It seems as though every foreword written for a Hacking Exposed book has tried to justify releasing the "hacking" methodology to the hackers. By definition, however, a hacker isn't a threat. The threat posed by a hacker is wholly dependent on their intent. The best security practitioners are hackers at heart, thus you will notice the phrase malicious user instead of hacker throughout this foreword.
To most large corporations, wireless technology is one of the most important yet frustrating tools to implement, secure, and manage. The ease with which employees can walk into Best Buy, purchase an inexpensive wireless router, transport it into a facility, and plug it into the network port at their desk has given employees the ability to completely circumvent millions of dollars in network security equipment as soon as their wireless signal extends beyond the walls of the warehouse or office in which it resides. Factor in global organizations operating in lawless and emerging markets and you know why it is difficult for most information security professionals to sleep at night. Even more disturbing is that, in some cases, these are well-meaning employees trying to increase productivity or remediate a networking issue, making it that much more challenging to prosecute them for their security violation.
Home wireless users are also at risk. Whether in a suburban neighborhood or a congested apartment complex, most wireless users aren't aware of the need to secure and defend their wireless frontier. As such, a "script-kiddy" in his mom's 1991 Ford Tempo can drive down any street sporting a Sony Vaio and likely find an insecure wireless network lighting up his free version of NetStumbler.
These are legitimate risks that have cost companies countless dollars and home users weeks of time trying to recover their identities. Malicious users have turned identifying, cracking, hijacking, and advertising misconfigured and insecure wireless networks into an art form. A simple Google search will yield a number of wardriving websites explaining where and how to gain access to private wireless networks that have been discovered and penetrated. Specialized antennas (Yagis) have been developed that can intercept wireless signals from over a mile away, making it nearly impossible to confine a wireless signal to a physical structure. Worst of all, most wireless devices that you purchase from Best Buy are configured insecurely "out of the box," requiring users to secure the devices themselves; for your average user this can be a daunting task. (Imagine Grandma trying to configure a wireless router.) This intrinsic vulnerability makes gaining unauthorized access to wireless networks a walk in the park for even the most average of malicious users.
Thus the need for, and importance of, this book. There has yet to be a technology that cannot be undone by a creative and resourceful mind; therefore, it is imperative that corporations and individuals alike arm themselves with the knowledge, tools, and talent to secure and monitor their wireless networks. Unfortunately, technology alone won't mitigate the previously mentioned threats. Regardless of what electrical engineers and equipment manufacturers design and implement, malicious users will always find ways around the security controls put in place. Therefore, wireless owners and network managers must employ stringent processes and procedures, in addition to hardening tactics, to assure that only authorized and authenticated users can access their networks. Secure wireless networks can only be obtained by being as vigilant in maintaining them as the malicious users are at trying to penetrate them.
The writers of this book are exceptionally good at what they do. I have worked with them personally and seen evidence of their skill and cunning at locating and penetrating wireless networks. They explain in a layperson's terms the technologies, tools, and processes that malicious users apply to penetrate and exploit wireless networks. It isn't a pretty picture; however, once you understand a malicious user's mentality, you have the ability to design and implement controls and barriers to prevent them from gaining access to your networks.
Wireless technology isn't going away, and the idea of a "secure wireless network" is still far from being realized. All we can do as business leaders is make solid decisions based on calculated risk assessments in an effort to implement and secure the wireless technology that makes our lives so much easier and more efficient. This book is required reading for any practicing security professional. The information security landscape continues to change, and it is critical that as security professionals we stay on the cutting edge of these assessment and penetration technologies.
-James M. Johnson
Manager, Honeywell Global Security-Risk Management