Wireless security skills need to prepare for the Internet of Things age

UK – The proliferation of new Wireless communication technologies within consumer electronics and smart devices is overtaking the skills of the information security industry says Larry Pesce, a leading expert in the field and SANS instructor.

"There is a great deal of disparity between the security of the different wireless standards particularly when you compare the 802 family that were predominately built for business use and emerging technologies that came from the consumer landscape such as Bluetooth, Zigbee and Z-Wave," says Pesce who co-authored 'Linksys WRT54G Ultimate Hacking' and 'Using Wireshark and Ethereal' books.

"For example, Bluetooth has some solid maths around encryption but many of the security decisions are left in the hands of the users which means things can go horribly wrong. Zigbee has a poor design for how it handles passphrase and replay packets which are highly vulnerable while security in some of the proprietary formats like Z-Wave is almost non-existent security."

Pesce who also develops real-world challenges for the Mid-Atlantic Collegiate Cyber Defense Challenge is complementary about newer wireless protocols such as 802.15.4 and Zigbee which uses baseline profiles to help deliver enhanced security but comments, "...the technology is probably ahead of the skill sets out in the field and the problem is also somewhat under estimated."

Pesce also highlights the privacy issues that wireless enabled devices are starting to hit against, "If we look forward a large number of devices in the work and home will be wirelessly enabled and communicating autonomously between each other and back to manufacturers. Unless more consideration is given to securing both the devices and the communication links, there are likely to be breaches that will burrow into this internet of things infrastructure and start to gather private information or act as a staging post for more damaging attacks."

Pesce will be teaching the upcoming SANS course, SEC617: Wireless Ethical Hacking, Penetration Testing, and Defenses which is debuting in Europe at Pen Test Berlin 2015 at the end of June. The hands-on course takes an in-depth look at the security challenges of many different wireless technologies, exposing students to wireless security threats through the eyes of an attacker. Using readily available and custom-developed tools, students navigate through the techniques attackers use to exploit WiFi networks, including attacks against WEP, WPA/WPA2, PEAP, TTLS, and other systems. The course also examines the commonly overlooked threats associated with Bluetooth, ZigBee, DECT, and proprietary wireless systems.

"We are at a crossroads from a standards perspective," comments Pesce, "The vendors are still mostly obsessed with bigger and faster, but there is increased pressure from a privacy prospective and many are having a hard time figuring it out - for Infosecurity professionals, the skills needed to secure these new types of wireless connections are in high demand." For more information on Pen Test Berlin 2015, or to register, please visit: www.sans.org/event/pen-test-berlin-2015

Media Contact

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community. (https://www.sans.org)