Friday, December 8, 2006

From Kevin Lueders - What are the tradeoffs between ease of use/administration versus security?

This is a question posted on my security1a blog, it seemed appropriate to also post it here since it can affect you as an enterprise security user or manager.

The easiest thing in the world to do when setting up your wireless at home is to take all of the defaults and only use a SSID for security. People tend to think that if they come up with a unique SSID, that no one will be able to log on to their network. But the fact of the matter is, most access points by default broadcast the SSID, and modern day wireless software running on Windows, Linux and Macintosh will list all SSID’s that the wireless antenna detects. Bottom line….SSID is “wireless ease of administration” and it provides “no security what so ever”. Anybody with a PC can logon to your wireless network and do what ever they want.
From a threat point of view here is a list of the possible impacts.- someone gets on your wireless network and they have free open access to any device you have connected to your home network. This means they can install keyboard sniffers, networks sniffers or even man in the middle attack software. All of which could steal encrypted usernames, passwords, Social Security Numbers, credit cards etc. Not to mentioned access your firewall or edge router and modify the configuration to weaken your security posture.- another huge threat is, if you are using VPN to get to your company. Essentially, if somebody compromises your home network they can potentially have access to your company’s network. Also keep in mind that many companies use VPN in a way that data must go into your company’s network before it goes out to the Internet. This means if your company has a policy that defines “acceptable network use” and this person/hacker/attacker/accidental_tourist does compromise your network and violates that policy doing something like, attacking another network or surfing pornographic web sites - your company will track this activity back to you and you may be in a position where you will have to answer very uncomfortable questions or perhaps even face termination.
I guess this is a long-winded way of saying, don’t take the easy way out when it comes to administering the wireless network in your House. Check with your security vendor and find out steps you need to take to authenticate only your devices and in addition encrypt your network traffic. Also change your encryption key on a regular basis if your security vendor does not have technology which automates this process.
Just a little more information. If you don’t use encryption on your wireless network, anybody with a wireless sniffer that is within the range of your access point can sniff all data going to and from your wireless network. This is bad enough at home but this is especially dangerous in wireless hotspots. If you have a host VPN use it in situations where you don’t have control over wireless encryption. Also never turn off your host intrusion prevent, ant-virus or personal firewalls if you are near a public hotspot.

No comments:

With Great Power Comes Great Responsibility....raise the bar

With Great Power Comes Great Responsibility....raise the bar
Get Secure