WiFi: The Weak Link in Network Security
Financial institutions need intrusion detection systems that incorporate wireless networks.
The biggest credit-card hacking incident in history exploited a weakness in wireless network security that could have easily been fixed. The lesson for financial institutions is to plug all such weaknesses before wrongdoers discover them.
TJX Companies, owner of T.J. Maxx and other retail brands, says that at least 45.7 million credit and debit cards were compromised over several years.
Intruders gained access to TJX’s computer systems beginning in 2005 and continuing until January 2007. Although debit card PINs weren’t compromised, unencrypted magnetic stripe data, also known as “track 2 data,†was stolen on transactions that occurred before September 2003, the company said.
Investigators believe hackers used handheld devices to intercept wireless messages during the payment card approval process, and used the information to steal payment card data. The ability of consumer devices such as phones and laptops to pick up wireless communications traffic through proximity to local network access points has upped the ante for network security.
Because WiFi signals can be picked up by proximately-located devices, any data that’s traveling wirelessly is fair game for attackers. It’s tantamount to “putting a screen door†around corporate systems,†says TowerGroup chief analyst Bob Egan. With the use of WiFi in the workspace on the rise, it’s critical that financial institutions respond effectively to the new threats that WiFi presents. “Financial institutions cannot afford to turn a blind eye to the impact WiFi is having today,†wrote Egan in a 2006 report.
The vulnerability is present even at companies that don’t use WiFi. Employees who connect electronic consumer devices such as games to their laptops at work can unwittingly convert them into transmitters that broadcast corporate message traffic, which can be viewed by anyone with a WiFi device near enough to pick up the signal.
Or, in cases where WiFi is used but not secured, as in some retail environments, attackers can simply wait outside the store with a WiFi-enabled device and pick off message traffic at will. In either case, “having inadequate or no wireless security is equivalent to inviting random outsiders to sit at an internal, unprotected computer and do as they please,†writes Egan.
Vulnerability doesn’t stop at the network perimeter. Financial institutions need to monitor employee WiFi-enabled devices as they attempt to establish a connection to the company's virtual private network (VPN) from a hotspot or the individual's own home. If the home network or hotspot s not secure, no amount of negotiated security policies established during a VPN session will protect the institution's network. “A hacker will simply ride in through the back door created by the insecure remote network access node,†writes Egan. To effectively identify and mitigate threats, networks must deploy a WiFi intrusion detection system or intrusion prevention system. These systems have a variety of technical architectures, but typically consist of radio sensors to collect and analyze network activity and a central server to establish, propagate, and execute the security policy, manage the sensors, and conduct additional analysis.
The sensors allows the system to triangulate the location of offending devices. If the device can’t be physically removed, aggressive systems have a number of options. The most common is to use a "deauthenticate" packet flood. “This is essentially the same as having a focused denial of service on the offending device,†writes Egan. A deauthenticate packet causes the device to drop any wireless connections. Some of those connections will automatically restore themselves, but sending a constant stream of these packets will effectively shut down a rogue device until its location can be determined and the offending device is removed.
Effective intrusion detection systems analyze network traffic on both the wireless and wired side of corporate networks. If a WiFi-enabled device is discovered to be on the company network and is not an approved device, then the device should be disconnected. If a WiFi device is physically local but not communicating on the company network, it can be automatically characterized as a neighbor, and the number of nuisance alarms that IT must attend to can thus be reduced.
Falling hardware costs have made it easier than ever before for an employee to accidentally or intentionally cripple network security measures through the simple installation of a rogue access point. While many companies attempt to mitigate internal threats through policy, enforcement is impossible without the proper tools, and the policy merely provides a false sense of security.
External attackers present a significant threat, particularly considering the value of customer data and the potential damage to a company's reputation when its customers' data is stolen by an intruder. Writes Egan, “The threats resulting from WiFi can’t be avoided by policy alone, and intelligent enforcement based on used of automated solutions for detecting and preventing breaches of security is the only safe way for financial services institutions to operate any network, whether wired or wireless.â€