Unsecured Wi-Fi can lead to a data breach
Wi-Fi is an excellent medium for enabling users to access networks as a guest user or BYOD user with their personal devices. However, failure to properly secure that network can breach your defences. And when your defences are breached, your data is compromised, potentially resulting in what is known as a "data breach".
We are going to explore three ways in which un-secured Wi-Fi can lead to un-authorised, sensitive data breach (This isn’t another GDPR article, however it is very relevant).
Lack of role-based access control
Role-based access control (RBAC) for those un-aware is a method for controlling user access to network file system objects. Solutions such as Ruckus Cloudpath offer role-based access controls for IT teams. Many data breaches come from unintended disclosure and not the intentional cybercriminals you see from the Die Hard 4.0 Fire Sale attack. This means that the unintentional guest or employee may mistakenly gain access to sensitive data because they simply were not set up in a role-based access network.
A secure access strategy requires users to only be granted access to resources considered appropriate or essential to their "role". Policy-based controls are the cornerstone in such strategies. It is likely that it is not hard for you to consider what resources a user with no restrictions could gain access to within your own organisation. As much as this isn’t written to scaremonger, if you don’t have a means to define and manage policies to restrict access, the chance of a data breach is probable.
If someone not authorised in your organisation has viewed certain data not intended for them, that’s a breach. To take a very specific example, in an office with a sales team, they should not have access to a file system with information on employee payroll and personal data, that kind of sensitive information should only be accessible by your HR department, and possibly by your accounts department or any designated members of staff. A role-based policy capability for network access is essential, and a lack of differentiated network access risks data compromises.
Failure to perform a security posture check
Many IT professionals will agree that BYOD programs increase employee productivity and that visitors expect easy network connectivity for their devices. For many, this would fill a bucket of unmanaged devices accessing the network. IT teams don’t have the advantage of controlling these devices, so they have no power to ensure they have the latest updates installed, or antivirus installed. Failure to perform an up-front security posture check before BYOD and guest devices connection is a risk area as well. Our research indicates that Malware is considered the leading causes of data breaches (Malware is designed to disrupt, damage or gain unauthorised access).
A policy to help prevent Malware spreading into your network is to have anti-Malware installed on your network devices and not allow BYOD devices onto your network without anti-Malware software installed. If employees can connect their laptop to the network without anti-Malware installed and up to date, that is a security hole. A security posture check during network on-boarding with a solution such as Cloudpath makes sure the devices connecting employ basic security measures.
We don't expect many smartphone users not to have PIN enabled on their phones or tablets. But imagine what could happen if an employee didn't have a PIN and connected their BYOD phone to the network, granting access to network resources, or if their phone was stolen and access to the device was made. The network cannot identify whether the user of the device is the intended employee, and the device is still able to access the company data! A quick security posture check would include devices must have a PIN enabled before they connect. How would the IT team be able to check every BYOD device every time it connects to the network for PIN-Lock? Cloudpathhas a feature as part of its posture checks that check for PIN-lock on mobile devices.
Unencrypted network traffic
Unencrypted network data in transit over Wi-Fi can be viewed by prying eyes. That is right, the data being sent over the network that isn’t encrypted can be seen by unauthorised users! The tools enabling such an attack are readily available and easy to obtain. If you have not already understood the point we are making here, unencrypted network data can be viewed, stolen and held to ransom with relative ease by any person with a malicious intent.
Many websites accessed are served over https, but often not all page resources are encrypted. Equally, mobile applications equally may or may not encrypt their data traffic, especially if the application being used isn’t a well adopted one.
In an office environment you might think it is crazy not to encrypt traffic over Wi-Fi – and we agree with you. The problem is, MAC authentication, one of the default methods for connecting devices such as Headless Devices (printers and so forth) does not encrypt the wireless data traffic. We also commonly come across networks that have historically operated multiple SSIDs to separate their network traffic for guest users and employees. This doesn’t help the BYOD situation as simply enabling guest users out to the Internet is not a BYOD solution. Whatever the implementation, unencrypted data traffic is a risk for the organisation and its user’s personal security.
One way to tackle the unencrypted network traffic is to deploy a secure WPA2-Enterprise via 802.1X authentication with EAP-TLS, PEAP access methods. That is a mouthful, but for simplicity, get the network traffic encrypted, which happens to be another feature of the Cloudpath security solution.
Although this article is not exhaustive, it should be an eye opener that security vulnerabilities may or do exist in your Wi-Fi network and should take preventive measure to have it assessed and fixed. If you would like to request a demo of the Cloudpath Security solution and discover how the features and benefits can help your organisation plug its network security holes, please get in touch. We will be happy to help you keep your data secure.