This section covers the various activities you should, at a bare minimum, undertake when auditing an organization's wireless exposure. These activities are compatible with performing an OSSTMM-based security test. While attackers do not have any need for wireless policies, technical wireless auditors who simulate hacker activity during their audits do, and as part of their audit, they also have to address organizational policies, so these are included for completeness.
A security policy is one of the most important pillars of a successful information security program. Security policies play a critical role in managing an organization's security by defining the organization's desired posture—one that it strives to achieve and maintain.
Having said that, wireless security policy is probably one of the most neglected areas in many organizations. Many organizations mistakenly leave wireless security out when addressing their overall security policy. Because their organization doesn't have an established wireless infrastructure, many feel that they also have no need for wireless policies. Nothing, however, could be further from the truth.
Wireless devices can be found within the physical walls of virtually any organization, even one that does not explicitly deploy any form of wireless infrastructure. Besides the very common rogue AP-type devices, which employees may have plugged into the organization's network, these devices include wireless-enabled laptops, PDAs, and handphones. In addition, with today's mobile workforce, no one can be certain that employees connecting back to the organization's network from an outside location are doing so over some form of secured network and not over some unsecured wireless medium.
Although the presence of wireless security policies does not technically solve the problem of someone bringing in a wireless-enabled device or the problem of connecting via an unsecured wireless medium when accessing the organizational network from any outside location, it does provide an overall framework for demonstrating management's commitment to implementing security controls where necessary to mitigate the risk of such exposures, as well as allowing the enforcement of sanctions against any contravening acts. At the very least, an organization should explicitly state its stance on the use of any form of wireless technology within its physical premises and when connecting remotely back to its network. This stance should clearly define the acceptable use policy relating to that type of usage.
If the organization has implemented any form of wireless infrastructure within its physical premises, its wireless policies, procedures, and guidelines must then be expanded to cover many other areas, which might include:
• Access policy
• Authentication policy
• Accountability policy
• System and network maintenance policy
• Acquisition guidelines
• Violations reporting