Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Wireless Security on Context (disponible en español)
1. Wireless Security on Context (disponible en español)
Posted by Jorge Guzman Olaya on Apr 15, 2013 10:02:25 AM
Why Security?
It all started with an email account you accessed through your laptop, and now sometimes it is really hard to track all
the digital profiles you own, plus we tend to pay little attention about accessing our digital assets in secure “wireless
domains”, these factors combined form a scenario where security breaches can really hurt your digital self as it
exists. It is clear that wireless communications has allowed us to adopt technology in a new way; we can use digital
tools without being tied to a location, but the fact is that when you use technology everywhere you are exposing
yourself to that “everywhere”. Popularity of wireless technology has shifted the usage of digital tools, your mobile
device is amazingly powerful and networks are growing in complexity to cope with better services. All this power
makes it difficult on the user to keep a track of the myriad of vulnerabilities and possible security exploits.
As mentioned above we have in our hands a complex scenario; from one side we have an exponential growth and
success of the wireless technology plus an increasing exposure of personal sensitive data to the digital world plus
more physical spaces where we can use the technology that at the same time increases the number of personal and
social contexts involved in our interactions with technology. On the other side we have a user that is still adapting to
the rapid shift, possibly meaning that he is less conscious of how various factors come together to form the service,
and it is how we find the first weak link in the chain; the lack of knowledge. Another factor is the fierce competition
among industry stakeholders; they are working isolated pushing their own agendas, creating a non -cohesive
framework of security for the wireless industry. On the contrary, threats and bad-intentioned people usually
beneficiate upon gathered knowledge of collaborative open communities through the Internet.
Taking Action to be More Secure
From the user perspective, the main action must be to increase knowledge of the technology. For example, where to
tune security configurations on the device or what information is being accessed on your device by the apps installed.
It is also important to know the risks of using a non-secure WLAN network. In the final part of this blog I summarize
various security tips you can find on the Internet and my personal recommendation.
Application developers must commit more responsibly to security and inform the customer about their efforts on the
matter, especially considering privacy of user sensitive information and its management; aspects like the length of
conservation of user information even after the user has uninstalled the app or the permissions of sh aring personal
2. information with third parties. Regarding the OS developers, it is expected that SW threats are addressed not only for
the new releases of the product but also previous versions must be covered, and somehow frequency of security
updates or patches must be increased.
Other contributors to the industry take action: like national government’s initiative to extend EIR databases beyond
countries frontiers to discourage device theft, or the effort countries are making, to oblige Internet giants to comply
with international policies of user’s personal data handling. Academia presents innovative testing techniques against
security breaches including fuzzy logic and genetic algorithms to simulate real life environments. New wireless
applications like NFC and M2M also pose big questions and challenges to the industry that are being addressed;
solutions like data encryption while being transferred or stored are being integrated into architectures and regulations,
but the main path the industry must take is an improvement of the vision about security. Seurity threats cannot be
avoided - they can only be managed and management must start with a plan to achieve a clear goal.
A Framework to Achieve a More Secure Wireless Ecosystem
If security threats can only be managed at the most, then, a base framework can be formulated to then build a plan or
strategy to efficiently manage wireless security. CTIA has made a pretty good effort formulating such a framework in
which the elements are:
Consumers
MNO
Device Manufacturers
Application Market Places
Operating System vendors
Chipset Manufacturers
Network Services Systems
Support SW Vendors
VAS Service Providers
Network Equipment Manufacturers
Under its view CTIA proposes five cornerstones, around which security actions are executed and efforts should be
built around:
1. Consumers: Responsible to protect their devices through better configuration and installing applications to secure
their devices and their data, also keeping that SW Up-to-date., Ffinally the users must be aware of what they put in
their devices and what they disclosed on their social profiles.
2. Devices: Comprises all the tools and methods that the industry and you as user, can use to minimize risks from
security threats, given the high complexity of current devices and the great deal of information and activities we do
with them.
3. Network based security policies: Includes all the tools that network providers should use as countermeasures against
security threats;, examples like Policy Routing Traffic Analysis, Service provider SSL VPN, and MDM (Mobile Device
Management) capabilities for BYOD environments.
4. Authentication control: Covers the authentication methods of the device with the network and those for the user to
access the device, considering the multifactor method trend and the biometric approaches.
5. Cloud, Networks and Services: Comprehends the whole extend of the network, its functional entities and the
services that each part provides both for regular customers and enterprise users. Also the different precautions and
plans that the network has to have in place for Disaster recovery scenarios and security schemes that ensure privacy
and integrity of stored user information.
3. My Personal View on Wireless Security
Image courtesy of Paola Buelvas (papolareina@yahoo.es)
As mentioned above, a framework is only useful if there is some intention to develop something around that baseline,
and in the introduction of this post I mentioned that industry main stakeholders tend to work isolated in a non -
collaborative way, so I agree with some proposals about a push towards a multisource intelligence environment. In
order to accomplish such an environment a Multisource Intelligent System could be the center tool to allow a
collaborative effort of this kind. And so, the industry will have a transnational, multivendor, multi -technology tool,
containing well documented security threats, problem workarounds, countermeasures and possible patches and
solutions against known security breaches; all this following the best of the bread practices in IT management to
organize, produce, control and store the flow of information that comes from solving engineering problems related to
security in the wireless industry.
This multi-collaborative industry repository will be accessible to all accredited members of the wireless industry and/or
active contributors of security assets construction within the ecosystem. They will feed, maintain and update the
content of this tool. Through the use of guidelines contained in international bodies of knowledge for IT handling, it
will be possible to ensure the appropriate privacy for each industry stakeholder regarding industrial secret
information, while still helping the development of solutions from already known threats and those foreseen by
academia. The main objectives for an endeavor of this kind would be:
Provide the industry with a construct around which industry stakeholders can produce collaborative efforts to better
countermeasure security threats.
To speed the production and divulgation processes of effective and more complete security countermeasures that
better protect the customer and the industry, taking advantage of already documented knowledge, avoiding re -work
and misinformation.
Finally, I think that future technologies, like Context Aware networks can help to create a more secure environment
for the user, allowing the execution of a counter action at the precise instant of technology usage and at the precise
moment where a security threat becomes obvious, and without the need for the user to know or be prepared to all
existent risks of his ongoing wireless transaction or service at a random space and time combination. All while at the
same time optimizing the resources of the network devoted to protect the user against threats .; Ffor example, if the
network detects that certain user is connecting through its own VPN client, a network base VPN solution flow can be
allocated for another user.
A Look into the Future of Wireless Security
Fields for further study: BSN and BAN give security a totally new meaning, because this technology puts information
concerning your own body into networks that today, cannot be considered totally secured;, so if this field of the
industry is set for any success then security must be further developed and strengthen. Now MTC (Machine Type
Communications) where human intervention is not required also needs an intelligent non supervised scheme that can
ensure the basics of a secure communication network: Confidentiality, Integrity, Authentication, Non Repudiation,
Access Control, Availability and Privacy.
4. Security future concepts: like beneficial viruses, SW that in the same line of DRM remain inactive but when found in
unauthorized digital environments then proceed to delete themselves and the information attached to them. Another
concept is the Active sentinel SW that contrary to a regular antivirus this SW adapts to a certain extent to identify the
threat even if is not specified in the database but that follows a suspicious activity pattern against predefine rules.
New biometric authentication methods like brain wave authentication that is really unique and fast.
Summarized Tips for the Wireless User
As promised, here is a list of “do's” and “don'ts” for the user of wireless technology.
Do:
1. Be informed and cautious while downloading apps, clicking links, providing information to online sites, setting
passwords, and linking accounts and online profiles. Always consider installing security software on your wireless
device.
2. Check the permissions of each installed app, and take the time to read the permissions you give to apps while
installing them.
3. Be conscious when using Wi-Fi, check the type of security used, if security is absent from the access point or lower
than WPA2, avoid logging in your sensitive accounts, or do banking transactions, without a VPN client solution, if you
don’t have such solution, restrict your session to just browsing if at all.
4. Be proactive and organized with your passwords: set a strategy to generate, change and store them, there are plenty
of passwords apps.
5. Check the details of your wireless bill to identify unauthorized usage or suspicious usage patterns from your devices.
6. Update your trusted applications and OS in all the devices you run digital transactions.
7. Report stolen or lost phones.
8. Use a VPN solution for unsecure Wi-Fi
9. Use complex passwords for important accounts.
10. Set security questions that really help you protect your data.
11. Use encryption of your sensitive data while stored on mobile devices, available apps can be found on your preferred
SW provider online stores.
Do Not:
1. Publish personal information or specific information about your wireless devices (phone number, IMEI, MAC address,
etc.)
2. Root your phone or mobile device for personalization purposes.
3. Buy an stolen phone or buy it from a suspicious provider
4. Download apps from un-authorized stores different from the OS manufacturer store, like directly from the internet.
5. Be lazy, when setting passwords, logging into sensitive accounts, exchanging banking info, and protecting mobile
devices, always use what you consider is more secure for your digital asset, even if it takes more time.
6. Have one factor authentication for sensitive accounts or digital profiles.
7. Have the same password across multiple online or digital profiles.
8. Thrust blindly on third parties to secure your digital data, take your own measures, backup regularly, encrypt your
data, do not use unsecure access points can be just some examples.
9. Link social accounts all together if unnecessary, you’ll be providing a great deal of information without noticing it.
For more, follow me on Twitter @jomaguo
Read this blog post in Spanish.
For all blog posts written by Jorge Guzman Olaya, please visit his Community Profile.
For more discussions and topics around SP Mobility, please visit our Mobility
Community:http://cisco.com/go/mobilitycommunity