Securing wireless networks - it's the people, not the kit

IT Priorities Conference: Wireless security vendors shone a bright light on the weakness of today's mobile communications networks, and criticised the poverty of current voice over IP authentication models.
Written by Dan Ilett, Contributor
Founder of the Jericho Forum and global information security director Paul Simmonds criticised wireless vendors' approach to security in a panel discussion at the ZDNet IT Priorities Conference in London today. Simmonds said that vendors need to think more about their customers' needs.

"Vendors are missing a trick," said Simmonds. "We need to build security from the ground up. You can tell a board that you've got Deep Packet Inspection and that you're secure, but it's a fallacy."

Simmonds added that companies are not doing enough to protect their mobile devices and that most companies had an immature approach to wireless security.

"I think a lot of what we do are just knee-jerk reactions," he said. "A lot of security solutions are like sticky plasters. But they do no good because they have 300 holes in so you can connect to your customers, partners and vendors."

Dutch bank ABN Amro's global head of technology risk management, Paul Stimpson, called for better management tools to control wireless security.

"It's all a balance," said Stimpson. "But the management overheads can be horrendous. [IT managers] believe they are secure, but the specific tools aren't there."

Alex van Someren, CEO of security firm nCipher, agreed that managing wireless security required better tools.

"You can get reliable service with mobile phones, but not with Wi-Fi," said van Someren. "We need to look at who you are talking to and what they send, not the medium they send over."

Voice over Internet Protocol telephony also raised many security issues for the panel. Van Someren said that he had worked with a New York bank that had deployed 100 VoIP phones to its top employees, but he thought that managing the system would be tough because identification was based on MAC addresses.

"The best thing they could think of was MAC addresses," he said. "That's not so hard to spoof and all those long numbers are not pretty. The idea could do well, but the management will be tough. It's just not an adequate authentication model."
