If misconfigured or unmaintained, the public/guest wifi can be one of the largest holes in your WLAN security. Constant vigilance and following WLAN security best practices are the only ways to safeguard against ever-evolving threats.
We recently wrote about Wi-Fi 6 and how it will bring better connectivity and speed for everyone on your enterprise wifi network. As activity on your network increases, it will be critical to protect your Access Points (APs) from nefarious activity.
WLAN Security Vulnerabilities and Threats
Anyone within range of a guest network that isn’t segregated physically from the LAN has the propensity to expose your information. Security breaches, especially those that compromise customer data, can put your business at risk.
Whether it’s an inside job (a disgruntled employee releasing malicious software) or an outside job (Hackers parked outside your building wardriving) the threats below are all too common.
This is especially true if you haven’t employed any whitelisting/blacklisting concepts for your users.
Releasing Malicious Software
Anyone can purposefully or accidentally navigate to an area online, and spread malicious software, such as any variety of ransomware, which has been quite effective over the past few years. Cerber, targeting Office 365 users, and GandCrab, which has been excellent in avoiding detection, both use phishing and cloning to lock up your network. As a matter of fact, several municipalities, including the city of Baltimore, have been held hostage recently with ransomware.
Insecure Or Unmonitored Devices
An employee leaving a device out in a public place (like a coffee shop where someone is working remotely) can leave you vulnerable to attack. It’s important to have a lost/stolen policy, as well as the physical locking system installed on each employee device. Remember to collect all company devices from employees at the time of termination or release.
Spoofing, Rogue Servers, and Imposters
The intent here is to steal information in plain sight by tricking clients into joining networks that share the same name. MAC spoofing can occur if a client hears a device name through network traffic, and clones their own. This can be dangerous, especially if the cloned client is commonly connected to a variety of individuals, exposing more information.
Brute-forcing is a cryptanalytic attack that involves a hacker attempting to break into your network or account by guessing your password through a series of searches. This is possible on both guest and internal wifi networks.
Dictionary attacks are attempts to guess your password using commonly used words and phrases (Password123 anyone?).
They’re quicker than brute-forcing, and often effective. These types of attacks are often a result of bad practices like not including alphanumerics in your passwords and/or forgetting to change passwords frequently.
Protecting the Enterprise Network
Here are 5 ways to improve your wireless enterprise network security.
1. Use Stronger Passwords
Use strong passwords, and change them frequently. Avoid using easily discovered personal information in your passwords, as those who know details about you or your coworkers can use them to their advantage. Always have a combination of letters, numbers, and symbols in yours.
2. Revise Your Security
DDOS attacks are commonly deployed, via coordination, automation, or some combination thereof, and they’re designed to overwhelm outward-facing services, or the inside network with requests. These attacks hammer away until it all buckles under the load. Use a hosted protection service, such as Cloudflare, to prevent these attacks. Always be sure to maintain your UTM and enforce security best practices.
3. Practice Better Key Management
While complicated, encryption key management is critical to your WLAN security. You’ll need a plan for management and for when there’s a problem. Some enterprises choose to adopt centralized, in-house enterprise key management services.
4. Put Your APs To Bed At Night
Response times are critical if your network has been hit, and unmonitored endpoints won’t let you know they’ve been compromised. Besides having a robust UTM, you’ll want to turn your APs off overnight or during downtime. That way, you’ll be able to respond to threats immediately.
5. Conduct A Wireless Site Survey
Are you aware of every single access point in each of your buildings? IT teams are often surprised to find APs deployed without their knowledge or permission. Conducting a wireless site survey can help. You’ll also want to do an inventory of all of the company devices (laptops, phones, etc.) so you can implement WLAN access controls and know if there are any stolen or missing WLAN adapters.
Bonus Tip: Utilize Cloud Management
Having a live, running list of all network peripherals can help you spot rogue APs, SSIDs, and equipment.
Our team can conduct your wireless site survey and provide analysis that can help you reorganize, upgrade your existing network, or prepare for new construction deployments.