Guides tackle wireless, training

NIST's latest draft guides for agencies take aim at wireless security and security training

NIST Computer Security Resource Center

The National Institute of Standards and Technology's Computer Security Division released its latest two draft guides for agencies in the past week, this time taking aim at wireless security and security training.

The first draft, "Special Publication 800-48: Wireless Network Security," is a much more technical document than the other. Wireless networks not only carry the standard set of security vulnerabilities but also face the added problem that the network medium itself is inherently insecure. NIST developed the guide to focus on that problem.

"Perhaps the most significant difference from wired networks and the main source of these risks is that with wireless networks, the organization's underlying communications medium, the airwave, is openly exposed to intruders, making it the logical equivalent of placing an Ethernet port in the parking lot," the guide states.

The guide looks at the potential vulnerabilities and risks for many of the most prevalent wireless network technologies, including the IEEE 802.11 wireless local-area network (LAN) standard and the Bluetooth ad hoc standard for connecting mobile phones, personal digital assistants and other handhelds.

The draft also outlines the benefits of wireless networks, and it provides recommendations for security configurations, information on emerging wireless security standards, and a case study outlining a possible secure implementation of a wireless LAN.

Comments on this draft are due to Tony Karygiannis (sp800-48@nist.gov) by Sept. 1.

The second draft guide, "Special Publication 800-50: Building an Information Technology Security Awareness and Training Program," is designed for the chief information officers and program managers within an organization. It draws on the experience of many agencies across government, including the Defense Department and the members of the Federal Information Systems Security Educators' Association.

Security training and awareness programs are required by law and directive, but agencies are still struggling to determine and meet their needs.

The guide outlines four steps toward establishing a security training and awareness program:

* Creating a strategic planning document based on an agencywide needs assessment.

* Developing or contracting for classes, material and instructors.

* Implementing the training, including an assessment of the most appropriate means (Web-based, distance learning, on-site, etc.).

* Establishing a process for feedback and updates to keep the program relevant and to monitor its effectiveness.

The guide also explores the benefits of using a centralized, partially decentralized, or fully decentralized approach to the program.

Comments on this draft are due to Mark Wilson (mark.wilson@nist.gov) by Aug. 16.