ERF Wireless OCC Wireless Advisory Response

AL 2003-10 Advisory Letter from the OCC Bank Information Technology Unit
Ralph E. Sharpe, Deputy Comptroller for Technology

Subject:  Risk Management of Wireless Networks

Overview

ERF Wireless, Inc., a publicly traded company (OTCBB: ERF Wireless), has developed secure, encrypted microwave network infrastructure for financial institutions that incorporates the recommendations of the OCC's Advisory Letter AL 2003-10.  Based on early discussions with regulators, ERF Wireless designed its CryptoVue System to create the next generation of encryption security protection so that financial institutions could take advantage of high-speed, cost-effective, point-to-point microwave solutions. Because the system is monitored 24/7, ERF Wireless is able to guarantee that CryptoVue devices are functioning properly and conform to the following requirements:

  • Data packets sent or received by CryptoVue devices across the WAN are triple DES encrypted.
  • Data packets originating from a CryptoVue device are only being routed across the WAN to another authenticated CryptoVue device.
  • A CryptoVue device's Packet Filtering Firewall is blocking propagation of any data traffic on the WAN that has not originated from an authenticated CryptoVue device.
  • Encrypted data packets forwarded to a CryptoVue device from an authenticated CryptoVue device have not been modified in transit.
  • Remote logins to the CryptoVue device can only originate from a trusted contractor gateway, and can only occur when a coded secret Security Key has been inserted into the matching CryptoVue device.
  • Software downloaded and installed through the update mechanism on the CryptoVue device was digitally signed by ERF Wireless, a trusted authority.
  • In the event any anomalies are detected by the Security Monitoring System, the system triggers "Major Alarms".

Our technical staff has responded point-by-point to the issues raised in the OCC Advisory Letter; the responses are highlighted in red.  If you have any questions, please contact ERF Wireless for additional information.



AL 2003-10
Advisory Letter

Subject: Risk Management of Wireless Networks

Date: December 9, 2003

To: Chief Executive Officers of All National Banks, Federal Branches and Agencies, Service Providers and Software Vendors, Department and Division Heads, and All Examining Personnel.

PURPOSE

This advisory letter highlights risks associated with wireless networks and provides guidance for managing those risks. National banks can use this guidance to help in protecting company assets and confidential customer information, achieving service level requirements, maintaining safe and sound practices, and ensuring compliance with regulatory security expectations.

BACKGROUND

The emergence of wireless networking standards and products that rely upon unlicensed radio frequencies is causing an increasing number of national banks to consider how they might benefit from the technology advancements. National banks can use wireless technologies to build local area networks and personal area networks with low-cost devices and easy installations. The basic technology components include:

  • Systems and devices sharing information (e.g., computers, workstations, networks);
  • Access points and network interface cards sending and receiving data;
  • Radio waves providing the conduit for data transmissions between access points; and,
  • Authentication techniques establishing wireless connections.

The Institute of Electrical and Electronics Engineers, Inc. (IEEE) has been instrumental in expanding wireless network capabilities by developing standards that rely on unlicensed radio frequencies.  The IEEE standards address varying capacity levels, transmission speeds, and functionality.  In addition, the Wi-Fi Alliance, originally known as the Wireless Ethernet Compatibility Alliance (WECA), was formed to promote wireless devices interoperability through a formal certification process. Certified devices are considered to have certain minimum interoperability and performance standards that may reduce the user's need to test product performance individually.

Potential Risks Associated with Wireless Networks

Wireless networks can affect a bank's risk profile in a variety of ways, depending upon how the technology is used. Because wireless network standards continue to emerge and evolve, potential users face the challenging questions of how to obtain the necessary technical expertise and whether to be an early adopter or wait for proven standards. Failure to keep abreast of changing standards can expose a bank to strategic and reputation risks.

A bank's ability to mitigate these risks will depend upon:

  • Effectiveness of board and management oversight;
  • Effectiveness of management's policies and procedures to implement and manage wireless networking projects;
  • Ability to keep up with technological changes;
  • Network reliability and capacity;
  • Adequacy of business continuity plans;
  • Effectiveness of the bank's security program; and,
  • Actions to monitor adverse events and take additional risk reduction steps.

There are two particular security challenges worth mentioning: the broadcast nature of wireless networks and an initial weak encryption standard.  Wireless networks transmit data to anyone in the broadcast area that has the right equipment to tune-in reception.  This is a unique difference from wired networks and poses security challenges that can expose a bank to significant transaction and reputation risks.  Managing the broadcast area involves controlling radio transmissions that can travel through walls, windows, and doors.  In addition, the initial encryption standard to protect data transmissions, named "Wired Equivalent Privacy" (WEP), has well-known weaknesses and vulnerabilities. Experts have cracked the WEP security standard, and tools are available to exploit WEP vulnerabilities.  The combination of uncontrolled broadcast areas and use of a weak encryption standard creates an environment in which unauthorized access to systems and information can occur.  This combination increases the importance of an effective security program and the quality of risk management.

RISK MANAGEMENT CONSIDERATIONS

The OCC wants to ensure that board and management oversight of wireless networks is effective and that the level of risk taken by using such networks is responsibly managed and controlled.(1) The following discussion focuses on security, project management, and performance considerations that are important in mitigating and controlling risks associated with the use of wireless networks.  In addition, the appendix to this Advisory Letter highlights National Institute of Standards and Technology (NIST) risk management suggestions relating to effective management of wireless networks.

Key Steps

  • Security risk assessments, appropriate policies, and adequate internal controls should be in place before wireless networks are used.

    ERF Wireless recommends that its client financial institutions conduct security risk assessments and Vulnerability Assessment Tests, and ensure the appropriate security policies are in place before the encrypted microwave network is activated.

  • Security measures should protect bank networks and wireless-enabled devices from unauthorized access, intercepted transmissions, disclosure of confidential customer information, and other vulnerability threats.

    ERF Wireless implements very tight authentication controls to prevent unauthorized access to any of its encryption devices.  In addition to high-level password protection, a secret Security Key must be inserted into the device for any administrative access.  The master encryption device (generally located at a financial institution's operation center) issues tickets to each branch-located encryption device; the tickets periodically expire and must be electronically re-authenticated.  Each device is constantly monitored, so any attempt to access the device (whether authorized or not) is logged and alerts are sent out.

    All data is encrypted end-to-end so that no transmissions can be intercepted and there is no disclosure of confidential customer information.

    Each ERF Wireless encryption device employs packet blocking technology so that only another ERF Wireless encryption device can communicate with it.  The system is fully monitored to further reduce vulnerability threats.

    ERF Wireless requires its client financial institutions to deploy a monitored firewall and intrusion detection system.

  • Security test plans should address wireless networks.

    ERF Wireless assists the financial institution in developing security test plans.

  • Performance levels of service level agreements should be monitored to ensure that wireless solutions are effective.

    ERF Wireless monitors the system and generates performance level statistical reports every five minutes, 24/7. The reports are accessible to the financial institution.

  • Total cost of ownership or return on investment objectives to implement and maintain the network, including incremental security costs (e.g., authentication, monitoring, updating, testing), should be considered as a component in determining project success.

    ERF Wireless system pricing provides both a total turnkey setup cost and all ongoing monthly costs, including warranty, unlimited upgrades, monitoring, testing, alerts and authentication, for a primary term of five years.

Wireless Network Security

The OCC expects banks to have effective controls to maintain system security and protect customer information while it is stored or transmitted.  The Federal Financial Institutions Examination Council's IT Examination Handbook - Information Security Booklet (December 2002) outlines a process to manage security-related risks as part of a bank's security program.  The process identifies the following key steps:  risk assessment, strategies, controls, testing, and monitoring and updating.  It is important that the board and management update the bank's security program before activating new systems, such as wireless networks, since the use of new technologies may render an existing security program ineffective.  Failure to update the program may violate regulatory requirements to safeguard customer information.(2)


ERF Wireless recommends its client financial institutions make security risk assessments, conduct Vulnerability Assessment Tests and ensure the appropriate security policies are in place before the encrypted microwave network is activated.

Implementing User Policies and Procedures.  Implementing effective policies and procedures for wireless network installations and their usage reinforces the importance of system security.  Wireless policies usually restrict employees from establishing their own wireless networks without prior approval, since wireless access points are relatively easy to install. Unauthorized wireless networks may present high and potentially large risks to the security and integrity of bank networks.  In addition, effective policies and procedures should encourage employees using approved wireless networks to report unusual activities.

ERF Wireless employs encrypted microwave networks between secure financial institution locations using proprietary protocols from Motorola; the system is NOT based on the 802.11x protocols.

Identifying Available Information.  The types of information available through wireless network access (i.e., transmitted and network-accessible data) should be identified to ensure that the risk assessment is accurate, and the security plan is reasonable.


Since all data is encrypted end-to-end, there is no transmitted or network-accessible data outside of a financial institution's LAN.

Identifying Wireless Access Points.  Maintaining an inventory of all approved and deployed wireless network solutions and access points is important for effective project management.  This improves management's ability to manage and update device settings and configurations, apply upgrades and patches, and manage network and device security.  Clearly identifying wireless networks and devices on system architecture diagrams is also beneficial for ongoing risk assessments and security testing.

ERF Wireless prepares a complete Encrypted Microwave Network Project Book, which includes:

  • a detailed project plan;
  • a site survey for each location;
  • spectrum analysis;
  • tower foundation engineering reports;
  • equipment lists;
  • Propagation Reliability Index calculations for each microwave link deployed;
  • a detailed Network System Architecture Schematic Map;
  • a Microwave Frequency Map;
  • a Microwave Path Profile with three-meter terrain elevations for each point-to-point link deployed;
  • a Scaled Path Map showing a ground map with magnetic headings, bandwidth and distance for all drawn beam paths;
  • complete Equipment Configuration Tables; and
  • contact names, locations, and alerts.

Controlling Broadcast Areas.  The broadcast nature of wireless network signals means that anyone with the right equipment can tune-in and receive the signal, increasing the potential for unauthorized access to systems and information.  This threat can be reduced through various techniques, such as strategic placement of wireless access points (e.g., center of building), reducing the broadcast signal strength to the minimum necessary, or turning devices off when not in use.  Directional antennas, signal shielding, and physically securing wireless access points also improve control of the broadcast area and protect against unauthorized access.


Because all data is LAN-to-LAN 3-DES encrypted using ticketing technology prior to transmission, and then encrypted again at the radio beam level, there is virtually no potential for unauthorized access.

Encrypting Information and Data.  Encrypting wireless transmissions protects against unauthorized systems, devices, and information access.  While WEP encryption is considered a weak security measure, it provides a security layer that acts as a deterrent.  A better solution is to consider end-to-end encryption to maintain data integrity and protect confidential information transmissions.  In general, end-to-end security measures protect data from inception to the end destination point regardless of the transportation method (i.e., wired, wireless). For example, using a virtual private network (VPN) adds another protective layer to enhance security.  Emerging IEEE standards strive to provide stronger encryption alternatives to mitigate existing wireless encryption protocol weaknesses.  Overall, the type of security used should be consistent with management's conclusions drawn from their security risk assessment.

ERF Wireless strongly agrees with the OCC's recommendation that a financial institution consider end-to-end encryption to maintain data integrity and protect confidential information transmissions.  Therefore, we developed our CryptoVue encryption device to encrypt all data from the source LAN to the destination LAN, regardless of transmission method (either wired WAN or microwave WAN).  While VPN technology is a definite improvement over WEP technology, ERF Wireless feels that VPN technology is still lacking in that it is not a dual-controlled or hardware key-managed system, and it lacks the monitoring that has been designed into our CryptoVue system.

Maintaining Authentication Controls.  Authentication controls for users and devices need to protect the system's confidentiality and integrity, and mitigate risks associated with wireless environments.  User password-only authentication may allow unauthorized systems access through password guessing or radio wave eavesdropping.  The potential risk may warrant enhanced techniques such as token-based or certificate-based solutions because of uncertainty regarding the user's physical location, vulnerabilities in wireless network standards, and the broadcast nature of wireless communications.(3)  Also, efforts to authenticate wireless devices accessing systems can mitigate threats from unauthorized wireless devices.  Emerging IEEE standards also support new techniques for device authentication that can improve security (e.g., Wi-Fi Protected Access or WPA).


Maintaining authentication controls has been a primary ERF Wireless objective in the design of CryptoVue.  As recommended by the OCC with regard to the broadcast nature of microwave systems, ERF Wireless has developed enhanced techniques in CryptoVue by using a token-based strong security solution which uses timed Tickets for authentication and re-authentication to greatly improve security.

Protecting Against Logical and Physical Attacks.  Wireless networks and devices are subject to intentional attacks (e.g., denial of service, man-in-middle, theft of data).  Firewalls, intrusion detection systems, and anti-virus tools can protect systems and devices from attack.  Also, disabling wireless connectivity during off-hours provides another protective measure.  It is important that physical access restriction to wireless access points prevent intentional or accidental system configuration changes.  Employee training that encourages reporting unusual workstation activities can also help identify problems.

ERF Wireless monitors the CryptoVue encryption devices 24/7, and because the design requires insertion of a hardware key to effect changes, intentional or accidental system configuration changes are prevented.  All CryptoVue encryption devices are located on the financial institution's premises in a controlled-access area, such as a server room.

Monitoring System Vulnerabilities.  Emerging wireless network hardware and software standards and technologies have not been widely tested for vulnerabilities.  Effective project management practices should include ongoing network security vulnerability monitoring, identification, and software patch processes.(4) Actively monitoring systems for unusual activities can ensure that these activities are identified and damage is minimized. Banks that use Internet banking applications have learned that monitoring and updating network security should be a regular, ongoing process.(5)  Additionally, when system changes are made, it is important to carefully review and assess the effect on other systems to be assured that previous vulnerabilities are not reintroduced into the network.


ERF Wireless monitors all CryptoVue devices and microwave links 24/7.  In addition, each CryptoVue employs an internal monitoring system that automatically shuts down the device if it detects any non-authenticated (ticketed) communication attempts.  ERF Wireless also requires that a financial institution deploy a monitored firewall and intrusion detection system.
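The "Maintaining Authentication Controls" section above recommends token-based authentication, and the response just given describes tickets that expire, must be re-authenticated, and cause non-ticketed communication to be blocked and alarmed. The following Python is an added example, not ERF Wireless code and not a description of the CryptoVue ticket format (the page does not give one): a master issues a ticket that is an HMAC over the device id and an expiry time, the branch side accepts a frame only with a valid unexpired ticket bound to that device, and every rejected frame is logged and escalates to a "Major Alarm" with the device-shutdown response the text describes. The master key, the 300-second lifetime, the device ids and the sample frames are all constructed for the demonstration.

```python
import hashlib
import hmac
import struct
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed ticket lifetime in seconds; the page says tickets expire
# periodically but gives no figure.
TICKET_LIFETIME = 300
TAG_LEN = 32  # HMAC-SHA256 digest length

Frame = Tuple[str, Optional[bytes], bytes]   # (device_id, ticket, payload)


def issue_ticket(master_key: bytes, device_id: str, now: int,
                 lifetime: int = TICKET_LIFETIME) -> bytes:
    """Master-side issuance: ticket = 8-byte big-endian expiry || HMAC tag.

    The tag covers the device id and the expiry, so the ticket can neither
    be presented by a different device nor have its expiry edited.
    """
    expiry = struct.pack(">Q", now + lifetime)
    tag = hmac.new(master_key, device_id.encode() + expiry, hashlib.sha256).digest()
    return expiry + tag


def verify_ticket(master_key: bytes, device_id: str, ticket: bytes, now: int) -> str:
    """Branch-side check: returns 'ok', 'expired' or 'invalid'."""
    if len(ticket) != 8 + TAG_LEN:
        return "invalid"
    expiry, tag = ticket[:8], ticket[8:]
    expected = hmac.new(master_key, device_id.encode() + expiry, hashlib.sha256).digest()
    # constant-time comparison so the tag cannot be recovered byte by byte
    if not hmac.compare_digest(expected, tag):
        return "invalid"
    if now >= struct.unpack(">Q", expiry)[0]:
        return "expired"
    return "ok"


def monitor_frames(master_key: bytes, frames: Iterable[Frame], now: int) -> Dict:
    """Forward only ticketed frames; drop the rest and escalate to a Major Alarm.

    Mirrors the page's description: unauthenticated traffic is blocked, every
    attempt is logged, and any anomaly raises the alarm and shuts the device down.
    """
    report: Dict = {"forwarded": [], "dropped": [], "major_alarm": False, "shutdown": False}
    for device_id, ticket, payload in frames:
        status = "missing" if ticket is None else verify_ticket(master_key, device_id, ticket, now)
        if status == "ok":
            report["forwarded"].append((device_id, payload))
        else:
            report["dropped"].append((device_id, status))   # the log entry
    if report["dropped"]:
        report["major_alarm"] = True
        report["shutdown"] = True
    return report


def demo() -> Dict:
    """Constructed traffic: one valid ticket, one expired, one presented by the
    wrong device, and one frame with no ticket at all."""
    master_key = b"constructed-demo-master-key"   # shared secret, demo only
    t0 = 1_700_000_000
    valid = issue_ticket(master_key, "branch-01", t0)
    stale = issue_ticket(master_key, "branch-02", t0 - 2 * TICKET_LIFETIME)
    frames: List[Frame] = [
        ("branch-01", valid, b"ACH batch 1"),
        ("branch-02", stale, b"ACH batch 2"),
        ("branch-04", valid, b"ACH batch 3"),   # branch-01's ticket, wrong device
        ("unknown-99", None, b"probe"),
    ]
    return monitor_frames(master_key, frames, now=t0 + 60)


if __name__ == "__main__":
    print(demo())
```

Binding the device id into the tag is what makes the ticket a device credential rather than a bearer token, and the expiry is what forces periodic re-authentication; in the demo only the first frame is forwarded, the other three are dropped with their reason recorded, and the alarm and shutdown flags are set.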

Completing Security Tests.  Wireless network systems should be included in the overall security testing program.  Security testing can help ensure that only known wireless systems and devices are operating, controls are functioning properly, and vulnerabilities are mitigated.  The security testing results can be used to update the risk assessment and ensure that policies, procedures, and controls remain appropriate.

ERF Wireless strongly agrees with this recommendation and advises its client financial institutions to conduct security risk assessments and Vulnerability Assessment Tests, and to ensure the appropriate security policies are in place.

Project Management Practices

In addition to the effective project management considerations mentioned in the previous "Wireless Network Security" section, the technology project management process needs to consider the rapidly evolving nature of wireless network technologies and standards.  As new standards and products develop, early adopters need to obtain the necessary technical expertise and should consider and evaluate cost-benefit scenarios for staying with legacy, and perhaps more stable, standards or migrating to newer standards to gain more efficiency and benefits.


ERF Wireless prepares a cost-benefit analysis for the financial institution.

Completing Due Diligence.  Outsourcing can provide technical expertise to install, maintain, and test wireless networks. Proper due diligence is critical when outsourcing wireless network activities because of the potential security threats.  It is important that adequate due diligence be completed to ensure that the third-party provider is technically capable of implementing a solution that supports the bank's needs (as identified during the risk assessments).(6)


ERF Wireless has successfully installed, monitored and maintained encrypted microwave networks for multiple financial institutions in three states.

Analyzing Costs versus Benefits.  Evaluating cost and benefit assumptions related to wireless networks using a total cost of ownership (TCO) or return on investment (ROI) approach enhances overall project management.  These analyses consider the anticipated benefits such as lower installation costs, improved employee productivity, expanded product and service offerings and better customer service.  Costs include those incurred while deploying and maintaining the wireless network, acquiring the hardware and software, enhancing authentication requirements, data transmission security, routine maintenance, missing service level agreement requirements, potentially short product life cycles and upgrade periods, and access to technical expertise. This type of financial analysis provides a reference benchmark for determining whether products and services are achieving expectations.


ERF Wireless assists its financial institutions with this analysis.

Wireless Network Performance

Estimating Network Capacity.  Data transmission rates and network capacity are dependent upon the standard chosen.  A standard reporting high transmission rates does not mean that the network can handle the capacity necessary for timely transmissions.  The performance requirements for wireless networks are important to identify during the development process.  A good understanding of the types and volume of data transmitted allows effective planning to meet business objectives and service level agreements.

During the planning process, ERF Wireless performs a complete analysis, taking into account the data bandwidth needs of each branch location, and recommends transmission speeds and effective throughput for each encrypted microwave link.  The analysis includes calculating the Propagation Reliability Index for each link, taking into account distance (up to 35 miles), microwave radio equipment, antenna gain, terrain, Fresnel Zone, frequency, humidity, foliage and average annual temperatures.

Understanding Network Availability.  Network availability that is dependent upon unlicensed frequency means that it may be available now but may not be available in the future.(7)  If a bank's wireless networks experience unacceptable interference from other area networks, devices, or appliances (e.g., microwave ovens, wireless phones), the bank is responsible for identifying the issues and taking the appropriate actions to support its business objectives.

This is an important component of the monitoring service provided by ERF Wireless.  All microwave links are constantly monitored for RSSI and jitter levels to instantly detect interference.  The radio equipment deployed by ERF Wireless has a built-in spectrum analyzer for determining clear frequencies, in addition to the ability to remotely re-program frequencies should conditions change.

Developing Business Continuity Plans.  Business continuity plans need to consider the criticality of the businesses and systems supported, with alternative solutions developed as appropriate to achieve business needs and service level requirements.(8)


Included in each proposal is ERF Wireless's technical assistance in adjusting a financial institution's Business Continuity Plan to take the changes in network architecture into account.  ERF Wireless can also engineer redundant links (either wired or microwave) into the overall network design.

SUMMARY

Wireless network solutions provide national banks with an alternative for systems development that requires effective board and management oversight.  Effective wireless network management includes maintaining adequate security, ensuring appropriate project management, and achieving performance goals.  The OCC requires the board and management to update the bank's security program before implementing wireless networks and monitor the security program to ensure that effective risk management practices are in place.  The guidance provided in this Advisory Letter, along with other OCC and FFIEC guidance can help national banks use wireless networks in a safe and sound manner.

RESPONSIBLE OFFICE

Questions regarding this advisory letter can be directed to the director for Bank Information Technology unit at (202) 874-5920.

________________

Ralph E. Sharpe

Deputy Comptroller for Technology


APPENDIX

The National Institute of Standards and Technology (NIST) has produced a special publication (800-48) on Wireless Network Security that includes suggestions on policy, procedures, and controls to effectively manage wireless networking issues.  This Appendix lists considerations that NIST discusses that are specific to wireless local area network (WLAN) security policies and access point configuration.

The OCC encourages banks that are interested in implementing wireless networks to review the NIST paper, particularly the tables titled "Wireless LAN Security Checklist" and "Summary of Wireless LAN Security" and narrative discussions on mitigating WEP encryption weaknesses.

A WLAN security policy should consider the need to:

  • Identify who may use WLAN technology;
  • Identify whether Internet access is required;
  • Describe who can install access points and other wireless equipment;
  • Provide limitations on the location of and physical security for access points;
  • Describe the type of information that may be sent over wireless links;
  • Describe conditions under which wireless devices are allowed;
  • Define standard security settings for access points;
  • Describe limitations on how the wireless device may be used, such as location;
  • Describe the hardware and software configuration for any access device;
  • Provide guidelines on reporting losses of wireless devices and security incidents;
  • Provide guidelines on the use of encryption and other security software; and,
  • Define the frequency and scope of security assessments.

Access Point Configuration should consider the need to:

  • Update default passwords;
  • Establish proper encryption settings;
  • Control the reset function;
  • Use Medium Access Control (MAC) Access Control Lists (ACL) functionality;
  • Change the Service Set Identifier (SSID);
  • Change default cryptographic keys;
  • Change default Simple Network Management Protocol (SNMP) Parameter;
  • Change default channel; and,
  • Use Dynamic Host Control Protocol (DHCP).
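To make the access point checklist above concrete, here is an added example (not OCC or NIST code) that parses a constructed access point configuration dump and reports each checklist item it fails, run on an out-of-the-box configuration and on a hardened one. The "key=value" dump format, the key names, the factory-default values and the hardened sample values are assumptions for illustration; WEP is treated as weak and WPA as acceptable, as the letter itself states.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed factory defaults; the checklist says each must be changed.
DEFAULT_PASSWORDS = {"admin", "password", ""}
DEFAULT_SSIDS = {"default", "wireless"}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
DEFAULT_WEP_KEY = "0000000000"
DEFAULT_CHANNEL = 6
STRONG_ENCRYPTION = {"wpa", "wpa2"}   # WEP is weak per the advisory letter


@dataclass
class APConfig:
    admin_password: str
    encryption: str              # "none", "wep", "wpa", "wpa2"
    ssid: str
    wep_key: Optional[str]
    snmp_community: Optional[str]
    channel: int
    mac_acl: bool                # MAC address access control list enabled
    reset_locked: bool           # reset-to-factory-defaults function disabled
    dhcp: bool


def _truthy(kv: Dict[str, str], key: str) -> bool:
    return kv.get(key, "off").lower() in {"on", "yes", "true", "1"}


def parse_ap_config(text: str) -> APConfig:
    """Parse an assumed 'key=value' configuration dump, one setting per line."""
    kv: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        kv[key.strip()] = value.strip()
    return APConfig(
        admin_password=kv.get("admin_password", ""),
        encryption=kv.get("encryption", "none").lower(),
        ssid=kv.get("ssid", "default"),
        wep_key=kv.get("wep_key") or None,
        snmp_community=kv.get("snmp_community") or None,
        channel=int(kv.get("channel", DEFAULT_CHANNEL)),
        mac_acl=_truthy(kv, "mac_acl"),
        reset_locked=_truthy(kv, "reset_locked"),
        dhcp=_truthy(kv, "dhcp"),
    )


def audit(cfg: APConfig) -> List[str]:
    """Return one finding per checklist item the configuration fails."""
    findings: List[str] = []
    if cfg.admin_password in DEFAULT_PASSWORDS:
        findings.append("default administrative password in use")
    if cfg.encryption not in STRONG_ENCRYPTION:
        findings.append(f"encryption '{cfg.encryption}' is weak or absent")
    if not cfg.reset_locked:
        findings.append("reset function not controlled")
    if not cfg.mac_acl:
        findings.append("MAC access control list not enabled")
    if cfg.ssid.lower() in DEFAULT_SSIDS:
        findings.append("default SSID unchanged")
    if cfg.wep_key == DEFAULT_WEP_KEY:
        findings.append("default cryptographic key unchanged")
    if cfg.snmp_community in DEFAULT_SNMP_COMMUNITIES:
        findings.append("default SNMP community string unchanged")
    if cfg.channel == DEFAULT_CHANNEL:
        findings.append("default channel unchanged")
    if not cfg.dhcp:
        findings.append("DHCP not in use")
    return findings


# Constructed sample dumps: an out-of-the-box access point and a hardened one.
FACTORY_DEFAULT_DUMP = """
admin_password=admin
encryption=wep
ssid=default
wep_key=0000000000
snmp_community=public
channel=6
mac_acl=off
reset_locked=off
dhcp=off
"""

HARDENED_DUMP = """
# all values are constructed placeholders
admin_password=Tq7!vR2#mKp9
encryption=wpa
ssid=br07-ops
wep_key=
snmp_community=
channel=11
mac_acl=on
reset_locked=on
dhcp=on
"""


def audit_dump(text: str) -> List[str]:
    return audit(parse_ap_config(text))


if __name__ == "__main__":
    for name, dump in (("factory default", FACTORY_DEFAULT_DUMP), ("hardened", HARDENED_DUMP)):
        print(f"{name}: {audit_dump(dump) or ['no findings']}")
```

The factory-default dump fails all nine items; the hardened dump passes, and because the hardened sample leaves the SNMP community empty the checker treats SNMP as disabled rather than as a changed default, which is a reasonable outcome for an access point that does not need remote management. Adapting this to a real device means replacing the parser with one for that vendor's export format and the default sets with that vendor's documented defaults.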

 

Footnotes

1.) See OCC Bulletin 98-3, "Technology Risk Management."

2.) See OCC Bulletin 2001-8, "Guidelines Establishing Standards to Safeguard Customer Information."  The guidelines mandate that banks protect certain customer information and amend its information security program before implementing systems.  This requirement would apply to a bank adopting wireless network technology.

3.) See OCC Advisory Letter 2001-8, which transmits FFIEC guidance on "Authentication in an Electronic Banking Environment."

4.) See OCC Alert 2001-4, "Network Security Vulnerabilities."

5.) See FFIEC IT Handbook, Information Security booklet (December 2002); OCC Alert 2001-4, "Network Security Vulnerabilities;" and OCC Bulletin 2000-14, "Infrastructure Threats - Intrusion Risks."

6.) See OCC Bulletin 2002-16, "Bank Use of Foreign-Based Third-Party Providers;" OCC Bulletin 2001-47, "Third-Party Relationships;" and OCC Advisory Letter 2000-12, "Risk Management of Outsourcing Technology Services."

7.) The Federal Communications Commission (FCC) allocates and licenses radio wave spectrum in the United States.  The public, including banks, can own and establish networks that use unlicensed radio frequencies without direct ownership and licensing of the frequencies by the FCC.

8.) FFIEC IT Handbook, Business Continuity Planning booklet (May 2003).  Wireless network solutions also may play an important role in business continuity plans.

2911 South Shore Blvd. Suite 100 • League City, TX 77573
(281) 538-2101 • (800) 538-9050