Since its first foray as a valid network connectivity medium, Wi-Fi has always had suspicions raised around its security. In the early days, the classic question was: "Isn’t this the equivalent to putting a network point outside my building?"
That was over 10 years ago and we all seemed to overcome that concern fairly quickly. Now fuelled by the recent explosion of BYOD initiatives and the transition to cloud, wireless has made its way back to the top of the ‘most feared’ list when it comes to security.
According to our independent global study, which surveyed almost 1,500 IT leaders at mid-large organisations, wireless was viewed as the most vulnerable element of IT infrastructures, and 92% of CIOs believe their current wireless security set-up is not adequate for today’s threat landscape and mobile-first world.
If Wi-Fi has somehow managed to have "gotten away" with a less critical rep than its traditional networking or application counterparts over the years, it may be down to the complexities around ensuring its ‘usability’, with the sheer demand for quick, easy connectivity trumping any rising security concerns.
However, the threat landscape’s shift from connection-based to content-based attacks has made that security/usability trade-off argument obsolete. There are a whole host of attacks ranging from infrastructure-targeted threats from rogue access points, to targeting users with honey pots out there today.
But the recurring theme across securing Wi-Fi, more than any other infrastructure, is making it useable, simple as well secure.
You’re only ever as strong as your weakest link
Content from our partners
With cybercriminals deploying more advanced targeted attacks and increasingly shrewd ways to manipulate individuals to bypass security, it’s never been clearer that organisations are only ever as strong as their weakest link. As an industry we have secured many important factors in the Wi-Fi communication process, so there is very little reason your weakest link should be the wireless network.
And yet all too often Wi-Fi security focuses solely on what may seem, logically at least, like the most vulnerable part: the link between client and access point or "the air". It’s not; it’s no longer safe to assume that once you are securely connected onto the network that your job is done.
Too many of today’s breaches occur because of a lack of focus across the spectrum of possible threats or attack vectors. Rapid innovation on the malware front, the exploitation of new zero-day vulnerabilities, and emerging evasion techniques can all render any single approach to security ineffective. In order to counter these increasingly sophisticated attacks, wireless security must bring together multiple security technologies and it must not be siloed, but part of your business’s wider IT security strategy.
Beyond authentication
Beyond basic authentication, you need to protect from threats on the network and devices, malware, malicious websites and a variety of network intrusion threats that are continuously evolving to become more sophisticated.
The majority of enterprises are not there yet. The CIOs in our research are right to be concerned, as almost 40% of do not have this basic security measure of authentication in place.
While more than 60% of organisations use anti-virus scanning, and 70% use firewall (still very low!), less than 40% protect their wireless networks with IPS, application control or URL filtering.
And perhaps it’s best not to mention guest access, as 13% of organisations deploying guest access on the same WLAN network used by employees reported that guest Wi-Fi is totally open. A further 24% allow guests to use a shared username and password, which really limits monitoring and tracking capabilities.
Combined, these findings suggest wireless security is still not being treated as solemnly as it deserves, and certainly with less attention than its traditional wired network counterpart.
In the face of advanced persistent attacks increasingly targeted at multiple entry points, overlooking the most basic security measures is playing with fire.
Balance security with usability
So what should enterprises be doing to secure their wireless networks? The challenge lies in getting the balance right between making your network secure but also still easy to use.
Don’t fall into the trap of forgetting the basics. Secure authentication is a must, with suitable security and authentication for roles, such as guest, employee or BYOD. There are many ways to look at guest networking (as it also depends on the type of guests), but a commonly accepted approach is to use a captive web portal with unique usernames and passwords for guests. Again what happens after authentication (where users go, what’s available on the network and what security checks are made) is just as important as how users get on to the network in the first place.
Part of this includes subjecting your network’s traffic to real-time antivirus scanning as well as usage controls (such as time of day, length of session, rate limits) and content filtering through guest policies associated with a guest SSID. This is where separating traffic really becomes key to securing different users in different ways.
It’s also critical to choose a network topology and architecture that suits your requirements in the here and now, but can also be adapted should those requirements change in the future. This is particularly true from a wireless security perspective, as potential changes are undefined and unknown, but your system should be adjustable.
While no one approach works in every case, a simple way to achieve the above with little disruption is to implement tunnelled service set identifiers (SSID) to a controller – especially if the controller has full security and next-generation firewall capabilities as well as elements like data leakage protection. This means traffic can be easily secured, inspected and actioned as is appropriate according to the security policies in place.
The research findings showed that 72% of respondents managed part of their network through the cloud, and also revealed information security is a critical concern. While cloud management is powerful and suitable choice for many organisations, having the flexibility to tunnel traffic to a secure end point (like a controller) is definitely something to think about in order to help mitigate the top risk of sensitive information leaks.
Once your security system is in place, make sure you conduct regular re-assessment and on-going information gathering on the Wi-Fi networks uses, capabilities and threats and adapt your system’s behaviour accordingly.
Can wireless ever be secured? Of course it can. It’s simply down to how you architect, deploy and implement it.
