The Case Studies Revisited

Without further ado, let us look at the first case study, the hospital (refer to Chapter 1, "Wireless Technologies").

The Hospital

In the hospital scenario, much is at stake. You are concerned with protecting a lot of information (now required by federal law; see Chapter 8, "Privacy," for information on privacy and legislation), some of which is critical to Reggie's staying alive. In this case study, you are concerned with avoiding, first and foremost, loss of life; then financial loss and loss of privacy; and last, scheduling conflicts. Several pieces of data that need to be protected in transit, during storage on servers, and in presentation and storage on the device could be critical to Reggie's life and health:

         Medical records and history

         Diagnoses

         Recommendation for surgery

         Prescription information

Also, certain data that needs to be protected in transit, during storage on servers, and in presentation and storage on Reggie's device could, if compromised, cause him to incur financial loss:

         Credit card information

         Voice approval for credit card authorization

         Insurance information

Other pieces of data that need to be protected in transit, during storage on servers, and in presentation and storage on Reggie's device could, if compromised, result in his loss of privacy:

         Medical records and history (including all related events of the day)

         Insurance information

         Credit card information

Finally, certain data that should be protected in transit, during storage on servers, and in presentation and storage on his device could, if compromised, result in an inconvenience (namely, a scheduling or timing conflict):

         Surgery scheduling

         Appointment scheduling for follow-up

These groups of data fit in different places in the mitigation and protection schema. Five of the identified protection categories are most significant in this case study. In making security/functionality trade-offs, the most relevant should be considered first. For the hospital, the following should be considered:

         Protecting the wireless device

         Protecting personal data on the PDA

         Protecting corporate or third-party information

         Protecting corporate proprietary data and resources

         Protecting the network server

The next step is to integrate the data priorities with the protection categories. We will go through the identified protection categories in the bulleted list and apply our priorities in choosing mitigations. All mitigations are chosen from the information in Chapter 11.

Protecting the Wireless Device

Although device manufacturers play a certain role in this protection category, it is up to Reggie and Anne to take necessary precautions. Reggie risks losing his own personal data, which, although potentially dangerous, affects only him. Anne, on the other hand, puts many other people at risk by losing her device, so she must go to greater lengths to protect hers. Reggie could simply employ a holster so that his device is wearable, but Anne could be required by the hospital to use an external authentication mechanism to access the device to ensure that, in the event of loss, no one else can access the information available to the device. (See the protection/vulnerability matrix at the end of Chapter 11 for how we arrived at this conclusion.)

Protecting Personal Data on the PDA

In this protection category and case study, we will assume that the application on Anne's PDA that allows her to view medical records and the like is a proprietary application. Taking a look at the mitigations suggested in this category, we can be astute architects of this system and have the foresight to implement a certification program. Enforced by the OS on all PDAs used by doctors in this hospital, this would allow only digitally signed code from authorized certifiers to be loaded on the device. The software could then be validated to be secure, reliable, and functioning as intended. The authenticity and integrity of the code could be maintained, and we could mitigate the risk of a malicious application developer's compromising Reggie's surgery by inserting dangerous code into Anne's PDA.
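The certification program described above amounts to two checks the loader must make before admitting code: the signing key must be one the hospital has authorized, and the signature must verify over the code actually being loaded. The Go program below is an added illustration of that policy, not code from the book or from any PDA vendor; the Package format, the Certifier and Loader types, and the sample application bytes are all assumptions made for the example. It uses Ed25519 from Go's standard library and shows that a package signed by an unauthorized developer is rejected even though its signature is valid, and that a tampered copy of a properly certified package is rejected as well.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package is a hypothetical application image as the PDA's loader would see it:
// the code, the public key of whoever signed it, and that signer's signature
// over a digest of name and code. Constructed for this example, not a real format.
type Package struct {
	Name      string
	Code      []byte
	SignerKey ed25519.PublicKey
	Signature []byte
}

// Certifier is a signing authority: the hospital's, or a rogue developer's.
type Certifier struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewCertifier() (*Certifier, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Certifier{pub: pub, priv: priv}, nil
}

func (c *Certifier) PublicKey() ed25519.PublicKey { return c.pub }

// digest binds the signature to both the package name and its code, with a
// separator byte so that different (name, code) splits cannot collide.
func digest(name string, code []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0})
	h.Write(code)
	return h.Sum(nil)
}

// Sign produces a package carrying the certifier's own key and signature.
func (c *Certifier) Sign(name string, code []byte) Package {
	return Package{Name: name, Code: code, SignerKey: c.pub,
		Signature: ed25519.Sign(c.priv, digest(name, code))}
}

var (
	ErrUntrustedSigner = errors.New("signer is not an authorized certifier")
	ErrBadSignature    = errors.New("signature does not match package contents")
)

// Loader is the OS-enforced policy: the keys of the certifiers the hospital trusts.
type Loader struct {
	trusted map[string]bool
}

func NewLoader(authorized ...ed25519.PublicKey) *Loader {
	l := &Loader{trusted: map[string]bool{}}
	for _, k := range authorized {
		l.trusted[string(k)] = true
	}
	return l
}

// Load admits a package only if (1) the signing key is on the authorized list
// and (2) the signature verifies over the code being loaded. Check (1) defeats
// a developer who signs with a key of his own; check (2) defeats tampering with
// a legitimately certified package.
func (l *Loader) Load(p Package) error {
	if !l.trusted[string(p.SignerKey)] {
		return ErrUntrustedSigner
	}
	if !ed25519.Verify(p.SignerKey, digest(p.Name, p.Code), p.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	hospital, _ := NewCertifier()
	rogue, _ := NewCertifier()
	loader := NewLoader(hospital.PublicKey())

	good := hospital.Sign("records-viewer", []byte("view records v1")) // sample code bytes (constructed)
	fmt.Println("hospital-signed:", loader.Load(good))
	fmt.Println("rogue-signed:   ", loader.Load(rogue.Sign("records-viewer", good.Code)))
	tampered := good
	tampered.Code = append([]byte("patched: "), good.Code...)
	fmt.Println("tampered:       ", loader.Load(tampered))
}
```

The order of the checks matters: the allow-list test runs first, so a key the device has never been told about is rejected before any signature arithmetic, and the package's self-asserted signer key is never trusted on its own.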

In this hospital's budget, security is important but limited. The hospital believes that this code certification solution is enough to mitigate the application risk. It does not want to invest in a trusted OS for each device, nor the time and money involved in implementing a hardware-resident integrity check of the device and OS. The hospital will, however, provide funding to purchase an additional encryption program for the PDAs so that malicious application support personnel cannot compromise stored data. There is a drawback to this added encryption program, however. Anne's battery lasts only about 24 hours. Sometimes Anne is required to work 36-hour shifts, and on these shifts she must operate without her Compaq iPAQ PDA for 2 hours while the battery is recharging. She is not pleased with this solution because she needs constant access to her information, so she is pressing the hospital wireless security team for a better solution.

Reggie's funds are far less than those of the hospital. He spends most of his money in co-pays these days and cannot afford to purchase an extended encryption program for his PDA. He, instead, relies on himself to keep the device out of the wrong hands.

Protecting Corporate or Third-Party Information

In the hospital, device and application support personnel are one and the same. The encryption application on the device has no back doors and offers reasonable protection against these individuals' possible attempts to commandeer a device or its data. You do not have control over the WSP personnel in this case. The risks left open there are somewhat mitigated by the extra encryption. The mitigations used in the preceding section to protect information apply here as well.

Protecting Corporate Proprietary Data and Resources and the Network Server

Data on the administrative and network servers that needs to be protected is subject to malicious WSP personnel, application developers, application support personnel, and users. You do not have control over the WSP personnel, and the risks there are significant. Any person with access to the hospital's servers can access and manipulate patient data, records, X-rays, scheduling, and prescriptions. This is extremely dangerous.

To protect the server, we will choose mitigations from the lists developed in Chapter 11. Sensitive data will be stored in an encrypted form, authentication will be required before allowing access to sensitive data, access and activity on the system will be logged, and use of a physical token will be required as part of the authentication process. These will mitigate risks posed by all noted potentially malicious parties. The servers themselves are protected outside the realm of the wireless system; they are secured with common wired-network techniques. In addition to these mitigations, it is important to secure the wireless-link administration interfaces that connect to the servers with the same protection afforded Internet or other untrusted traffic.

Considerations

Several mitigation techniques were selected, bearing in mind that some data is to be protected at greater cost than other data. The servers and devices in this case study contain highly sensitive data that requires integrity and privacy to a paranoid degree. The hospital does not go to the nth degree in securing its systems. Not every offered mitigation technique was employed, but an appropriate set was determined. Anne still wants a better solution for her need to recharge her device in the middle of her shift. This can be done in a variety of ways: engineering an encryption solution in a development language such as J2ME, which the authors consider less battery-intensive; employing an elliptic curve cryptography (ECC) algorithm, which is less battery-intensive; purchasing longer-lasting batteries for her device; or perhaps even switching to a less resource-intensive device, such as a Handspring Visor Edge running Palm OS, which has an expansion slot for added memory as well as encryption.

Reggie, by the way, hangs on tightly to his device and recovers easily from his surgery, updating Anne periodically with status reports that allow him to minimize his trips to the hospital for follow-up visits. Because the hospital appropriately protected his credit card information (and was fortunate not to have malicious insiders compromise the system), he has not seen any unauthorized transactions on his statements and was billed correctly for his co-pay.

Using Wireless Devices in a Medical Environment

Another aspect to our hospital case study is the use of wireless devices in a hospital. We do not investigate the networks and communication in great detail, but implementing a wireless solution in a medical environment is tricky. Wireless devices can cause conflicts, malfunctions, or other problems with heart monitors and other critical medical technologies. Wireless communication can be implemented in a hospital only with strict adherence to restrictions and very close communication among medical technologists and wireless technologists to develop explicit and exhaustive plans for use or prohibition of different types of wireless technology throughout the hospital system.

The Office Complex

AdEx is preparing a presentation for NitroSoft. In this office complex case study, you do not have any data that is critical to someone's life or health. No data can cause direct financial loss. You do have time-critical messages and proprietary sensitive data. After examining a hospital situation, this seems almost pedestrian. It is business-critical, however, and businesses invest good money in wireless solutions that must work.

To close this deal, Kathleen needed to deliver the best presentation possible. Without instant communication from her team members, she would not have been able to schedule the lunch meeting and subsequent presentation properly. Losing or damaging the acquisition information Louis sent her to incorporate into the presentation would have been potentially damaging to their relationship and a potential deal-killer. If Louis sees a similar pitch from three other advertising firms and Kathleen is able to adapt the most quickly and make efficient use of Louis's time, he will choose to do business with AdEx every time. The data that needs to be protected here is the presentation slides, the information sent by Louis, and the contents (and transmission expediency) of the e-mail exchanges.

The data in this case study fits in different places in the mitigation and protection schema. Two of the identified protection categories are most significant in this case study. In making security/functionality trade-offs, we will consider the most relevant first. For this second case study, the following should be considered:

         Protecting the wireless device

         Protecting corporate or third-party information

This may seem troubling: only two of the protection categories? For this isolated example, that's exactly right. The users are not accessing sensitive information on corporate servers, and they should not be storing personal information on devices used for work. The devices are used to send and receive information in this case.

Protecting the Wireless Device

In this case study, no extraordinary means need be taken to secure the physical devices. Kathleen, Louis, and their respective co-workers are conscientious and enable passwords to secure their devices.

Protecting Corporate or Third-Party Information

The presentation and e-mail messages exchanged between the players in this case study should be protected in transmission and on the device. Only designated recipients should receive e-mails, and the time stamps on those e-mails are critical. Device support personnel, WSP personnel, application developers, and application support personnel are beyond your control because this is not a proprietary application or device.

The wireless solutions used by Kathleen and the AdEx staff are Pocket PCs. They make use of the slimmed-down office products available for their devices, and their company has not engineered any solutions on top of the devices. The Pocket PCs are used out of the box and have no encryption capabilities. AdEx is operating on a limited budget, and even the few mobile devices it has consented to procure are stretching its funds.

The appropriate mitigation for this situation is institution of a checklist and an oversight procedure. This technique is typically applied for application support personnel to ensure that any security bypass settings or diagnostic modes have been properly reset to operation settings. In this case, however, it is used to ensure that the settings on each device are compliant with the company security standards. What Kathleen and her team can do to protect others from viewing their presentation is to protect the individual document with a password.

The data is at risk during transmission because no encryption is employed. The group could switch to a BlackBerry solution so that encryption is native to the device. However, they would not be able to view presentations or other office documents on their PDAs. The trade-off they are willing to make is that, although their transmitted data is vulnerable to capture by anyone sniffing the wireless network, they are afforded some protection by password-protecting the document. They accept this risk in return for being able to integrate office documents quickly and easily between their desktops and Pocket PCs.

A key point here is that the users and not just the system engineers must understand and accept these limitations. When trade-offs are made that affect how a system operates or there are areas where users may make assumptions about how the system operates, users must be informed about the risks they are assuming and the appropriate actions they should take to mitigate these risks.

The NitroSoft group does use BlackBerry devices, so they cannot view attachments but are able to forward them to the AdEx folks. Their communication is secured only between the redirector on each one's desktop and the BlackBerry device. When they forward the message, the message and its attachment can be viewed in the clear.

Considerations

In an office scenario, financial motives, incentives, and risks are often a driving force in decision-making. When other features, such as reliability, speed, profit, or commercial appeal, are at stake, security is often relegated to the lowest priority. Sometimes this is acceptable, and sometimes it isn't. Very few development projects finish ahead of schedule and under budget, so finding ways to recover time and money is important. For NitroSoft, implementing all the security solutions we suggested may or may not be financially sensible. Performing a return on investment (ROI) analysis might be a good idea here. Because you are not concerned with people's lives, you do not have the same urgency as a hospital scenario. You do want to ensure profitability and sound business practices, though, so you do not want to let security fall by the wayside. Examining the financial benefits of building security into your environment gives you information essential to making good business decisions.

The University Campus

The university case study opens the door to interesting questions of data security. The data to be protected may not be apparent at first glance, but the biggest risk is cheating. Steve, Brian, and Jessie's laptops are subject to college students' attempts to gather information about assignments, projects, and tests while online. During Brian and Jessie's NetMeetings, they are targets for streams of attacks. Additionally, if students could access Steve's grading spreadsheet, they could give themselves better grades and not worry about cheating on subsequent tests. All the data to be protected here is of an academic and integrity-oriented nature. Furthermore, Steve, Brian, and Jessie's personal data needs to be protected so that, unbothered, they can continue with their own research.

The devices are the easy part of this case study. They are all laptops with wireless NICs that operate via 802.11b. The data on these laptops can be encrypted, but the transmission cannot be protected adequately. If you recall from Chapter 6, "Cryptography," the WEP algorithm that encrypts 802.11b traffic is easily broken. Unfortunately, as of yet, not much can be done short of the university's implementing a VPN solution.
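One concrete reason WEP offers so little protection is the way it keys RC4: every frame is encrypted with a keystream derived from the shared key and a 24-bit IV that is sent in the clear. With only 2^24 IVs, the same IV (and hence the same keystream) recurs quickly on a busy network, and XORing two frames that share an IV cancels the keystream and leaves the XOR of the two plaintexts. The Go program below is an added demonstration of that property, not code from the book; the RC4 routine is written out so it is self-contained, the shared key, IV and frame contents are constructed for the example, and WEP's CRC-32 integrity value is omitted because it does not affect the point. A student who has captured one frame whose content is predictable (the request for the grading sheet) recovers the content of a second frame sent under the same IV without ever learning the key.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// rc4Keystream returns n bytes of RC4 keystream for key. It is written out here
// so the example needs nothing beyond the standard library's basics.
func rc4Keystream(key []byte, n int) []byte {
	var s [256]byte
	for i := range s {
		s[i] = byte(i)
	}
	j := 0
	for i := 0; i < 256; i++ { // key-scheduling algorithm
		j = (j + int(s[i]) + int(key[i%len(key)])) & 0xff
		s[i], s[j] = s[j], s[i]
	}
	out := make([]byte, n)
	i, j := 0, 0
	for k := range out { // pseudo-random generation algorithm
		i = (i + 1) & 0xff
		j = (j + int(s[i])) & 0xff
		s[i], s[j] = s[j], s[i]
		out[k] = s[(int(s[i])+int(s[j]))&0xff]
	}
	return out
}

// wepEncrypt models WEP's per-frame encryption: the 24-bit IV is prepended to
// the shared key to seed RC4, the body is XORed with the keystream, and the IV
// travels in the clear ahead of the ciphertext. (WEP's CRC-32 ICV is omitted.)
func wepEncrypt(sharedKey []byte, iv [3]byte, body []byte) []byte {
	perFrameKey := append(append([]byte{}, iv[:]...), sharedKey...)
	ks := rc4Keystream(perFrameKey, len(body))
	frame := make([]byte, 0, 3+len(body))
	frame = append(frame, iv[:]...)
	for i, b := range body {
		frame = append(frame, b^ks[i])
	}
	return frame
}

// recoverByIVReuse is the eavesdropper's side. Given two captured frames that
// carry the same IV (so the same keystream) and the known plaintext of the
// first, it recovers the plaintext of the second without the key:
//   C1 ^ C2 = (P1 ^ KS) ^ (P2 ^ KS) = P1 ^ P2, therefore P2 = C1 ^ C2 ^ P1.
func recoverByIVReuse(frameA, frameB, knownPlainA []byte) ([]byte, error) {
	if len(frameA) < 3 || len(frameB) < 3 {
		return nil, errors.New("frame too short to carry an IV")
	}
	if !bytes.Equal(frameA[:3], frameB[:3]) {
		return nil, errors.New("IVs differ: keystreams are not shared")
	}
	cA, cB := frameA[3:], frameB[3:]
	n := len(cA)
	if len(cB) < n {
		n = len(cB)
	}
	if len(knownPlainA) < n {
		n = len(knownPlainA)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = cA[i] ^ cB[i] ^ knownPlainA[i]
	}
	return out, nil
}

func main() {
	key := []byte("Secret!Key123") // 104-bit WEP shared key (constructed)
	iv := [3]byte{0x00, 0x00, 0x01}
	known := []byte("GET /grades/ta-sheet.xls HTTP/1.0")  // predictable request (constructed)
	secret := []byte("student 4471: quiz 2 score 91/100") // the frame the attacker wants (constructed)
	a := wepEncrypt(key, iv, known)
	b := wepEncrypt(key, iv, secret) // same IV: the 24-bit space wraps quickly
	got, err := recoverByIVReuse(a, b, known)
	fmt.Printf("recovered: %q (err=%v)\n", got, err)
}
```

A VPN over the wireless link sidesteps this entirely, because the per-packet keying of IPsec or TLS is not tied to a 24-bit counter that the attacker can watch repeat.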

The data in this case study fits in different places in the mitigation and protection schema. Three of the identified protection categories are most significant in this third case study. In making security/functionality trade-offs, you first consider the most relevant. For the university case study, the following should be considered:

         Protecting corporate or third-party information

         Protecting user online activities, usage patterns, location, and movement

         Protecting corporate proprietary data and resources

Protecting Corporate or Third-Party Information

In this case, the corporate information and third-party information are separate. The corporate information includes files such as assignments and future tests; the third-party information includes student files stored on Steve, Brian, or Jessie's laptops for grading and evaluation purposes. In this case study, as in the previous two, you are not afforded access to the WSP personnel. Also beyond your control are the application developers and support personnel: all software used in this case study is commercial and not tailored to the university setting.

The mitigation techniques used here are unique (that is, thinking outside the box) because the devices have far more processing power, memory, and storage than PDAs. These laptops can be equipped with free encryption software that the TAs can use to encrypt the data stored on their laptops. Encrypting the data also blunts compromises by interception of wireless traffic: students in the class could capture the files but would not be able to decrypt them without knowledge of the owner's password and possession of the owner's private key. Alternatively, duplicate copies could be stored on the network or elsewhere so that comparisons could be made, or some other logging activity could be implemented so that unwanted activity could be detected.

Protecting User Online Activities, Usage Patterns, Location, and Movement

Students who know the TAs' whereabouts and habits can make them easier targets for attempted attacks. The mitigation techniques that could be employed (as noted in the explanation in Chapter 11) would fall victim to the situation in which a security solution gets tossed by the wayside because functionality would be lost. The TAs would, presumably, trust their students to a certain degree and demand functionality instead of the cumbersome processes necessary to obfuscate their data transmission and location information. This is a risk they assume that could result in students' cheating or altering grades.

Considerations

This case study uses solutions that are not present in the list of protections for their given vulnerabilities. We intentionally placed this here to drive home one of the points of this book: Everything has to be tailored. Sometimes, when following the process prescribed here, you will have to repeat steps, complete them out of order, or disregard previous research in favor of a new idea. As long as the process is documented and proper justification is seen for implementing a new solution, its inclusion warrants investigation.

Solutions introduced at this stage of the game are acceptable, but an auxiliary process should be undertaken if this is the case. When a solution is introduced at a late stage, the security/functionality trade-off process should be put on hold for a brief moment. During this hiatus, the new solution should be put to the same rigorous tests and justification process as the previously developed solutions. The new solution must meet the same strict standards set forth and must accomplish a viable goal.

If, at this stage, you find yourself inventing more new solutions than using already developed ones, something went wrong before the security/functionality trade-off piece. Perhaps, when investigating devices or technologies during the research phases, something was missed, perhaps during the identification of the roles and targets or later at the mitigation development phase. Extra time built into a planning schedule is a nice buffer for this kind of obstacle. Nowhere in our instructions to you about devising good, solid security solutions do we say that steps cannot be repeated or revisited. To the contrary, we state that this is an iterative process, so steps can be repeated at any time necessary, while keeping in mind final goals and objectives.

The Home

The last case study in our set is one that differs for every family's implementation. In this case, Doug, the father, uses the wireless home network for business. He needs to protect his information both in transit and in storage so that he can maintain client confidentiality. Emily uses the Internet via her wireless laptop to conduct research for a law firm. The information she views is considered sensitive. Anyone tracking her Web surfing habits or pages accessed could learn information about the cases she researches, which could be used against the firm's clients. She needs to protect her activity, as well as her data and the transmission of that data to the firm's corporate network. The children's systems introduce some extra vulnerability, but these do not outweigh the vulnerabilities already introduced by the parents' use of the wireless system.

Protection of the physical device is not important in this scenario. The devices are assumed to be safe because they are not left unattended outside the home. Protecting network and administrative servers is also not critical to this case study. For the home, the following protection categories should be considered:

         Protecting corporate or third-party information

         Protecting user online activities, usage patterns, location, and movement

         Protecting access to network and online services

Protecting Corporate or Third-Party Information

To protect business information on Doug's laptop and legal case related information on Emily's, the two encrypt the data on their laptops. Furthermore, they offload any sensitive data before getting the systems serviced.

Protecting User Online Activities, Usage Patterns, Location, and Movement

Emily's law office is concerned enough with protecting her activity online that it is willing to negotiate with a local ISP to provide a VPN. The office realizes that several of its staff will benefit, so this is worth investing in. Emily will also encrypt her traffic by using WEP encryption, recognizing that this offers only a thin layer of protection. The combination of these two provides adequate security for her purposes.

Protecting Access to Network and Online Services

A lesser concern in this case study, but a concern nonetheless, is protecting access to the family's wireless network. The access point the family is using can be reached from as far as 150 feet away. Their neighbors could access the wireless network in Doug and Emily's house from their own back porch. Also, someone driving by could access their network. They configure the access point to accept traffic only from the MAC addresses of the cards in each of the authorized laptops and desktops. In a corporate environment this protection would not be sufficient because it can be circumvented: MAC addresses are transmitted in the clear in every frame, and an attacker who observes an authorized address can configure a card to use it. Doug and Emily are sure that their neighbors will not bother. They cannot be sure that they are protected from someone driving by but are not concerned about the risk.

In this case study, you do not have control of device support personnel, ISP personnel, or application developers. The family does employ passwords (which they change once a month) to access online and network services. This provides an adequate level of authentication for their situation.

Considerations

Of all four case studies, this could arguably require the least stringent security. In a typical family network, however, privacy should be considered for more reasons than protecting your private data. As of yet, sales and marketing have not been exploiting home networks to target potential customers. That is not to say that this is not around the corner. By protecting your family's information and Internet habits, you can reduce future privacy risks. The methods employed in a home network should be commensurate with your own needs. Unfortunately, this means relying on potentially amateur advice from a local technical support company. To determine the right amount of security for you, if you are a home user, learning about risks and evaluating the differences between personal and corporate solutions is the best way to go.

Case Studies Conclusion

These case studies provide real-world examples of putting security assessment and planning techniques into action. The solutions in each one were determined after the comprehensive process outlined in the preceding chapters of this book. One factor not discussed here (mostly because it instills fear into the heart of every security architect) is the human factor.

Different groups of people will inevitably arrive at different conclusions about appropriate security for identical systems. By following this process, however, the delta between two groups should be minimal. By identifying fundamental information, each group can lay out the whole system and analyze it piecemeal before making decisions. By establishing justifications for security recommendations, justifications and research can be compared to analyze discrepancies, thereby compiling the results obtained by the two groups and merging them into one security solution agreeable to all.

Wireless Security and Privacy: Best Practices and Design Techniques
ISBN: 0201760347
Year: 2002