Transcript of "Wireless Security Controls Too Lax for Data They Need to Protect"
Wireless security controls are often too lax for the data they need to protectAt Redspin we are often asked to perform wireless security assessments for organizations that haverecently deployed or upgraded their wireless infrastructure with top-of-the-line access points (APs),controllers and wireless intrusion detection systems (WIDS). Many deployments are to support inter-officemobility – a need that has gone from a rising tide to a tsunami in parallel with the mass adoption of mobiledevices such as smart phones and Apple iPads. Virtually every CIO and CSO that I meet these days aregrappling with the question of how to support employee requests for connectivity – often times by seniorexecutives. These devices themselves are inherently risky due to their highly mobile nature, ability to storeand access sensitive data, and immature enterprise security management support. For today, lets focuson the corporate wireless infrastructure itself. The problem is less about the capabilities of wireless securitytechnology and more about the lack of a thoughtful deployment of these systems. Wireless networks needto implement security controls that are at least as good as the existing controls on the data they are tryingto protect.The most consistent problem is that wireless networks are deployed with less than optimum securitycontrols. For example, using WPA2 in personal mode rather than enterprise mode. The upside of personalmode – in which clients, such as laptops and iPhones, authenticate to the networks with a pre-shared key(PSK) – is that its easy to manage and configure. The downside of this approach that it is vulnerable to apassword guessing attack, cached client credentials, system-wide risk in the event of a compromised keyand rogue access points. This risk may be acceptable for access to a wireless network whose onlypurpose is to provide Internet access for guests or mobile devices. However, many wireless networksbegin with this simple purpose in mind only to evolve into much more access into the internal network.Wireless network signals travel well beyond your corporate office space. In a downtown office environment,dozens or even hundreds of other businesses or public areas are able to “see” these signals. Its as if youare grabbing a hand full of network cables that are connected to your internal switch and lobbing them outinto the street for everyone to use. This greatly extends the attack surface area for wireless networks, soits imperative that they are configured with security settings that are appropriate to the data they need toprotect.With wireless networks, there are a great many security configurations available to support a variety ofbusiness cases. Its critical to ensure that usage scenarios are carefully evaluated before a network isdeployed to ensure that appropriate security controls are implemented. Once deployed, wireless networksshould be tested to verify that the controls are actually working effectively.www.redspin.com Meaningful Healthcare IT Security™ 800.721.9177