Effect of SOX and GLBA on Wireless Security
Introduction
SOX and GLBA (the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act) are two of the most famous and important acts in the United States, and they have a profound effect on 'financial institutions'. Under these Acts, institutions have to disclose their policies and practices for protecting the privacy of nonpublic as well as public information. They are also required to conduct periodic assessments of their IT infrastructure regarding these issues. In this article we try to understand how wireless networks are accountable for compliance with these regulations.
Section 404 of Sarbanes-Oxley
Section 404 requires financial institutions to establish and maintain internal controls and procedures for financial reporting. It also requires them to assess the effectiveness of such controls and procedures as of the end of the most recent fiscal year.
Gramm-Leach-Bliley Act of 1999
The purpose of this act is to protect consumers' personal data, termed in the act "personally identifiable financial information" or PIFI. PIFI in general includes information provided by a consumer to obtain credit, a loan or another financial product or service. GLBA requires organizations to develop, implement and maintain an information security program to protect PIFI from unauthorized access and use.
The penalties for violating SOX include fines of $10 million to $100 million, and corporate executives (CEO and CFO) can face stiff jail terms, whereas for GLBA the fine can be up to $11,000 per day to $10,000 per violation.
Such stiff penalties show how committed the U.S. Government and financial institutions working in the U.S. are to protecting their citizens' and consumers' privacy.
How Section 404 and the provisions of GLBA apply to Wireless LANs
Most organizations (financial and non-financial) are IT enabled, and 40 percent of them utilize wireless systems as a mode of communication, but they hardly know about the security loopholes involved (source: The Gartner Group).
It is a well known fact that wireless systems are very insecure in nature because they share a common medium for their purpose, i.e. air. Several cryptographic algorithms and techniques are currently in practice to make them secure, like WEP (Wired Equivalent Privacy), IPSec and SSL, but they have already been cracked within a few months of their release. This does not mean that we do not have strong crypto algorithms and techniques, but employing them in current wireless systems would make the transmission bulky and hence slow.
Danger from Internal and External Threats
Internal and external threats like unaware employees and hackers make the situation worse. For example, an unaware employee can put up an inexpensive access point (AP) to improve his slow connection, caused by the long distance from the organizational AP to his cubicle. A hacker can take advantage of this misconfigured AP, obtain its SSID (service set identifier) and penetrate the organizational network by mining useful information from the employee's computer and the AP.
Other common external threats are:
1. MAC spoofing
2. DoS (Denial of Service)
3. Malicious Association
4. Man-in-the-middle attack
The biggest danger to WLAN security is its most useful property, i.e. mobility, because different organizations have different configurations and security policies. For example, an executive from organization A, which has a strict internet usage policy, travels for business to organization B, which has a very liberal internet usage policy, and there he can expose his laptop / PDA to Trojans or viruses, which in turn can badly affect his own network when he returns to his organization.
Mobility is also the reason why it is difficult to create and implement a 'Global Information Security Policy' for an organization where wireless systems are important or critical to business processes.
Solution to the problem
We cannot deny the leaky nature of wireless systems, but to make them efficient and compliant with national laws like SOX and GLBA we have to be more careful. For this we have to follow the guidelines provided by NIST (National Institute of Standards and Technology) for securing WLANs and other wireless connections such as Bluetooth. We also have to follow suggestions given by experienced system administrators, like:
1. Properly configuring APs
2. Disabling automatic SSID broadcast
3. Using software and hardware that can detect rogue APs
4. Using VPNs and SSL for sensitive communication, etc.
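As an added example (not part of the original article), the following Python checks a wireless site survey against an inventory of authorised APs and the configuration points listed above: an unknown radio advertising the corporate SSID is flagged as rogue, and each authorised AP is checked for weak encryption and SSID broadcast. The inventory, the scan entries and the accepted-security policy are constructed sample data, not values from the article.

```python
"""Rogue / misconfigured AP check over a site survey (constructed data)."""
from dataclasses import dataclass

# Constructed inventory of authorised corporate APs: BSSID -> expected SSID.
AUTHORISED_APS = {"00:11:22:33:44:01": "CORP-FIN", "00:11:22:33:44:02": "CORP-FIN"}
# Assumed policy: only WPA2/WPA3 are acceptable; WEP and open networks are not.
ACCEPTED_SECURITY = {"WPA2", "WPA3"}

@dataclass
class ScanEntry:
    """One beacon seen by a wireless scanner (simplified fields)."""
    bssid: str
    ssid: str
    security: str         # "OPEN", "WEP", "WPA2" or "WPA3"
    broadcast_ssid: bool  # True if the AP advertises its SSID in beacons

def classify_ap(entry, authorised=AUTHORISED_APS):
    """Return policy findings for one AP; an empty list means compliant."""
    findings = []
    expected_ssid = authorised.get(entry.bssid.lower())
    if expected_ssid is None:
        if entry.ssid in authorised.values():
            # Unknown radio advertising the corporate SSID: the "employee
            # plugs in a cheap AP" case from the text, or an impersonator.
            findings.append("ROGUE_AP_CORPORATE_SSID")
        else:
            findings.append("UNKNOWN_AP")  # maybe a neighbour; locate and confirm
        return findings
    # A spoofed BSSID passes this inventory check, so confirm findings against
    # the wired side (switch port, DHCP lease) before acting on them.
    if entry.ssid != expected_ssid:
        findings.append("SSID_MISMATCH")
    if entry.security not in ACCEPTED_SECURITY:
        findings.append("WEAK_SECURITY_" + entry.security)
    if entry.broadcast_ssid:
        findings.append("SSID_BROADCAST_ENABLED")
    return findings

def audit_survey(entries, authorised=AUTHORISED_APS):
    """Map each non-compliant BSSID in a survey to its findings."""
    result = {}
    for e in entries:
        findings = classify_ap(e, authorised)
        if findings:
            result[e.bssid.lower()] = findings
    return result

SAMPLE_SURVEY = [  # constructed survey: one compliant AP, one weak, one rogue
    ScanEntry("00:11:22:33:44:01", "CORP-FIN", "WPA2", False),
    ScanEntry("00:11:22:33:44:02", "CORP-FIN", "WEP", True),
    ScanEntry("AA:BB:CC:DD:EE:FF", "CORP-FIN", "OPEN", True),
]
```

Running `audit_survey(SAMPLE_SURVEY)` reports only the second and third entries; the check is an inventory comparison, so it complements, rather than replaces, dedicated wireless intrusion detection hardware.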
Conclusion
It is true that current wireless systems are not as secure as wired ones, and awareness regarding the security of wireless systems is also very rare, but this is only because wireless systems, as far as implementation in the public domain is concerned, are still in their infancy. In the coming years we are surely going to see advances in wireless technology and hence better and more reliable security features in wireless systems.
by Tripurari Rai, MS CLIS, IIITA.