Know the Risk: Digital Transformation's Impact on Your Business-Critical Applications REGISTER >
Editor's Note: Some years ago eSP contributor Mike Horowitz took a look at wireless networks and the best way to secure them. Since then some things have changed and others have not (like creating strong passwords). So we decided to have veteran tech journalist Pam Baker revisit the issue to see what's considered best-practice today. Here's what she found out.
The bad guys are drooling over all the delicious info they can suck from your ever-growing wireless network. Where once there were only computers and servers to steal information from now there are dual-mode cell phones (that often seek the nearest WiFi connections without your approval or knowledge); Blu-ray players and gaming consoles that connect to the Internet; tables; laptops ... virtually everything you do, everything you know, everything that defines the essence of you is contained neatly on your network. Not just tasty tidbits of info for a bad guy to snack on, but a full-on, table-covered feast!
While it's good advice to limit the amount of personal info on your devices, that advice isn't very practical. After all, the whole point of having all those devices is so you can do stuff easier and that in turn generates information about you -- a lot of information. Still, keep the private info to a minimum and then follow these tips to build your own hacker-smacker defense shield, so to speak:
First, realize the threat is both physical and virtual. Most folks still think of a hacker as some unshaved showerless teen geek with a malicious streak sitting at a single computer far, far away. However, that is not usually the case. These days hackers tend to work in teams as members of organized crime. Quite often they are funded by foreign governments. However, there are plenty of cyber-criminals here at home, too and they are just as likely to case your street, like ordinary robbers do.
With a laptop, tablet or smartphone in hand, all a criminal has to do is slowly drive or walk down your street to detect an unprotected network. From there he need only to park at a discreet distance and "shop" your network at his leisure. You, meanwhile, will likely have no idea anything has happened.
That's the trouble: you don't know you have a security breech ... ever. So a criminal can come back again and again, updating his records on your passwords and that new debit card info you just got because the bank says a criminal used it for a purchase. Surprise! Now he can use your new debit or credit card to make another purchase. Wash, rinse, repeat.
The good news is that most protective steps for wireless networks cover both the physical and virtual threats. The only additional steps you'll need to take to guard against the physical threats are to lock, password protect and encrypt all your mobile devices so that if they are stolen or lost, the information on them is still safe.
What the WEP did you WPA that for? When it comes to routers (a.k.a., access points), wired equivalent privacy (WEP) protocol is the easiest protection to setup and the easiest to break into. So, forget about using WEP at all. One might argue that the setting is better than nothing, but only in a band aid-at-the-nude-beach sort of way.
"The older WEP protocol is notoriously simple to crack using simple point and click programs," explained Joshua Mead, senior security analyst at IVPN.NET. "Fortunately all modern routers now implement WPA2 (WiFi protected access version 2) which is significantly more secure and should be considered as a mandatory feature when purchasing a new access point."
Indeed, when most people say WPA these days, they actually mean WPA2. The second version was designed to overcome flaws inherent in the first version. However, if WPA2 is not an option, say on an older router, then WPA is still vastly superior to WEP. Instead of just a band aid to wear, WPA will at least give you the protection equivalent to a bandana, a fig leaf and a sun hat.
By contrast, WPA2 is a rubberized snow suit with the fly open. In other words, there is no single measure that provides 100% protection. True protection comes from combining several measures and keeping all of it regularly updated.
"The final step is to keep your wireless access point updated," said Bob Gaines, security expert at All Covered, a division of Konica Minolta Business Solutions USA. "There are often firmware updates designed to increase security and provide additional functionality. Check for updates at least once a month."
Change all router defaults. Change the default password because these are commonly known to criminals and openly published for most devices. Use a password that combines numbers, letters (both upper and lower case) and even symbols. You can do this and easily remember it, too. Think of a sentence for example that includes numbers, such as "I have two dogs and live on Elm Street." In that example, the first letter plus the number becomes a password that's hard to crack but easy to remember -- Ih2daloES. Just don't think you're done now that you have a clever password, however.
"Change the router's default network range, which is typically 192.168.1.X or 10.0.0.X," advises Gaines. "Changing the defaults reduces the chance that someone will try to guess elements of your network." But, no, that's not the last thing you need to do either.
Change the default SSID (the wireless network identifier) on your router. Give it a unique name, but not something that can be associated to your location (such as a name or an address). Avoid using the router brand or a common name too as you can easily end up connecting to the wrong router thinking it is yours when actually a neighbor just named his network the same thing you did.
"Like many other routers, Linksys legacy routers (WRT models) ship with default settings that are known to anyone who uses the same router," said Karen Sohl, Corporate Communications manager for Cisco. "Changing both the default password and SSID will help ensure you're secure and preventing others from getting into your network."
Fortunately, newer routers such as the current line of Linksys E-Series or a Cisco Valet home router are already protected because the Cisco Connect software program sets up a new SSID (network name) and passwords automatically during the initial setup. Most other vendors have done likewise. But just changing SSID still isn't enough; you need to disable SSID broadcast, too.
Be sure to shop for routers that offer you additional protection. You'll be surprised at what is available these days.
"Many of the home systems from Cisco, Belkin and others are pre-configured with encryption, with the Cisco line leading the way using a security thumb-drive to auto-configure devices security with the access point," said Gaines. "However, even with these pre-configured systems, users should follow basic guidelines of changing default guidelines, disabling the SSID broadcast, setting encryption levels, and updating firmware for maximum security."
A prolific and versatile writer, Pam Baker's published credits include numerous articles in leading publications including, but not limited to: Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, NY Times, and Knight-Ridder/McClatchy newspapers. She has also authored several analytical studies on technology and eight books. Baker also wrote and produced an award-winning documentary on paper-making. She is a member of the National Press Club (NPC), Society of Professional Journalists (SPJ), and the Internet Press Guild (IPG).