Web Security – Understanding the Business Risk of At Home Wireless
BY GRANT HEGERBERG
You may know what to do about WLANs at the office. But what about your employees when they go home? As many have pointed out, “wireless” is very affordable. And it works. So, how do you help safeguard your users — and the corporate data on their computers? It starts with you (and your employees) understanding the web security risk.
Understand the web security risk
First, we realize that the web security risk is going to be a function of the vulnerability, the level of threat, and how much it would cost your company if someone were able to steal proprietary information (or at the minimum, to piggy-back on your Internet connection). The vulnerabilities are in the very infrastructure of WLAN technology.
Threat, or threat rate, is more difficult to measure. We have to take into account physical parameters. For example, not only does it matter how far the WAP can transmit, but it also matters how close people can get to the user’s house without being obvious.
Also, the web security threat increases if attacking your network is attractive to a would-be attacker. Has the employee recently ticked off his neighbor (or worse, his neighbor’s teenaged son)? Does your company deal in military secrets or pizza dough recipes? And what’s the competition like in the pizza industry, anyway? The same kind of web security threat analysis that you do for your company network has to be extended to employees’ homes. Not in as much detail, not with as much effort, but similarly. Attacking your employee’s network and system is either worth something to someone or it is not. No matter how we figure the threat, it is greater than zero.
How do you estimate the cost to the company (or the individual, for that matter) of a break-in — the event cost? It depends. What secrets does the home network hold? Does it have corporate information? How about military secrets or personal, financial, or medical information? Having a home WAP is similar to running Cat-5 wire connected to a hub inside your house, out to the end of your driveway, with an RJ45 socket on it. Someone could drive up, plug in, and access your home network. They can do the equivalent via a connection to the WAP. And they could sniff all packets traveling by radio between the WAP and each wireless client.
Bridging web security policy and practice
Perhaps by now you are convinced that the best acceptable use policy for home users with WLANs is to not allow them. You would be right. However, since we know that people will ignore that directive, after explaining the web security risks to them, as I did above, you will need to put some guidance in place that they might actually follow. This is neither meant to be fatalistic nor overly pragmatic. As web security professionals, our job is not to provide security. It is to secure the mission requirements of the organization.
Let us assume we are talking about average-grade web security risks. Our main concern is not with targeted attacks by agents of other governments. (Because in that case we can say, “Thou Shalt Not Do This,” making sure people realize that infractions could lead to time in a federal penitentiary.)
Users should change all defaults on their WAPs. Default keys must be replaced, default web security settings changed, default broadcast channels switched, and the SSID renamed to something non-generic. It is best if the name does not identify the name of the owner (though in a small neighborhood, this might be a moot point). It certainly should not identify the employer of the individual. An SSID that broadcasts “ABC1” is less interesting than one that says, for example, “cia-home1.” From a risk standpoint, it is irrelevant that “CIA” are the homeowner’s initials.
They should change the default IP address of the WAP as well as the default administration password. Some WAPs use a hard-connected USB port for administration, but many can be administered via a network-connected Web interface. If the kid next door enables his wireless card, sees your WAP broadcasting (because it broadcasts on the same channel as his), and sees that your SSID is “linksys”, he might be tempted to try to connect to IP address “192.168.1.251” and log in with password “admin.” Every vendor has a list like that. That’s why it is important to change the defaults.
The user with a WLAN is arguably at greater risk than other mobile users. Disk encryption protects the data on a PC while it is powered off and at rest, but if that data flows over a home network, we need extra protection for that network or the computer. Personal firewalls must be used, with a policy that disallows SMB services between computers. Otherwise, there is no good way to keep that teenager next door from your computer’s folders.
Finally, and this is perhaps most important: establish a web security policy that says users of home WLANs must configure their WAPs to filter, only talking to a fixed set of MAC addresses. This is tedious to do in an organization with many computers. It is a short job for someone working on a home network.
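The guidance in the last four paragraphs (replace every default, keep the SSID non-identifying, change the management address and password, block SMB with the personal firewall, and restrict the WAP to a fixed MAC allow-list) is easy to hand to employees as a checklist, and just as easy to turn into an audit they can run against their own settings. The script below is an added example, not code from the article or from any vendor: the `WapConfig` record is a constructed, vendor-neutral view of a WAP and the PC behind it, and apart from the three values the article itself names (“linksys”, “admin”, 192.168.1.251) the default lists, owner and employer names, and sample configurations are all made up for illustration.

```python
"""Hardening audit for a home WAP configuration (constructed example)."""
import re
from dataclasses import dataclass, field, replace

# Defaults the audit compares against. "linksys", "admin" and 192.168.1.251
# are the examples from the article; the other entries are constructed
# placeholders, not a real vendor list.
DEFAULT_SSIDS = {"linksys", "default", "wireless"}
DEFAULT_ADMIN_PASSWORDS = {"admin", "password", ""}
DEFAULT_MGMT_ADDRESSES = {"192.168.1.251", "192.168.1.1"}
DEFAULT_CHANNEL = 6  # assumption: a common factory channel

SMB_PORTS = {137, 138, 139, 445}  # NetBIOS services and direct-hosted SMB
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


@dataclass
class WapConfig:
    """Constructed, vendor-neutral view of a WAP and the PC behind it."""
    ssid: str
    admin_password: str
    mgmt_address: str
    channel: int
    wireless_key: str           # key currently configured on the WAP
    factory_wireless_key: str   # key the unit shipped with, for comparison
    mac_filter_enabled: bool
    mac_allow_list: list = field(default_factory=list)
    firewall_blocked_ports: set = field(default_factory=set)


def audit(cfg, owner_names, employer_names):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    ssid = cfg.ssid.lower()

    if ssid in DEFAULT_SSIDS:
        findings.append(f"SSID '{cfg.ssid}' is a vendor default")
    for name in employer_names:
        if name.lower() in ssid:
            findings.append(f"SSID '{cfg.ssid}' identifies the employer ('{name}')")
    for name in owner_names:
        if name.lower() in ssid:
            findings.append(f"SSID '{cfg.ssid}' identifies the owner ('{name}')")

    if cfg.admin_password in DEFAULT_ADMIN_PASSWORDS:
        findings.append("administration password is a vendor default")
    if cfg.mgmt_address in DEFAULT_MGMT_ADDRESSES:
        findings.append(f"management address {cfg.mgmt_address} is a vendor default")
    if cfg.channel == DEFAULT_CHANNEL:
        findings.append(f"broadcast channel {cfg.channel} is the factory default")
    if cfg.wireless_key == cfg.factory_wireless_key:
        findings.append("wireless key is still the factory key")

    if not cfg.mac_filter_enabled:
        findings.append("MAC filtering is disabled")
    else:
        if not cfg.mac_allow_list:
            findings.append("MAC filtering is enabled but the allow-list is empty")
        for mac in cfg.mac_allow_list:
            if not MAC_RE.match(mac):
                findings.append(f"malformed MAC address in allow-list: {mac}")

    unblocked = sorted(SMB_PORTS - set(cfg.firewall_blocked_ports))
    if unblocked:
        findings.append(f"personal firewall does not block SMB ports {unblocked}")
    return findings


# Constructed sample data: names the SSID must not reveal, and three WAPs.
OWNER_NAMES = {"smith"}
EMPLOYER_NAMES = {"cia"}

FACTORY_DEFAULT = WapConfig(
    ssid="linksys", admin_password="admin", mgmt_address="192.168.1.251",
    channel=6, wireless_key="FACTORY-KEY-0000",
    factory_wireless_key="FACTORY-KEY-0000", mac_filter_enabled=False,
)
HARDENED = WapConfig(
    ssid="ABC1", admin_password="Fz7!qLm2#pW", mgmt_address="10.42.0.1",
    channel=11, wireless_key="new-key-2ea7",
    factory_wireless_key="FACTORY-KEY-0000", mac_filter_enabled=True,
    mac_allow_list=["00:11:22:33:44:55", "66:77:88:99:AA:BB"],
    firewall_blocked_ports={137, 138, 139, 445},
)
# Same hardened WAP, but with the employer-revealing SSID from the article.
REVEALING_SSID = replace(HARDENED, ssid="cia-home1")

if __name__ == "__main__":
    for label, cfg in (("factory default", FACTORY_DEFAULT),
                       ("revealing SSID", REVEALING_SSID),
                       ("hardened", HARDENED)):
        for finding in audit(cfg, OWNER_NAMES, EMPLOYER_NAMES) or ["no findings"]:
            print(f"{label}: {finding}")
```

The factory-default record trips every check, the hardened one trips none, and the “cia-home1” variant fails only the employer-name check, which is exactly the point the article makes about initials. One caveat worth passing on with the checklist: the MAC allow-list raises the bar for the casual neighbor but is not a substitute for the replaced key, because station MAC addresses travel in the clear in every frame the WAP and its clients exchange.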