12.3 WLAN Threat and Impact Analysis



As part of a risk assessment procedure, threats to business assets should be identified. The impact such a threat could have, if it resulted in a genuine incident, should be measured in direct and indirect financial terms, and the value of the business assets being protected should be quantified to decide on the appropriate level of safeguards.

An impact analysis is intended to help understand the degree of potential loss (and other undesirable effects) that could occur. This analysis should cover not only direct financial loss but also issues such as loss of customer confidence, reputation damage, regulatory effects, and so on. Much of the impact on an organization will come from the exposure or exploitation of private information, and its measure will depend on the scenario, the intent of the hacker, how the situation is handled by security administrators and managers, and the value of the organizational assets obtained by the hacker.

Threat analysis should not focus only on the valuable corporate assets located on the corporate network behind appropriate security measures. When wireless networks are implemented, some of the most valuable information resides on exposed hosts that connect through public access networks. Any eavesdropper can obtain all usernames and passwords used by the individual on such a host for HTTP, POP, SMTP, FTP, TELNET, SQL, instant messengers, and others. Additionally, all traffic types, destinations, e-mails, and countless other types of information can be obtained through use of a simple protocol analyzer. After obtaining the information, the hacker has full access to the other person's accounts, wherever and whatever they may be. This information may also provide a valid login for other portions of the corporate network. Instead of weighing information theft or maliciously inserted information only from a financial standpoint, you must also consider the legal liabilities.
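To feed the exposure described above into a threat analysis, the following added example (not from the book) audits application-layer lines captured on your own wireless segment and reports which hosts send credentials in cleartext, per protocol, without recording the credential values. The sample lines, host addresses, rule set, and the use of default ports are assumptions made for illustration.

```python
import re
from collections import defaultdict

# (protocol, default port, pattern marking a credential exchange in cleartext)
# Assumption: services run on their default ports.
RULES = [
    ("POP", 110, re.compile(r"^PASS\s+\S", re.I)),
    ("FTP", 21, re.compile(r"^PASS\s+\S", re.I)),
    ("SMTP", 25, re.compile(r"^AUTH\s+(LOGIN|PLAIN)\b", re.I)),
    ("HTTP", 80, re.compile(r"^Authorization:\s*Basic\s+\S", re.I)),
    ("TELNET", 23, re.compile(r"(login|password):\s*$", re.I)),
]

# Constructed sample: (client host, server port, one application-layer line).
SAMPLE_LINES = [
    ("10.0.5.21", 110, "USER alice"),
    ("10.0.5.21", 110, "PASS example-not-real"),
    ("10.0.5.21", 80, "Authorization: Basic PLACEHOLDER"),
    ("10.0.5.34", 21, "PASS example-not-real"),
    ("10.0.5.34", 443, "(TLS record, not readable)"),
    ("10.0.5.40", 25, "EHLO laptop.example"),
    ("10.0.5.40", 25, "AUTH LOGIN"),
    ("10.0.5.40", 23, "Password: "),
]

def find_cleartext_auth(lines):
    """Return (host, protocol) for each line that exposes a credential exchange."""
    findings = []
    for host, port, text in lines:
        for proto, rule_port, pattern in RULES:
            if port == rule_port and pattern.search(text):
                findings.append((host, proto))  # the credential itself is never stored
    return findings

def exposure_by_host(findings):
    """Group findings so each host maps to the sorted protocols it exposed."""
    exposure = defaultdict(set)
    for host, proto in findings:
        exposure[host].add(proto)
    return {host: sorted(protos) for host, protos in exposure.items()}

if __name__ == "__main__":
    report = exposure_by_host(find_cleartext_auth(SAMPLE_LINES))
    for host, protos in sorted(report.items()):
        print(f"{host}: cleartext credentials seen for {', '.join(protos)}")
```

Each host in the report marks accounts whose credentials should be treated as exposed when estimating impact.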




Wireless Operational Security
ISBN: 1555583172
EAN: 2147483647
Year: 2004
Pages: 153
