Financial exposure

Wireless networks are an essential cog in large, modern businesses. But if left unsecured, they leave companies vulnerable, especially in a city abundant with close, competing companies...
Wireless networks are an essential cog in large, modern businesses. But if left unsecured, they leave companies vulnerable, especially in a city abundant with close, competing companies...
John Markh, Comsec Consulting
John Markh, Comsec Consulting

Although the adoption of wireless networks is becoming increasingly widespread, this is particularly true of high-density urban environments such as London’s financial districts, where a high number of mobile workers are employed.

 

But while wireless networks may seem like a godsend for companies in areas like the City of London and Docklands – not least because the technology is relatively cheap, easy to implement and enables inevitably time-pressured staff to work more flexibly – there are various security issues to be considered that are less of a concern in more rural settings.

 

The key difficulty in metropolitan areas, where wireless local area networks (Lans) tend to be most prolific, is radio waves seeping out of the buildings. This can result in data leakage if the network is not safeguarded properly – potentially disastrous if the information is market-sensitive, such as concerning plans for mergers.

 

Rhodri Davies, technical architect at UK security services provider Vistorm, explains: “With a wired network, you have to get close enough to listen or interfere, but wireless by its very nature is broadcast so anyone in range can reach it. With some wireless access points (APs), you can tune broadcast strength to reduce the range, but even so, someone with a large antennas can pick it up and listen because there’s no physical containment.”

 

Another challenge related to this is the potential for interference by radio signals from elsewhere. Because organisations by default “are not in total control of the medium like they are with wired networks”, third parties can broadcast on them too. This can interfere with legitimate signals and even open the way to denial of service attacks.

 

“People may not be able to listen to the network, but they can jam it by transmitting on the same frequency and it might not even be malicious – it could just be wirelessly noisy machinery,” explains Davies, such as microwave ovens.

 

As a result, organisations are advised to undertake a site survey, not only to understand where APs should be placed in order to optimise their range and coverage and to minimise these issues, but also to establish how much of the frequency is already in use.

 

John Markh, an information security consultant at Israeli firm Comsec Consulting, explains the worry here: “Technology has moved on from five years ago, but there’s still the issue that, as more people use the same frequency, the less bandwidth there is available, particularly in high-density zones. This means that if you want to deploy latency-sensitive applications such as voice, they can become unusable. And this problem will only increase as uptake rises.”

 

To make matters worse, large amounts of metal such as that found in the structure of buildings can also interfere with signals. This, in turn, may lead to black spots and disconnect users from the network.

 

“Undertaking a site survey helps you work out how many access points you need, where they should be placed and how to configure the antennae for best coverage,” adds Markh.

 

Leaking data

 

“It’s not clear that organisations always ask themselves those questions, especially at the small-to-medium enterprise and mid-market level, where there’s often no dedicated security role,”
Mike Gillespie, Advent Information Management

 

Another crucial safeguard is to encrypt data passing over the network. This helps to tackle the thorny issue of radio waves seeping from the building because, even if the network is penetrated, it means that malicious individuals cannot read sensitive information without the key.

 

While all new enterprise-level kit supports the WPA2 (WiFi Protected Access) data encryption protocol for 802.11i-based networks, which means that data leakage is less of a threat, equipment of more than three years old tends to support only the notoriously insecure WEP (Wired Equivalency Privacy) protocol. This has been cracked by experts in as little as 10 seconds and is still deployed widely.

 

To rectify this situation, however, it is possible with some systems to download firmware from the vendor’s web site to upgrade them to WPA2 – although others simply have to be replaced. It is also worth noting that, in order to work, WPA2 support must exist on both the AP and client.

 

Nonetheless, Ken Munro, managing director of UK penetration tester SecureTest, says: “New kit supports a range of protocols, but it’s amazing how many people opt for using WEP, which is outdated. But for any corporate implementation of wireless for applications such as hot-desking, you simply have to use WPA2 as it’s so much more secure.”

 

There are other simple steps that organisations can take, however, to ensure that their networks are not exposed. The first and most frequently overlooked one is to establish the organisation’s security posture and the amount of risk it feels able to bear. For example, the business model of a dot com start-up company may well be based on taking risks for potentially high returns, while a bank is likely to have a very different outlook.

 

In security terms, however, what this means is ensuring that all protection measures are commensurate with the importance of the function that they are trying to safeguard and the sensitivity of corporate data potentially flying across the network.

 

Mike Gillespie, principal consultant at UK security consultancy Advent Information Management, explains: “You have to look at the function of the network and ensure that you address all risks associated with it based on required functionality, types of users and the sensitivity of data transmitted. From that, you can then determine the level of security that’s going to be appropriate.”

 

The problem however is that “it’s not clear that organisations always ask themselves those questions, especially at the small-to-medium enterprise and mid-market level, where there’s often no dedicated security role,” Gillespie adds.

 

As a result, if purchasing wireless equipment for the first time, it is crucial that organisations undertake a risk analysis when designing their networks, not least to provide vendors with a defined list of security requirements.

 

Once the kit is in place, however, it is worth bearing in mind the common mistake of simply retaining default passwords on routers and APs. As Markh points out: “That’s the first thing that hackers or security auditors go for as it gives them access to any device on the network.”

 

A second consideration is that of configuring the device to hide the network name or SSID (Service Set IDentifier), which should also be changed from default mode to something that is not patently obvious like the company name.

 

You can’t hack what you can’t see


“All staff members using laptops should use a separate virtual Lan so that if it’s compromised by malware and the like, it’s very easy to shut them off from the main network and isolate the problem.”
Ken Munro, SecureTest

 

All devices accessing the wireless network must have the same SSID to communicate with each other, but the name can be detected using network sniffers and again used to access the network. So the idea behind hiding it, says Markh, is that “you can’t hack something that you can’t see”.

 

Another useful security layer in this context, meanwhile, is only to allow authenticated devices to connect to the network. While it is possible to buy dedicated authentication boxes, known as Radius servers, to this end, another option is to set up a database of each device’s Mac (Media Access Control) address. The wireless router searches this database and denies access if the Mac address is not recognised, but such a system does have a maintenance overhead and so tends only to be suitable for SMEs.

 

But it is not only external wireless networks that can cause problems. Another big issue is that of individual departments deploying their own rogue APs without the IT department being aware of it.

 

Lewis Honour, security practice manager at British-based IT integrator Logicalis, explains: “It’s quite common for people to say there are no wireless networks in place only to find that departments have put in their own when they undertake a site survey. The problem is that they won’t have taken the proper security steps so it’s a gaping, wide-open sore that provides access to the corporate network for Mr Hacker simply going past war-driving to see if he can find any open networks.”

 

Last but by no means least, however, is the question of mobile workers, which can include both visitors on site and road warriors using third-party WiFi hotspots in facilities such as cafés and airports.

 

“While the manufacturers have pretty much fixed the original problems around encryption and eavesdropping as long as equipment is set up properly, the next big problem is the security of devices connecting to the network and how many viruses they’re going to introduce,” Honour says.

 

The problem here is that the number of zero-day attacks is on the rise and some of the new malware is so sophisticated that it can turn off local device-based applications such as personal firewalls and anti-virus software without users knowing. The same applies to network admission control applications, which enforce compliance with corporate security policies.

 

As a result, those organisations providing visitor networks to enable people to access the internet must ensure that they are completely segregated from the corporate one, whether wired or wireless, to prevent infection. This can be done by either creating a new virtual wireless network or by setting up a totally separate, dedicated one.

 

The same applies to road warriors. SecureTest’s Munro explains: “All staff members using laptops should use a separate virtual Lan so that if it’s compromised by malware and the like, it’s very easy to shut them off from the main network and isolate the problem.”

 

Another option is to configure laptops so that they are unable to connect to any unknown or unauthorised networks. The aim here is to prevent the devices from making peer-to-peer connections to unknown machines, thus creating an ad hoc network. The danger here is that malicious individuals can use such networks to control users’ laptops and gain access to sensitive data.

 

But Logicalis’ Honour also recommends that organisations consider introducing desktop virtualisation software or Citrix’s and Microsoft’s terminal server software on diskless thin clients, which are booted up from a corporate USB. This enables staff to access remote applications stored on a data centre-based host rather on their local machine, removing the danger of infection.

 

“As wireless networks become a more ubiquitous connection technology and the threats become more sophisticated, organisations are simply going to have to introduce even more robust security measures,” he concludes.

 

What’s Hot on Infosecurity Magazine?