“Wireless is a different medium and presents different challenges that we faced with wired,” said David King, chairman and chief executive officer of AirTight Networks, makers of wireless intrusion prevention systems. “All the borders and boundaries that used to exist at the physical level are gone. The perimeter has to be redefined.”
Panel moderator Lisa Phifer, vice president of Core Competence, a network security consultancy, said businesses must take note of the growing popularity of Wi-Fi, especially as the technology moves to mission-critical devices uses for manufacturing and inventory control.
But many companies face a slew of common wireless vulnerabilities that, if exploited, could lead to the next large-scale data breach, such as TJX, he said.
Flaws include rogue and misconfigured access points (APs), unauthorized clients, client misassociations – authorized clients that errantly connect to a neighboring network – and ad-hoc connections – a two-way connection that does not go through proper security checks.
Meanwhile, threats include denial-of-service attacks and honeypot APs, which falsely advertise themselves as a free, available wireless network, King said. End-users often fall for the bait.
“They want to attach and, to any extent possible, they want to get it for free,” King said.
More threats are on the horizon, especially as wireless-enabled portable devices, such as iPhone, become more prominent in the workplace, King said.
Increased risks are also sure to come from the wireless networking standard 802.11n, a proposed amendment that will allow wireless signals to travel further than ever before, which will permit wireless devices to become more visible to more people, he said. Meanwhile, voice over Wi-Fi (VoWiFi), a wireless-based VoIP service, may open to door to emerging threats.
Applying the latest WPA2 encryption standard and a holistic technology offering, which includes vulnerability management capabilities, can help, King said.
Greg Murphy, chief operating officer of AirWave Wireless, provider of wireless network management software, said defining access control rights and creating centralized policy is paramount to protecting a company's wireless infrastructure.
Murphy also recommended keeping up with vendor patches for devices, maintaining accurate infrastructure inventory and to track and locate lost and stolen devices on one's network.
John Steiner, LAN (local area network) coordinator for the Fargo, N.D. public school district and one of about 200 audience members, said the panel made him think about some of risks his end-users may encounter.
Particularly, he said he needs to investigate some of the trouble that could result from wireless devices connecting to potentially malicious access points.
“That's something that hadn't occurred to me,” Steiner told SCMagazineUS.com afterward. “I don't know…what they might bring back when they connect again [to our network.] Our users are generally naïve when it comes to security issues, as most end-users are.”
David Cohen, director of product marketing for Trapeze Networks, also participated in the panel.