7 Enterprise Wi-Fi Risks You Need to Know About Today
Wireless networking has been a part of the tech mainstream for over 20 years now. When you connect to a Wi-Fi network nowadays – wherever it might be – you can be pretty sure of a fast, efficient network connection with a decent range. But how secure is Wi-Fi? Well, it’s complicated.
Don’t get us wrong – there are significant benefits to providing Wi-Fi for your staff and visitors. But as we’ll see below, by freeing ourselves from the tethers of Ethernet cables, we’ve opened ourselves up to a security minefield.
The Problem with Wi-Fi Security
The main issue with Wi-Fi is that the technology itself doesn’t contain any ingrained security features that reflect our modern cyber threat landscape. Most networks implement some kind of WPA or WPA2 encryption to keep wireless communications secure, but as we’ll find out later, that’s not all it’s cracked up to be.
As things stand, a cyber criminal could hypothetically head to any cafe with open, public Wi-Fi and turn their laptop into a highly powerful listening device. With the right tools and know-how, they can harvest any kind of traffic being sent unprotected over the airwaves. Fellow network users who don’t have the right protections in place could risk “Wi-Fi hotspot”-style credit card fraud, identity theft, malware infections, and more.
Thankfully, encryption technologies like HTTPS and VPNs are becoming more widespread, and both do a decent job of protecting Wi-Fi users’ data in transit. However, expecting people to rely on VPNs and external encryption technologies is akin to just putting a plaster over the problem. There’s nothing inherently built into Wi-Fi that protects users from the kinds of modern threats that wireless users face.
But hopefully, that may change.
Building a Trusted Wireless Environment
One of our suppliers, WatchGuard, believes that there should be a robust, global standard for Wi-Fi security, and we’re inclined to agree. Remote workers and team members who spend a lot of time “on the road” are especially at risk of bringing cyber-nasties back to the office because they’re most likely to use external wireless networks and open Wi-Fi hotspots.
With concerns like this in mind, WatchGuard have started a movement called the Trusted Wireless Environment, described as “a movement dedicated to pursuing industry cooperation in building Wi-Fi security standards”. They’re effectively partnering with global industry authorities like the PCI Security Standards Council and IEEE to bring about a new kind of Wi-Fi with security baked in by default.
If this sounds like a movement you’d like to be a part of, please consider signing their Trusted Wireless Environment petition.
7 Common Wi-Fi Security Threats
WatchGuard has identified six common types of Wi-Fi threat which plague enterprise networks of all sizes. Excellent though WatchGuard’s guidance is, we’ve added a seventh point that we feel that all enterprise organisations should be aware of too – especially if you rely on older hardware.
WatchGuard’s six most common Wi-Fi threat categories are as follows, in no particular order:
1. Evil Twin Access Points
An Evil Twin AP is an external Wi-Fi access point that looks, acts, and operates just like your genuine workplace Wi-Fi, but is actually being controlled by a cyber criminal. The intention here is to fool unsuspecting network users into connecting to the wrong network, allowing the criminal to intercept, view, and affect the data that’s being transmitted: potentially stealing access credentials, injecting code, forwarding users to malware sites, and swiping payment details.
2. Rogue Access Points
“Rogue hardware” or “shadow IT” refers to any IT hardware that is added to your network without explicit permission from your IT department. If a Wi-Fi access point is set up without a technician’s oversight, it’s unlikely to be compliant with your network’s security policies – especially if its encryption is poor or it uses default access credentials. This leaves you potentially unable to protect the users who use the rogue AP.
An insider with a grudge could hypothetically plug in a cheap access point and leave it open for them to hack later – skimming data, snooping in on sensitive communications, and accessing things they shouldn’t.
3. Misconfigured Access Points
IT technicians are only human, and during times of intense growth or restructuring, it’s easy to slip up. When pulled in a million directions at once, a technician may accidentally leave a private access point half set-up, potentially with no password, no encryption, or using default settings. Non-technical personnel may not notice any difference, but from a hacker’s perspective, any Wi-Fi communications may as well be floating through the air in plain text for all to see (especially when used in conjunction with threat number 7).
4. Neighbour Access Points
This one can be quite difficult to police. If a user hops onto a neighbouring business’s Wi-Fi to do something that your firewalls or network policies don’t allow (which is a problem in and of itself) they are no longer under your network infrastructure controls. And if your neighbour’s Wi-Fi is poorly configured, your unsuspecting policy-flouter may be opening themselves, and potentially your whole network, up to hacking attempts, in-transit data theft, snooping, and so on.
5. Rogue Client Hardware
Any device that has previously connected to a rogue access point, evil twin, or other example of suspicious IT is considered a rogue client. Depending on the cyber criminal’s goals, these devices may be loaded with malware and vulnerabilities, ready to spread them throughout your real network.
6. Peer-to-Peer Networks
Nowadays, it’s easy to set up a mini wireless peer-to-peer network to share files between devices. However, much like connecting to an unknown external Wi-Fi network, this circumvents IT security teams’ ability to apply the same level of protection through firewalls and network policies; you’ve created a network that’s a separate entity after all. If your self-made network isn’t robust enough, you risk welcoming snoopers to the party and potentially also sharing malware between machines.
We highly recommend checking out WatchGuard’s report “The 6 Wi-Fi Threat Categories You Need to Know About” for more information about these six Wi-Fi concerns. We also recommend taking a look at their Trusted Wireless Environment whitepaper which details how WatchGuard tested their wireless security product’s ability to protect against each of the above threats.
Our Number 7: WPA2 Has Been Kracked
However, there is one extra wireless threat doing the rounds that we feel more people should know about: an exploit called Krack.
The current Wi-Fi encryption standard – WPA2 – is designed to encrypt wireless transmissions so they’re protected while they’re sailing through the airwaves. However, as of October 2017, it is now possible to crack this encryption using the Krack vulnerability. If they so wanted, a cyber criminal (armed with Krack tools) could sit within range of a WPA2-protected Wi-Fi network and decrypt whatever data is flying around inside.
Though it’s by no means a definitive solution, this threat can be kept at arm’s length by using your own in-transit encryption, keeping software updated, and patching your existing wireless infrastructure hardware. The National Cyber Security Centre has a great guide about keeping enterprise networks safe from the Krack vulnerability.
WIPS to the Rescue!
Keeping enterprise-level networks protected from wireless threats may seem difficult, but with a modern WIPS (wireless intrusion prevention system), it can be done!
A WIPS works alongside a network’s regular wireless provisions by scanning the radio spectrum within the network’s range. If the WIPS picks up an unauthorised access point, it can notify an administrator or automatically tamper with the device’s connection capabilities, effectively quarantining it from all devices under your control.
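The inventory check described above, as an added sketch that is not WatchGuard's or any vendor's code: it sorts scanned access points into the threat categories from this article and lists managed clients seen on anything other than an authorised AP. The SSIDs, MAC addresses, accepted security modes and the `on_wire` flag (whether the AP's MAC was also seen on the wired LAN) are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # MAC address of the AP radio
    security: str   # mode reported by the scanner
    on_wire: bool   # assumption: sensor also saw this MAC on the wired LAN

# Constructed inventory (placeholder values, not from the article)
CORP_SSIDS = {"ExampleCorp"}
AUTHORISED = {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}
ACCEPTED_SECURITY = {"WPA2-Enterprise", "WPA3-Enterprise"}
MANAGED_CLIENTS = {"02:00:00:11:00:01"}

def classify(b: Beacon) -> str:
    """Map one scanned AP to a threat category from the article."""
    if b.bssid.lower() in AUTHORISED:
        # A BSSID can be copied, so a match is necessary but not proof;
        # here we only check the AP still follows policy (threat 3).
        ok = b.ssid in CORP_SSIDS and b.security in ACCEPTED_SECURITY
        return "authorised" if ok else "misconfigured"
    if b.on_wire:
        return "rogue"       # threat 2: unknown AP attached to our LAN
    if b.ssid in CORP_SSIDS:
        return "evil-twin"   # threat 1: external AP using our SSID
    return "neighbour"       # threat 4: a risk once our clients join it

def review(scan, associations):
    """Return (AP alerts, managed clients on non-authorised APs)."""
    verdicts = {b.bssid.lower(): classify(b) for b in scan}
    ap_alerts = sorted((v, mac) for mac, v in verdicts.items()
                       if v not in ("authorised", "neighbour"))
    client_alerts = sorted(
        (client, verdicts.get(ap.lower(), "unknown"))
        for client, ap in associations
        if client.lower() in MANAGED_CLIENTS
        and verdicts.get(ap.lower()) != "authorised")
    return ap_alerts, client_alerts

# Constructed scan results and client associations
SCAN = [
    Beacon("ExampleCorp", "02:00:00:aa:00:01", "WPA2-Enterprise", True),
    Beacon("ExampleCorp", "02:00:00:aa:00:02", "OPEN", True),
    Beacon("ExampleCorp", "02:00:00:ee:00:09", "WPA2-Personal", False),
    Beacon("printer-setup", "02:00:00:bb:00:07", "OPEN", True),
    Beacon("CafeNextDoor", "02:00:00:cc:00:03", "WPA2-Personal", False),
]
ASSOCIATIONS = [("02:00:00:11:00:01", "02:00:00:cc:00:03")]

if __name__ == "__main__":
    print(review(SCAN, ASSOCIATIONS))
```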
Our MD has a great analogy about WIPS. If your network is a nightclub, then the security guard at the front door is your firewall. If a cyber criminal wanted to enter “Club Network” without the firewall knowing, they may use any of the above scenarios to “create” a back door for themselves and silently enter. Though firewalls are essential, they struggle to combat the above wireless threats without help.
But having a WIPS is like having someone constantly monitoring the venue’s CCTV. They can immediately spot the intruder and send them on their way.
Many vendors provide WIPS products, and WatchGuard claims its WIPS is the best in the industry. In our view, they’re not wrong. As well as protecting your wireless network from intruders, WatchGuard’s WIPS protects against the six threats above, including rogue hardware and evil twin impersonation. And the best part? WatchGuard’s WIPS hardware works in tandem with other vendor hardware, so there’s no need to rip out old hardware and replace it.
So for a no-obligation chat about securing your Wi-Fi, get in touch with the team at Just Firewalls. We provide a whole host of cyber security solutions from industry leaders like WatchGuard and SonicWall. We’ll totally manage installation, and our friendly team are on hand if anything goes wrong. Call us today on 0808 1644414 or drop us a line!