‘Out of sight, out of mind’ is a proverb that doesn’t apply so well in IT security. If anything, the inability to actually see a service can be a cause of anxiety and has led to many arguments about the security of cloud services.
That same thinking also applied in the early days of wireless networking. If you can see it, you can secure it. Therefore, the reverse should also apply, right?
“When we first started bringing wireless into the mainstream for enterprises, there was a huge amount of concern around the security aspects of it, because what you can’t see you assume could be a bigger threat,” says Kathryn Soares, director at the Perth-based IT provider Vizstone.
“Certainly over the past couple of years people are a lot more open to the idea of running their entire network on a wireless infrastructure.”
In recent years enterprises have flocked to wireless networking as convenience has overridden those concerns.
Wireless networks are, of course, still prone to many of the vulnerabilities that plague fixed network devices: firmware flaws, poor human behaviour (failure to change default passwords, for instance) and bugs inherited from open source code.
While these can be mitigated through patching, the very nature of wireless networking – where anyone with a suitable device can attempt to connect – should give network managers pause, especially as the number of devices attempting to connect to their networks proliferates thanks to the internet of things.
“There’s a big difference with the wireless medium,” says Mark McSherry, director at Brisbane-based wireless networking specialists IPTel Solutions. “It’s open to anyone scanning it and trying to connect. As with any security posture though, you need to apply multiple approaches, and monitor the network.”
McSherry says IPTel promotes the use of certificate-based authentication as the most secure method of connecting clients. Any older equipment using WEP-based encryption should be junked in favour of equipment using WPA2 (and soon WPA3). And because wi-fi is a radio-frequency medium, he advocates scanning the air for intrusion attempts to determine whether the network is under attack.
“You can also apply policies which can restrict client access to the network, either temporarily or full time,” McSherry says. “The ongoing monitoring is the layer not all organisations are currently using. Wireless intrusion prevention is a service some of the vendors support to provide alerting on suspicious behaviour and allow the network admins to track the suspicious clients down.”
As the executive director for information technology services at Victoria University, Zoran Sugarevski must carefully weigh up the consequences of deploying wi-fi to a community that includes thousands of students, employees, researchers, contractors and guests – all with different needs, and all with different security profiles.
Late last year Victoria University completed a 12-month rollout of Cisco wi-fi solutions, including its Identity Services Engine (ISE) and Stealthwatch monitoring technology.
“From a strategic perspective, the wi-fi network over the next couple of years will become our primary network,” Sugarevski says. “We are already starting to see significant shifts around the way in which we make decisions and planning around that.”
Victoria University uses segmentation as a key defence to prevent unauthorised access, isolating systems that are critical or core to the organisation from the wi-fi network.
“With the new WPA3 standards that have emerged, these will provide further opportunities for the university, particularly where we collaborate with industry and have enabled free wi-fi for particular areas,” Sugarevski says.
Specifically, WPA3 adds protections that guard against the use of weak passwords through a more robust handshake, eliminating the threat of the so-called Key Reinstallation Attack (KRACK) vulnerability uncovered last year, and adds individualised encryption and an easier management interface.
Such technologies will prove useful as the next biggest threat to network security, the internet of things (IoT), begins to take shape.
“We are seeing a significant growth of the number of devices connecting to our wi-fi network, and it is not just your traditional phone and your laptop,” Sugarevski says. “The emergence of the IoT devices is significantly growing the traffic on the network, but it is also becoming a lot more difficult for us to manage these devices connecting in. We are very aware of the growing potential of malware on mobile phones.”
And with good reason. According to Fortinet’s Threat Landscape Report released in June 2018, 21 percent of organisations reported mobile malware, up seven percent.
Soares agrees that even though the so-called headless devices lack the ‘brains’ to do much on their own, they do have the capacity to contain malware or a virus.
“Those devices don’t have a lot of smarts to them,” Soares says. “They just connect to the network and do that one function that they have been created to do.
“However, they do have enough room on them to perhaps contain a bit of spyware or a virus. And if it connects to the wireless and is allowed on to your corporate network and it does contain something like that, that virus can then spread.”
Soares says the solution is normally to implement smart antivirus filters in the back end of the network to monitor the communications coming out of these devices and prevent them from doing whatever they shouldn’t be doing.
Sugarevski says Victoria University is also seeking to understand the patterns of traffic, to identify whether those devices that are now connecting in are a potential threat. That includes tapping into the big data capabilities in the university and using artificial intelligence and machine learning to find patterns in the huge volume of its wi-fi data.
“We leverage a commercial security operations centre, so it is about feeding that operation centre with these alerts and information,” Sugarevski says. “We can’t cope with the level of data that the wi-fi network is producing to be able to analyse that, so the machine learning and the AI is the next step for us moving forward.”
Not all threats to wi-fi networks are so advanced in their nature. One of the most serious consequences of a compromised network is that it will become unavailable, and hence damage the user’s productivity and interaction with clients.
It might surprise some organisations, however, to find they are actively inviting onto their premises the very technology likely to take their network down. Its location? The kitchen.
“A microwave oven can interfere with the ability to get your wireless connection properly,” Vizstone’s Soares says. “But it is not the type of thing you think of when you think of a denial of service attack.”
Unfortunately both microwave ovens and wi-fi operate in the same frequency band: 2.4 GHz. Hence, Soares says, when designing a network for clients her team pays close attention to the layout of the area to be covered, creating a heat map and ensuring that the signal can traverse difficult areas such as lift cores and kitchens without leaking too much to the outside world.
“If you walk away from that building and can still see their wireless network, that is a security threat,” Soares says.
Vizstone takes a lot of effort to fine-tune the wireless so that, as much as possible, it is only visible within the company itself.
“When we come to wireless we just have to be far more rigid around the security aspects that we bring in to it,” Soares says. “So authenticating every device, authenticating every user, ensuring that we are using the highest security parameter that we possibly can when implementing the wireless networks themselves.
“It is different types of issues you are dealing with, which means that you have to come at it with a slightly different way of thinking.”