In many organisations, particularly smaller ones, WiFi is set up in such a manner that all users (guests and employees) connect to the same network through the same access point. While this makes for a really simple use-case to deploy and manage, it creates a rather significant security flaw in your network. I’m going to run through a few of the risks of this kind of configuration and what you can do about them, specifically aimed at the smaller business.
The Risk of Strange Devices
This speaks to the danger of allowing non-company devices on to the network. It can be seen in two parts – devices owned by employees, and devices owned by non-employees. It’s all well and good that the person connecting is a friend of the director’s family, who happens to be in the area and is coming over for some coffee. It’s also just dandy that Steve from marketing has been employed by the company for 9 years. But how well do you know the devices they are connecting to the network?
Exploits such as KRACK (which stands for Key Reinstallation Attack, a weakness in the WPA2 handshake used by most WiFi networks) are something to be very aware of. The fundamental idea of this type of attack is that someone’s phone could be carrying malicious software without the person knowing, and when they connect to your network, that software gets to work. It will try various means to “break” your network’s security in order to eavesdrop on your network’s traffic. So when Cindy from finance logs into your business banking, the data for that session is intercepted on its way through the air and the details are stolen. Without any fanfare or Hollywood-style hacking, in fact no-one would be any the wiser – including the person with the infected phone.
Outside of viruses and malware, devices such as laptops are also dangerous on your network from a compliance point of view. Sure, you have an IT Policy and Acceptable Usage Policy (if you don’t, please contact us) and computers used by employees are locked down, but strange PCs aren’t subject to this management. If your guest has software that is illegally downloading movies or other content, that traffic will be passing through your network and your internet connection. This could expose you to liability and cease-and-desist (or worse) action.
The Risk of Malicious Attacks
The examples so far speak to accidental or unintentional threats to your network; however, there are very real threats from deliberate malicious action. Someone can easily ask to join your network during a short meeting, and then later attempt something malicious. Once someone has joined a network, it is remarkably easy to sit in the coffee shop next door and map out the entire network. Again, it’s not the Hollywood fanfare: it’s a person in a coffee shop, sipping a latte while their laptop quietly maps out your network using any number of free (and fast) tools. Before they’ve finished that cuppa, they’ve got every device on your network mapped out.
What to do?
While there are many advanced threat detection tools out there, these are often out of reach for the smaller company given their complexity and price. Simple approaches can still yield results, given the right configuration.
Firstly, and hopefully most obviously, if someone does not absolutely need access to the internet, simply don’t give them access.
Secondly, if they do need internet access, create a second WiFi network for guests and isolate it. Routers such as MikroTik support this feature out of the box. This isolation means that any device joining the guest network cannot easily scan your internal network or reach company resources; it is only allowed to pass through to the internet (and ideally guest devices are also kept from seeing each other). This applies both to guests and to employee mobile devices. Do these devices really need access to your internal network resources, or just the internet? Define this for yourself, and build your policies accordingly.
Next, have a secure WiFi key. A short key, or a key that simply replaces the letters of your network name with look-alike numbers, is NOT a secure password (such as naming the network “CompanyGuest” and making the password “C0mp4nyGu3st”). Password-guessing tools undo that kind of substitution automatically. At the very least, use a long phrase as your password that is not easily guessable and is not derived from the network name.
Point four is often the most neglected: make sure your network equipment and devices (such as routers and access points) are up to date. Manufacturers release updates that counter some of these attacks (such as KRACK), and it’s important that you are protected.
Lastly, monitor your network, at the very least with a “Mark I Eyeball”. Keep an eye on things, watch for strange network behaviour, and keep tabs on who is accessing what. Consider network monitoring software like Spiceworks or PRTG, or for home offices look at hardware such as the Fingbox.
If you’re looking for advice on your network security, Ross G Saunders Consulting has a network of specialists ready to help. We are able to offer everything from basic advice on the above, to networking hardware, through to complete ethical hacking penetration tests. Give us a shout if you feel you need assistance, or even just a security “check-up”.