10-Step Security and Vulnerability Assessment Plan
Use this plan to ensure your information system controls are correctly implemented.
Seattle police are currently investigating a group of criminals whose modus operandi was to cruise around in a vehicle to map out surrounding wireless networks for a subsequent break-in. Also known as "wardriving," hackers essentially made use of laptops armed with long-range antennas to search for unsecured or poorly-protected wireless networks that they could exploit. Once network access was obtained, the hackers could potentially siphon off credit card account information, redirect funds via the use of fake payrolls or even access identity information for the purpose of fraud.
The vehicle, a black Mercedes with heavily tinted windows was impounded last year after its owner tried to use stolen gift cards at a local wine bar. When the police searched the car, they found a passenger-seat laptop mount designed to allow the driver to operate the computer, while a laptop that draws its power from the car was also found together with a range-boosting antenna. The group was believed to have been doing this for five years.
While unsecured wireless networks are obviously at risk, businesses using WEP (Wired Equivalent Privacy) for security are also equally vulnerable. This is because WEP has well-known flaws that allow it to be trivially defeated. To illustrate just how vulnerable the anarchic algorithm is, a 104-bit WEP key could be cracked in as little as two minutes under the right circumstances-four years ago. Moreover, the tools to defeat WEP are widely available, and are easily exploited by criminals with only modest computer skills.
The risks could be particularly acute to SMBs. As reported by Network World, Detective Chris Hansen, a fraud investigator with the Seattle Police Department wrote in his affidavit that:
A number of area small and medium-sized businesses have been targeted in these network intrusions, which have also involved a pattern of financial and personal identifying information (such as credit card information).
As larger businesses tighten up their security with the use of WPA and more sophisticated Wi-Fi hardware, it is clear that SMBs that neglect to do so will place themselves at great risk. And security by obscurity doesn't work as long as the APs are switched on; instead, they are standing out, waiting to be hacked.