Managing Security Risks in Wireless Networks
Steps to Secure the End User
A large portion of security vulnerabilities on a wireless network can be prevented by securing the end user. Below are items to consider for mitigating end-user security weaknesses.
Policies – Enforcing policies for mobile devices, passwords, and acceptable use can help to create a secure environment in many ways. These policies not only need to be created, but they also need to be updated regularly and made easily available for users.
Security Training – Provide security training to end users on an ongoing basis, in an attempt to keep security in the forefront of their minds. Outside vendors can be used for this at a fairly reasonable cost. Users can benefit from this type of training not only at work, but also at home, so many users like to be involved in this type of training.
Secure Bluetooth Devices – Users should be educated on the use of Bluetooth devices and how to secure them. Bluetooth devices, including printers, should have Bluetooth turned off when not in use.
Rogue Devices – Inform users that rogue devices can cause security issues and should not be installed. Attackers can access these devices if the untrained user hasn’t put proper security protocols in place.
Lost and Stolen Devices – If users are to use a cell phone or a laptop on a company network, they will need to adhere to a mobile device policy. This policy should outline device security and the procedure for lost and stolen devices.
Device security should include:
- Software installed by the company to locate the device or disable it.
- Passcode/password security to lock the device.
- There should not be any confidential data stored on a mobile device.
Lost device procedure should include items such as:
- Who to notify in the event that an item is lost or stolen.
Steps to Securing the Structure
Standards Policy – A technology department should have a set of wireless standards that all employees in the department can adhere to. This will help to ensure that a secure wireless network remains secure. If an access point goes down, any employee in the department should be able to properly configure the new device to match existing devices. These types of items should be outlined in the wireless standards for a department.
- Protocol Use – This policy should include the mandatory use of the WPA2 protocol rather than WEP or WPA, which are less secure and could provide avenues of attack.
- Hidden SSIDs – To prevent an attacker from finding your SSID, you will have to keep the SSID hidden by not broadcasting it. There are programs that will still help an attacker find hidden SSIDs, so it’s best not to give too many identifiers in the SSID even though it’s hidden. You wouldn’t want to name your accounting department’s private SSID “ACCOUNTING” because this would make it too easy for the attacker if that’s what they are attempting to gain access to.
- Secure Devices – Access points should be physically hidden from sight to make it more difficult for attackers to know what types of devices they are dealing with. Also, to prevent unsecured access it’s important to make sure default passwords on all devices are changed. Attackers will attempt to use known default passwords in hopes of gaining access to the network. Once inside the network, they are potentially able to access secure information and change security criteria.
- Perimeter Security – Parking lot attacks and wardriving attacks can be reduced with proper planning when creating a wireless network. By making sure the wireless access points don’t bleed signal outside of the perimeter, attacks can be significantly reduced. To do this you may need to control the RF footprint of your network by using directional antennas and reducing power levels to a level that could still work for users within the buildings or boundaries. There are also methods that can be used such as shielding paint and window film that help to prevent signal from leaking outside of the perimeter.
Prevent Rogue Access Points – To prevent an attack with the use of a rogue device, it’s important to make sure there are none on the network. This is difficult to do unless you have a dedicated wireless security person monitoring the network. Wireless controller management software can sometimes set a standard for rogue devices and a policy of when the device goes from just being on alert to needing to be contained. Containing a rogue device can lead to legal ramifications and should only be handled by a trained professional. Another safeguard against rogue devices is to use static IP addressing. If a rogue device is plugged into an empty data jack, it won’t be able to acquire a dynamic IP address.
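The standards items and the rogue access point check above can be verified from a site survey. The following is an added example, not part of the original paper: it assumes a survey export in a constructed CSV layout, and the inventory, SSID word list, and signal threshold are hypothetical values.

```python
import csv
import io

# Constructed inventory of authorized access points (BSSID -> SSID).
AUTHORIZED = {"02:00:00:aa:00:01": "NET-7F3A", "02:00:00:aa:00:02": "NET-7F3A"}
WEAK = {"OPEN", "WEP", "WPA"}                      # the standard mandates WPA2
REVEALING = ("ACCOUNTING", "FINANCE", "PAYROLL")   # assumed word list
PERIMETER_DBM = -75   # assumed limit for readings taken outside the perimeter

# Constructed survey export: bssid,ssid,security,signal_dbm,location
SURVEY = """\
02:00:00:aa:00:01,NET-7F3A,WPA2,-48,inside
02:00:00:aa:00:02,NET-7F3A,WPA2,-62,parking_lot
02:00:00:bb:00:09,NET-7F3A,WPA2,-55,inside
02:00:00:cc:00:03,ACCOUNTING,WEP,-70,inside
"""

def audit(survey_text, authorized=AUTHORIZED):
    """Return (bssid, finding) pairs for every standards violation seen."""
    findings = []
    corporate_ssids = set(authorized.values())
    for row in csv.reader(io.StringIO(survey_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        bssid, ssid, security, dbm, location = (f.strip() for f in row)
        bssid, security = bssid.lower(), security.upper()
        known = bssid in authorized
        if not known and ssid in corporate_ssids:
            # Unknown radio advertising a company SSID: likely rogue device.
            findings.append((bssid, "unknown-bssid-using-corporate-ssid"))
        elif not known:
            findings.append((bssid, "unknown-ap"))
        if security in WEAK:
            findings.append((bssid, "weak-protocol:" + security))
        if any(word in ssid.upper() for word in REVEALING):
            findings.append((bssid, "revealing-ssid"))
        # Authorized AP heard too strongly from outside: RF footprint too big.
        if known and location != "inside" and int(dbm) > PERIMETER_DBM:
            findings.append((bssid, "signal-beyond-perimeter"))
    return findings

if __name__ == "__main__":
    for bssid, finding in audit(SURVEY):
        print(bssid, finding)
```

An "unknown-ap" finding may simply be a neighboring network, so it calls for review rather than automatic containment.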
Enforced Policies – Dictionary attacks can be prevented with the use of strong passwords and an enforced password policy. It’s much more difficult for an attacker to gain access using a dictionary attack if the passwords are longer, use special characters, numbers, and avoid using proper names or words that may actually be found in a dictionary. This makes it more difficult, but it doesn’t make an attack impossible. The enforced password policy should also force users to change their passwords on a regular basis.
Encryption – Eavesdropping is a difficult threat to prevent without locking down the network so tightly that even authorized users can’t access it. The only way to really prevent eavesdropping is to change the encryption key often, so that the attacker is unable to decrypt the messages that come through.
WIDS – Consider using a wireless intrusion detection system. Wireless intrusion detection systems can protect a company from nearly all vulnerabilities or attacks, but they can be quite expensive and difficult to maintain.
Antivirus – Install antivirus on wireless devices. If somehow a device suffers an attack of malicious code/software, the antivirus should help to notify the user that an attack has happened and give the user an idea of what they need to do, or it could remove the virus before it wreaks havoc on the network.
Securing a wireless network is not a weekend project. This is a task that requires a lot of planning. The planning starts long before the network is even powered up and should continue indefinitely. This paper is in no way an exhaustive list of the wireless security issues to consider. With changes in technology come new security issues and threats.
Following a few recommendations from this paper will help to steer a wireless security network in the right direction.
Here is a summary of recommendations to follow to do just that.
- Create and put policies in place such as:
  - BYOD/MDM Policy – Policy should include:
    - Device security requirements
    - Lost or stolen device procedure
    - Signed agreement annually
  - Wireless/Acceptable Use Policy – Policy should include:
    - Signed agreement annually
    - Users agree to monitoring
    - Users agree to use the network for work use only
  - Password Policy
    - Outline password length and complexity requirements
    - Passwords changed at least every 3 months
- User training should be conducted monthly as a requirement for continued wireless access.
  - Training should be verified by the training department
  - Training should include email security, wireless security, password security, and internet security
- Wireless audits should be completed either internally or by a vendor. This should be completed quarterly to make sure the network hasn’t been compromised since the last audit.
- Create a standard for configuration and management of devices on the network in order to give the technology department a standard to go by in the event anything on the network needs to be changed or added.
- Implement a change management system to track changes that have been made in case a security event occurs.
- Install and maintain network level antivirus on all devices.
  - Logs should be monitored daily for viruses.
  - Virus definitions should be updated weekly.
  - Virus scans should be performed weekly.