The ease of cracking Wi-Fi security systems is shocking. Recently, a Canadian brokerage firm installed a Wi-Fi network on its trading floor. WEP (Wired Equivalent Privacy) was enabled and no one could enter the trading floor without a smart card pass.
How long does it take to crack WEP security
on a trading floor? Apparently, about 45 minutes with a laptop and Wi-Fi card. How can WEP security be compromised when access to Wi-Fi enabled rooms are behind smart card lock and key? Apparently, all it takes is to sit in an adjacent washroom stall and run a downloadable WEP cracking tool.
Luckily in this case the intruder was a friendly employee of the company who simply wanted to report the results of a security test to the network manager. But what if this was a competitor? A company’s security policy has to go beyond beyond technology needs. It also needs to include organizational structures and building layout schemes.
Over the past year, at industry seminars and in the technology trade press, network managers have been told that all they need to do is turn on the WEP security. But new cracking examples show that it’s simply not enough to require employees to use passwords, or to use pass cards to enter buildings.
A more vigilant approach needs to be taken. Educating executives by demonstrating security breaches is just as important as presenting a ROI (return on investment) spreadsheet for next year’s IT budget.
As with many technical concepts, it is difficult to explain the delicate balance between information security and business productivity to many executives. While there is little dispute that Wi-Fi networks help cut cabling costs and reduce the time required for setting up network infrastructure, the current round of wireless gear can pose a threat to securing valuable corporate data.
With a wired network, one of the ways that an enthusiastic intruder accesses corporate data is to enter the premises and somehow physically connect to the cabling infrastructure. There is some risk of getting caught by being physically on the premises. Wireless makes it even easier for the intruder.
Companies have to take an active role in developing a comprehensive security policy. Don’t rely solely on your vendor. Most studies report that over half of security breaches are directly attributed to employees. This type of breach is independent of any Wi-Fi encryption or firewall configuration.
Of course you also have to avoid simple breaches, like leaving those Windows NT Emergency Repair Disks lying around on the server room shelf.
A hacker could secretly remove the disk, obtain the Windows Security Accounts Manager database with login information and return the disk the following day.
In other cases, when thinking about the overall security policy, you need to look at non-technical issues. If simple passwords can be cracked in a few minutes with downloadable software, should employees be rewarded for using passwords that are harder to crack?
What is done with the draft copies of financial reports that are left in an open waste bin beside the shared network printer in the back corner of the office? That printer should be moved to an open area in full view of everyone, thus reducing the temptation for someone to reach for those drafts in the waste bin.
The publicized faults of Wi-Fi seems to be bringing a lot of security issues to light, both technical and organizational. Network managers need to challenge assumptions and inform executives on overall security issues and security policies. If not, you could see your stolen corporate data up for sale on eBay.
