ISO/IEC 27033-6:2016
Information technology — Security techniques — Network security — Part 6: Securing wireless IP network access
ISO/IEC 27033-6:2016 describes the threats, security requirements, security control and design techniques associated with wireless networks. It provides guidelines for the selection, implementation and monitoring of the technical controls necessary to provide secure communications using wireless networks. The information in this part of ISO/IEC 27033 is intended to be used when reviewing or selecting technical security architecture/design options that involve the use of wireless network in accordance with ISO/IEC 27033‑2. Overall, ISO/IEC 27033‑6 will aid considerably the comprehensive definition and implementation of security for any organization's wireless network environment. It is aimed at users and implementers who are responsible for the implementation and maintenance of the technical controls necessary to provide secure wireless networks.
FINAL DRAFT INTERNATIONAL STANDARD
ISO/IEC FDIS 27033-6
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Voting begins on: 2016-02-18
Voting terminates on: 2016-04-18
Information technology — Security techniques — Network security — Part 6: Securing wireless IP network access
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
Reference number: ISO/IEC FDIS 27033-6:2016(E)
© ISO/IEC 2016
© ISO/IEC 2016, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Contents
Foreword ... v
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Abbreviated terms ... 3
5 Structure ... 5
6 Overview ... 5
7 Security threats ... 8
7.1 General ... 8
7.2 Unauthorized access ... 8
7.3 Packet sniffing ... 8
7.4 Rogue wireless access point ... 9
7.5 Denial of service attack ... 9
7.6 Bluejacking ... 10
7.7 Bluesnarfing ... 10
7.8 Adhoc networks ... 10
7.9 Other threats ... 10
8 Security requirements ... 10
8.1 General ... 10
8.2 Confidentiality ... 11
8.3 Integrity ... 11
8.4 Availability ... 11
8.5 Authentication ... 11
8.6 Authorization ... 12
8.7 Accountability (Non-repudiation) ... 12
9 Security controls ... 12
9.1 General ... 12
9.2 Encryption control and implementation ... 13
9.3 Integrity evaluation ... 14
9.4 Authentication ... 14
9.5 Access control ... 15
9.5.1 Permission control ... 16
9.5.2 Network-based control ... 16
9.6 Denial of service attack resilience ... 16
9.7 DMZ segregation via firewall protection ... 16
9.8 Vulnerability management through secure configurations and hardening of devices ... 16
9.9 Continuous monitoring of wireless networks ... 17
10 Security design techniques and considerations ... 17
10.1 General ... 17
10.2 Wi-Fi ... 17
10.2.1 General ... 17
10.2.2 User authentication ... 18
10.2.3 Confidentiality and integrity ... 19
10.2.4 Wireless Wi-Fi technologies ... 19
10.2.5 Other Wi-Fi Configurations ... 19
10.2.6 Access control — User equipment ... 19
10.2.7 Access control — Infrastructure access point ... 20
10.2.8 Availability ... 21
10.2.9 Accountability ... 21
10.3 Mobile communication security design ... 21
10.4 Bluetooth ... 22
10.5 Other wireless technologies ... 23
Annex A (informative) Technical description of threats and countermeasures ... 24
Bibliography ... 26
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee
SC 27, Security techniques.
ISO/IEC 27033 consists of the following parts, under the general title Information technology — Security
techniques — Network security:
— Part 1: Overview and concepts
— Part 2: Guidelines for the design and implementation of network security
— Part 3: Reference networking scenarios — Threats, design techniques and control issues
— Part 4: Securing communications between networks using security gateways
— Part 5: Securing communications across networks using virtual private networks (VPNs)
— Part 6: Securing wireless IP network access
Introduction
In today’s world, the majority of both commercial and government organizations have their information
systems connected by networks with the network connections being one or more of the following:
— within the organization;
— between different organizations;
— between the organization and the general public.
Further, with the rapid developments in publicly available network technology (in particular with
the Internet) offering significant business opportunities, organizations are increasingly conducting
electronic business on a global scale and providing online public services. The opportunities include the
provision of lower cost data communications, using the Internet simply as a global connection medium,
through to more sophisticated services provided by Internet service providers (ISPs). This can mean the
use of relatively low cost local attachment points at each end of a circuit to full scale online electronic
trading and service delivery systems, using web-based applications and services. Additionally, the new
technology (including the integration of data, voice and video) increases the opportunities for remote
working (also known as “teleworking” or “telecommuting”) that enable personnel to operate away
from their home/work base for significant periods of time. They are able to keep in contact through the
use of remote facilities to access organization and community networks and related business support
information and services.
However, while this environment does facilitate significant business benefits, there are new security
risks to be managed. With organizations relying heavily on the use of information and associated
networks to conduct their business, the loss of confidentiality, integrity, and availability of information
and services could have significant adverse impacts on business operations. Thus, there is a major
requirement to properly protect networks and their related information systems and information. In
other words, implementing and maintaining adequate network security is absolutely critical to the success
of any organization’s business operations.
In this context, the telecommunications and information technology industries are seeking cost-
effective comprehensive security solutions, aimed at protecting networks against malicious attacks
and inadvertent incorrect actions, and meeting the business requirements for confidentiality, integrity,
and availability of information and services. Securing a network is also essential for maintaining the
accuracy of billing or usage information, as appropriate. Security capabilities in products are crucial
to overall network security (including applications and services). However, as more products are
combined to provide total solutions, the interoperability, or the lack thereof, will define the success
of the solution. Security must not only be a thread of concern for each product or service, but must be
developed in a manner that promotes the interweaving of security capabilities in the overall security
solution.
The purpose of ISO/IEC 27033 is to provide detailed guidance on the security aspects of the management,
operation and use of information system networks, and their inter-connections. Those individuals
within an organization that are responsible for information security in general, and network security
in particular, should be able to adapt the material in this International Standard to meet their specific
requirements. Its main objectives are as follows.
— ISO/IEC 27033-1 aims to define and describe the concepts associated with, and provide management
guidance on, network security. This includes the provision of an overview of network security and
related definitions, and guidance on how to identify and analyze network security risks and then
define network security requirements. It also introduces how to achieve good quality technical
security architectures, and the risk, design and control aspects associated with typical network
scenarios and network technology areas (which are dealt with in detail in subsequent parts of
ISO/IEC 27033).
— ISO/IEC 27033-2 aims to define how organizations should achieve quality network technical security
architectures, designs and implementations that will ensure network security appropriate to their
business environments, using a consistent approach to the planning, design and implementation
of network security, as relevant, aided by the use of models/frameworks (in this context, a
model/framework is used to outline a representation or description showing the structure and high
level workings of a type of technical security architecture/design), and is relevant to all personnel
who are involved in the planning, design and implementation of the architectural aspects of network
security (for example, network architects and designers, network managers, and network security
officers).
— ISO/IEC 27033-3 aims to define the specific risks, design techniques and control issues associated
with typical network scenarios. It is relevant to all personnel who are involved in the planning,
design and implementation of the architectural aspects of network security (for example, network
architects and designers, network managers, and network security officers).
— ISO/IEC 27033-4 aims to define the specific risks, design techniques and control issues for securing
information flows between networks using security gateways. It is relevant to all personnel who
are involved in the detailed planning, design and implementation of security gateways (for example,
network architects and designers, network managers, and network security officers).
— ISO/IEC 27033-5 aims to define the specific risks, design techniques and control issues for securing
connections that are established using virtual private networks (VPNs). It is relevant to all personnel
who are involved in the detailed planning, design and implementation of VPN security (for example,
network architects and designers, network managers, and network security officers).
— ISO/IEC 27033-6 aims to define the specific risks, design techniques and control issues for securing
IP wireless networks. It is relevant to all personnel who are involved in the detailed planning,
design and implementation of security for wireless networks (for example, network architects and
designers, network managers, and network security officers).
It is emphasized that ISO/IEC 27033 provides further detailed implementation guidance on the network
security controls that are described at a basic standardized level in ISO/IEC 27002.
It should be noted that this part of ISO/IEC 27033 is not a reference or normative document for regulatory
and legislative security requirements. Although it emphasizes the importance of these influences, it
cannot state them specifically, since they are dependent on the country, the type of business, etc.
Unless otherwise stated, throughout this part of ISO/IEC 27033, the guidance referenced is applicable
to current and/or planned networks, but will only be referenced as “networks” or “the network”.
FINAL DRAFT INTERNATIONAL STANDARD ISO/IEC FDIS 27033-6:2016(E)
Information technology — Security techniques — Network
security —
Part 6:
Securing wireless IP network access
1 Scope
This part of ISO/IEC 27033 describes the threats, security requirements, security control and design
techniques associated with wireless networks. It provides guidelines for the selection, implementation
and monitoring of the technical controls necessary to provide secure communications using wireless
networks. The information in this part of ISO/IEC 27033 is intended to be used when reviewing or
selecting technical security architecture/design options that involve the use of wireless network in
accordance with ISO/IEC 27033-2.
Overall, ISO/IEC 27033-6 will aid considerably the comprehensive definition and implementation of
security for any organization’s wireless network environment. It is aimed at users and implementers
who are responsible for the implementation and maintenance of the technical controls necessary to
provide secure wireless networks.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 27033-1, Information technology — Security techniques — Network security — Part 1: Overview
and concepts
ISO/IEC 27033-2, Information technology — Security techniques — Network security — Part 2: Guidelines
for the design and implementation of network security
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000, ISO/IEC 27033-1
and the following apply.
3.1
access point
wireless access point
device or piece of equipment that allows wireless devices to connect to a wired network
Note 1 to entry: The connection uses a wireless local area network (WLAN) or related standard.
3.2
base station
wireless base station
equipment that provides the connection between mobile or cellular phones and the core
communication network
3.3
Bluetooth
wireless technology standard for exchanging data over short distances
Note 1 to entry: “Bluetooth” is a trademark owned by the Bluetooth SIG.
3.4
core network
part of a mobile telecommunication network that connects the access network to the wider
communication network
EXAMPLE The Internet and other public networks are examples of wider communication networks.
3.5
femto cell
home cell
small cell
small, low-power cellular base station (3.2)
Note 1 to entry: A femto cell is typically designed for use in a home or a small business.
3.6
hardening
process of securing a system by reducing its surface of vulnerability
Note 1 to entry: Hardening typically includes the removal of unnecessary software, unnecessary usernames or
logins and the disabling or removal of unnecessary services.
3.7
machine to machine
technologies that allow both wireless and wired systems to communicate with other devices of the
same type
3.8
power ratio
signal-to-noise ratio
measure that compares the level of a desired signal to the level of background noise
Note 1 to entry: It is defined as the ratio of signal power to the noise power.
3.9
radio access network
part of a mobile telecommunication system that implements a radio access technology such as WCDMA
or LTE to provide access for end-user devices to the core network (3.4)
Note 1 to entry: The radio access network resides between the end-user device and the core network.
Note 2 to entry: A mobile phone is an example of an end-user device.
3.10
radio network controller
network element in a 3G mobile network which controls the base stations, interfaces to the core network
(3.4) and carries out the radio resource management and mobility management functions of the network
3.11
Wi-Fi
wireless local area networking technology that allows electronic devices to network, mainly using the
2,5 GHz and 5 GHz radio bands
Note 1 to entry: “Wi-Fi” is a trademark of the Wi-Fi Alliance.
Note 2 to entry: “Wi-Fi” is generally used as a synonym for “WLAN” since most modern WLANs are based on
these standards.
3.12
Wi-Fi Ad-Hoc network
wireless ad-hoc network
decentralized wireless network which does not rely on a pre-existing infrastructure
Note 1 to entry: Examples of pre-existing infrastructure are routers in wired networks or access points (3.1) in
managed (infrastructure) wireless networks.
4 Abbreviated terms
3G Third Generation of mobile telecommunications technology
3GPP Third Generation Partnership Program
4G Fourth Generation of mobile telecommunications technology
AAA Authentication, Authorization, and Accounting
AES Advanced Encryption Standard
AP Access Point
ASE Authentication Service Entity
BYOD Bring Your Own Device
CCM CTR with CBC Message authentication code
CCMP Cipher Block Chaining Message Authentication Code Protocol
CISO Chief Information Security Officer
DMZ De-Militarized Zone
DoS Denial of Service
EAP Extensible Authentication Protocol
FTP File Transfer Protocol
HTTP Hyper Text Transfer Protocol
GHz gigahertz
ICT Information and Communications Technology
IDS Intrusion Detection System
IEEE Institute of Electrical and Electronics Engineers
IMAP Internet message access protocol
IMEI International Mobile Equipment Identity
IMS Internet Protocol (IP) Multimedia Subsystem
IMSI International Mobile Subscriber Identity
IPS Intrusion Prevention System
IPsec Internet Protocol Security
ISM Industrial, Scientific and Medical
ISP Internet Service Provider
IT Information Technology
LTE Long Term Evolution
MAC Media Access Control
MIC Message Interface Code
NIC Network Interface Card
OBEX Object exchange
PDA Personal Digital Assistant
PEAP-GTC Protected EAP - Generic Token Card
PIN Personal Identification Number
PKI Public Key Infrastructure
PLMN Public Land Mobile Network
POP Post Office Protocol
RAN Radio Access Network
RBAC Role Based Access Control
RF Radio Frequency
RFCOMM RF Communication
SAC Standardization Administration of China
SAE System Architecture Evolution
SIG Special Interest Group
SLA Service Level Agreement
SIM Subscriber Identity Module
SNMP Simple Network Management Protocol
SMTP Simple Mail Transfer Protocol
SSH Secure Shell
SSID Service Set Identifier
STA STAtion
TCP Transmission Control Protocol
TLS Transport Layer Security
TTLS Tunnelled Transport Layer Security
UE User Equipment
UEA1 UMTS Encryption Algorithm #1
UHF Ultra High Frequency
UICC Universal Integrated Circuit Card
UMTS Universal Mobile Telecommunications System
USB Universal Serial Bus
UWB Ultra-Wide Band
VLAN Virtual Local Area Network (LAN)
VPN Virtual Private Network
WAI WLAN Authentication Infrastructure
WAPI WLAN Authentication and Privacy Infrastructure
WEP Wireless Equivalent Privacy
WIDS Wireless Intrusion Detection System
WIPS Wireless Intrusion Prevention System
WLAN Wireless Local Area Network
WMAN Wireless Metropolitan Area Network
WNIC Wireless Network Interface Controller
WPA Wi-Fi Protected Access
WPA2 Wi-Fi Protected Access 2
WPAN Wireless Personal Area Network
WPA-PSK Wi-Fi Protected Access Pre-Shared Key
WPI WLAN Privacy Infrastructure
WRAN Wireless Regional Area Networks
WWAN Wireless Wide Area Networks
5 Structure
The structure of this part of ISO/IEC 27033 comprises the following:
— an overview of wireless networks and their security requirements (see Clause 6);
— security threats associated with wireless networks (see Clause 7);
— security requirements for wireless networks (see Clause 8);
— security controls for wireless network architectures (see Clause 9);
— security design techniques for wireless networks (see Clause 10).
6 Overview
More and more users of communication and processing devices are opting to use wireless interfaces
to connect to their network of choice. With ubiquitous wireless networks, users see the benefit of
lower costs, always-on connectivity and automatic connection setup as a driver for choosing a wireless
connection over a wire line connection. Particularly for wireless networks, availability of unlicensed
frequency bands, the high cost of installing a cabling infrastructure into an established or old premise,
business or residential zone and the flexibility to allow additional users to connect to the network can
make the choice attractive.
For example, in most countries, for Wi-Fi connectivity, one just needs to apply to a service provider for
an Internet connection. This connection is then attached to a wireless access point or router, which
broadcasts the signal. Network interface cards (NICs) in communications or computing devices generally
come as standard, and users need only enable the interface to start communicating with the
wireless network.
For mobile/cellular networks, the challenges when deploying a network are much greater. In some
countries, there may be limited spectrum available for a particular wireless technology and national
spectrum regulators can take several years to plan, free-up and allocate spectrum to potential service
providers. Depending on the technology (3G, 4G), the amount of spectrum required may vary. The cost
of obtaining licenses can be substantial for service providers.
The following list describes the major wireless IP network categories and provides examples of selected
key technologies.
— Wireless personal area networks (WPANs): small-scale wireless networks that require little or
no infrastructure. These WPANs address wireless networking of portable and mobile computing
devices such as PCs, Personal Digital Assistants (PDAs), peripherals, cell phones, pagers, and
consumer electronics; allowing these devices to communicate and interoperate with one another.
Examples of WPAN technologies include the following.
— Bluetooth. A wireless technology for exchanging data over short distances (using short-
wavelength UHF radio waves in the ISM band from 2,4 GHz to 2,485 GHz) from fixed and mobile
devices, and building WPANs for wireless networking between small portable devices. The
original Bluetooth has a maximum data rate of approximately 720 kilobits per second (kbps)
and Bluetooth 2.0 can reach 3 Mbps. Bluetooth 3.0 provides theoretical data transfer speeds
of up to 24 Mbps. Bluetooth implements confidentiality, authentication and key derivation
based on the block cipher. Bluetooth key generation is generally based on a Bluetooth personal
identification number (PIN), which must be entered into both devices.
— Ultra-Wide Band (UWB). A radio technology used at a very low energy level for short-range,
high-bandwidth communications using a large portion of the radio spectrum. It can achieve data
rates of up to 480 Mbps over short ranges and can support the full range of WPAN applications
such as sensor data collection, precision locating and tracking. Two UWB devices use a shared
master key for authentication to establish a secure relationship. The confidentiality is protected
by encrypting the secure payload, while integrity is protected by including a message integrity
code (MIC).
— ZigBee. A technology for lightweight WPANs and designed to address the needs of low-cost,
low-power wireless sensor and control networks such as climate control systems and building
lighting. ZigBee provides facilities for carrying out secure communications, protecting
establishment and transport of cryptographic keys, ciphering frames and controlling devices.
— Wireless local area networks (WLANs). A group of wireless networking nodes within a limited
geographic area that is capable of radio communications. WLANs are typically used by devices within
a fairly limited range, such as an office building or building campus, and are usually implemented
as extensions to existing wired local area networks to provide enhanced user mobility. Examples of
WLAN technologies include the following.
— Wi-Fi. A trademark name and defined as any WLAN products that are based on the Institute of
Electrical and Electronics Engineers’ (IEEE) 802.11 standards. Wi-Fi relies on three security
methods known as Wired Equivalent Privacy (WEP), WPA (Wi-Fi Protected Access) and WPA2.
WEP and WPA have several well-documented security problems. WPA2 supports the use of
pre-shared keys (PSKs) and IEEE 802.1X + EAP for authentication. The data confidentiality
and integrity protocol (such as CCMP) used by WPA2 protects communications between
stations (STAs) and APs. Deploying WPA2 should ensure that communications between each AP
and its corresponding Authentication Services are protected sufficiently through cryptography.
— HiperLAN. A European alternative for the IEEE 802.11 standards. HiperLAN is a technology
on digital high speed wireless communication in the 5,15 GHz to 5,3 GHz and the 17,1 GHz to
17,3 GHz spectrum developed by European Telecommunications Standards Institute (ETSI)
and in itself does not support any features directly related to end-to-end security. Secure
data transport is obtained in layers above the MAC layer, and is in the case of HiperLAN the
responsibility of the HiperLAN service requester.
— WAPI. WLAN authentication and privacy infrastructure (WAPI) is an alternative to the
IEEE 802.11 security mechanism, developed by the Standardization Administration of
China (SAC). The WAPI mechanism consists of two parts: the WLAN authentication infrastructure
(WAI) protocol and the WLAN privacy infrastructure (WPI) scheme. The STA, AP and authentication
service entity (ASE) use digital certificates and a five-message exchange for mutual entity
authentication.
— Wireless metropolitan area networks (WMAN). Networks that can provide connectivity to users
located in multiple facilities that are generally within a few miles of each other. Many WMAN
implementations provide wireless broadband access to customers in metropolitan areas. Examples
of WMAN technologies include the following.
— WiMAX. A wireless communications technology designed to provide data rates of 30 Mbit/s
to 40 Mbit/s, with the 2011 update providing up to 1 Gbit/s for fixed stations, and to provide
at-home or mobile Internet access across whole cities or countries. WiMAX supports the use of
IEEE 802.1X + EAP for authentication. The data confidentiality and integrity protocol (such as
CCM with AES-128) used by WiMAX protects communications between clients and base stations.
— 3G. The third generation of mobile telecommunications technology. 3G telecommunication
networks support services that provide an information transfer rate of at least 200 kbit/s. Later,
3G releases also provide mobile broadband access of several Mbit/s to smartphones and mobile
modems in laptop computers. 3G finds application in wireless voice telephony, mobile Internet
access, fixed wireless Internet access, video calls and mobile TV. 3G networks use the KASUMI
block cipher instead of the older A5/1 stream cipher. However, a number of serious weaknesses
in the KASUMI cipher have been identified. In addition to the 3G network infrastructure
security, end-to-end security is offered when application frameworks such as IMS are accessed,
although this is not strictly a 3G property.
— 4G. The fourth generation of mobile telecommunications technology, succeeding 3G. A 4G system,
in addition to the usual voice and other services of a 3G system, provides mobile ultra-broadband
Internet access, for example to laptops with USB wireless modems, to smartphones and to
other mobile devices. Even though 4G is the successor technology to 3G, upgrading a 3G network
to 4G can raise significant issues, as many 3G networks were not built with forward compatibility
in mind. Conceivable applications include improved mobile web access, IP telephony, gaming services,
high-definition mobile TV, video conferencing, 3D television and cloud computing.
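The following is an added example, not part of ISO/IEC 27033-6: a Python audit that classifies hostapd-style access point configurations against the Wi-Fi guidance given in the WLAN item above (WEP and WPA have known weaknesses; WPA2 with PSK or IEEE 802.1X + EAP authentication and CCMP is the mode to deploy). The configuration keys are hostapd's own; the SSIDs, passphrase, server address and sample configurations are constructed for illustration.

```python
"""Audit hostapd-style AP configurations against the Clause 6 Wi-Fi guidance.

Added example, not code from ISO/IEC 27033-6. Keys (ssid, wpa, wpa_key_mgmt,
wpa_pairwise, rsn_pairwise, wep_key*, ieee8021x) are hostapd configuration
keys; all sample values below are constructed placeholders."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Finding:
    ssid: str
    mode: str                               # strongest mode the AP offers
    issues: List[str] = field(default_factory=list)


def parse_hostapd(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def audit(cfg: Dict[str, str]) -> Finding:
    """Classify one AP configuration and list deviations from the guidance."""
    ssid = cfg.get("ssid", "<unnamed>")
    wpa = int(cfg.get("wpa", "0"))          # hostapd bitfield: 1 = WPA, 2 = WPA2 (RSN)
    key_mgmt = cfg.get("wpa_key_mgmt", "").split()
    issues: List[str] = []

    # hostapd configures WEP through wep_key0..3; WEP is broken whatever the key length
    if any(k.startswith("wep_key") for k in cfg):
        return Finding(ssid, "WEP", ["WEP keys configured: migrate to WPA2"])
    if wpa == 0:
        return Finding(ssid, "open", ["no link-layer confidentiality or authentication"])

    if wpa & 2:
        mode = "WPA2-Enterprise" if "WPA-EAP" in key_mgmt else "WPA2-PSK"
    else:
        mode = "WPA"
        issues.append("only WPA (version 1) offered: enable WPA2")
    if wpa & 1 and wpa & 2:
        issues.append("WPA1 accepted alongside WPA2 (mixed mode): the weaker handshake stays reachable")

    # rsn_pairwise governs WPA2 ciphers and falls back to wpa_pairwise when unset
    rsn_ciphers = (cfg.get("rsn_pairwise") or cfg.get("wpa_pairwise", "")).split()
    wpa_ciphers = cfg.get("wpa_pairwise", "").split()
    if "TKIP" in rsn_ciphers or (wpa & 1 and "TKIP" in wpa_ciphers):
        issues.append("TKIP pairwise cipher enabled: use CCMP only")
    if wpa & 2 and "CCMP" not in rsn_ciphers:
        issues.append("CCMP not offered for WPA2 sessions")
    return Finding(ssid, mode, issues)


def audit_text(text: str) -> Finding:
    return audit(parse_hostapd(text))


# Constructed sample configurations (placeholders, not real deployments).
WEP_AP = """
ssid=legacy-lab
wep_default_key=0
wep_key0=0123456789
"""

MIXED_PSK_AP = """
ssid=office-guest
wpa=3                       # WPA and WPA2 both accepted
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=placeholder-passphrase
"""

ENTERPRISE_AP = """
ssid=corp
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=127.0.0.1  # RADIUS/EAP server, placeholder
"""

if __name__ == "__main__":
    for text in (WEP_AP, MIXED_PSK_AP, ENTERPRISE_AP):
        f = audit_text(text)
        print(f"{f.ssid}: {f.mode}", *("  - " + i for i in f.issues), sep="\n")
```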
However, regardless of the type of technology being used there are common security challenges to be
considered and addressed.
With any wireless network, the wireless transmissions may be detected by any device capable of
receiving and processing these transmissions. So unlike a wired network where the signals are
transmitted along the physical medium, with wireless networks, the transmitter of the signal may not
be sure who is ‘listening’ to their broadcasts. In addition, technology is readily available to interfere
with the transmitted signal and to disrupt the wireless network thus impacting the “service” of the
network.
Hence, it is vital to secure the network to provide the following:
— confidentiality: that the information transmitted is not divulged in any way;
— integrity: that the information transacted is not altered along the way;
— availability: that the network service is available;
— authentication: that the identity of those users or entities seeking access to the network is confirmed;
— access control: that access to networks and network access points is controlled;
— accountability: that any violation of policy will be traceable to a specific user or entity.
With all networks, the above information security principles apply. For wireless networks, there are
additional considerations as a result of the different transmission environment. For example, it is much
easier to obtain and use a radio frequency (RF) jamming device than an electronic device that can
interfere with cabling in a building. Most equipment types that are deployed with a wireless interface
will also have an Internet interface or will carry Internet traffic which means that cyber security
threats need to be considered and addressed for these elements.
To ensure that we comply with these principles for wireless networks, one first has to understand the
types of threats that networks are potentially exposed to. Clause 7 deals with security threats and
includes some of the typical technical threats that wireless networks are potentially exposed to and
which may ultimately be realised as a business threat to the security principles of confidentiality,
integrity, availability, authentication, access control and accountability.
Clause 8 defines generic security requirements for the wireless networks and devices that connect to
and use the network. Clause 9 establishes generic security controls to meet the needs of the security
requirements in order to prevent a threat being realised.
Many different types of wireless devices are being used to conduct business in the home, outdoors, in
business/organizations/enterprise environments, in public areas, in service provider deployments and
in industrial deployments.
When considering the threats, requirements and controls, it is important that user behaviour, types
of user devices, the amount and type of information assets that are being used and the changed threat
landscape are taken into consideration. Indeed, for organizations and/or enterprises and service
providers, this changed user behaviour and the new wireless capabilities of devices require that the
information security officer, responsible for establishing, monitoring and enforcing an unambiguous
Internet Usage Policy, now has to evaluate wireless threats as well.
This part of ISO/IEC 27033 will focus on the threats, requirements, controls and design techniques
specific to wireless networks.
7 Security threats
7.1 General
This Clause provides a list of typical security threats that are particular to wireless networks. However,
as new wireless standards are developed, new threats will emerge and existing threats may evolve. It is
recommended that service providers and wireless network administrators familiarize themselves with
developments in wireless technologies in order to be in a position to adopt new security controls and
techniques to counteract potential new threats.
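The recommendation above, that administrators keep their controls current as threats evolve, is in practice implemented by continuously comparing what is seen on the air against what is authorized (the topics of 7.4, Rogue wireless access point, and 9.9, Continuous monitoring). The following is an added example, not part of ISO/IEC 27033-6, of a minimal WIDS-style check in Python: it parses a constructed scan listing and flags unknown access points advertising a managed SSID, look-alike SSIDs, and authorized access points whose advertised security is weaker than policy. The inventory, BSSIDs, SSIDs and scan lines are all constructed placeholder values.

```python
"""Added example: a minimal WIDS-style comparison of observed access points
against an inventory of authorized ones. All identifiers below are constructed
placeholder values, not data from the standard."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Observation:
    """One beacon/probe-response summary, as a scanner would report it."""
    bssid: str
    ssid: str
    security: str   # normalised label, e.g. OPEN, WEP, WPA-TKIP, WPA2-PSK-CCMP
    channel: int
    rssi: int       # dBm


# Hypothetical inventory: BSSID -> (expected SSID, expected security profile).
AUTHORIZED_APS: Dict[str, Tuple[str, str]] = {
    "00:11:22:33:44:01": ("corp-wlan", "WPA2-EAP-CCMP"),
    "00:11:22:33:44:02": ("corp-wlan", "WPA2-EAP-CCMP"),
    "00:11:22:33:44:03": ("corp-guest", "WPA2-PSK-CCMP"),
}

# Security profiles that policy accepts on managed APs (OPEN, WEP, WPA/TKIP are not).
ACCEPTABLE_SECURITY: Set[str] = {"WPA2-EAP-CCMP", "WPA2-PSK-CCMP"}

# Constructed scan output: bssid, ssid, security, channel, rssi.
SAMPLE_SCAN = """\
# bssid             ssid        security        channel rssi
00:11:22:33:44:01   corp-wlan   WPA2-EAP-CCMP   6       -48
00:11:22:33:44:02   corp-wlan   WEP             11      -55
aa:bb:cc:dd:ee:01   corp-wlan   WPA2-PSK-CCMP   6       -40
aa:bb:cc:dd:ee:02   corp-w1an   OPEN            1       -62
00:11:22:33:44:03   corp-guest  WPA2-PSK-CCMP   1       -70
aa:bb:cc:dd:ee:03   cafe-free   OPEN            11      -80
"""


def parse_scan(text: str) -> List[Observation]:
    """Parse whitespace-separated scan lines; lines starting with '#' are comments."""
    observations: List[Observation] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"malformed scan line: {raw!r}")
        bssid, ssid, security, channel, rssi = fields
        observations.append(Observation(bssid.lower(), ssid, security.upper(),
                                        int(channel), int(rssi)))
    return observations


def lookalike_of(ssid: str, managed: Set[str]) -> str:
    """Return a managed SSID that differs from `ssid` in exactly one character
    (same length, case-insensitive), or "" if there is none."""
    for m in managed:
        if ssid.lower() != m.lower() and len(ssid) == len(m):
            if sum(a != b for a, b in zip(ssid.lower(), m.lower())) == 1:
                return m
    return ""


def assess(observations: List[Observation],
           inventory: Dict[str, Tuple[str, str]] = AUTHORIZED_APS,
           acceptable: Set[str] = ACCEPTABLE_SECURITY) -> List[Tuple[str, str, str]]:
    """Return (severity, finding code, bssid) for every observation that breaks policy."""
    managed_ssids = {ssid for ssid, _ in inventory.values()}
    findings: List[Tuple[str, str, str]] = []
    for o in observations:
        if o.bssid in inventory:
            expected_ssid, expected_security = inventory[o.bssid]
            if o.ssid != expected_ssid:
                findings.append(("HIGH", "AUTH_UNEXPECTED_SSID", o.bssid))
            if o.security not in acceptable or o.security != expected_security:
                # e.g. a managed AP reconfigured to WEP or left open
                findings.append(("HIGH", "AUTH_WEAK_OR_WRONG_SECURITY", o.bssid))
        elif o.ssid in managed_ssids:
            # unknown hardware advertising our SSID: rogue AP / evil twin candidate
            findings.append(("HIGH", "ROGUE_MANAGED_SSID", o.bssid))
        elif lookalike_of(o.ssid, managed_ssids):
            findings.append(("MEDIUM", "LOOKALIKE_SSID", o.bssid))
        elif o.security in {"OPEN", "WEP"}:
            # neighbouring network without adequate protection: worth noting for users
            findings.append(("LOW", "UNPROTECTED_NEIGHBOUR", o.bssid))
    return findings


def assess_scan(text: str = SAMPLE_SCAN) -> List[Tuple[str, str, str]]:
    return assess(parse_scan(text))


if __name__ == "__main__":
    for severity, code, bssid in assess_scan():
        print(f"{severity:6} {code:28} {bssid}")
```

A BSSID match against the inventory is not proof that the frame came from the managed device, since a BSSID can be copied; a production WIDS also compares channel, signal strength and vendor-specific fingerprints with what is expected for that access point, and correlates sightings over time rather than judging a single scan.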
Unauthorized access can result in the disclosure of sensitive information, data modification, denial
of service and illicit use of resources. Once an unauthorized user has gained access to the network,
monitoring of the now unprotected data can lead to user names and passwords being intercepted,
which can then be used for further attacks. Wireless networks are susceptible to all the security threats
normally faced with conventional wire line networks but additionally, they are exposed to threats
directly associated with the use of wireless access technologies. The nature of most wireless media
makes it practically impossible to confine the radio signals to a controlled area. These radiated signals
are subject to clandestine interception and exploitation. In a traditional wire line infrastructure, the
physical security of the workplace or service provider’s premises provided some protection for the
network as users were obliged to physically connect to the network to access its resources. In a wireless
environment, this layer of defence is no longer applicable and indeed the whole threat landscape needs
to be re-evaluated and this Clause describes some of the main threats that are p
...
INTERNATIONAL STANDARD ISO/IEC 27033-6
First edition
2016-06-01
Information technology — Security techniques — Network security —
Part 6: Securing wireless IP network access
Technologies de l’information — Techniques de sécurité — Sécurité de réseau —
Partie 6: Sécurisation de l’accès réseau IP sans fil
Reference number
© ISO/IEC 2016
© ISO/IEC 2016, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Contents
Foreword ... v
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Abbreviated terms ... 3
5 Structure ... 5
6 Overview ... 5
7 Security threats ... 8
7.1 General ... 8
7.2 Unauthorized access ... 8
7.3 Packet sniffing ... 8
7.4 Rogue wireless access point ... 9
7.5 Denial of service attack ... 9
7.6 Bluejacking ... 10
7.7 Bluesnarfing ... 10
7.8 Adhoc networks ... 10
7.9 Other threats ... 10
8 Security requirements ... 10
8.1 General ... 10
8.2 Confidentiality ... 11
8.3 Integrity ... 11
8.4 Availability ... 11
8.5 Authentication ... 11
8.6 Authorization ... 12
8.7 Accountability (Non-repudiation) ... 12
9 Security controls ... 12
9.1 General ... 12
9.2 Encryption control and implementation ... 13
9.3 Integrity evaluation ... 14
9.4 Authentication ... 14
9.5 Access control ... 15
9.5.1 General ... 15
9.5.2 Permission control ... 16
9.5.3 Network-based control ... 16
9.6 Denial of service attack resilience ... 16
9.7 DMZ segregation via firewall protection ... 16
9.8 Vulnerability management through secure configurations and hardening of devices ... 16
9.9 Continuous monitoring of wireless networks ... 17
10 Security design techniques and considerations ... 17
10.1 General ... 17
10.2 Wi-Fi ... 18
10.2.1 General ... 18
10.2.2 User authentication ... 18
10.2.3 Confidentiality and integrity ... 19
10.2.4 Wireless Wi-Fi technologies ... 19
10.2.5 Other Wi-Fi Configurations ... 19
10.2.6 Access control — User equipment ... 19
10.2.7 Access control — Infrastructure access point ... 20
10.2.8 Availability ... 21
10.2.9 Accountability ... 21
10.3 Mobile communication security design ... 21
10.4 Bluetooth ... 22
10.5 Other wireless technologies ... 23
Annex A (informative) Technical description of threats and countermeasures ... 24
Bibliography ... 26
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee
SC 27, Security techniques.
ISO/IEC 27033 consists of the following parts, under the general title Information technology — Security
techniques — Network security:
— Part 1: Overview and concepts
— Part 2: Guidelines for the design and implementation of network security
— Part 3: Reference networking scenarios — Threats, design techniques and control issues
— Part 4: Securing communications between networks using security gateways
— Part 5: Securing communications across networks using virtual private networks (VPNs)
— Part 6: Securing wireless IP network access
Introduction
In today’s world, the majority of both commercial and government organizations have their information
systems connected by networks with the network connections being one or more of the following:
— within the organization;
— between different organizations;
— between the organization and the general public.
Further, with the rapid developments in publicly available network technology (in particular with
the Internet) offering significant business opportunities, organizations are increasingly conducting
electronic business on a global scale and providing online public services. The opportunities include the
provision of lower cost data communications, using the Internet simply as a global connection medium,
through to more sophisticated services provided by Internet service providers (ISPs). This can mean the
use of relatively low cost local attachment points at each end of a circuit to full scale online electronic
trading and service delivery systems, using web-based applications and services. Additionally, the new
technology (including the integration of data, voice and video) increases the opportunities for remote
working (also known as “teleworking” or “telecommuting”) that enable personnel to operate away
from their home/work base for significant periods of time. They are able to keep in contact through the
use of remote facilities to access organization and community networks and related business support
information and services.
However, while this environment does facilitate significant business benefits, there are new security
risks to be managed. With organizations relying heavily on the use of information and associated
networks to conduct their business, the loss of confidentiality, integrity, and availability of information
and services could have significant adverse impacts on business operations. Thus, there is a major
requirement to properly protect networks and their related information systems and information. In
other words, implementing and maintaining adequate network security is absolutely critical to the success
of any organization’s business operations.
In this context, the telecommunications and information technology industries are seeking cost-
effective comprehensive security solutions, aimed at protecting networks against malicious attacks
and inadvertent incorrect actions, and meeting the business requirements for confidentiality, integrity,
and availability of information and services. Securing a network is also essential for maintaining the
accuracy of billing or usage information, as appropriate. Security capabilities in products are crucial
to overall network security (including applications and services). However, as more products are
combined to provide total solutions, the interoperability, or the lack thereof, will define the success of
the solution. Security should not only be a thread of concern for each product or service, but should be
developed in a manner that promotes the interweaving of security capabilities in the overall security
solution.
The purpose of ISO/IEC 27033 is to provide detailed guidance on the security aspects of the management,
operation and use of information system networks, and their inter-connections. Those individuals
within an organization that are responsible for information security in general, and network security
in particular, should be able to adapt the material in this document to meet their specific requirements.
Its main objectives are as follows.
— ISO/IEC 27033-1 aims to define and describe the concepts associated with, and provide management
guidance on, network security. This includes the provision of an overview of network security and
related definitions, and guidance on how to identify and analyze network security risks and then
define network security requirements. It also introduces how to achieve good quality technical
security architectures, and the risk, design and control aspects associated with typical network
scenarios and network technology areas (which are dealt with in detail in subsequent parts of
ISO/IEC 27033).
— ISO/IEC 27033-2 aims to define how organizations should achieve quality network technical security
architectures, designs and implementations that will ensure network security appropriate to their
business environments, using a consistent approach to the planning, design and implementation
of network security, as relevant, aided by the use of models/frameworks (in this context, a
model/framework is used to outline a representation or description showing the structure and high
level workings of a type of technical security architecture/design), and is relevant to all personnel
who are involved in the planning, design and implementation of the architectural aspects of network
security (for example, network architects and designers, network managers, and network security
officers).
— ISO/IEC 27033-3 aims to define the specific risks, design techniques and control issues associated
with typical network scenarios. It is relevant to all personnel who are involved in the planning,
design and implementation of the architectural aspects of network security (for example, network
architects and designers, network managers, and network security officers).
— ISO/IEC 27033-4 aims to define the specific risks, design techniques and control issues for securing
information flows between networks using security gateways. It is relevant to all personnel who
are involved in the detailed planning, design and implementation of security gateways (for example,
network architects and designers, network managers, and network security officers).
— ISO/IEC 27033-5 aims to define the specific risks, design techniques and control issues for securing
connections that are established using virtual private networks (VPNs). It is relevant to all personnel
who are involved in the detailed planning, design and implementation of VPN security (for example,
network architects and designers, network managers, and network security officers).
— ISO/IEC 27033-6 aims to define the specific risks, design techniques and control issues for securing
IP wireless networks. It is relevant to all personnel who are involved in the detailed planning,
design and implementation of security for wireless networks (for example, network architects and
designers, network managers, and network security officers).
It is emphasized that ISO/IEC 27033 provides further detailed implementation guidance on the network
security controls that are described at a basic standardized level in ISO/IEC 27002.
It should be noted that this part of ISO/IEC 27033 is not a reference or normative document for regulatory
and legislative security requirements. Although it emphasizes the importance of these influences, it
cannot state them specifically, since they are dependent on the country, the type of business, etc.
Unless otherwise stated, throughout this part of ISO/IEC 27033, the guidance referenced is applicable
to current and/or planned networks, but will only be referenced as “networks” or “the network”.
INTERNATIONAL STANDARD ISO/IEC 27033-6:2016(E)
Information technology — Security techniques — Network
security —
Part 6:
Securing wireless IP network access
1 Scope
This part of ISO/IEC 27033 describes the threats, security requirements, security control and design
techniques associated with wireless networks. It provides guidelines for the selection, implementation
and monitoring of the technical controls necessary to provide secure communications using wireless
networks. The information in this part of ISO/IEC 27033 is intended to be used when reviewing or
selecting technical security architecture/design options that involve the use of wireless networks in
accordance with ISO/IEC 27033-2.
Overall, ISO/IEC 27033-6 will aid considerably the comprehensive definition and implementation of
security for any organization’s wireless network environment. It is aimed at users and implementers
who are responsible for the implementation and maintenance of the technical controls necessary to
provide secure wireless networks.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 27033-1, Information technology — Security techniques — Network security — Part 1: Overview
and concepts
ISO/IEC 27033-2, Information technology — Security techniques — Network security — Part 2: Guidelines
for the design and implementation of network security
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000, ISO/IEC 27033-1
and the following apply.
3.1
access point
wireless access point
device or piece of equipment that allows wireless devices to connect to a wired network
Note 1 to entry: The connection uses a wireless local area network (WLAN) or related standard.
3.2
base station
wireless base station
equipment that provides the connection between mobile or cellular phones and the core
communication network
3.3
Bluetooth
wireless technology standard for exchanging data over short distances
Note 1 to entry: “Bluetooth” is a trademark owned by the Bluetooth SIG.
3.4
core network
part of a mobile telecommunication network that connects the access network to the wider
communication network
EXAMPLE The Internet and other public networks are examples of wider communication networks.
3.5
femto cell
home cell
small cell
small, low-power cellular base station (3.2)
Note 1 to entry: A femto cell is typically designed for use in a home or small businesses.
3.6
hardening
process of securing a system by reducing its surface of vulnerability
Note 1 to entry: Hardening typically includes the removal of unnecessary software, unnecessary usernames or
logins and the disabling or removal of unnecessary services.
3.7
machine to machine
technologies that allow both wireless and wired systems to communicate with other devices of the
same type
3.8
power ratio
signal-to-noise ratio
measure that compares the level of a desired signal to the level of background noise
Note 1 to entry: It is defined as the ratio of signal power to the noise power.
3.9
radio access network
part of a mobile telecommunication system that implements a radio access technology such as WCDMA
or LTE to provide access for end-user devices to the core network (3.4)
Note 1 to entry: The radio access network resides between the end-user device and the core network.
Note 2 to entry: A mobile phone is an example of an end-user device.
3.10
radio network controller
network element in a 3G mobile network which controls the base stations, interface to the core network
(3.4) and carries out the radio resource management and mobility management functions of the network
3.11
Wi-Fi
wireless local area networking technology that allows electronic devices to network, mainly using the
2,5 GHz and 5 GHz radio bands
Note 1 to entry: “Wi-Fi” is a trademark of the Wi-Fi Alliance.
Note 2 to entry: “Wi-Fi” is generally used as a synonym for “WLAN” since most modern WLANs are based on
these standards.
3.12
Wi-Fi Ad-Hoc network
wireless ad-hoc network
decentralized wireless network which does not rely on a pre-existing infrastructure
Note 1 to entry: Examples of pre-existing infrastructure are routers in wired networks or access points (3.1) in
managed (infrastructure) wireless networks.
4 Abbreviated terms
3G Third Generation of mobile telecommunications technology
3GPP Third Generation Partnership Program
4G Fourth Generation of mobile telecommunications technology
AAA Authentication, Authorization, and Accounting
AES Advanced Encryption Standard
AP Access Point
ASE Authentication Service Entity
BYOD Bring Your Own Device
CCM CTR with CBC Message authentication code
CCMP Cipher Block Chaining Message Authentication Code Protocol
CISO Chief Information Security Officer
DMZ De-Militarized Zone
DoS Denial of Service
EAP Extensible Authentication Protocol
FTP File Transfer Protocol
HTTP Hyper Text Transfer Protocol
GHz gigahertz
ICT Information and Communications Technology
IDS Intrusion Detection System
IEEE Institute of Electrical and Electronics Engineers
IMAP Internet message access protocol
IMEI International Mobile Equipment Identity
IMS Internet Protocol (IP) Multimedia Subsystem
IMSI International Mobile Subscriber Identity
IPS Intrusion Prevention System
IPsec Internet Protocol Security
ISM Industrial, Scientific and Medical
ISP Internet Service Provider
IT Information Technology
LTE Long Term Evolution
MAC Media Access Control
MIC Message Integrity Code
NIC Network Interface Card
OBEX Object exchange
PDA Personal Digital Assistant
PEAP-GTC Protected EAP - Generic Token Card
PIN Personal Identification Number
PKI Public Key Infrastructure
PLMN Public Land Mobile Network
POP Post Office Protocol
RAN Radio Access Network
RBAC Role Based Access Control
RF Radio Frequency
RFCOMM RF Communication
SAC Standardization Administration of China
SAE System Architecture Evolution
SIG Special Interest Group
SLA Service Level Agreement
SIM Subscriber Identity Module
SNMP Simple Network Management Protocol
SMTP Simple Mail Transfer Protocol
SSH Secure Shell
SSID Service Set Identifier
STA STAtion
TCP Transmission Control Protocol
TLS Transport Layer Security
TTLS Tunnelled Transport Layer Security
UE User Equipment
UEA1 UMTS Encryption Algorithm #1
UHF Ultra High Frequency
UICC Universal Integrated Circuit Card
UMTS Universal Mobile Telecommunications System
USB Universal Serial Bus
UWB Ultra-Wide Band
VLAN Virtual Local Area Network (LAN)
VPN Virtual Private Network
WAI WLAN Authentication Infrastructure
WAPI WLAN Authentication and Privacy Infrastructure
WEP Wired Equivalent Privacy
WIDS Wireless Intrusion Detection System
WIPS Wireless Intrusion Prevention System
WLAN Wireless Local Area Network
WMAN Wireless Metropolitan Area Network
WNIC Wireless Network Interface Controller
WPA Wi-Fi Protected Access
WPA2 Wi-Fi Protected Access 2
WPAN Wireless Personal Area Network
WPA-PSK Wi-Fi Protected Access Pre-Shared Key
WPI WLAN Privacy Infrastructure
WRAN Wireless Regional Area Networks
WWAN Wireless Wide Area Networks
5 Structure
The structure of this part of ISO/IEC 27033 comprises the following:
— an overview of wireless networks and their security requirements (see Clause 6);
— security threats associated with wireless networks (see Clause 7);
— security requirements for wireless networks (see Clause 8);
— security controls for wireless network architectures (see Clause 9);
— security design techniques for wireless networks (see Clause 10).
6 Overview
More and more users of communication and processing devices are opting to use wireless interfaces
to connect to their network of choice. With ubiquitous wireless networks, users see the benefit of
lower costs, always-on connectivity and automatic connection setup as a driver for choosing a wireless
connection over a wire line connection. Particularly for wireless networks, availability of unlicensed
frequency bands, the high cost of installing a cabling infrastructure into an established or old premise,
business or residential zone and the flexibility to allow additional users to connect to the network can
make the choice attractive.
For example, in most countries, for Wi-Fi connectivity, one just needs to apply to a service provider for
an Internet connection. It is then connected to a wireless access point or router which broadcasts the
signal. Network Interface Cards (NIC) in the communications devices or computing device generally
come as standard and users need only enable the interface to start the communication process with the
wireless network.
For mobile/cellular networks, the challenges when deploying a network are much greater. In some
countries, there may be limited spectrum available for a particular wireless technology and national
spectrum regulators can take several years to plan, free-up and allocate spectrum to potential service
providers. Depending on the technology (3G, 4G), the amount of spectrum required may vary. The cost
of obtaining licenses can be substantial for service providers.
The following list describes the major wireless IP network categories and provides examples of selected
key technologies.
— Wireless personal area networks (WPANs): small-scale wireless networks that require little or
no infrastructure. These WPANs address wireless networking of portable and mobile computing
devices such as PCs, Personal Digital Assistants (PDAs), peripherals, cell phones, pagers, and
consumer electronics; allowing these devices to communicate and interoperate with one another.
Examples of WPAN technologies include the following.
— Bluetooth. A wireless technology for exchanging data over short distances (using short-
wavelength UHF radio waves in the ISM band from 2,4 GHz to 2,485 GHz) from fixed and mobile
devices, and building WPANs for wireless networking between small portable devices. The
original Bluetooth has a maximum data rate of approximately 720 kilobits per second (kbps)
and Bluetooth 2.0 can reach 3 Mbps. Bluetooth 3.0 provides theoretical data transfer speeds
of up to 24 Mbps. Bluetooth implements confidentiality, authentication and key derivation
based on a block cipher. Bluetooth key generation is generally based on a Bluetooth personal
identification number (PIN), which should be entered into both devices.
— Ultra-Wide Band (UWB). A radio technology used at a very low energy level for short-range,
high-bandwidth communications using a large portion of the radio spectrum. It can achieve data
rates of up to 480 Mbps over short ranges and can support the full range of WPAN applications
such as sensor data collection, precision locating and tracking. Two UWB devices use a shared
master key for authentication to establish a secure relationship. The confidentiality is protected
by encrypting the secure payload, while integrity is protected by including a message integrity
code (MIC).
— ZigBee. A technology for lightweight WPANs and designed to address the needs of low-cost,
low-power wireless sensor and control networks such as climate control systems and building
lighting. ZigBee provides facilities for carrying out secure communications, protecting
establishment and transport of cryptographic keys, ciphering frames and controlling devices.
— Wireless local area networks (WLANs). A group of wireless networking nodes within a limited
geographic area that is capable of radio communications. WLANs are typically used by devices within
a fairly limited range, such as an office building or building campus, and are usually implemented
as extensions to existing wired local area networks to provide enhanced user mobility. Examples of
WLAN technologies include the following.
— Wi-Fi. A trademark name applied to WLAN products that are based on the Institute of
Electrical and Electronics Engineers’ (IEEE) 802.11 standards. Wi-Fi relies on three security
methods known as Wired Equivalent Privacy (WEP), WPA (Wi-Fi Protected Access) and WPA2.
WEP and WPA have several well-documented security problems. WPA2 supports the use of
pre-shared keys (PSKs) and IEEE 802.1X + EAP for authentication. The data confidentiality
and integrity protocol (such as CCMP) used by WPA2 protects communications between
stations (STAs) and APs. Deploying WPA2 should ensure that communications between each AP
and its corresponding Authentication Services are protected sufficiently through cryptography.
— HiperLAN. A European alternative for the IEEE 802.11 standards. HiperLAN is a technology
on digital high speed wireless communication in the 5,15 GHz to 5,3 GHz and the 17,1 GHz to
17,3 GHz spectrum developed by European Telecommunications Standards Institute (ETSI)
and in itself does not support any features directly related to end-to-end security. Secure
data transport is obtained in layers above the MAC layer, and is in the case of HiperLAN the
responsibility of the HiperLAN service requester.
— WAPI. WLAN authentication and privacy infrastructure (WAPI) is an alternative for the
IEEE 802.11 standards security mechanism developed by Standardization Administration of
China (SAC). WAPI mechanism contains two parts: WLAN authentication infrastructure (WAI)
protocol and WLAN privacy infrastructure (WPI) scheme. STA, AP and authentication service
entity (ASE) utilize the digital certificate and five messages exchange for mutual entity
authentication.
— Wireless metropolitan area networks (WMAN). Networks that can provide connectivity to users
located in multiple facilities that are generally within a few miles of each other. Many WMAN
implementations provide wireless broadband access to customers in metropolitan areas. Examples
of WMAN technologies include the following.
— WiMAX. A wireless communications technology designed to provide data rates of 30 Mbit/s
to 40 Mbit/s (the 2011 update provides up to 1 Gbit/s for fixed stations) and to offer
at-home or mobile Internet access across whole cities or countries. WiMAX
supports the use of IEEE 802.1X + EAP for authentication. The data confidentiality and integrity
protocol (such as CCM and AES-128) used by WiMAX protects communications between Clients
and Base stations.
— 3G. The third generation of mobile telecommunications technology. 3G telecommunication
networks support services that provide an information transfer rate of at least 200 kbit/s. Later,
3G releases also provide mobile broadband access of several Mbit/s to smartphones and mobile
modems in laptop computers. 3G finds application in wireless voice telephony, mobile Internet
access, fixed wireless Internet access, video calls and mobile TV. 3G networks use the KASUMI
block cipher instead of the older A5/1 stream cipher. However, a number of serious weaknesses
in the KASUMI cipher have been identified. In addition to the 3G network infrastructure
security, end-to-end security is offered when application frameworks such as IMS are accessed,
although this is not strictly a 3G property.
— 4G. The fourth generation of mobile telecommunications technology, succeeding 3G. A 4G system,
in addition to the usual voice and other services of a 3G system, provides mobile ultra-broadband
Internet access, for example to laptops with USB wireless modems, to smartphones, and to
other mobile devices. Even though 4G is a successor technology to 3G, upgrading a 3G network
to 4G can raise significant issues, as many 3G networks were not built with forward compatibility in mind.
Conceivable applications include improved mobile web access, IP telephony, gaming services,
high-definition mobile TV, video conferencing, 3D television, and cloud computing.
However, regardless of the type of technology being used there are common security challenges to be
considered and addressed.
With any wireless network, the wireless transmissions may be detected by any device capable of
receiving and processing them. So, unlike a wired network where the signals are
transmitted along a physical medium, with wireless networks the transmitter of the signal may not
be sure who is ‘listening’ to its broadcasts. In addition, technology is readily available to interfere
with the transmitted signal and to disrupt the wireless network, thus impacting the “service” of the
network.
Hence, it is vital to secure the network to provide the following:
— confidentiality: that the information transmitted is not divulged in any way;
— integrity: that the information transacted is not altered along the way;
— availability: that the network service is available;
— authentication: that the identity of those users or entities seeking access to the network is confirmed;
— access control: that access to networks and network access points is controlled;
— accountability: that any violation of policy will be traceable to a specific user or entity.
With all networks, the above information security principles apply. For wireless networks, there are
additional considerations as a result of the different transmission environment. For example, it is much
easier to obtain and use a radio frequency (RF) jamming device than an electronic device that can
interfere with cabling in a building. Most equipment types that are deployed with a wireless interface
will also have an Internet interface or will carry Internet traffic which means that cyber security
threats need to be considered and addressed for these elements.
To ensure compliance with these principles for wireless networks, one first has to understand the types
of threats that networks are potentially exposed to. Clause 7 deals with security threats and includes
some of the typical technical threats that wireless networks are potentially exposed to and which
may ultimately be realised as a business threat to the security principles of confidentiality, integrity,
availability, authentication, access control and accountability.
Clause 8 defines generic security requirements for the wireless networks and devices that connect to
and use the network. Clause 9 establishes generic security controls to meet the needs of the security
requirements in order to prevent a threat being realised.
Many different types of wireless devices are being used to conduct business in the home, outdoors, in
business/organizations/enterprise environments, in public areas, in service provider deployments and
in industrial deployments.
When considering the threats, requirements and controls, it is important that user behaviour, the types
of user devices, the amount and type of information assets being used and the changed threat
landscape are taken into consideration. Indeed, for organizations and/or enterprises and service
providers, this changed user behaviour and the new wireless capabilities of devices require that the
information security officer, responsible for establishing, monitoring and enforcing an unambiguous
Internet Usage Policy, now also evaluate wireless threats.
This part of ISO/IEC 27033 will focus on the threats, requirements, controls and design techniques
specific to wireless networks.
7 Security threats
7.1 General
Clause 7 provides a list of typical security threats that are particular to wireless networks. However, as
new wireless standards are developed, new threats will emerge and existing threats may evolve. It is
recommended that service providers and wireless network administrators familiarize themselves with
developments in wireless technologies in order to be in a position to adopt new security controls and
techniques to counteract potential new threats.
Unauthorized access can result in the disclosure of sensitive information, data modification, denial
of service and illicit use of resources. Once an unauthorized user has gained access to the network,
monitoring of the now unprotected data can lead to user names and passwords being intercepted,
which can then be used for further attacks. Wireless networks are susceptible to all the security threats
normally faced with conventional wire line networks but additionally, they are exposed to threats
directly associated with the use of wireless access technologies. The nature of most wireless media
makes it practically impossible to confine the radio signals to a controlled area. These radiated signals
are subject to clandestine interception and exploitation. In a traditional wire line infrastructure, the
physical security of the workplace or service provider’s premises provided some protection for the
network, as users were obliged to physically connect to the network to access its resources. In a wireless
environment, this layer of defence is no longer applicable; indeed, the whole threat landscape needs
to be re-evaluated, and this Clause describes some of the main threats that are pertinent to wireless
networks.
7.2 Unauthorized access
Wireless networks face unauthorized access threats similar to those of wired networks. Wireless network
access may cause security threats if available information reveals something that enables further
investigation. For example, SSID names and settings may give hints for further use of the wireless
network. Access to a wireless network is a channel to other resources in the connected network.
Preventing access to the
...