That the latest security land mine facing it managers has been found among existing wireless networks shouldnt come as a surprise. After all, the Wired Equivalent Privacy algorithm, part of the 802.11 wireless LAN standard, was not designed as a strong security measure by todays standards.
Nevertheless, we wonder why finding the holes took so long. What alarms us about the security flaws found recently by researchers from the University of California and Zero Knowledge Systems are the procedures—or more accurately, the lack thereof—that went into creating the algorithm and adopting it as a standard. An examination of that process reveals that whats wrong with WEP is exactly whats wrong with the way technology vendors design security products.
The four types of attacks detailed at www.isaac.cs.berkeley.edu/isaac/wep-faq.html show clearly that WEP could have been made better than it was. And its all but certain that it would have been made better if it had gone through a stricter public review. In fact, there was no public review of WEP at all before it became a standard; it became a de facto standard of the vendors, such as Cisco, that put it together.
This cobbled-together approach left open several security holes, such as the use of key management techniques that rely on shared cryptographic keys between all wireless access points, as opposed to the use of multiple keys, which would ensure more robust security.
The international standards body processes may be slow, but they produce more efficient standards than those formed by rushing something out merely to build market share on the momentum of a vendor-driven technology.
Work is being done on a follow-on algorithm that can replace the existing WEP algorithm, but again, much of that work is coming from vendors trying to control the process rather than letting the best solution emerge.
As David Wagner, one of the UC Berkeley computer scientists who reported on the WEP flaws, said: “Our wireless networks are absolutely more vulnerable than our wired ones are. Maybe 10 or 20 years from now, security will be at the forefront of the process when people design wireless networks, but for now youll continue to see these problems.”
None of us can wait 10 to 20 years for the security mind-set to become part of development. Security has to be infused in that process, not an afterthought. A culture of security must guide the development of all the e-business elements —applications, protocols, algorithms and operating systems—that must work together or not work at all.