Since the assault on the Wi-Fi network of the US-based TJX retail group in 2007, there has been no further high-profile data breach involving this communications channel.
Does this mean that the TJX breach was enough to shock corporations into ensuring that Wi-Fi networks were secure, proving that it usually takes a big breach to spur across the board action?
On the surface of it, the answer appears to be to be “yes” in the absence of any headline-grabbing incidents involving Wi-Fi communications.
Since 2007, Wi-Fi products have matured and most corporations appear to have switched to the latest and most secure wireless security protocol WPA2 instead of its less secure predecessors WPA and WEP.
In light of better out-of-the box security and fairly widespread adoption of WPA2 and more recently encryption for Wi-Fi data transmissions, the overall situation has improved.
Most corporate wireless networks are also now under the control of IT and network or information security, says Adrian Davis, principal research analyst, Information Security Forum (ISF).
Those networks are also configured better, providing some level of security, and the actual wireless networks, protocols and associated equipment are more secure, including secure out of the box, he says.
Best practices for Wi-Fi security
- Encrypt all traffic;
- Enforce access controls;
- Set up a guest wireless network that is physically and logically separate from the corporate one;
- Place an edge device such as a firewall between the corporate wireless and wired networks;
- Enforce acceptable use policies for Wi-Fi access;
- Educate users about the risks of using unprotected Wi-Fi access;
- Ensure all Wi-Fi router and access point default passwords are changed;
- Update all security protocols to WPA2.
In the corporate world, the expertise to set up and configure secure wireless networks is also much more widely distributed, says Davis.
“Additionally, wireless networks are no longer a prime route for hackers to attack and infiltrate a corporate network,” he says.
Davis believes organisations are more likely to be attacked via the internet or a compromised device, as these provide a richer environment from which to attack and attempt to compromise an organisation.
However, that does not mean that every business is immune from Wi-Fi attack, particularly small and medium enterprises (SMEs) that typically lack the expertise or resources of larger corporations.
The fact remains that, as the use of Wi-Fi connections increases, so does the potential exposure to data theft if the appropriate technological controls, policies and procedures are not in place.
Although compromises are not making the headlines on a regular basis, this does not mean that it is not happening, particularly in smaller organisations, according to security firm Kaspersky Lab.
For both large and smaller organisations, some common Wi-Fi security failings persist.
Encryption is still not used in all instances for the transmission of data across Wi-Fi networks, says Sergey Novikov, deputy director or the Kaspersky Lab global research and analysis team.
With the proliferation of consumer devices in the enterprise, the use of these devices to connect to corporate email and other systems using public Wi-Fi is also common, he said.
In both cases, bad practices are exposing potentially sensitive corporate data to harvesting by cyber criminals tapping into the Wi-Fi network.
Encryption is essential and there should be no access to corporate systems over public Wi-Fi that is not though a virtual private network (VPN) connection, says Novikov.
Consequently, open Wi-Fi connections at hotels, airports and coffee shops are becoming the weak links in security for many organisations through the pursuit of greater productivity.
These connections are typically unsecured, making users vulnerable to WiPhishing and man in the middle attacks.
The cost of a data breach – either directly or indirectly through credentials sniffed on a Wi-Fi network – is likely to outweigh the cost of mandating a VPN for business use, said Novikov.
Alongside the use of VPNs, organisations should consider providing provide them with a mobile hotspot that uses a connection to a 3G network to create a personal Wi-Fi network for employee.
According to David Emm, senior regional researcher for Kaspersky Lab UK, using a 3G connection is inherently more secure as the connection is encrypted.
This approach reduces the risks associated with open Wi-Fi connections as well as rogue Wi-Fi access points.
These are access points deliberately set up by attackers to mimics a genuine hotspot in the hope that victims’ mobile devices will connect to it by mistake.
The sign-up page typically looks like the genuine one to trick users into entering their credentials or credit card details.
A similar type of attack uses an ad hoc peer-to-peer network masquerading as a legitimate network.
Unwary users connecting to the malicious Wi-Fi network will still be able to access the internet, except all their traffic will be visible to the attacker.
“The old trick of creating a fake AP is still very common as naïve users still connect to these without giving it a second thought,” says Sandeep Kumar, a London-based security consultant.
“Now with a proliferation of Wi-Fi networks rogue APs can easily hide among all the legitimate ones and convince people to connect,” he said.
The default passwords of all Wi-Fi routers and AP should also be changed upon installation, said Kumar, to stop attackers exploiting industry default passwords.
Allied to the problem of rogue AP is the increasing use of personal increasing use of personal Wi-Fi spots.
“This is possibly the main Wi-Fi security pain point for many organisations today,” says Amar Singh, chair of ISACA UK Security Group.
Historically these hotspots had to be created using a router, he says, but today these can be set up very easily using a smartphone.
The increasing use of smart devices in the organisation exacerbates this problem because most mobile operating systems remember the last ten or more Wi-Fi hotspots.
“This ‘feature’ is a weakness as it enables attackers to clone trusted hotspots and carry out man-in-the-middle attacks,” says Singh.
As in most cases, technology alone is not enough and must be supported by a clear and comprehensive set of policies and user education about the risks and how to mitigate them.
In tackling personal Wi-Fi hotspots, Singh says his main focus is on educating the user and making them aware of the dangers of this practice.
“The proliferation of the mobile device makes it very difficult, especially given the current budgetary environment, to technically control this behaviour. The best way forward is to take the user on the journey with you,” says Singh.
In the case of targeted attacks, Kaspersky’s Sergey Novikov says it is the top executives who are most at risk.
“Yet, it is the top executives that are often not included in corporate security awareness training programmes,” he says.
Wi-Fi security may have slipped down the agenda because of increased attention, especially in Europe, to the security and privacy challenges of cloud computing and consumerisation of enterprise IT, yet it remains important and should not be overlooked.
Despite growing maturity in Wi-Fi implementations, increased out-of-box security capabilities of Wi-Fi products and greater use of WPA2 and encryption, challenges remain.
While some of these threats can be mitigated through technical controls and other measures, user education and awareness remains key in ensuring Wi-Fi security.