Many deployments are to support inter-office mobility – a need that has gone from a rising tide to a tsunami in parallel with the mass adoption of mobile devices...

1. Wireless security controls are often too lax for the data they need to protect
At Redspin we are often asked to perform wireless security assessments for organizations that have
recently deployed or upgraded their wireless infrastructure with top-of-the-line access points (APs),
controllers and wireless intrusion detection systems (WIDS). Many deployments are to support inter-office
mobility – a need that has gone from a rising tide to a tsunami in parallel with the mass adoption of mobile
devices such as smart phones and Apple iPads. Virtually every CIO and CSO that I meet these days are
grappling with the question of how to support employee requests for connectivity – often times by senior
executives. These devices themselves are inherently risky due to their highly mobile nature, ability to store
and access sensitive data, and immature enterprise security management support. For today, let's focus
on the corporate wireless infrastructure itself. The problem is less about the capabilities of wireless security
technology and more about the lack of a thoughtful deployment of these systems. Wireless networks need
to implement security controls that are at least as good as the existing controls on the data they are trying
to protect.
The most consistent problem is that wireless networks are deployed with less than optimum security
controls. For example, using WPA2 in personal mode rather than enterprise mode. The upside of personal
mode – in which clients, such as laptops and iPhones, authenticate to the networks with a pre-shared key
(PSK) – is that it's easy to manage and configure. The downside of this approach that it is vulnerable to a
password guessing attack, cached client credentials, system-wide risk in the event of a compromised key
and rogue access points. This risk may be acceptable for access to a wireless network whose only
purpose is to provide Internet access for guests or mobile devices. However, many wireless networks
begin with this simple purpose in mind only to evolve into much more access into the internal network.
Wireless network signals travel well beyond your corporate office space. In a downtown office environment,
dozens or even hundreds of other businesses or public areas are able to “see” these signals. It's as if you
are grabbing a hand full of network cables that are connected to your internal switch and lobbing them out
into the street for everyone to use. This greatly extends the attack surface area for wireless networks, so
it's imperative that they are configured with security settings that are appropriate to the data they need to
protect.
With wireless networks, there are a great many security configurations available to support a variety of
business cases. It's critical to ensure that usage scenarios are carefully evaluated before a network is
deployed to ensure that appropriate security controls are implemented. Once deployed, wireless networks
should be tested to verify that the controls are actually working effectively.
www.redspin.com Meaningful Healthcare IT Security™ 800.721.9177