Companies have encouraged their workforces to be effective regardless of their location or the time of day, making wireless Internet connectivity the latest lifeblood of workforce productivity. These gains have been accomplished primarily by embracing Wi-Fi, which is not without added risk. Cyber spies and criminals have successfully targeted wireless networks for years, which in turn, requires increased vigilance both when deploying Wi-Fi networks and when training our employees to safely use Wi-Fi.
Hot Spots in the Parking Lot.Wi-Fi introduces unique challenges above and beyond those of wired networks that are important for senior leaders to understand in order for them to better identify, assess and prioritize risk. As the National Institute of Standards and Technology (NIST) put it, “Perhaps the most significant source of risks in wireless networks is that the technology’s underlying communications medium, the airwave, is open to intruders, making it the logical equivalent of an Ethernet port in the parking lot.”
NIST’s metaphor is particularly apt. Ten years ago, two individuals were arrested for hacking into the unsecured wireless network of a home improvement store, from the parking lot. Doing so reportedly allowed them to route through the chain’s national data center as well as through individual stores located in seven states, coast to coast. All Wi-Fi communications are easily captured with freely available software, although doing so may be unlawful. Bad guys read the data that is unencrypted (often to include usernames and passwords) and use programs to defeat the security of data that was poorly encrypted.
Home Wi-Fi vs. Enterprise Wi-Fi.As a first step, small and medium businesses must decide whether to resource and adopt the latest WPA2 encryption protocols and capabilities that are designed for enterprises, rather than the less complicated, less expensive and ultimately far less secure “personal” home user standards. That choice will determine the extent to which a company can readily provision different wireless networks, with different security profiles, for particular user groups (such as distinguishing between guests, employees, vendors and even conference rooms). Enterprise security features are particularly helpful for restricting users with a lower security profile from gaining access to more sensitive networks that your company nonetheless wants to make available to others. Its superior encryption scheme employs an external server to provide unique encryption keys to each user who enters a valid username and password. By doing so, enterprise mode also prevents users on the same network from eavesdropping on one another (a possibility in personal mode since all users encrypt their sessions with the same password). Enterprise mode also is more conducive to the change management requirements of larger and more fluid organizations.
Your IT staff also is responsible for implementing specific best practices for using your Wi-Fi network and establishing technical controls for specific operating systems that will protect employees both on and off your Wi-Fi network (such as disabling ad hoc networking between computers and turning off file and printer sharing).
Beware of Rogues and Evil Twins.Regardless of the authentication method your company uses, it is important to ensure your employees are prohibited as a matter of policy, training and practice from setting up their own “rogue” access points and that you have experts to hunt down any such devices and determine how they got there. In addition, employees must be trained about the dangers of joining third-party networks, to include those that appear legitimate.
In 2012, the FBI warned people traveling abroad to be especially careful of hotel Internet connections that presented pop-up windows for software updates. The updates turned out to be malware, which calls to mind the dangers of an evil twin attack, which is a Wi-Fi hotspot that appears to be legitimate but is set up by hackers. Joining a bad guy’s access point leaves its prey vulnerable to a wide range of hacks and social engineering tricks, often ending in a trail of lost passwords, stolen data and installed malware. Professionals recommend either avoiding the transfer of sensitive information altogether while on a third party’s Wi-Fi network, or establishing more secure sessions by limiting yourself to https sites or VPN when visiting password protected services such as email, social networks, online banking, remote storage and online purchasing.