Once upon a time, Wi-Fi security was considered notoriously weak. Wireless encryption mechanisms including WEP, Cisco LEAP, and WPA1 were proven to be nothing more than minor speedbumps for bad actors that wanted to break in. Yet, ever since WPA2 with AES encryption burst onto the scene, opinions on Wi-Fi security have changed.
Most now consider WPA2-protected Wi-Fi to be as secure as (if not more secure than) a wired connection. But encryption is only one part of the overall Wi-Fi security battle. While I was attending DEF CON 27 earlier this month, I was frequently made aware of this fact. When I asked multiple attendees and wireless security pros working the conference for tips on how corporate LANs can be better secured, most never even mentioned an encryption type, as most likely assumed WPA2 would be in use. Instead, answers focused on other security factors that WLAN administrators commonly overlook or ignore, factors that make wireless networks less secure than they should be. Here is what top wireless hackers say are the most overlooked ways you can better secure your corporate WLAN.
If you're going to use pre-shared keys, make them complex and change them regularly
WPA2 comes in two forms. One is known as WPA2 Enterprise, and it leverages IEEE 802.1X to authenticate users who are assigned a username and a password only they know. The second type of WPA2 is called WPA2 Personal. This authenticates users or devices using a pre-shared key (PSK). While this is not nearly as secure as WPA2 Enterprise from an authentication perspective, it's sometimes a necessary evil. This is especially true when you must connect cheap IoT devices that cannot use WPA2 Enterprise authentication.
That said, if it’s properly managed, WPA2 Personal can still be considered secure. The biggest risk, however, is that IT departments neglect to change the PSK on a regular basis. It’s not uncommon for a PSK to be used for months or years. Over time, the PSK inevitably gets into the wrong hands. Thus, it's possible that the bad guys could stumble across your shared key and easily connect without you ever knowing it.
Another PSK tip is to make the password as complex as possible. It’s important to know that even AES encryption can be cracked if given enough time. The amount of time required to hack a PSK, however, depends greatly on the complexity of the password used. The longer and more random your PSK is, the more time it will take to crack.
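The two PSK practices above, regular rotation and complexity, as an added Python example that is not part of the article: it generates a passphrase from a CSPRNG, bounds its guessing entropy, derives the WPA2 pairwise master key the way 802.11i specifies (PBKDF2-HMAC-SHA1 salted with the SSID, 4096 iterations) to show that passphrase entropy alone sets the per-guess cost, and flags a PSK that is weak or overdue. The 90-day rotation window and 80-bit entropy floor are assumed policy values, not figures from the article.

```python
import hashlib
import math
import secrets
import string
from datetime import date

# WPA2-Personal passphrases are 8 to 63 printable ASCII characters (IEEE 802.11i).
PSK_ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LEN, MAX_LEN = 8, 63
MAX_PSK_AGE_DAYS = 90   # assumed rotation policy, not a figure from the article
MIN_ENTROPY_BITS = 80   # assumed floor; ~13 random chars from the full alphabet clear it
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def generate_psk(length: int = 32) -> str:
    """Return a random passphrase from the OS CSPRNG, sized for WPA2-Personal."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("WPA2 passphrase must be 8-63 characters")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def entropy_bits(psk: str) -> float:
    """Upper bound on guessing entropy: length * log2(size of the character classes used).
    Only meaningful for random text; a dictionary word is far weaker than this bound says."""
    alphabet = sum(len(cls) for cls in CHAR_CLASSES if any(c in cls for c in psk))
    return len(psk) * math.log2(alphabet) if alphabet else 0.0


def derive_pmk(psk: str, ssid: str) -> str:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes) per 802.11i.
    The iteration count is fixed, so only the passphrase's entropy raises the guessing cost."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32).hex()


def psk_policy_issues(psk: str, last_changed: date, today: date) -> list:
    """Flag the two problems the article calls out: a weak passphrase and a stale one."""
    issues = []
    bits = entropy_bits(psk)
    if not MIN_LEN <= len(psk) <= MAX_LEN:
        issues.append("length outside the 8-63 character range")
    if bits < MIN_ENTROPY_BITS:
        issues.append(f"entropy {bits:.0f} bits is below the {MIN_ENTROPY_BITS}-bit floor")
    age = (today - last_changed).days
    if age > MAX_PSK_AGE_DAYS:
        issues.append(f"PSK is {age} days old; rotate it")
    return issues


if __name__ == "__main__":
    old = "password"   # constructed example of a weak, long-lived PSK
    print(old, psk_policy_issues(old, date(2018, 1, 1), date(2019, 8, 20)))
    new = generate_psk()
    print(new, psk_policy_issues(new, date(2019, 8, 20), date(2019, 8, 20)))
```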
Penetration testing of guest Wi-Fi access
You may think you've properly configured access controls that only grant guest Wi-Fi users access to the internet and perhaps a handful of internal resources. Yet mistakes are often made that potentially expose far more of the internal corporate network than was thought. Even a rudimentary penetration test of what guest users can and cannot access will show whether your access control lists (ACLs) were indeed configured correctly.
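A minimal version of the guest-access check described above, as an added Python example that is not part of the article: run from a client associated to the guest SSID, it probes each internal service in a reachability policy and reports every deviation, whether a service that should be blocked answers or an allowed one does not. The addresses, ports and expected outcomes in GUEST_POLICY are constructed placeholders.

```python
import socket
from typing import Callable, List, Tuple

# Constructed sample policy for a guest SSID (placeholder addresses, not from the article):
# guests may reach the captive portal and a guest printer; core internal services must be blocked.
GUEST_POLICY: List[Tuple[str, int, bool, str]] = [
    # (host, tcp_port, expected_reachable, description)
    ("10.0.0.10", 443, True, "captive portal"),
    ("10.0.0.21", 631, True, "guest printer (IPP)"),
    ("10.10.0.5", 445, False, "file server (SMB)"),
    ("10.10.0.6", 3389, False, "jump host (RDP)"),
    ("10.10.0.7", 389, False, "domain controller (LDAP)"),
]


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes. Refused and filtered both count as unreachable,
    so a 'blocked' result does not say which ACL or hop did the blocking."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_guest_isolation(policy, probe: Callable[[str, int], bool] = tcp_reachable) -> List[dict]:
    """Probe each policy entry and return every deviation from the expected outcome.
    An unexpectedly reachable service is an ACL hole; an unexpectedly blocked one is a
    broken allow rule that users will report as 'the guest Wi-Fi is down'."""
    violations = []
    for host, port, expected, desc in policy:
        observed = probe(host, port)
        if observed != expected:
            violations.append({
                "host": host, "port": port, "service": desc,
                "expected": "reachable" if expected else "blocked",
                "observed": "reachable" if observed else "blocked",
            })
    return violations


if __name__ == "__main__":
    # Run this from a laptop that is associated to the guest SSID.
    findings = verify_guest_isolation(GUEST_POLICY)
    for v in findings:
        print(f"VIOLATION {v['host']}:{v['port']} ({v['service']}): expected {v['expected']}, got {v['observed']}")
    print(f"{len(findings)} violation(s) across {len(GUEST_POLICY)} checks")
```

The probe only exercises TCP connects; UDP services and paths cut off by an upstream firewall rather than the WLAN ACL need separate checks.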
Take advantage of built-in Wi-Fi security tools
Most enterprise-grade WLAN hardware and software these days comes with a slew of security tools that can be used to scan the wireless environment and baseline or detect security anomalies. This includes the identification of rogue access points, suspicious clients, or other malicious behaviors meant to scan or overwhelm your WLAN. While these tools are widely available, they are commonly not used on a regular basis as intended. Learning how to take advantage of these existing security tools can help prevent wireless security breaches or outages both small and large.
Device authentication using certificates
As mentioned, most enterprise-grade Wi-Fi uses WPA2 Enterprise for end-user authentication. While considered very secure, sometimes a second form of authentication is deemed necessary. A different authentication method identifies and validates that a specific end device – as opposed to a user – can connect. One way of accomplishing this is to implement a certificate-based authentication mechanism such as EAP-TLS. Without getting overly technical, EAP-TLS works by installing certificates on client devices and authentication servers. Both the clients and servers use these certificates to validate the identity of the other. Doing so lets administrators restrict access to certain Wi-Fi networks to devices that have the client-side certificate installed. In other words, it prevents rogue devices from connecting to a sensitive corporate network – a major problem common with companies that condone overly loose BYOD policies.
Wi-Fi security is only as good as the person that implements it
Generally speaking, the technical aspects of Wi-Fi security are in good shape. For example, we’ve been talking about WPA2 security without mentioning that its successor – WPA3 – already exists and is (almost) ready to go. That said, the biggest threat to corporate WLAN security according to hackers at DEF CON isn’t a technical one. Rather, the biggest risks are found in those who are responsible for the configuration and ongoing management of said WLAN. Thus, it may be well worth the time and effort to review configuration, monitoring, auditing, and other processes to ensure your corporate WLAN is as secure as you want it to be.