The gap between the attention network administrators devote to securing wired networks and the attention they give to wireless local area networks is widening.
In London's financial district, for example, wireless LAN deployments have tripled in a year's time, yet only one-third of those systems are using encryption to secure data, a recent study conducted by RSA Security Inc. revealed. The Bedford, Mass., vendor revisited a 2001 study late last year. Armed with a carful of off-the-shelf scanning technology, the researchers detected 264 unique networks, 328 access points and 552 client devices. Slightly more than one-third were using Wired Equivalent Privacy (WEP) encryption, while 120 points were at default settings, making them prime targets for attack. RSA said that 100 of those devices identified their organizations.
"CIOs are placing less weight on wireless security because, in some instances, they are not aware of the security issues with wireless deployments," said Jin Jung, senior product manager for RSA's wireless embedded product development solutions division. "As time goes on, you will see CIOs and IT managers realize that, by using unsecured wireless LANs, they are providing a back door into networks for attackers."
Even those using WEP are ripe for attack because of inherent weaknesses, which are being addressed in the 802.1x wireless standard. Enterprises, meanwhile, need to respond on two fronts -- with solid policies and technology.
At the policy level, enterprises need to change the service set identifier (SSID), which serves as a password that provides access to a wireless LAN, from the default setting to something less specific to their company, Jung said.
"By having that information obscured, you are less inclined to be hacked," Jung said.
Rogue access points also plague enterprises. The convenience of wireless LANs makes them attractive to companies and, often, some employees take it upon themselves to install wireless access points without consulting IT. Exposure via rogue points is dangerous, and officers and administrators must address this in an IT policy, Jung said.
Network administrators and CIOs also have to consider moving away from WEP to WPA (Wi-Fi Protected Access) and making that move a matter of policy.
"A lot of companies do not put encryption on the channel carrying all data from the client to the access point," Jung said. "Even those companies that did encrypt, a lot were using WEP products. We recommend to CIOs to look at WPA-compliant devices or get firmware upgrades on those devices."
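The policy points above (default SSIDs, SSIDs that name the organization, unencrypted or WEP-only links, and access points installed without IT) can be checked against an organization's survey of its own premises. The following Python is an added example, not part of the original article or any RSA tool; the survey records, addresses, default-SSID list and the name "ExampleBank" are constructed assumptions.

```python
# Added example: audit a wireless site survey against the policy points above.
# All records, BSSIDs, SSIDs and the organization name are constructed.
from collections import Counter

# A few well-known factory SSIDs (illustrative, not exhaustive).
DEFAULT_SSIDS = {"default", "linksys", "netgear", "tsunami", "wireless"}

def audit_ap(ap, approved_bssids, org_terms):
    """Return the list of policy findings for one observed access point."""
    findings = []
    ssid = ap["ssid"].strip().lower()
    if ap["bssid"].lower() not in approved_bssids:
        findings.append("rogue: not in IT inventory")
    if ssid in DEFAULT_SSIDS:
        findings.append("default SSID")
    if any(term in ssid for term in org_terms):
        findings.append("SSID identifies organization")
    enc = ap["encryption"].lower()
    if enc == "none":
        findings.append("no encryption")
    elif enc == "wep":
        findings.append("WEP in use: move to WPA")
    return findings

def audit_survey(survey, approved_bssids, org_terms):
    """Map each BSSID to its findings and count findings across the survey."""
    approved = {b.lower() for b in approved_bssids}
    terms = [t.lower() for t in org_terms]
    report = {ap["bssid"]: audit_ap(ap, approved, terms) for ap in survey}
    totals = Counter(f for fs in report.values() for f in fs)
    return report, totals

# Constructed survey of our own premises (locally administered MAC addresses).
SURVEY = [
    {"bssid": "02:00:00:00:00:01", "ssid": "corp-floor3", "encryption": "WPA"},
    {"bssid": "02:00:00:00:00:02", "ssid": "ExampleBank-Trading", "encryption": "WEP"},
    {"bssid": "02:00:00:00:00:03", "ssid": "linksys", "encryption": "none"},
]
APPROVED = ["02:00:00:00:00:01", "02:00:00:00:00:02"]  # IT's inventory (constructed)

if __name__ == "__main__":
    report, totals = audit_survey(SURVEY, APPROVED, ["examplebank"])
    for bssid, findings in report.items():
        print(bssid, "->", findings or ["compliant"])
    print(dict(totals))
```
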
On the technology side, companies also expose themselves on wireless LANs not only with poor encryption, but with weak or no authentication.
Strong authentication from the client, such as two-factor authentication using a token or biometric in conjunction with a password, closes potential holes there, Jung said.
"There's a lack of understanding of this problem," Jung said. "In addition to the encryption problem is the issue of authentication; CIOs and IT managers are not sure of how to integrate authentication into client devices. [By using two-factor authentication], users would not have to change their behavior. They would just have to remember a password and their token."
With wireless access points nearly tripling in a year in a major metropolitan financial center like London, this is a problem enterprises will have to address sooner rather than later.
"Things are going to come to a head in the next year or so," Jung said. "WLANs in corporations are growing exponentially. IT managers are going to be forced to place wireless security on an equal footing with wired security."