Is wireless the Trojan horse in your network security?
According to Roger Klorese of WatchGuard technologies, smartphones and tablets now account for about 25% of devices used for work in the US. Wireless, mobility and BYOD are all part of an unstoppable wave, based on widespread consumer and remote worker usage. With the new faster wireless standard, 802.11ac, due to be ratified this year, and with 4G continuing to grow, demand for fast wireless in the workplace will increase inexorably.
While this creates multiple opportunities, it also creates a great many challenges. If, for example, your existing wireless network is insecure, building on that base of sand is always going to fail.
Historically, for many organisations, both large and small, wireless was a tactical solution to a user-driven demand for laptop (and subsequently smartphone and tablet) mobility in the office.
As demand and users have increased, organisations have typically added more access points. Today, access points are a significant element of user LANs. While they may not carry the highest amount of traffic, they typically will carry a disproportionate percentage of business confidential information.
The problem that this creates, particularly for smaller organisations, is that access points sitting inside the network, and connecting to it, are often perceived as being covered by many of the existing gateway security solutions. This can mean they are connected directly to the trusted network (internal LAN). Where this happens, it raises major security risks. There are also risks, even where wireless connectivity is managed through a separate virtual LAN (VLAN).
Wireless has crept up on many organisations. From a situation where it was provided as an additional service for certain specified staff and as a guest service to provide internet access for visitors (and staff), it has gradually increased in importance.
Today, with the upcoming multi Gbps 802.11ac wireless standard, we can now foresee a fundamental shift from wired to wireless networks.
The main problem with this is that the risk assessment and security deployed around wireless haven’t kept up with the pace of change. While many of the actual threats of wireless use haven’t changed, the increasing pace of deployment has significantly increased the risks to organisations.
Companies are often unaware of the risks because they have multi-layered perimeter security in place and don’t realise that wireless access has subverted that security. In addition, a misplaced “shoal mentality’ still blinds users to the risks. They realise there are lots of hackers out there, but simply think that there are so many targets, it’s unlikely they will be the one who is attacked.
Misconfiguration – Every time a new access point is added, there is the risk it may be misconfigured. If that happens, the rules that were put in place to protect the network won’t be consistently applied.
Man in the middle attack – This type of attack is where someone presents an SSID (network address) that pretends to be something it isn’t, e.g. your company wireless name. The attackers intercept the name and password of users who are logging in, and pass them through, so it isn’t obvious what they have done. By the way, this is the risk that everyone who logs in at internet cafes, hotel lobbies, etc. takes.
Connection by unauthorised users – Unauthorised users may connect to the network. It may be disgruntled ex-employees, it may be through identity theft or through “man-in-the-middle attacks’. Most organisations are vulnerable because most organisations have something valuable on the network, such as credit card data, online banking information, confidential payroll details, or information helpful to a competitor.
Insertion of malicious code or theft of code via a wireless connection – Access directly onto the trusted network creates a vulnerability for data stealing programs, as well as for data destruction programs – particularly by disgruntled individuals and ex staff.
Data-stealing apps on mobile devices – While Apple isn’t immune, the problem of malicious apps is particularly pernicious on Android devices.
Rogue access points – Well-meaning employees (and sometimes less well-meaning) can put up additional wireless access points to provide wider coverage, without management permission or awareness, creating security risks.
The TKMaxx fraud – There is the never to be forgotten TKMaxx credit card fraud where hackers accessed data on 45 million payment cards, through an unsecured wireless LAN.
With wireless and mobility becoming ever more ubiquitous, now is a good time to review the risks, security policies and protection that are in place.
Most companies have policies for wireless and mobility that are out-of-date. Since it is the statement of and management of policies that drives employee behaviour, out-of-date and unsupervised policies will almost certainly lead to incorrect employee behaviour, when it comes to mobile security.
Reviewing policies, perhaps doing that with some power users who understand what’s happening with technology and apps, not only gives a clear message to the business that you are serious about mobile security, but can often be a very interesting and enlightening experience. It is also important for users to be aware that wireless security is not only considered essential, but will also be managed and reported on.
The wireless risk profile changes as usage increases and more users are enabled. Many of the threats have changed and migrated down from enterprises to smaller businesses.
However, many organisations have not reviewed their wireless and mobility risks in line with increasing wireless use. They are often rolling out increased access and access points without considering the security implications. For those with PCI or data security considerations, a security review is essential.
Everything starts with reviewing policies and appreciating some of the risks. At a practical level, there are some quick wins:
- Use your laptop, tablet or phone to scan for network connections and make sure that that all network addresses under your company name are yours. As additional security consider changing the SSID (Network ID) to something other than your company name.
- Make sure all connections are over a secure VPN
- Ensure that all connected devices have at least anti-virus security, including all tablets and smartphones.
- Use two-factor authentication to protect against ID theft.
- As an absolute minimum, require all users to have a PIN on their devices.