After the TJX breach, the PCI security council strengthened their wireless security standard in an attempt to prevent such catastrophic incidents from reoccurring. While some of the largest retailers strengthened their wireless security, small and medium businesses need to take a look at their own security practices because they are just as susceptible, maybe more. In its annual Data Breach Investigations Report earlier this week, Verizon said “criminals are increasingly hitting smaller businesses as it becomes harder to steal financial data from big companies.”
War-driving is still more common than most people probably think, but the number of incidents reported by small and medium businesses is very low. In most cases, WEP encryption is still the target. In a recent Network World article reported that Seattle police are investigating a group of criminals attacking local businesses via Wi-Fi access points encrypted with the flawed WEP protocol. Does this appear to be an isolated incident? No. According to the Seattle police, this group of criminals has been suspected of these types wireless attacks for as many as *5 years*.
What is troubling is the number of retailers that continue to opt for a “compensating control” to address their wireless security requirements. Even PCI’s “approved” methods including quarterly wireless scans and visual inspections are insufficient to protect your business. Wi-Fi is everywhere, its easy to find an unencrypted (or poorly encrypted) signal.
Until companies understand the risk of properly secured Wi-Fi, they will remain susceptible. Just ask the guys in Seattle.
If you are concerned about the proliferation of smart devices (Iphones, Droids, tablets) and the impact on your network security, then this is a “can’t miss” webinar. The inability to detect and block unauthorized personal devices from attaching to your network puts your business at risk. AirTight CTO and Founder Pravin Bhawat discusses the challenges with mobile device management and the limitations of existing wireless network security measures.
Listen to the recorded webinar here.
Every now and then we run into network administrators and CSOs that brag about how their organization is not vulnerable to wireless security threats, only to see their rash confidence fizzle out once the results from a wireless vulnerability assessment or penetration test are out.
Today, most are aware that Open WiFi on enterprise network is foolish and using WEP encryption is a bad idea and that WPA2/802.1x is the way to go. Then where do they go wrong?
Wireless scanning, Wireless security
Wireless security audits play a crucial role in the wireless vulnerability assessment of IT infrastructure and provide guidance on how organizations can meet regulatory wireless compliance requirements. Assessment of wireless vulnerabilities is challenging because of the dynamic nature of wireless environments. Auditors have to worry about not only the wireless devices in a network environment that is being audited, but also external wireless devices in the vicinity that can impact the susceptibility of the network in question to vulnerabilities and attacks. Wireless laptops, handhelds, and smartphones carried by business travelers can also get infected with vulnerabilities on the road; even organizations that may not have officially deployed a wireless LAN need to be aware of these threats. Read more…