Wireless Security Must Not Be an Oxymoron
BackBy Carmi Levy — March 2009
When you go wireless, are you doing everything you possibly can to keep your confidential data safe?
Chances are you’re not. Confusing wireless security standards, hyperbolic claims by vendors and the everyday challenges of working within a still-immature, fast-evolving industry make it nearly impossible for the average IT shop to implement fail-safe solutions. As demand for mobile services explodes, however, the industry needs to find a workable way for business customers to routinely integrate end-to-end security into their wireless networks.
The general consensus from network security experts, who have collectively shaken their heads at today’s state of wireless security, is that our lax wireless security landscape makes it easy for hackers, identity thieves and other less-than-honest types to steal our data.
“Wireless networks are in many ways ‘networks of convenience’ that allow your employees to get the information they need where and when they need it in the workplace,” said Bradley Fordham, director of research and product management for Xiocom Wireless. “We should not be cavalier enough to allow that convenience to work for information thieves [as well].”
But we do — often without even knowing it. We send traffic over old routers running the already-broken Wireless Equivalent Privacy (WEP) encryption standard. Or we trick ourselves into believing that Wi-Fi Protected Access (WPA) encryption was and is a good enough replacement for WEP. We assume the “security tested” sticker on the box is enough proof that any wireless data that moves through it will be safe.
News flash: It isn’t. Almost since the first wireless solutions hit the market, we’ve taken vendor claims of wireless invulnerability at face value without independently assessing wireless security best practices.
Whatever standards we’re looking at — human or technological — there’s no reason why wireless solutions can’t be as secure as wired solutions. Solera Networks CTO Joe Levy believes increasingly user-friendly solutions are making it more difficult for organizations to use complexity as an excuse for not deploying optimally secure wireless infrastructure.
“Configuration of the encryption and authentication elements has become much simpler as technology vendors continue to refine their user interfaces,” Levy said. “While it’s still possible to run an insecure wireless network, the maturation of the medium is helping ‘insecure wireless’ transition from the norm to the exception. Because encryption and authentication is becoming commonplace, it would not be difficult to argue that today’s properly configured wireless network is more secure than its relatively unprotected wired counterpart.”
But we need to get serious about leveraging newer equipment and standards such as WPA2-Enterprise, as well as identifying and removing older solutions as they become compromised. That first-generation router that’s been chugging along in your office for five years is using encryption technology that was cracked by hackers six months after the device went on sale. Just because it’s up and running doesn’t mean it’s not a candidate for replacement, and companies that fail to move to more secure solutions risk finding themselves in the news for all the wrong reasons, said Jennifer Jabbusch, a CISO and network engineer for Carolina Advanced Digital Inc.
“You can’t fake your way through wireless security,” she said. “It’s becoming more difficult to pick the correct solution as hackers expose more vulnerabilities each day.”
Jabbusch said companies looking for that ideal solution first must understand what situations make the most sense for wireless implementation. They must assess the kinds of traffic they plan on sending over wireless infrastructure, and the level of security required in each case.
“If they’re processing credit card numbers or transmitting financial data, that’s a lot different than worrying about users accessing YouTube videos,” Jabbusch said.
Why does this matter? Because your customers don’t care whether you’re using conventional or wireless infrastructure to fling their confidential data around. All they care about is that you’re keeping it safe. Stewardship is the new mantra for companies entrusted with personal information, and serious hurt is what happens to organizations that fail to learn the meaning of the word.
Carmi Levy is a technology journalist and analyst with experience launching help desks and managing projects for major financial services institutions. He offers consulting advice on enterprise infrastructure, mobility and emerging social media. He can be reached at email@example.com.