The security of defending today’s organization is largely based on protocols and technologies that support a wired infrastructure. The proliferation of mobile devices and wireless communication is introducing new security gaps that must be addressed. As the saying goes, security is only as good as your weakest link, and wireless systems are the weak links in the digital information infrastructure. Security practitioners need to better understand wireless technologies, protocols and standards and develop a policy to address wireless security to ensure that these technologies are not the “gaps” exploited by hackers.
Lack of user authentication, weak encryption, and poor network address management are some examples of security challenges of wireless networks. For example, an access point can authenticate hardware based on MAC or IP addresses and not require user authentication. Further, while the Wired Equivalent Protocol (WEP) may be used to encrypt wireless transmission, the encryption is weak and not difficult for hackers to break. Hackers can also monitor transmissions to determine SSIDs – these are not encrypted. SSIDs provide information on the name and availability of a wireless network.
Wireless networks are vulnerable to attacks such as:
- Man-in-the-middle attack
- Rogue access points
- Session hijacking
- Denial of Service
When is the last time your organization conducted a “War Driving for Wireless Infrastructure”? This activity is important to address compliance requirements for Transmission Security as well as determine security gaps in the infrastructure. This typically involves performing an assessment of the wireless LAN security, identification of rogue devices, as well as open/vulnerability access points. You need to clearly determine the existence of rogue networks and identify the presence of any open access points, weak authentication mechanism, and easily “crackable” encryption schemes. These can typically be easily exploited by malicious users.
To get a complimentary copy of the ecfirst.com quick reference card on the HIPAA Security Rule, please visit the compliance portal site at www.ecfirst.com/complianceportal.
Get HIPAA Certified On-line! CHP Exam is Now On-line!
HIPAA Academy, the industry’s leading provider of HIPAA training, certification and consulting, has made available on-line the content and exams for HIPAA Academy’s Certified HIPAA Professional (CHP) and the Certified HIPAA Security Specialist (CHSS). Recent clients include many hospitals, long term care organizations, BCBS, several business associates and leading firms such as IBM, HP, E&Y, Kaiser Permanente and others. Review the content and take the exams on-line. Get certified. For details, please visit www.HIPAAAcademy.Net.
For more information visit www.aha-solutions.org, contact Lorna Waggoner at 1.877.899.9974 x17 or visit www.HIPAAAcademy.net
HIPAA Tip
State of Your Organization’s Wireless Security
Sensitive and confidential information transmitted over wireless networks are typically not encrypted and lack proper authentication. A vulnerable wireless infrastructure is a significant risk to business. It exposes the organization’s sensitive information to liabilities that may be legal, compliance violations, or others. Security practitioners must understand wireless technologies and standards and create a security policy that addresses risks associated with a wireless infrastructure. The deployment of wireless technology components must follow policy requirements to ensure consistency and security. The critical elements of user authentication as well as encryption must be addressed to secure confidential business information.
The design of the perimeter must be reviewed to address wireless entry and exit points between internal and external (Internet) networks. End users should be better educated on wireless policies so that they use their mobile devices securely to access the network. The bottom line, do not make your wireless infrastructure the weak link in your environment.
On a regular schedule, organizations must conduct a thorough and comprehensive assessment of their wireless fabric. Critical areas to assess include:
-Detect the presence of wireless network from the publicly accessible areas
-Identify rogue access points
-Perform penetration tests
Tools typically used for wireless assessments by ecfirst.com include:
- Air Snort
- NetStumbler
- Kismet
- Ufasoft
We have also found Nessus to be a powerful tool to use as a open source remote security scanner.
For an assessment of your wireless security infrastructure, please contact Lorna Waggoner at 1.877.899.9974 x17 or Lorna.Waggoner@ecfirst.com. Typically, within 1-2 business days of work on-site and a few days of analysis off-site we can come back to you with a detailed report about the state of your wireless security.
