The wireless Internet connection changed the business "interior design", nowadays it is not necessary to have countless cables to enter the network, however this "blessing" entails some security drawbacks.
By: Juan David Pineda C.
These days it has become a basic need not only at home but also in small, medium and large companies to have access to the Internet from all places.
With the advent of wireless networks it is now possible to be connected to the network of networks from any device that has a wireless network card, regardless of whether it is a desktop computer, a laptop or a mobile phone; however, there are really few companies that pay attention to the configuration and deployment of network access devices, much less to the definition of organizational policies that allow protecting information, both public and private.
Faced with this question, I ask you: how is your wireless network open? Is it encrypted? If your network information travels encrypted, what is the encryption scheme you use? These are some questions that should make any person in charge of the network in an organization think, since it is the same information of your company that is in danger; both public and confidential information is being transmitted isotropically to everyone without discrimination.
How do they steal information?
Some encryption protocols such as WEP have been broken for a few years by hackers and today with tools easily obtained on the Internet such as aircrack (http://www.aircrack-ng.org/) passwords can be "cracked" in periods of two to three minutes, depending on the amount of traffic that the attacker can capture.
Protocols such as WPA and even WPA2 despite not having been completely broken are susceptible to brute force attacks, a type of attack that through statistical techniques reduces the sample field considerably so that a program can test different keys until it finds the correct one, despite being tedious and long this can become an effective attack if the intruder is patient.
The most worrying thing about the matter is that not only do you continue to see wireless networks configured with weak encryptions such as WEP, but we continue to make indiscriminate use of open networks, not only in companies but in restaurants, shopping centers and other public places, networks that by not carrying encryption will allow anyone to easily access confidential data that is traveling through the network; now you do not need to be an "überhacker" to do this, tools like Firesheep (http://codebutler.github.com/firesheep/) make available to any user without technical knowledge the possibility of extracting personal information from anyone who connects to an open wireless network, just by installing a plugin for the Firefox browser ... This is just one of the best known, there are tools on the Internet that will allow a third party this and much more.
Passwords and security policies
When you receive a customer, a third-party provider, or just a visitor in the company, and they need Access to the Internet, are they denied? Am you given the password? How long is that password valid? And if you are a strategic customer? These are questions that make more than one stagger and wonder about security and the way your wireless network is shaped and configured.
In the latter case of the user invited to the company, there must then be an implementation of the network that segregates the private network of the company and the network for "guests", which is governed by restrictive policies and controls when it comes to accessing the internal network. In addition to organization in the network, there are also protocols and enterprise technical schemes such as captive portals to establish a role-based access control layer, as well as protocols that allow Authentication, Authorization and Accounting (AAA), making use of Public Key Infrastructure (PKI) mechanisms and protocols such as RADIUS http://www.lanarchitect.net/Articles/Wireless/SecurityRating/.
It is then necessary to have within the organization policies of conformity of use in which it is specified that it is and that it is not allowed to make the users of this network, including a policy of management and change of passwords, since thanks to these is that the possibility of the network falling before brute force attacks is reduced.
Fortunately, in Latin America there has been awareness about the importance of information security, not only at the business level but also at the governmental level, in countries such as Colombia there are initiatives and laws on this neuralgic issue, such as Law 1273 of 2009 (http://www.secretariasenado.gov.co/senado/basedoc/ley/2009/ley_1273_2009.html ), known as the Computer Crime Law in Colombia, which protects information, data and systems that use ICT.
A good read that should be followed by those who are concerned about their corporate or even home network, is the "Guide to Securing IEEE 802.11 Legacy Wireless Networks" from the National Institute of Standards and Technology (NIST) ( http://csrc.nist.gov/publications/nistpubs/800-48-rev1/SP800-48r1.pdf), a document that will definitely help you start hardening your network against cyber-criminals, but this is only the beginning of a series of technical and organizational countermeasures, remember that security is not a project, it is a fundamental process within the organization.
* Juan David Pineda is a Systems Engineer from Eafit University (Medellín, Colombia) and a researcher in computer security. He is currently pursuing his master's studies at the Open University of Catalonia in Computer Security, is a university professor and coordinates different research groups and seedbeds on the subject of security. If you want you can write to [email protected]
Leave your comment