Wi-Fi: Are you broadcasting personal data?

Hundreds of thousands of businesses, large and small, world-wide now use Wi-Fi to connect PCs to their network. Millions of homes use Wi-Fi to connect their PCs to the Internet and, of course, millions more use laptops on public Wi-Fi the length and breadth of virtually every country. From where I'm sitting, writing this right now, I have no fewer than nine wireless networks I could connect to.

So, what's the problem?

Wi-Fi is radio. Every frame is broadcast over the air on an unlicensed band and can be picked up by any receiver within range; that is precisely what lets it work without cables or large antennae, and it is also why anyone nearby can capture whatever your PC sends or receives. Secondly, once you have joined a network over Wi-Fi you are dependent on the security of that network to keep other people off your PC. In your office or at home the chances are that there is a firewall between your PC and the outside world (a firewall is a device or piece of software that lets through only the specific kinds of traffic you have allowed and, in theory, stops someone hijacking your PC, planting viruses on it or extracting data from it). On a shared wireless network, however, the other users are already on your side of that perimeter firewall. Here's what the FBI say:

"The FBI views wireless networks as very insecure, software allows you to set up security, but most people leave it open. It only takes a few extra steps to make it secure, but even if you take the extra steps, a skilled hacker can get into the system."
LaRae Quy, FBI, Northern California

Data Protection legislation requires that organizations take “appropriate steps” to prevent unauthorized access to personal data, or loss of it. Given this requirement, to what extent and where might companies be liable? There are three situations to consider:

  1. Company uses Wi-Fi for its internal network
    There are two issues here. Firstly, Wi-Fi is inherently leaky: the transmissions can easily extend well beyond the confines of your office. They can be encrypted using WEP (Wired Equivalent Privacy), which will stop casual interception, but WEP is known to be badly flawed: an attacker who can passively capture enough of your traffic can recover the key with freely available tools, so it is nowhere near strong enough to prevent deliberate interception or access. Any organization using Wi-Fi and holding personal data will therefore, in order to meet its obligations under data protection legislation, need at the very least to ensure that its transmissions do not extend beyond the office building, and any sensitive data (health, financial etc.) should NOT be accessible or transmissible over the Wi-Fi part of the network. Practically this means holding the data on a separate sub-network with another firewall between it and the Wi-Fi network. That sounds technical but is neither difficult nor expensive in practice, which is another reason it is important to do it: the authorities will take a very dim view of companies that fail to do the cheap and simple. (In this category, turning on encryption is the simplest and cheapest step of all: it is free, takes all of two minutes and requires little technical skill. Use WPA where your equipment supports it, and WEP only where it does not.)
  2. Company provides Wi-Fi for visitors to its premises
    Many companies make Wi-Fi available to people visiting their site. For some it's simply a courtesy; for others, such as hotels or restaurants, it's a device for attracting customers and encouraging them to stay a while and drink more coffee! From McDonald's to Starbucks and Travelodge to the Ritz, Wi-Fi is on offer. In most cases these offerings are completely open, with no encryption enabled at all. This raises two questions. Firstly, should the company offering the service make the lack of security clear? After all, many users are totally ignorant about security. Do they have a duty of care anyway to take appropriate steps to protect their visitors' data? After all, when I'm on someone's premises they have a duty of care towards my personal safety. If you are going to offer the service we'd recommend turning encryption on, bearing in mind that a key you hand to every guest protects them from passers-by who do not have it, not from one another.
    Secondly, companies providing Wi-Fi access to visitors are actively inviting strangers onto their network, which heightens the security risk. Not only will someone on site see your public Wi-Fi network, they will see your private wireless networks too, and unless the visitor network is kept separate from the corporate one (its own network segment, with a firewall between the two) they may be able to reach what lies behind them, exposing you to even greater risk.
  3. Laptop user accessing a public Wi-Fi service
    Most public Wi-Fi services offer no form of security; few even use WEP. So anything you send or receive can, in theory, be received by anyone nearby. Furthermore, they will be able to join the same network and thus potentially access your PC. So, if your organization provides staff with Wi-Fi enabled laptops, some basic security is in order. Firstly, ensure that a software firewall is installed and enabled. Secondly, require authentication for any shared drive or folder, or, better, turn file sharing off altogether while on a public network. Thirdly, use end-to-end encryption, for example a Virtual Private Network (VPN) back to the office, so that everything sent or received is protected regardless of what the hotspot does. This is especially important where the data is sensitive.

Should you Use Wi-Fi at all?

The fundamental question remains whether you should be using Wi-Fi at all. That depends on the sensitivity of your data and the likelihood of you or your organization being targeted. In most circumstances there are simple steps that can be taken to minimize the risks. If you are offering Wi-Fi access as a service to visitors to your company then consider implementing Wi-Fi Protected Access (WPA), which was designed to replace WEP and does not share its flaws. Finally, you may want to consider the advice from the Wireless Ethernet Compatibility Alliance (WECA, since renamed the Wi-Fi Alliance), whose security recommendations include the following:

  • use the largest WEP encryption key permitted, and change the key regularly;
  • use session encryption keys, if available;
  • change the SSID (wireless network name) from its manufacturer-supplied default, and disable broadcasting of the SSID;
  • restrict access to specified MAC addresses (the unique identifiers assigned to each 802.11 device), by enabling MAC filtering; and
  • set passwords for drives and folders on the connected devices.

Organizations with highly sensitive data should consider additional protections on top of the above: end-to-end encryption, authentication (by password or token), firewalls, etc. Two caveats on the list itself. WPA, or its successor WPA2, should be used in preference to WEP wherever the equipment supports it; the WEP advice applies only to hardware that can do no better. And hiding the SSID and filtering on MAC addresses deter only the casual: the SSID is still sent in the clear whenever a legitimate client associates, and a MAC address can be copied by anyone who can see the traffic, so treat those two as hygiene rather than as access control.
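The recommendations above read naturally as an audit checklist, so here is an added example (my own code, not the article's and not the Wi-Fi Alliance's) that checks an access-point configuration against them. It uses hostapd's key=value configuration syntax because that is the format most practitioners will have to hand. The two configurations are constructed for the demonstration, one showing the weak settings and one the corrected ones; the minimum passphrase length and the list of manufacturer-default network names are my own choices rather than anything the article prescribes.

```python
"""Audit a hostapd-style access point configuration against the recommendations above."""
from dataclasses import dataclass
from typing import Dict, List

# Illustrative list of manufacturer-default network names; extend it for your own estate.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless", "wlan"}
MIN_PSK_LEN = 16  # assumption: well above the 8-character minimum hostapd accepts


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" = no adequate encryption, "medium" = weak setting, "info" = hygiene only
    key: str        # the configuration key at fault
    message: str


def parse_hostapd_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines, ignoring blanks and '#' comments; later keys override earlier ones."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed hostapd line: {raw!r}")
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd_conf(text: str) -> List[Finding]:
    conf = parse_hostapd_conf(text)
    findings: List[Finding] = []

    # Encryption: wpa=0 (or absent) means either static WEP or nothing at all.
    wpa = conf.get("wpa", "0")
    if wpa == "0":
        if any(k.startswith("wep_key") for k in conf):
            findings.append(Finding("high", "wep_key0",
                "WEP in use: recoverable by a passive attacker; set wpa=2 with CCMP"))
        else:
            findings.append(Finding("high", "wpa", "open network: traffic is not encrypted at all"))
    else:
        ciphers = conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")
        if wpa == "1" or "TKIP" in ciphers:
            findings.append(Finding("medium", "wpa_pairwise",
                "WPA1/TKIP permitted: set wpa=2 and rsn_pairwise=CCMP only"))
        if conf.get("wpa_key_mgmt", "WPA-PSK") == "WPA-PSK":
            if len(conf.get("wpa_passphrase", "")) < MIN_PSK_LEN:
                findings.append(Finding("medium", "wpa_passphrase",
                    f"pre-shared key shorter than {MIN_PSK_LEN} characters"))

    # Network name: change it from the manufacturer default.
    if conf.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append(Finding("medium", "ssid", "manufacturer-default SSID still in use"))

    # Hygiene items: the SSID still appears in association frames and a MAC address can be
    # copied by anyone who sees the traffic, so these are reported at info level only.
    if conf.get("ignore_broadcast_ssid", "0") != "1":
        findings.append(Finding("info", "ignore_broadcast_ssid", "SSID is broadcast in beacons"))
    if conf.get("macaddr_acl", "0") != "1":
        findings.append(Finding("info", "macaddr_acl", "no MAC address allow-list configured"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    order = {"high": 3, "medium": 2, "info": 1}
    return max((f.severity for f in findings), key=order.get, default="none")


# --- constructed configurations: the weak settings beside the corrected ones ---
WEAK_CONF = """\
interface=wlan0
ssid=linksys
hw_mode=g
channel=6
auth_algs=1
# static 40-bit WEP key and nothing else
wep_default_key=0
wep_key0=0102030405
"""

HARDENED_CONF = """\
interface=wlan0
ssid=acme-staff
hw_mode=g
channel=6
auth_algs=1
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple-2008
"""


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        results = audit_hostapd_conf(conf)
        print(f"{name}: worst finding = {worst_severity(results)}")
        for f in results:
            print(f"  [{f.severity}] {f.key}: {f.message}")
```

Anything rated "high" means personal data on that network is travelling in the clear or as good as, which is the situation item 1 above says a data controller must not allow; the "info" items are worth doing but should never be counted as the appropriate steps on their own.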



This site is sponsored by VeriSign - world leaders in Managed Security Solutions.
The contents of the site, however, do not necessarily reflect the views of VeriSign. Much of the content is independently authored.