Preface

Previous page
Table of content
Next page

Preface

When you're on a journey and the end keeps getting farther and farther away, you realize that the real end is the journey.

Karlfried Graf Durckheim

This book provides wireless and security professionals with a foundation on which to design secure wireless systems. Most security problems are handled reactively rather than proactively; this does not have to be the case for wireless security. In the past decade, advances in software development have outpaced advances in software security. Wireless technology still in its infancy affords the opportunity for proactive security that keeps pace with development.

Wireless Security and Privacy is intended for three types of readers:

1.       Security experts interested in wireless issues

2.       Wireless experts interested in security issues

3.       Business professionals and consumers generally interested in wireless security

We focus on the practices and methodology required to establish comprehensive wireless security. Wireless application developers, wireless device users, service providers, and security professionals are among those who will benefit from the information and analysis presented.

The message presented in this book differs greatly from that offered by most other security texts, which are typically dedicated to dissecting attacks and retroactively presenting lessons learned. Their message is, "Security should have been a priority from the beginning." Our message is, "It's not too late."

In the wired Internet world, applications are released at breakneck speed while security measures lag far behind. Security is considered an isolated step, taken only when time permits. Wireless or wired, applications are pieces of software. Wireless developers can apply certain lessons the wired development community has learned about software security. Secure software practices are an important first step toward building secure systems. If security is taken into consideration before wireless applications become widely available, the myriad problems that have occurred with wired applications can be avoided. Provisions for security must be developed throughout the lifecycles of wireless applications and systems.

Software applications, e-business opportunities, revenues, and reputations have suffered because development teams and businesses have not focused sufficiently on security. It is no accident that phrases such as Internet time have become common. The pace at which new technologies are developed is increasing at an exponential rate. Hardware and software capabilities, communications speeds, and pervasiveness within society have changed the face of IT. Developers, architects, and industry analysts could not have predicted with any degree of certainty the extent to which the wired industry would develop.

If wireless trends mirror current software trends, wireless applications and services will likely become as commonplace as desktop Internet applications. While the world waits for wireless devices and infrastructure to develop and deliver the capabilities of desktop hardware and wired networks, security professionals and wireless architects have a unique opportunity to coordinate their efforts and direct trends in the wireless world. Developers have the responsibility to design secure wireless applications. This can be accomplished only if efforts commence immediately. Software security best practices can help guide the development of effective wireless applications.

It is almost impossible to overestimate the amount of time and money that will be saved if wireless security is set forth as a guiding tenet of wireless architecture. Security will become a best practice that cannot be ignored and a critical element of all application development, with or without wires. Confining security to a single module and considering it only after market (or not considering it at all) should be unthinkable. Security is a process. As such, it must begin in the first stages of design and continue throughout the development cycle. Security must also be constantly reevaluated, even after an application's release.

When the wired Internet first emerged, its primary uses were research and development. Applications emerging on the market were intensely popular and mushroomed in scope and number. Application security, unfortunately, did not have an opportunity to keep pace. Wireless Internet on PDAs will not begin in the same fashion. Rather, it will be used in its early stages for delivering service-oriented, timesaving applications. Most existing wireless applications fall into that very category. The most popular versions of applications accessed through desktop browsers will be available in lightweight versions. Research will not be the primary focus, as consumers demand robust, convenient applications on wireless devices.

The message of this book bears repeating: "It's not too late." However, this message has a second part: "The time to start is now."

The wireless industry has been afforded a luxury that was unavailable to the wired industry: precedence turned into foresight. The catch? Consumers now share this same foresight. Consumers are increasingly aware of the risks they assume in using wired and wireless applications. They have been burned in the wired world and will not be cavalier in their use of wireless applications. Wireless developers must be able to sell their products based on the merits of usability, security, privacy, and reliability. Building verifiable security measures into a product will give it a competitive differentiator. Applications that cannot sufficiently prove their security will quickly become obsolete. Today's wireless application developers must understand that security will soon become a consumer mandate.

Investigation into security practices cannot stop at applications, however. Wireless devices, networks, and applications warrant close examination so that problems can be predicted and prevented.

This book is divided into four sections: Establish a Foundation, Know Your System, Protect Your System, and I-ADD (meaning Identify, Analyze, Define, and Design). The first introduces basic security principles, wireless technologies, and their applications. The last three explain the three phases involved in designing a robust security solution.

Part I: Establish a Foundation

Establish a Foundation is as important to security development as it is to life in general. Beginning an endeavor by learning about all its components prevents many headaches down the road. Furthermore, being mindful of security throughout an entire development process is crucial. Several standard but often ignored security principles that apply to the wired Internet world hold important implications for the wireless world.

Chapter 1 Wireless Technologies

Chapter 1 introduces the general principles governing wireless issues today. Wireless experts may find that they do not need this review. If you choose to skim or skip this chapter, however, you should read the case studies at the very end because they are referred to throughout the entire text. The chapter presents a high-level overview of wireless issues and technologies, with the intent of familiarizing you with topics essential in understanding the rest of the book.

Chapter 2 Security Principles

Chapter 2 introduces general security practices and common industry concepts. Security experts can skim this if they feel comfortable with its content. These key principles are important for understanding more complex processes introduced later in the text. In this chapter we introduce a method for developing a security analysis process called I-ADD. This process is based on industry practices but standardizes and organizes the approach. I-ADD is fleshed out beginning in Chapter 9, "Identify Targets and Roles."

Part II: Know Your System

Know Your System presents the first essential step in developing appropriate wireless security practices. This section puts its message into action by demonstrating the results of research efforts paramount to investigating system components when developing a secure system. Technologies, devices, and languages are discussed in great detail so that they can be woven into a security framework.

Chapter 3 Technologies

Chapter 3 takes you through the first phase of our process by presenting detailed information on wireless technologies such as 802.11b, Bluetooth, and Wireless Application Protocol (WAP). Each technology falls in a different place on the wireless technology spectrum and has its own security implications. In the initial phases of developing a comprehensive security solution, knowing the ins and outs of all components is extremely helpful. This chapter shows you what type of information is valuable to know about wireless technology. You have to conduct an exhaustive search of all the system's components before determining which affect security.

Chapter 4 Devices

Much in the same fashion as Chapter 3, Chapter 4 delves into physical and logical aspects of wireless devices. PDAs, cell phones, and laptops with wireless network cards are discussed. As part of the Know Your System section, this chapter teaches you the device intricacies that affect security solutions. Specific devices are investigated, and general recommendations are made. Security implementations must investigate the specific devices and client software on the devices that could affect security in any way. This chapter introduces some of these, but pursuant to its goal of teaching a process, not just a static solution, it educates you about the device issues that have to be considered when developing a comprehensive security package.

Chapter 5 Languages

Chapter 5 is more technical than its two predecessors. Project managers using this book to guide a security implementation may want to refer a developer or development team leader to this chapter. The chapter will not make you an expert wireless developer but shows you those components of wireless development languages that affect security implementations. Designating a team member as the language expert is essential in any wireless project. The language expert should know the security implications of the language backwards and forwards. This chapter helps get the language expert on her way. The languages discussed are presented in light of their potential security downfalls. Mitigations are suggested, and implementations are not complete without consulting this chapter.

Part III: Protect Your System

Protect Your System presents the intermediary step in the security process: developing a risk model. This enables a person with knowledge of a system to decide how best to protect it. By outlining the roles associated with a system, its threats, vulnerabilities, and attacks, you can develop a robust plan. The threat model you develop will help integrate security throughout a system's development lifecycle.

Protect Your System discusses technologies or procedures that affect wireless systems. Although these technologies or procedures may not be directly applicable to any particular architecture or system, the information provided indicates the issues and add-ons to be considered in mitigating security risks.

Chapter 6 Cryptography

In many cases, cryptography is confused with total security. If cryptography is not understood properly, it can be assumed to accomplish far too much or far too little. This chapter serves as an introduction to applied cryptography. Its purpose is to inform you of basic cryptographic principles that should be understood in developing a wireless security solution. This chapter is more technical than others but provides an introductory view for the layperson. It is important to be able to use cryptography as a component of a security solution without making the mistake of thinking that simply encrypting wireless network traffic will solve all security problems.

Chapter 7 COTS

When looking for security, we sometimes fall into another trap commercial off-the-shelf products (COTS). COTS products offer a false sense of security in some cases. They should be used when necessary and can offer a partial security solution, but they should be understood first and used with great care. This chapter investigates some popular, wireless industry COTS products and examines their role in protecting a wireless application or system.

Chapter 8 Privacy

No discussion of security is complete without considering privacy. Although distinct entities, the two are intertwined in many ways. This chapter teaches the wireless and security professional about the privacy policy and legal issues surrounding wireless technology security at the present time. Understanding the policies under which you are developing a security solution is essential. Furthermore, it is good solid business practice to understand the privacy concerns of consumers and be able to accommodate the changing needs of a wireless user population.

Part IV: I-ADD

The concepts governing wireless security issues are neither new nor distinct from those governing wired issues. In both cases, several steps are involved: Threats must be assessed, risk must be determined, vulnerabilities must be analyzed, and a plan for designing accordingly, based on the first three steps, should be developed.

Chapter 9 Identify Targets and Roles

Using systems set forth in our case studies, as well as generic wireless systems, Chapter 9 conducts an exhaustive search for potential targets. In this "whiteboard" phase of the analysis, you learn how to dissect components to determine what might be compromised. When this list is completed, you proceed to identify the roles or individuals associated with any of the case study systems that may attempt to compromise or take control of the identified targets. This information gives you a starting block from which to launch the rest of your analysis.

Chapter 10 Analyze Attacks and Vulnerabilities

When targets and roles have been identified, known attacks, vulnerabilities, and theoretical attacks are analyzed. This analysis examines how these threats affect the resources we want to protect. From this analysis, potential mitigation techniques and protection mechanisms are determined.

Chapter 11 Analyze Mitigations and Protections

Chapter 11 is where the security plan develops. It is also the culmination of our investigation. Mitigations are implemented against risks, and a robust system ensues. Although the most daunting part of the overall picture, developing the security model, falls into place when you understand the framework, the threats against it, and how to protect it. We systematically proceed through the threat model already developed and discuss how to build security in to places where we have found holes.

Chapter 12 Define and Design

Inevitably, there are difficult trade-offs and decisions you must make. This chapter revisits the case studies, applies a security model to each, and discusses which components of a security system are necessary, based on what needs to be protected in each case. We apply all the concepts taught in the book and come up with solutions for our cases.

 


Previous page
Table of content
Next page
Wireless Security and Privacy(c) Best Practices and Design Techniques
Wireless Security and Privacy: Best Practices and Design Techniques
ISBN: 0201760347
EAN: 2147483647
Year: 2002
Pages: 73
Authors: Tara M. Swaminatha, Charles R. Elden
BUY ON AMAZON
Beginning Cryptography with Java
Metrics and Models in Software Quality Engineering (2nd Edition)
Data Structures and Algorithms in Java
Mapping Hacks: Tips & Tools for Electronic Cartography
Logistics and Retail Management: Emerging Issues and New Challenges in the Retail Supply Chain
Twisted Network Programming Essentials
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy