Eliminating the Risk of Your Wireless Network
By Richard Timbol, ISSM/CISO, Davis Polk & Wardwell LLP
Of course, that freedom from being wired to a wall comes at the cost of greater risk to the privacy of the data you transmit through the air. Unless your wireless network is contained within a Faraday cage, the airspace your data moves through is accessible to anyone with the tools and the inclination to intercept it.
Additionally, third-party wireless networks that your users will connect to when out of the office are outside of your ability to secure and present a substantial risk. A simple Google search for the term “wireless breaches” will return page after page of breaches caused by both improperly secured wireless networks (TJ Maxx circa 2007, anyone?) and compromised third-party wireless networks such as ones commonly used at hotels and convention centers.
Wireless network encryption standards that are supposed to provide the security for our wireless networks are easily cracked almost as soon as they are introduced. Any flavor of WEP takes a matter of seconds to break; WPA, which was supposed to solve WEP's weaknesses, turned out to be almost as flawed and took minutes to crack. WPA2-PSK (AES), the “strongest” commonly available security option, can also be compromised with readily available tools such as aircrack-ng and coWPAtty.
What further weakens wireless security is that most enterprises continue to maintain a user-friendly (read: simple) password on their wireless access in order to make life easier for the user. This password is changed rarely—if at all—because of the disruption it would cause for the hundreds or thousands of users who connect to the corporate wireless daily.
So what do we do in the face of the inherent risk of wireless? Removing it from our workplace is not an option, and hoping for the introduction of an unbreakable wireless encryption standard is a long shot as well.
I propose that we shift our mindset away from concern for the security of the wireless network itself and approach the risk it presents from a different angle altogether. We should accept the fact that wireless networks will always be insecure. A wireless network is akin to a door with a simple lock that can easily be bashed in with a ram because the doorway moldings are not reinforced.
We should be spending our primary focus on how we secure the data traveling the wireless, which is really the crown jewel of concern. The solution: always-on virtual private network (VPN).
Always-on VPN technologies have matured rapidly in the last few years, offering lower cost of ownership, simpler deployment, and transparency to the user. They are no longer exclusively within reach of large enterprises that can afford to purchase and support them; hosted VPN service solutions, which remove the on-premises infrastructure and support-personnel costs that used to be tied to always-on VPN, put them well within the means of even small businesses.
Concerns about the bandwidth an always-on VPN consumes have also become a thing of the past as bandwidth has become cheaper.
The benefits of taking this security posture are manifold. By implementing an always-on VPN you can logically segregate your wireless network from your enterprise network, all but eliminating the threat of your wireless network providing a bad actor with ingress into your data network. The segregation works because, with the VPN appropriately configured, the device of a user who is on the corporate campus but not connected by wire seamlessly switches over to the VPN and maintains both the session and the security of the data communication. At that point your wireless network is simply a guest internet portal and requires no internal access to your network. If someone hacks into your wireless network, the only thing they can get is free internet, not your users’ credentials, credit card information from shopping, emails, or corporate data being shared internally. The same posture also protects your users on third-party wireless, provided you make certain that the always-on VPN connects immediately upon connection to a wireless signal, is not split-tunnel, and cannot be disabled by the user.
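Of the three client-side conditions just listed (connect immediately, no split tunnel, not disableable by the user), the one a device can verify from its own routing table is "no split tunnel". The following Go program is an added example, not code from the article or from any VPN product: it parses `ip route show` output and reports whether all off-link traffic is carried by the VPN interface. The interface name `tun0`, the addresses, and both sample routing tables are constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Route is one parsed line of `ip route show` output.
type Route struct {
	Dst       string // "default", "10.8.0.0/24", or a bare host address
	Dev       string // outgoing interface
	Metric    int    // 0 when the line carries no metric
	ScopeLink bool   // the interface's own on-link subnet
}

// ParseIPRoute splits `ip route show` output: destination first, then key/value pairs.
func ParseIPRoute(out string) []Route {
	var routes []Route
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		r := Route{Dst: f[0]}
		for i := 1; i+1 < len(f); i++ {
			switch f[i] {
			case "dev":
				r.Dev = f[i+1]
			case "metric":
				r.Metric, _ = strconv.Atoi(f[i+1])
			case "scope":
				r.ScopeLink = f[i+1] == "link"
			}
		}
		routes = append(routes, r)
	}
	return routes
}

func isDefault(dst string) bool { return dst == "default" || dst == "0.0.0.0/0" }

// isHost reports a single-address route, such as the pin that keeps the VPN
// gateway itself reachable outside the tunnel.
func isHost(dst string) bool { return !strings.Contains(dst, "/") || strings.HasSuffix(dst, "/32") }

// CheckFullTunnel reports whether all off-link traffic is carried by vpnIface and
// lists the paths that bypass it. Either the lowest-metric default route sits on
// vpnIface or the OpenVPN-style 0.0.0.0/1 + 128.0.0.0/1 pair does; the only other
// routes tolerated off the tunnel are the NIC's on-link subnet and host pins.
func CheckFullTunnel(routes []Route, vpnIface string) (bool, []string) {
	var findings []string
	bestMetric, bestDev := -1, ""
	lowHalf, highHalf := false, false
	for _, r := range routes {
		switch {
		case isDefault(r.Dst):
			if bestMetric < 0 || r.Metric < bestMetric {
				bestMetric, bestDev = r.Metric, r.Dev
			}
		case r.Dst == "0.0.0.0/1" && r.Dev == vpnIface:
			lowHalf = true
		case r.Dst == "128.0.0.0/1" && r.Dev == vpnIface:
			highHalf = true
		}
	}
	ok := bestDev == vpnIface || (lowHalf && highHalf)
	if !ok {
		findings = append(findings, fmt.Sprintf("default route is on %q, not %s", bestDev, vpnIface))
	}
	for _, r := range routes {
		if r.Dev == vpnIface || isDefault(r.Dst) || r.ScopeLink || isHost(r.Dst) {
			continue // carried by the tunnel, shadowed default, on-link subnet, or gateway pin
		}
		ok = false
		findings = append(findings, fmt.Sprintf("%s via %s bypasses the tunnel", r.Dst, r.Dev))
	}
	return ok, findings
}

// Constructed sample: full tunnel. tun0 owns the lowest-metric default route; wlan0
// keeps only its own subnet and a host pin to the VPN gateway (203.0.113.10).
const fullTunnelSample = `default via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0`

// Constructed sample: split tunnel. Only 10.10.0.0/16 rides tun0; the default route
// and an excluded 172.16.0.0/12 stay on the wireless NIC.
const splitTunnelSample = `default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.10.0.0/16 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
172.16.0.0/12 via 192.168.1.1 dev wlan0`

func main() {
	for name, sample := range map[string]string{"full": fullTunnelSample, "split": splitTunnelSample} {
		ok, findings := CheckFullTunnel(ParseIPRoute(sample), "tun0")
		fmt.Printf("%s: full tunnel=%v findings=%v\n", name, ok, findings)
	}
}
```

The check deliberately tolerates the wireless NIC's own on-link subnet and a single host route, because a tunnel cannot carry the packets that establish the tunnel; a stricter posture would additionally firewall the on-link subnet so the device cannot talk to other guests on the same wireless segment.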
Additionally, if you leverage certificates in your always-on VPN strategy, you make the VPN invisible to the user, a simplification the user always appreciates, and you add a second factor (what they have) to the first factor of their network user credentials (what they know), giving you a low-user-impact two-factor authentication process.
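To make the "what they have" factor concrete, here is an added Go example (not from the article and not any particular VPN product's code) of the check a gateway performs on a presented device certificate: it must chain to the enterprise CA and carry the client-authentication extended key usage. The CA names, device names and all key material are generated in-program and are constructed for the example; a certificate from the same CA issued for a different purpose and a certificate from an unrelated CA are both shown being refused.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // running serial number for the constructed certificates

// template builds a one-day certificate template; CA templates get signing constraints.
func template(name string, isCA bool, eku ...x509.ExtKeyUsage) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// mintCert generates a P-256 key for tmpl and has parent sign it; with a nil
// parent the certificate is self-signed, i.e. a root CA.
func mintCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyDeviceCert is the gateway-side check: the presented certificate must chain
// to the enterprise CA and be marked for client authentication ("what they have").
func VerifyDeviceCert(cert *x509.Certificate, roots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Demo mints two CAs and three device certificates (constructed names) and reports which pass.
func Demo() (map[string]bool, error) {
	entCA, entKey, err := mintCert(template("Example Corp VPN CA", true), nil, nil)
	if err != nil {
		return nil, err
	}
	otherCA, otherKey, err := mintCert(template("Unrelated CA", true), nil, nil)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(entCA)
	cases := []struct {
		name  string
		ca    *x509.Certificate
		caKey *ecdsa.PrivateKey
		eku   x509.ExtKeyUsage
	}{
		{"enterprise-laptop", entCA, entKey, x509.ExtKeyUsageClientAuth},     // accepted
		{"server-cert-as-client", entCA, entKey, x509.ExtKeyUsageServerAuth}, // right CA, wrong usage
		{"foreign-ca-device", otherCA, otherKey, x509.ExtKeyUsageClientAuth}, // right usage, wrong CA
	}
	results := make(map[string]bool)
	for _, c := range cases {
		cert, _, err := mintCert(template(c.name, false, c.eku), c.ca, c.caKey)
		if err != nil {
			return nil, err
		}
		results[c.name] = VerifyDeviceCert(cert, roots) == nil
	}
	return results, nil
}

func main() { fmt.Println(Demo()) }
```

The extended-key-usage check matters as much as the chain check: an enterprise CA typically also issues server certificates, and without the usage restriction any of those could be replayed as a "device". In a deployment the gateway would additionally consult revocation (CRL or OCSP) so that a lost or decommissioned device's certificate stops being a valid factor.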
With so many new and different methods of attack against the security of the enterprises we are charged with protecting, we need to consider methods different from the traditional approaches to security in order to reduce the number of vectors from which these attacks come. Eliminating wireless risk concerns via always-on VPN technology is certainly a start.