Almost every office has a Wi-Fi network today, and sometimes more than one. Who wants to connect laptops with a cable? And forget about smartphones and tablets! However, a wireless network can be a weak point in your IT infrastructure.
Not all companies use complex and unique passwords for their wireless networks, and few bother to disable the broadcasting of the network’s name. And not many at all limit the power of the WI-Fi signal to prevent network connections from outside of the office. Thus, usually little prevents a potential attacker from hanging around near the office and trying to get into a corporate network through a Wi-Fi connection.
Performing a simple dictionary attack on the router’s login takes just a few seconds. Hacking complex password combinations takes more time, unless the attacker is in a hurry, it is quite possible. However, that’s not always necessary, because with some routers, an attacker can simply use vulnerabilities in the firmware.
Researchers regularly detect vulnerabilities that can allow malefactors into a network, bypassing your Wi-Fi router’s passwords and other protective mechanisms. In some cases they can get superuser rights on the device. Usually developers are quick to patch those vulnerabilities. The trouble is that many organizations do not install patches in a timely manner, especially when doing so involves reflashing firmware.
Many companies use different Wi-Fi networks for employees and guests. This is a reasonable measure: on the one hand, customers and other visitors to the office can connect to the Internet; on the other hand, they will not have access to the corporate network and internal resources. However, guest Wi-Fi can work against you.
Getting a password for a guest network is easy enough — that’s the idea. But in some cases — if the network is improperly configured — it can let guests reach some elements of the corporate infrastructure.
Even with the correct network configuration, your employees can unwittingly put themselves in jeopardy. Suppose that one of them wanted to access a network resource blocked by corporate policy. Without thinking twice, he connects a laptop with confidential data to the guest network. Now an attacker lurking in the same guest network can try to perform a man-in-the-middle attack and infect his laptop with malware.
How to make corporate malware less vulnerable
We believe Wi-Fi networks are still worthwhile; they do, however, need security-oriented approaches for both device and corporate-network configuration.
- Update the firmware of Wi-Fi routers and access points, and keep them up to date. Manufacturers are constantly fixing vulnerabilities; don’t assume if something works, that means it’s secure.
- Set a unique, long, complex password to access Wi-Fi. Your employees will need to enter it only once on each device, and strong passwords make hacking a network more complicated.
- Limit signal strength so that your network is not available from outside of the office.
- Hide the name of the network to make it harder to find.
- Choose a name for the network that is not obvious or easily guessable — and keep the router model number out of it, so attackers can’t use that to search for a known vulnerability.
- Segregate the guest network so guests do not have access to internal resources. You may have to deprive your visitors of some convenience (such as the ability to print a document on your printer), but you will significantly reduce the risk of data leakage.
- Use a reliable security solution so that even if an attacker breaches your network, they will not be able to cause significant damage to workstations and servers.