Wireless Risks

Many security professionals fall into the trap of dealing only with the theory and not the practice of defending a network. While it would be great to be protected from all potential attacks that a wireless network may come under, that level of protection may not be practical.

When securing your network, you must consider the risk associated with each attack and address it accordingly. The topic of risk assessment and risk management is one that could fill a book on its own. However, it is important that you understand the basics of risk assessment so you spend your time and money wisely addressing the real issues rather than waste resources on topics that present no risk.

Determining Risk

Figuring out your risk boils down to questions like: “What can happen?”, “How likely is it to happen?”, “What occurs when it happens?”, and “How hard is it to defend against?”. The “What can happen” question has already been answered in this chapter. Determining the likelihood of any particular attack is the next step.

The likelihood of an attack depends on factors such as:

How easy is it to launch the attack?

An attack that is theoretical today may be widely distributed in “script kiddie” code tomorrow. The problems with WEP started out as a paper that described the theoretical problems with the protocol. Very few people had the ability to take the vulnerability and write code to exploit it. Within a few months, several different exploit programs had been developed and were publicly available on the Internet. Once that code became available, the likelihood of WEP-encrypted traffic being cracked became much higher.

What is the risk to the attacker?

Home WLANs are great jumping-off points for hackers because home users tend not to be as diligent as larger corporations. An attacker may stay off large corporate WLANs for fear of being discovered by full-time security systems, such as intrusion detection systems (IDS), and by observant network engineers.

How big of a target are you and your assets?

A home network usually does not contain resources or people that would single the network out for hackers' attention. A bank network, on the other hand, may be filled with user IDs, passwords, high-profile executives, and (above all) money. Keep in mind that the prevalence of wide network scanning by hackers may make you a target simply because you are running a vulnerable service, not because of the valuable assets the network may contain.

There are other issues that affect likelihood, but this is the basic idea. When determining the likelihood of an attack, you must use some common sense and knowledge of the current state of the security industry.

Then you need to determine what you stand to lose (or gain) if a particular attack is used against your network. What kind of user IDs and passwords will be available on the network for eavesdroppers to pick up? Are there time-sensitive applications that a DoS attack can affect? Is the wireless network critical to the minute-to-minute operations of your organization? Can you afford to be sued if a hacker launches an attack from your network?

Finally, using the previous steps to prioritize your activities, you need to evaluate how difficult the attacks are to defend against. If protecting information on your network is your top priority, you must determine to what lengths you will go to protect the integrity of your data. If being sued due to illicit use is your biggest concern, then you must determine the steps you can reasonably take to detect illegitimate use.

When determining and prioritizing your risks, you do not necessarily need to go through a formal process. You need to evaluate your business requirements, your network, and your potential adversary. Most importantly, you need to think about practical ramifications as well as theoretical security.
