A. EXECUTIVE SUMMARY
The global spread of information systems has demanded a networked environment using network technology, internet and wireless networks. Such complex network with different technologies makes information systems more vulnerable to various threats. Wireless communication play a critical role in education, services, government, but most importantly the business environment. Nichols and Lekkas (2002) define wireless communications as the process of communicating information in electromagnetic media over a distance through the free-space environment, rather than through traditional wired or other physical conduits. It is clear that wireless telecommunication has become a significant component in generating productivity gains for businesses.
Even though, the merits surpass the demerits, those organizations whose activities rely on wireless technology, accept the challenge of keeping the wireless network reliable, dependable, and secure. In addition, wireless devices such as cellular phones, smart phones and tablets are inherently less secure than their wired counterparts. This is due in part to their limited bandwidth, memory, and processing capabilities. Another reason is that they send their data into the air where anyone with the technology can intercept it (Jawadekar, 2006).
Summarily, wireless technology, by its nature violates fundamental security principles. It does not ensure the identity of the user and the device (authentication), nor prevent the sender of the message from denying he or she has sent it (nonrepudiation). Moreover, wireless technology is hardly new, but its application space is immature and quite possibly disruptive.
The current increasing demand in the business industry is the paperless operations, that is, wireless communications (Jawadekar, 2006). The need to gain service and network access from various places inside and outside the company is of major concern to employees, clients and customers. This has driven businesses to establish mobile computing workplaces for their employees and interested parties. Webb (2007) predicts that a convergence and thorough integration of mobile communications and the internet makes future wireless growth possible. Expectedly, mobile internet usage in companies will far surpass stationary internet access, as we know it today, through desktop PCs and modems or PCs connected to corporate servers and routers.
As often overlooked issue that has significant security ramifications involves wireless policies. Many large companies have implemented elaborate IT processes and procedures, but in the rush failed to reflect the increasing threats posed by wireless voice and data. Policies provide the foundation, rules, and guidelines for business processes with respect to system development, configuration management, access management, and so forth. Businesses have only recently faced the weighty task of deciding what to allow in their facilities and how wireless technology will be used (Nichols et al., 2002).
Therefore, companies need to create wireless policies and enforce them rigorously. Failure to do this could leave a company’s IT infrastructure at risk. The information security industry has also created confusion by focusing only on individual security threats such as viruses or denial or service without considering these threats within the larger context. Companies should then determine the relative level of risk tolerance and therefore build a wireless policy that is highly correlated with there risk profile. This must also weigh the potential economic benefits of a wireless solution against the potential increased exposure.
In addition, ethics are significant because they have control of the information assets. They also have control over a huge amount of personal information on all employees. As a result, the management information systems function must be held to the highest ethical standards. In tandem with new ways of doing business, companies and their networks are becoming increasingly exposed to new threats and higher levels of risk. Risk assessment is moving rapidly away from traditional approaches, e.g. based on specific computer systems or buildings, towards new service and cross-portfolio/ platform analysis. Additionally, the dramatic increase in financial transactions over the internet and customers becoming aware of the threats from electronic sources and, as their enterprise becomes critically dependent on networked systems, they are becoming more demanding in terms of the security capability and reputation of their suppliers, the need to address the consequent threats and risks to wireless security is evident.
This research is set to investigate the threats to wireless security systems within companies that are caused from several sources and reasons. This is classified into three classes namely; failure of system, human actions, and damage due to natural calamities.
C. LITERATURE REVIEW
Access to information and its means of distribution have been steeply accelerated through the internet explosion of the 1990s. Initially the province of an exotic community of radio buffs and phone phreaks, cellular and internet communications are now in common use among people of all ages, in all professions, with all sorts of interests.
This shift in the user base has changed society. Pervasive in business and increasingly preferred for personal communications, wireless appliances are well on their way to becoming ubiquitous personal accessories. As successive generations of users are born into and grow up within a wireless world, the average individual in our society no longer regards such devices as luxuries or toys but as part of the public infrastructure (an entitlement). The internet too has ceased to be a medium of challenges and rules and has become instead a rather casual tool for retrieving and presenting information (Nichols, 2002). The laws of economics dictate that as usage becomes more common, it becomes more affordable.
Today wireless voice and data services are on the verge of attaining the economy of scale of true mass media, incurring all the desirable and undesirable cultural impact that characterizes mass media. As we continue to change our technology, it begins to change us. It has, for instance, made us more reckless about what we say and to whom. A primary question for anyone looking at communications technology today is whether we intended its far-reaching effects along with its immediate conveniences. That question may not be what the practice of information security is about, but it is a context for many decisions about security (Palmer et al., 2009).
The following looks at the threats and vulnerability to get better insight into the security problems within a company;
a) Human actions
Information systems are more vulnerable to human actions, since they are used by internal personnel of the organization as well as by outside personnel who have been given access to it for limited purpose. Consequently, this could accidentally and unintentionally, or purposely with intention be prone to theft, copying, damaging, and corrupting the information transmitted via wireless technology. As a result of such human actions is non-availability of the system, some data and information for usage. Moreover, the loss of data to competition affecting the business is also a possibility.
Improper training of personnel and poor understanding of the system could also result to erroneous us of system – wireless network of the organization. Unauthorized access of the company’s network from within or outside the organization is a threat because it may open an opportunity of malicious virus attacks. Since most of the information systems work via wireless networks like the internet and the possibility of network penetration, the risk of system, data and information falling in the unauthorized hands of unauthorized persons has increased considerably.
Computer and network systems failures are not uncommon causing non-availability of the system to the users. Poor upkeep and maintenance by staff is one among the major causes of hardware failure in an organization. On the other hand, software failure results from bad quality, and poor maintenance, and incorrect, erroneous and incomplete user actions.
c) Natural calamities
Telecommunication network systems are also insecure in the event of destruction due to natural calamities like fire, earthquake, floods, and so on. Since natural calamities are unpredictable, this calls for high level protective security measures. In such events, impact on the system could be very large that it may result in total loss of the computer or network system: hardware and software, data files, and reports. Therefore, the effect of such impact is not easily manageable for the system to make up and run for the business, as high expenses are incurred.
Types of Wireless Security Threats
Managers must consider the possible consequences of attacks from a wide variety of threats. Each may act as a tangential vulnerability. Many exploitation attempts go unrecognized. Often threats to wireless systems are paired to a set of vulnerabilities. Therefore, any threat with no associated vulnerability, or vulnerability with no threat, results in a zero addition to risk. The following looks at various types of threats to wireless security within a company:
a) Accidental association
This occurs when a user unknowingly connects to a wired or wireless network. This is a security threat because a malicious attacker can use the link created through the unknowing user’s connection to access information in a protected wired network. To counter this threat, switch off wireless cards when not in use, maintain all access points or use powerful data encryption.
b) Denial of Service
This may involve threatening or actually flooding an internet site with millions of bogus messages or orders so that the services will be tied up and unable to perform as promised (Siegel, 2008). Unless the site operator pays extortion, the attackers threaten to keep up the interference until real consumers become frustrated and abandon the site. This is quite common among rival companies with common business interest. For example, according to a recent research in the UK, online gambling casinos mostly prove vulnerable to attack. If the attack coincides with a big sporting event such as the Super Bowl, the casinos may give in and make payments rather than lose revenue and fray customer relations.
c) Malicious association
This is where an unsuspecting sender is tricked into believing that a communications session has been established with a valid receiver. This creates a soft access point that the attacker can use to gain access to the network, compromise or steal sensitive data or create various backdoors to further compromise the network. Therefore, it is imperative for companies to monitor their networks and airwaves to ensure that their computers and access points are only connecting to the company’s devices.
d) Man in the middle
This is a weakness associated with the communication path, where the attacker emulates the authorized transmitter for the authorized sender.
These attacks are primarily geared at disrupting integrity in the form of user authentication (assurance that the party is who it says it is); data origin authentication (assurance that the data came from where it says it did); and data integrity (assurance that the data has not been modified) (Palmer et al., 2009).
Controlling Security Threat and Vulnerability
Counter measures may abate the danger even if there are malevolent and capable threats, as well as vulnerabilities, which can be exploited by those threats. To control the threats to information system and the degree of vulnerability, an organization must invest in proper wireless security network developed through security management system. The objective of such system is to reduce significantly the incidence of failures, erroneous human actions, and predict and prepare for contingencies to minimize the damaging impact of natural calamities. Security Management System, SMS is a configuration of manual and automated measures that protect information systems and assure the performance as desired. Manual measures include security policies, procedures, rules and operations discipline, which create awareness about security and enforces administrative discipline in work process across the organization. Automated measures need to be implemented in wireless technology and wireless system infrastructure. These measures are software programs designed to search, identify, declare, and stop the processing if anything is defective, erroneous, inconsistent, and not as per specification is observed in the operation.
A secure communication network is a network whose users do not feel any apprehension or anxiety while using the network. With the commercialization of the internet, the number of users tremendously increased. However, along with this increase came along security concerns. The security concerns grew manifold with the coming of age of commerce.
Let’s consider this with a concrete example. Suppose William (Client) wants to carry out a monetary transaction with his Bank (Access Bank Plc.) First and foremost, the client expects that the information he intends to send to (or receive from) Access Bank should not be accessible to anybody else. This is the expectancy of confidentiality. Next, he expects that the information he sends to (or receives from) the bank should not be altered or corrupted by anybody. This is the expectancy of integrity. Note that confidentiality and integrity are mutually exclusive principles in that the existence of one does not imply the existence (or the absence) of the other.
Since the bank is a user of the underlying network, we should consider also, the security expectations of the bank. First, Access Bank expects that the client is who he says he is. After all, you would not expect your bank to let someone else operate or access your account. This is the expectation of authentication. The bank also expects to have proof of the transaction that William carries out so that he cannot deny having withdrawn money from her account in the future. This is the expectation of nonrepudiation.
Both William and Access bank also expect that they would be able to carry out transactions without losing connection or communication with each other. At its face value, this appears to be a networking problem rather than a security problem. However, denial of service attacks in the recent past has exploited weaknesses in network security protocols to completely bring down servers and networks, thus bringing this problem into the security domain.
To summarize, a secure communication network provides the following facilities to its users:
a) Authentication: The receiver’s ability to ascertain the origin of a message. An intruder should not be able to masquerade as someone else.
b) Confidentiality: The non-occurrence of the unauthorized disclosure of information. No one except the sender and the receiver should have access to the information being exchanged.
c) Integrity: The non-occurrence of the unauthorized manipulation of information. No one except the sender and the receiver should be able to modify the information being exchanged.
d) Nonrepudiation: The receiver’s ability to prove that the sender did in fact send a given message. The sender should not be able to falsely deny later that he sent a message.
e) Service reliability: The ability to protect the communication session against denial of service attacks.
It is extremely important to realize that these are distinct independent requirements and the presence or absence of any one of them does not in any way guarantee the presence or the absence of the other(s)
a) Impact of security on business
The impact of a successful attack depends upon the value of target. If the impact of a security failure is small, allocation of scarce and expensive resources to security systems and process can also be small. Conversely, the consequences of some security failures can be exceptionally dire. Therefore, it is crucial to emphasize the importance of security for the organization’s business. The management must show how the organization’s reputation and business would be affected if it becomes known that employees engage in behavior which, for instance, might endanger confidentiality of customer data. In this case, Access bank employees must be aware of the consequences associated with exposing William, their client, confidential information. Moreover, they must realize that lost business means work loss. This gives the ‘fear appeal’ as Temple et al. (2002) describe and the associated punishment, a rational motivation that will raise users’ acceptance of it.
The management should appropriately punish behavior, not its consequences. This is by making it clear that they cannot monitor all the employees all the time, but that they will make detailed enquiries about their past behavior in a case of break-in through their account. Consequently, this behavior will definitely be punished, whether it led to the actual break-in or not. The same applies to Access bank staff.
c) Security awareness
Employees should report security transgressions rather than trying to keep them secret in an attempt not to lose face. Currently, there are few rewards for security-conscious behavior; if regulations are to be taken seriously, failure to observe them must be dealt with, and seen to be dealt with. This is effectively learning by negative reinforcement, which can only be effective if security failures are made known to users.
Jawadekar. (2006). Management information systems: Texts and cases. New York, NY : McGraw Hill.
Nichols, R. and Lekkas, P. (2002). Wireless security: models, threats, and solutions. New York, NY : McGraw Hill.
Palmer, C. & Shenoi, S. (Eds.). (2009). Critical Infrastructure Protection III. New York: Springer Berlin Heidelberg.
Siegel, L. (2008). (10th ed.). Criminology. California: Cengage Learning
Temple, R. & Regnault, J. (Eds.). (2002). Internet and wireless security. New York: BT Communications Series.
Webb, W. (2007). Wireless Communications: The Future. West Sussex: John Wiley and Sons