


In Wireless Security Architecture: Designing and Maintaining Secure Wireless for Enterprise (Wiley), Jennifer Minella has written an incredibly detailed technical reference that provides the reader with pretty much everything they need to know about wireless security. This is an indispensable reference that will show you how much there is to know about wireless security.


By the time you get to page 100 in this nearly 600-page book, you realize that while plug-and-play wireless may work well for a tiny office, at the enterprise level it is a security disaster. The book makes it eminently clear that the greatest trick the devil ever pulled was convincing the world that wireless security does not take much work.


The keyword in the title is architecture. Security without architecture is insecurity. As Dr. Ross Anderson of Cambridge University writes in the definitive text on the topic, Security Engineering: A Guide to Building Dependable Distributed Systems, building networks through effective design must be approached from an engineering perspective. And this encompasses a broad range of areas. Leave any of those areas out, and you have a network that transmits packets, albeit insecurely.


Minella is a stickler for details, and she shows that wireless security entails myriad details, any of which, if done incorrectly, can undermine the underlying security. This includes wireless hardening, protocol selection, key management, and much more.


While wireless might be synonymous with WiFi, there are many more wireless protocols than that, which the book details. If you use any of these, from Bluetooth to cellular networks and more, you need to understand how they work and how to design security around them. There are countless attack vectors that the various flavors of wireless can introduce, and your network must be resilient enough to defend against them.


Finally, IoT devices are being deployed en masse. Enterprises need to understand them and design security around them. IoT deployments put many non-traditional endpoints on a network (temperature sensors, vending machines, HVAC systems, and much more), introducing significant security problems if not effectively dealt with.


If you take wireless security seriously, this $50 book can save you much heartache. The infamous TJ Maxx breach of 2007 that affected over 100 million customers occurred in large part due to poor wireless security. That breach ultimately cost The TJX Companies hundreds of millions of dollars in losses. So yes, wireless security is a big deal. That is why those tasked with wireless security should have this book as required reading.


Contributors
Ben Rothke

Senior Information Security Manager, Tapad

Technology Infrastructure & Operations Security Strategy & Architecture



