Today we have a guest blogger, John Girard, who leads Gartner’s coverage on the security aspects of remote access, teleworking and mobile computing:
At this week’s Gartner Information Security Summit, we arranged for Motorola (an event sponsor) to perform a scan of all Wi-Fi activity to help us understand the level of defense throughout the conference area and the hotel at large. The good news was that Motorola found slightly fewer vulnerable Wi-Fi access points (74.6%) than at the RSA conference (85%), but the number was still too high, because suitable Wi-Fi protocols and best practices have been available for several years to eliminate these problems.
Weak and missing security protocols were represented in three categories:
· No encryption (open): 26 (14.1%)
· WEP: 15 (8.1%)
· WPA-PSK: 97 (52.4%)
Other significant problems included 5 stations that were bridging wireless and wired networks, weak firewalls that exposed routing protocols, and a series of impersonation attacks using duplicate MAC addresses and duplicate SSIDs. Also, a number of people were found reading email on the open wireless networks, without use of a VPN.
10% of the on-site networks were ad-hoc networks that were advertising common SSIDs such as “Free Public WiFi”, and 30 users were found connected to these networks. Pescatore comment: “Free Public WiFi” is essentially a worm that spreads across WiFi-enabled laptops. There is really no such thing as a valid “Free Public WiFi” access point – you should have endpoint security platforms configured to lock down WiFi, and warn your users about this, as a minimum. See this for a good explanation.
All of the problems listed above are known configuration vulnerabilities, and all of them can be avoided through a combination of correct Wi-Fi configuration practices, alternate non-Wi-Fi wireless access methods, and a bit of basic user education. I urge readers to remember that Wi-Fi security requires practice and review. It’s not a stable end-game! Please make sure you are following best practices! Here is a short list; you can read more by looking at our online research, or by contacting us for an inquiry session!
· Don’t broadcast your SSIDs.
· Disable Ad Hoc networking.
· Make sure that all Wi-Fi Access Points and client devices are firewalled to block access to vulnerable ports and services.
· Move all internal Wi-Fi security to WPA2 Enterprise with a strong EAP type (such as EAP-TLS).
· Migrate away from known vulnerable systems such as WEP, LEAP, WPA, and Pre-shared Keys.
· If you are in public situations where you are using Wi-Fi on a completely open vulnerable network, use a VPN, or at least choose synchronization applications that provide their own encryption.
· Do not read emails or conduct VoIP conversations when associated with open (unencrypted) Access Points. Your data will be easy to capture.
· Consider wireless alternatives such as cellular data supported by EVDO and 3G. You will still want to use a VPN, but the connection between your end point and the carrier network will be defended and authenticated.
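As an added illustration (not part of the original post or of Motorola’s scan), the script below turns the findings above into an automated review of a wireless survey: it buckets each BSS into the post’s weak categories (open, WEP, WPA-PSK, plus WPA, which the checklist also retires), flags ad-hoc networks advertising “Free Public WiFi”, and surfaces the duplicate-MAC and duplicate-SSID impersonation indicators. The survey rows are constructed sample data; the field layout (bssid, ssid, mode, security) is an assumption, not the output format of any particular scanner.

```python
from collections import Counter, defaultdict

# Constructed sample survey rows, not real scan data: (bssid, ssid, mode, security)
SAMPLE_SURVEY = [
    ("00:11:22:33:44:01", "HotelGuest",       "infra", "OPEN"),
    ("00:11:22:33:44:02", "ConfStaff",        "infra", "WEP"),
    ("00:11:22:33:44:03", "SponsorBooth",     "infra", "WPA-PSK"),
    ("00:11:22:33:44:04", "CorpSecure",       "infra", "WPA2-EAP"),
    ("02:aa:bb:cc:dd:01", "Free Public WiFi", "adhoc", "OPEN"),
    ("00:11:22:33:44:04", "CorpSecure",       "infra", "OPEN"),  # same BSSID, weaker profile
    ("00:11:22:33:44:05", "CorpSecure",       "infra", "WPA2-EAP"),
]

# The post's weak categories (open, WEP, WPA-PSK) plus WPA, which its checklist also retires.
WEAK_SECURITY = {"OPEN", "WEP", "WPA-PSK", "WPA-EAP"}
# Ad-hoc SSID the post calls out; extend with others seen in your own environment.
ROGUE_ADHOC_SSIDS = {"free public wifi"}


def audit(survey):
    """Classify each BSS and surface the kinds of findings the post describes."""
    by_security = Counter(sec for _, _, _, sec in survey)
    weak = sum(1 for _, _, _, sec in survey if sec in WEAK_SECURITY)
    weak_pct = round(100.0 * weak / len(survey), 1) if survey else 0.0

    # Ad-hoc networks using a well-known "free" SSID are peer laptops, not access points.
    rogue_adhoc = sorted({ssid for _, ssid, mode, _ in survey
                          if mode == "adhoc" and ssid.lower() in ROGUE_ADHOC_SSIDS})

    # One BSSID seen with two different (ssid, security) profiles is an impersonation indicator.
    profiles = defaultdict(set)
    for bssid, ssid, _, sec in survey:
        profiles[bssid].add((ssid, sec))
    dup_bssid = sorted(b for b, p in profiles.items() if len(p) > 1)

    # Several BSSIDs sharing an SSID is normal for an ESS; flag only when their
    # security profiles disagree (e.g. an open clone of an enterprise SSID).
    ssid_secs = defaultdict(set)
    for _, ssid, _, sec in survey:
        ssid_secs[ssid].add(sec)
    suspect_ssid = sorted(s for s, secs in ssid_secs.items() if len(secs) > 1)

    return {"by_security": dict(by_security), "weak_pct": weak_pct,
            "rogue_adhoc": rogue_adhoc, "dup_bssid": dup_bssid,
            "suspect_ssid": suspect_ssid}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_SURVEY).items():
        print(f"{key}: {value}")
```

Feed it the rows exported from whatever survey tool you use, and the `weak_pct` figure gives you the same headline number the post reports for the conference.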
John Girard
1 John Pescatore // Jul 6, 2009 at 7:04 am
In the interest of being even handed, AirTight Networks has also done some surveys of WLAN security. They have some interesting data on some vertical industries:
Financial district: http://www.airtightnetworks.com/home/resources/knowledge-center/financial-districts-scanning-report.html
Airports: http://www.airtightnetworks.com/home/resources/knowledge-center/airport-scan.html