Wireless security skills “must be prepared for the Internet of Things era” asserts SANS Institute

The proliferation of new wireless communication technologies in consumer electronics and smart devices is overtaking the skills present within the information security industry

The proliferation of new wireless communication technologies in consumer electronics and smart devices is overtaking the skills present within the information security industry

The proliferation of new wireless communication technologies within consumer electronics and smart devices is overtaking the skills present within the information security industry. That’s the considered view of Larry Pesce, a leading expert in the field and SANS instructor.

“There’s a great deal of disparity between the security of the different wireless standards, particularly when you compare the 802 family that was predominately built for business use and emerging technologies that came from the consumer landscape such as Bluetooth, Zigbee and Z-Wave,” explained Pesce, who co-authored the ‘Linksys WRT54G Ultimate Hacking’ and ‘Using Wireshark and Ethereal’ reference books.

“For example, Bluetooth has some solid maths around encryption but many of the security decisions are left in the hands of the users which means that things can go horribly wrong. Zigbee has a poor design for how it handles pass-phrase and replay packets which are highly vulnerable, while security in some of the proprietary formats like Z-Wave is almost non-existent.”

Pesce – who also develops real-world challenges for the Mid-Atlantic Collegiate Cyber Defence Challenge – is complementary about newer wireless protocols such as 802.15.4 which uses baseline profiles to help deliver enhanced security. That said, Pesce commented: “The technology is probably ahead of the skill sets out in the field and the problem is also somewhat underestimated.”

Pesce highlighted the privacy issues that wireless-enabled devices are starting to confront. “If we look forward, a large number of devices in the workplace and the home will be wirelessly-enabled and communicating autonomously between each other and back to manufacturers. Unless more consideration is given to securing both the devices and the communication links, there are likely to be breaches that will burrow into this Internet of Things infrastructure and start to gather private information or act as a staging post for more damaging attacks.”

Standards perspective: arriving at a crossroads

Pesce will be teaching the upcoming SANS Institute course SEC617: Wireless Ethical Hacking, Penetration Testing and Defences which is debuting in Europe at Pen Test Berlin 2015 during the end of June.

The hands-on course takes an in-depth look at the security challenges of many different wireless technologies, exposing students to wireless security threats through the eyes of an attacker.

Using readily available and custom-developed tools, students navigate through the techniques attackers use to exploit WiFi networks, including attacks against WEP, WPA/WPA2, PEAP, TTLS and other systems.

The course also examines the commonly overlooked threats associated with Bluetooth, ZigBee, DECT and proprietary wireless systems.

“From a standards perspective we’re now at something of a crossroads,” outlined Pesce. “The vendors are still mostly obsessed with ‘bigger and faster’, but there’s increased pressure from a privacy perspective and many are having a hard time figuring it out. As far as information security professionals are concerned, the skills needed to secure these new types of wireless connections are in high demand.”

*Further information on Pen Test Berlin 2015 is available at: http://www.sans.org/event/pen-test-berlin-2015/

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts