Wireless security query

Hi, I was looking for a bit of advice. I have just recently carried out an audit on a wireless network. One of my findings was the guest SSID (which has no passcode so you can just connect) is able to route to some of their main production networks. I raised this as high risk. I should state this was an implementation issue due to limitations of the wireless kit and lack of knowledge from the company who implemented this. The client is disputing the high grade stating "any potential security breach would require high level networking skills to firstly identify the devices and usernames and passwords to these specific devices, which is seen as highly unlikely and therefore not high risk." I have high level knowledge of wireless networks and in my opinion you should not be able to route to production networks from an unprotected wireless network. Does anyone have any opinions on this?


Replies

  • For fun, I include the following likelihood analysis:

    There are 3 billion Java installations on the Internet.  If 1/1000 persons are potential felons, then there are 3 million potential felons with Java on the Internet.  If there are 7.1 billion people in this world, then the odds that any customer, employee or internet visitor is a potential felon with Java on the Internet is 0.04%.

    Let us look at the felony IT implications of 0.04% by computing the odds that no staff will have felony intent at this time:

    Staff Count    Cherry Picking Odds of no felony Risk
    100            95.8%
    300            88.1%
    1000           65.5%
    3000           28.2%
    10,000         1.5%

    Consider now the number of customers per staff member a firm needs to process to make money.  Is this 20 to 1, 2000 to 1?

    Consider now the number of Internet systems that staff contact by Web Access during their lunch break per day?

    Consider now the number of persons in the corporate parking lot that are either staff, customers, visitors, associates of the firm next-door, maintenance support, UPS, FedEx, Sparklets Water, Break Room Vending Machine support or Staples Office Supply delivery staff.

    Ever notice how many Staples staff actually know their IT stuff?  Ever notice how effective the UPS guy is at entering your building without a key, badge or access rights?  99.9% of them could be wonderful human beings.

  • The comment is a drop dead People and Process red light:  DANGER WILL ROBINSON.

    "any potential security breach would require high level networking skills to firstly identify the devices and usernames and passwords to these specific devices, which is seen as highly unlikely and therefore not high risk."

    1) Any network access beyond a network segment authorized for unrestricted guest access is dangerous simply because it violates fundamental access controls.

    2) Any risk reduction based on need for user ID and password after network access must show that all such systems are flawless and without vulnerability to attack that would circumvent user ID and password Logical Access controls.

    The very idea that a team imagines that Logical Access control is a compensating control for violated Network Access Control, when there is not even working Network Access Control, would make it fair to ask, is there even working Logical Access control?  Do you have proof of this too?

    The "highly unlikely and therefore there is no risk" claim must have proof.  Example: it is Highly Unlikely that Target stores would allow hostile software to install on its Credit Card readers.  But, that breach was 110 million identities and 61 million credit cards.  (No, the bad guys did not have a valid User ID or Password.)

    More to the point, it was highly unlikely that TJMax would allow rogue wireless to be installed to enable thieves to defraud their credit card network with wireless access to the parking lot.  (Initially, the bad guys did not have a valid User ID or Password.  But, as TJMax staff began to wrongly see them as authorized IT staff, they were wrongly given valid User IDs and Passwords.)

    Recommendations:

    A) Have an Attack and Pen Test done on the scope of networks that can be reached by the guest Wireless.  If the test shows that no system reachable from that context can be exploited from a Black Box Testing Position without any valid User ID or Passwords, then the risk reduction is valid.  If systems can be exploited, have the fact-based meeting about genuine Risk Management rather than under-baked thought experiments.
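The finding in the original question (guest SSID routes into production) and recommendation A above both come down to one question: which production ranges does the guest policy actually let through? The Python below is an added example, not code from the poster or from any vendor's kit; it evaluates a constructed first-match ACL offline, showing the "as found" permit-any policy beside a corrected one that denies every production range before allowing Internet access. All addresses, VLAN names and rules are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example addressing (assumptions, not the poster's real network).
GUEST_NET = ipaddress.ip_network("10.200.0.0/16")
PRODUCTION_NETS = [
    ipaddress.ip_network("10.10.0.0/16"),     # production servers (constructed)
    ipaddress.ip_network("192.168.50.0/24"),  # management VLAN (constructed)
]
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "permit" or "deny"

# "As found": guest clients get a single permit-any rule for Internet access,
# so nothing blocks the route into production.
AS_FOUND = [Rule(GUEST_NET, ANY, "permit")]

# Corrected: explicit denies for every production range precede permit-any.
CORRECTED = [Rule(GUEST_NET, net, "deny") for net in PRODUCTION_NETS] + [
    Rule(GUEST_NET, ANY, "permit"),
]

def first_match(rules, src, dst):
    """Action of the first rule matching src -> dst; implicit deny if none."""
    for r in rules:
        if src in r.src and dst in r.dst:
            return r.action
    return "deny"

def reachable_production(rules, sample_src=None):
    """Production networks a guest host can reach under this policy.
    One representative host per network is tested (the 11th address, net[10])."""
    src = sample_src or GUEST_NET[10]
    return [str(net) for net in PRODUCTION_NETS
            if first_match(rules, src, net[10]) == "permit"]

def internet_allowed(rules):
    """True if a guest host can still reach a public address (constructed 203.0.113.5)."""
    return first_match(rules, GUEST_NET[10],
                       ipaddress.ip_address("203.0.113.5")) == "permit"

if __name__ == "__main__":
    print("as found, reachable production:", reachable_production(AS_FOUND))
    print("corrected, reachable production:", reachable_production(CORRECTED))
    print("corrected still allows Internet:", internet_allowed(CORRECTED))
```

The same check run against the real rule base (or against live connectivity tests from a guest client) is the evidence the client's "highly unlikely" claim would need.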
