Transcription
Wireless CyberSecurity Risks
Practices for policy makers and regulators
Co-organised and hosted by:
Supported by:
Presentation supported by:
Ronald van Kleunen
28 August 2015
International Telecommunication Union

WIRELESS CYBERSECURITY RISKS: PRACTICES FOR POLICY MAKERS AND REGULATORS

Agenda
- The Wi-Fi wireless service availability issues
- The Wi-Fi / Mobile / Cellular / other wireless security issues
- Governance – Standardization – Certification
- Examples of Governments in APAC adopting standardization and certification of personnel
- Wireless Service and Security Management System
The Wi-Fi wireless Service Availability issues
THE ISSUES - OUTDOOR
Try to find the Wireless Access Points

THE ISSUES - OUTDOOR
- NEMA or IP-rated enclosures
- Indoor equipment deployed in an outdoor environment
- SoHo equipment and temperature issues
- Heat distribution? Heatsink, fan
AND MANY OTHER CHALLENGES TO DESIGN AND DEPLOY WIRELESS NETWORKS
For example: channel mapping

RF COVERAGE PLANNING: OUTDOOR / INDOOR
WIRELESS HIGH DENSITY: CITIES - MILLIONS OF PEOPLE
- Very dense areas (apartments, hotels, houses)
- 24 hours a day people are on the streets (moving crowd)
- One big Wi-Fi zone in the city
- No channel coordination between ISPs, and it is not possible with people managing their own Wi-Fi at home
- Both 2.4 GHz and 5 GHz are not enough, but will it ever be?
MANY OTHER ITEMS TO TAKE INTO CONSIDERATION TO DESIGN, IMPLEMENT AND OPERATE A WIRELESS LAN NETWORK
- IEEE standards, interoperability and new standards (e.g. 802.11ac)
- Modulations
- Type of antennas
- Frequency selection and channel bandwidth
- Signal strength and noise values
- Channel planning
- Capacity planning (high density areas)
- Site surveying
- Cabling requirements and Power over Ethernet (PoE) requirements
- APs, mesh APs, controllers and cloud controllers or controller-less
- Quality of Service (QoS) over a wireless network (voice/video/data)
- Portability vs mobility / roaming
- Wireless management tools, compliance and reporting
- Security integration
OTHER WIRELESS TECHNOLOGIES
- A Mobile/Cellular Radio Network is similar in setup: it is also based on radios, antennas, RF, protocols, etc.
- 1G (analog), 2G (TDMA - GSM), 2G (CDMA IS-95), 2.5G (EDGE), 3G (HSDPA), 4G (LTE), LTE-U (in unlicensed Wi-Fi bands), LTE-LAA (Licensed Assisted Access)
- Network Function Virtualisation (NFV) / Software Defined Networks (SDN)
- And similar for any wireless network and devices: Bluetooth, RFID, ZigBee, NFC (Near Field Communication), microwave communications, satellite
The Wi-Fi / Mobile / Cellular / other wireless Security issues
SECURITY & BUSINESS IMPACT LEVELS
Example: Australian (URL truncated in transcription: ...ernance/Documents/Business%20impact%20levels.pdf)

Level 1: Low
Level 2: Medium
Level 3: High
Level 4: Very High
Level 5: Extreme
Level 6: Catastrophic
WIFI - WIRELESS VULNERABILITIES

Type                   | Attacks
-----------------------|-------------------------------------------------------------------------------
Reconnaissance         | Rogue APs; open/misconfigured APs; ad hoc stations
Sniffing/Eavesdropping | WEP, WPA, LEAP cracking; dictionary attacks / brute force / rainbow tables; leaky APs
Masquerade             | MAC spoofing; hotspot attacks; evil twin / Wi-Phishing attacks
Insertion              | Multicast / broadcast injection; routing cache poisoning; man-in-the-middle (MITM) attacks
Denial-of-Service      | Disassociation; duration field spoofing; RF jamming
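Three of the attack classes in the table (disassociation/deauthentication floods, duration-field spoofing and the evil twin) are visible in plain 802.11 management frames, so a monitoring sensor can flag them without decrypting anything. The following detector is an added example written for this page, not code from the presentation or its author. It decodes the 24-byte 802.11 MAC header and the SSID element of beacons, then applies three rules over one window of frames. The thresholds (FLOOD_THRESHOLD, NAV_SPOOF_MIN_US), the SSID "CorpWiFi", the authorised BSSID list and every frame in sample_frames() are assumptions constructed for the example.

```python
import struct
from collections import Counter, defaultdict

# IEEE 802.11 frame control: type 0 = management; subtypes used here
MGMT = 0
BEACON, DISASSOC, DEAUTH = 0x8, 0xA, 0xC

# Assumed policy values for this example (not from the presentation):
# more than FLOOD_THRESHOLD deauth/disassoc frames from one source address in
# the observation window is a flood; a duration/ID value close to the 32767 us
# maximum is the classic virtual-carrier-sense (NAV) reservation DoS.
FLOOD_THRESHOLD = 20
NAV_SPOOF_MIN_US = 30000
# Assumed corporate SSID and the BSSIDs authorised to advertise it
AUTHORISED_SSID = "CorpWiFi"
AUTHORISED_BSSIDS = {"02:00:00:00:00:01"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(frame):
    """Decode the 24-byte 802.11 MAC header (little-endian fields) and, for
    beacons, the SSID element. Returns None for non-management frames."""
    if len(frame) < 24:
        return None
    fc, duration = struct.unpack_from("<HH", frame, 0)
    if (fc >> 2) & 0x3 != MGMT:
        return None
    rec = {"subtype": (fc >> 4) & 0xF, "duration": duration,
           "src": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22]),
           "ssid": None}
    if rec["subtype"] == BEACON:
        # beacon body: 8-byte timestamp, 2-byte interval, 2-byte capability,
        # then tagged information elements; element ID 0 is the SSID
        body = frame[24 + 12:]
        while len(body) >= 2:
            eid, length = body[0], body[1]
            if len(body) < 2 + length:
                break
            if eid == 0:
                rec["ssid"] = body[2:2 + length].decode("utf-8", "replace")
                break
            body = body[2 + length:]
    return rec


def analyse(frames):
    """Apply the three rules to one window of raw frames; return alert tuples."""
    alerts, disconnects, ssid_bssids = [], Counter(), defaultdict(set)
    for raw in frames:
        f = parse_mgmt_frame(raw)
        if f is None:
            continue
        if f["subtype"] in (DEAUTH, DISASSOC):
            disconnects[f["src"]] += 1
        if f["duration"] >= NAV_SPOOF_MIN_US:
            alerts.append(("nav_spoof", f["src"], f["duration"]))
        if f["subtype"] == BEACON and f["ssid"]:
            ssid_bssids[f["ssid"]].add(f["bssid"])
    for src, n in disconnects.items():
        if n > FLOOD_THRESHOLD:
            alerts.append(("deauth_flood", src, n))
    for bssid in sorted(ssid_bssids.get(AUTHORISED_SSID, ())):
        if bssid not in AUTHORISED_BSSIDS:
            alerts.append(("evil_twin", bssid, AUTHORISED_SSID))
    return alerts


# --- constructed sample traffic (not a capture) ---------------------------
def build_mgmt(subtype, src, bssid, duration=0, body=b""):
    fc = (subtype << 4) | (MGMT << 2)
    hdr = struct.pack("<HH", fc, duration)
    hdr += bytes.fromhex("ffffffffffff")           # addr1: broadcast
    hdr += bytes.fromhex(src.replace(":", ""))     # addr2: source
    hdr += bytes.fromhex(bssid.replace(":", ""))   # addr3: BSSID
    return hdr + struct.pack("<H", 0) + body       # sequence control, body


def beacon_body(ssid):
    ssid_b = ssid.encode()
    return struct.pack("<QHH", 0, 100, 0x0411) + bytes([0, len(ssid_b)]) + ssid_b


def sample_frames():
    legit, attacker, twin = "02:00:00:00:00:01", "02:00:00:00:00:99", "02:00:00:00:00:77"
    frames = [build_mgmt(BEACON, legit, legit, body=beacon_body(AUTHORISED_SSID))]
    # 25 broadcast deauths (reason code 7) forged against the real AP's BSSID
    frames += [build_mgmt(DEAUTH, attacker, legit, body=b"\x07\x00")] * 25
    # a rogue AP advertising the corporate SSID and reserving the medium
    frames.append(build_mgmt(BEACON, twin, twin, duration=32767,
                             body=beacon_body(AUTHORISED_SSID)))
    return frames


if __name__ == "__main__":
    for alert in analyse(sample_frames()):
        print(alert)
```

Two caveats for anyone turning this into a sensor. In a real flood the forged source address is usually the access point's own MAC, so the deauth_flood alert names the spoofed AP and the transmitter still has to be located by RF survey. Networks that enforce 802.11w Protected Management Frames make clients reject unauthenticated deauthentication and disassociation frames, which removes the first rule's attack but not the NAV reservation or evil twin cases.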
MOBILE - WIRELESS VULNERABILITIES

Type                   | Attacks
-----------------------|-------------------------------------------------------------------------------
Reconnaissance         | Baseband fuzzing (rogue BTS)
Sniffing/Eavesdropping | Telco's protocol analysers?; software defined radios (SDR)
Masquerade             | IMEI spoofing (using MTK/SDK boards)
Insertion              | IMSI detach; sending multiple Location Update Requests including a spoofed IMSI. This prevents the victim's SIM from receiving calls and SMS (only its registration in the backend HLR is switched off), but it can still originate calls and SMS
Denial-of-Service      | Request channel allocation (flood the BTS and possibly the BSC); RF jamming; IMSI flood (pre-authentication) overloading the HLR/VLR; IMSI detach also disconnects the user
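The IMSI detach and location update attacks in the table work because these mobility management messages are accepted before authentication, so the place to catch them is the core-network side, by counting them per IMSI and per cell. The detector below is an added example written for this page, not code from the presentation or its author. It decodes the Mobile Identity information element (3GPP TS 24.008 section 10.5.1.4) out of IMSI DETACH INDICATION and LOCATION UPDATING REQUEST messages and raises two alerts: one IMSI being detached or re-registered repeatedly (a spoofed detach against a single victim) and one cell presenting an abnormal number of distinct IMSIs (a pre-authentication IMSI flood against the HLR/VLR). The thresholds, the classmark and LAI bytes, and every message in sample_events() are constructed assumptions, not captured traffic.

```python
from collections import defaultdict

# 3GPP TS 24.008 values for the mobility management (MM) messages used here
MM_PD = 0x05                      # protocol discriminator (low nibble)
IMSI_DETACH_INDICATION = 0x01
LOCATION_UPDATING_REQUEST = 0x08
ID_TYPE_IMSI = 0b001              # Mobile Identity "type of identity"

# Assumed thresholds for this example (not from the presentation): more than
# MAX_PER_IMSI detach/location-update messages for one IMSI in the window is
# churn against a single victim; more than MAX_IMSIS_PER_CELL distinct IMSIs
# from one cell is a pre-authentication IMSI flood aimed at the HLR/VLR.
MAX_PER_IMSI = 3
MAX_IMSIS_PER_CELL = 50


def decode_mobile_identity(value):
    """Decode a Mobile Identity value part (TS 24.008 10.5.1.4): octet 1 holds
    digit 1 (high nibble), the odd/even bit (bit 4) and the identity type
    (bits 1-3); each further octet holds two BCD digits, low nibble first.
    Returns (type_of_identity, digit_string) or None if malformed."""
    if not value:
        return None
    first = value[0]
    id_type, odd = first & 0x7, (first >> 3) & 0x1
    digits = [first >> 4]
    for b in value[1:]:
        digits.extend((b & 0xF, b >> 4))
    if not odd:
        if digits[-1] != 0xF:          # even digit count needs 1111 filler
            return None
        digits.pop()
    if any(d > 9 for d in digits):
        return None
    return id_type, "".join(str(d) for d in digits)


def parse_mm_message(msg):
    """Return (message_type, imsi) for IMSI DETACH INDICATION and LOCATION
    UPDATING REQUEST; None for anything else or a malformed message."""
    if len(msg) < 3 or (msg[0] & 0x0F) != MM_PD:
        return None
    mtype = msg[1]
    if mtype == IMSI_DETACH_INDICATION:
        pos = 3                  # PD, type, MS classmark 1 -> Mobile Identity LV
    elif mtype == LOCATION_UPDATING_REQUEST:
        pos = 2 + 1 + 5 + 1      # + LU type/CKSN, LAI, MS classmark 1
    else:
        return None
    if len(msg) <= pos:
        return None
    length = msg[pos]
    value = msg[pos + 1:pos + 1 + length]
    if len(value) != length:
        return None
    ident = decode_mobile_identity(value)
    if ident is None or ident[0] != ID_TYPE_IMSI:
        return None
    return mtype, ident[1]


def detect_floods(events):
    """events: (cell_id, raw_l3_message) pairs seen in one observation window."""
    per_imsi, per_cell = defaultdict(int), defaultdict(set)
    for cell, raw in events:
        parsed = parse_mm_message(raw)
        if parsed is None:
            continue
        imsi = parsed[1]
        per_imsi[imsi] += 1
        per_cell[cell].add(imsi)
    alerts = [("imsi_churn", imsi, n) for imsi, n in sorted(per_imsi.items())
              if n > MAX_PER_IMSI]
    alerts += [("imsi_flood", cell, len(s)) for cell, s in sorted(per_cell.items())
               if len(s) > MAX_IMSIS_PER_CELL]
    return alerts


# --- constructed sample messages (not captured traffic) --------------------
def encode_imsi(imsi):
    d = [int(c) for c in imsi]
    odd = len(d) % 2
    out = [(d[0] << 4) | (odd << 3) | ID_TYPE_IMSI]
    rest = d[1:] + ([] if odd else [0xF])
    out += [rest[i] | (rest[i + 1] << 4) for i in range(0, len(rest), 2)]
    return bytes([len(out)] + out)         # LV: length octet then value


def imsi_detach(imsi):
    return bytes([MM_PD, IMSI_DETACH_INDICATION, 0x33]) + encode_imsi(imsi)


def location_update(imsi):
    lai = bytes.fromhex("62f2100001")       # MCC 262, MNC 01, LAC 1 (constructed)
    # octet 3: LU type (low nibble) 0 = normal, CKSN (high nibble) 7 = no key
    return bytes([MM_PD, LOCATION_UPDATING_REQUEST, 0x70]) + lai + b"\x33" + encode_imsi(imsi)


def sample_events():
    victim = "001010123456789"
    events = [("cell-A", imsi_detach(victim)) for _ in range(5)]               # one IMSI detached repeatedly
    events += [("cell-B", location_update(f"00101{n:010d}")) for n in range(60)]  # 60 fresh IMSIs from one cell
    events.append(("cell-C", location_update("001010999999999")))               # benign
    events.append(("cell-C", b"\x03\x21"))                                      # not an MM message, ignored
    return events


if __name__ == "__main__":
    for alert in detect_floods(sample_events()):
        print(alert)
```

The churn rule is the one that protects a named subscriber: a legitimate handset detaches once when it powers off, so several detaches or re-registrations for the same IMSI inside a short window from a cell the subscriber was not just seen in is a strong signal. Thresholds need tuning per network; a busy cell at rush hour legitimately sees many new IMSIs.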
OTHER WIRELESS SECURITY RISKS
- Bluetooth
  - Viruses / worms / malware
  - Listening to phone calls (headset) or car audio systems
  - Changing languages ("DoS")
  - Car hacking via Bluetooth (controlling the car)
- NFC (Near Field Communication)
  - Credit cards with NFC communication
  - Transportation cards ("bus", "train")
  - Toll gates using wireless cards
  - Hotel key cards
- ZigBee
  - Home automation equipment
  - Floor controllers
  - Thermostats
- Internet of Things (IoT) / Internet of Everything (IoE)
  - Limited security capabilities
OTHER WIRELESS SECURITY RISKS
It is not only the wireless or mobile/cellular infrastructure:
- Operating systems: Android OS, Apple iOS, etc.
- Applications
  - Access control to the device (camera, storage, etc.)
  - Remote command and control
  - Malware
Governance – Standardization - Certification
GOVERNANCE – STANDARDIZATION – CERTIFICATION
Certified Professionals
Certified Auditors
BUILD STANDARDIZATION AT NATIONAL LEVEL PER VERTICAL MARKET

Government (regulator / policy maker)
- Per vertical market (A, B, ...): wireless/mobile security requirements and standardization
- Wireless/mobile security mandatory compliance at organisations in that vertical market
- Supply local human capacity levels in wireless/mobile security (or temporarily engage overseas experts)
- Invest and provide (full or partial) funding of globally recognised wireless/mobile security certification programmes, including PRACTICAL experience, to build up the national human capacity levels per vertical market
- Global and industry recognised wireless/mobile security certification programmes, recognised by the government per vertical market
WIRELESS STANDARD BODIES
ISO/IEC 20000-1:2011 ITSM STANDARD (1ST VERSION LAUNCHED 2005) AND ISO/IEC 20000-2:2012 ITSM STANDARD (1ST VERSION LAUNCHED 2005)
ITSMS: Information Technology Service Management Standard
Certified Service Oriented Security Professional (CSOSP) Copyright 2013

ITSM – SERVICE MANAGEMENT SYSTEM AND WIRELESS SERVICE MANAGEMENT
Wireless Service Management
ORGANISATIONS' CAPABILITY LEVELS / SERVICE LEVEL AGREEMENTS (SLAs)
AT WHICH LEVEL DO YOU PROVIDE WIRELESS SERVICE MANAGEMENT?

Gartner Capability Maturity Model – Source: Gartner (April 2006)

Level 0 - Chaotic: ad-hoc; undocumented; unpredictable; multiple helpdesks; minimal IT operations; user call notification
Level 1 - Reactive: best effort; fight fires; inventory; initiate problem mgmt. process; alert and event mgmt.; monitor availability (up/down)
Level 2 - Proactive: monitor performance; analyze trends; set thresholds; predict problems; automation; mature problem, config. and change mgmt. processes
Level 3 - Service: define services, classes, pricing; understand costs; set quality goals; guarantee SLAs; monitor and report on services; capacity planning
Level 4 - Value: IT and business metric linkage; IT improves business process; real-time infrastructure; business planning

Management focus progresses with the level: Tool Leverage, Operational Process Engineering, Service Delivery Process Engineering, Service and Account Management, Business Management ("Profit" Mgmt.)
ISO/IEC 27001:2013 ISMS STANDARD (1ST VERSION LAUNCHED 2005) AND ISO/IEC 27002:2013 ISMS STANDARD (1ST VERSION LAUNCHED 2005)
ISMS: Information Security Management Systems

SECURITY IN TELECOMMUNICATIONS AND INFORMATION TECHNOLOGY
2012: The purpose of the ITU-T Manual on Security in Telecommunications and Information Technology is to provide a broad introduction to the security work of ITU-T. It is directed towards those who have responsibility for, or an interest in, information and communications security and the related standards, and those who simply need to gain a better understanding of ICT security issues and the corresponding ITU-T Recommendations.
ITU / IMPACT / GLOBERON
WIRELESS SECURITY DISTANCE LEARNING FOR GOVERNMENTS IN APAC

Examples of Governments in APAC adopting standardization on certification for personnel
SINGAPORE: NATIONAL INFOCOMM COMPETENCY FRAMEWORK (NICF)
(URL truncated in transcription: ...urseDetails.do?CourseID NICF-COUR-0158)

CERTIFIED WIRELESS SECURITY PROFESSIONAL (CWSP) RECOGNISED BY SINGAPORE GOVERNMENT
CITREP – CRITICAL SKILL DEVELOPMENT PROGRAMME

MALAYSIA: PSMB / HRDF
Human Resource Development Fund

INFOSEC HONG KONG (CWNA, CWSP)
This InfoSec website is produced and managed by the Office of the Government Chief Information Officer of the [text truncated in transcription]
(URL truncated in transcription: ...ish/technical/certifications.html)
Wireless Service and Security Management System
WIRELESS SERVICE AND SECURITY MANAGEMENT SYSTEM

Wireless Service Management Standard (WSMS)
Note: wireless mobile/cellular, Wi-Fi and indoor/outdoor mission/business critical wireless technologies
A WSMS auditor / Certified Wireless Service Auditor is a wireless services professional with the knowledge and skills required to assess the conformance of an organization's wireless services management system as part of the ISO/IEC 20000 ITSM standard.

Wireless Service Security Management Standard (WSSMS)
Note: wireless mobile/cellular, Wi-Fi and indoor/outdoor mission/business critical wireless technologies
A WSSMS auditor / Certified Wireless Security Auditor is a wireless security professional with the knowledge and skills required to assess the conformance of an organization's wireless service security management system as part of the ISO/IEC 27001 ISMS standard.
TOGETHER WE NEED TO GET BETTER QUALITY WIRELESS NETWORKS FOR MISSION AND BUSINESS CRITICAL SERVICES
1. Wireless service management & audit aligned with ITSM / ISO/IEC 20000:2011
2. Wireless security management & audit aligned with ISMS / ISO/IEC 27001:2013
3. Standardization is needed for design, analysis and security audit (end-to-end service & security management)
4. Accreditation body for wireless services/technology: cellular/mobile, Wi-Fi, etc.