Protecting your organization while using Wi-Fi (ITSAP.80.009)

Wi-Fi is a wireless technology that connects devices, like laptops and smart phones, to the Internet. Users can access Wi-Fi through organizationally owned and public networks. Wi-Fi can be a key technology to support your business, but it can also create vulnerabilities that threat actors can exploit. Your organization should ensure that Wi-Fi security measures are in place to protect your networks, systems, and information.

How threat actors take advantage of Wi-Fi

Threat actors can use Wi-Fi networks to access and damage your systems and devices. They can also use Wi-Fi networks to steal sensitive information. Public Wi-Fi networks are especially vulnerable because they usually don’t require users to authenticate before connecting and may rely on weak encryption that is easily broken. Where possible, avoid using public Wi-Fi for business needs: a threat actor positioned on a network can reach any unsecured device on that same network. Threat actors use the following methods to take advantage of Wi-Fi.

Spoofing

Spoofing is when a threat actor creates a fraudulent network to mimic a legitimate network. For example, a threat actor may create a network with the same name as an airport, library, or café network to trick users into connecting to it. If your employees work remotely and connect to a spoofed network, a threat actor could intercept sensitive business or personal data and infect their devices with malware.

Adversary-in-the-middle attacks

The adversary-in-the-middle (AitM) technique is often combined with spoofing. When an employee tries to connect, the threat actor uses Wi-Fi protocol vulnerabilities to collect their credentials. A threat actor can then use these credentials to connect to the legitimate corporate network. While positioned as an AitM, threat actors can collect, modify, or inject data into the communication stream.

Eavesdropping

Threat actors use eavesdropping to take advantage of unsecure, open Wi-Fi to collect traffic transmitted over a network, often from a public access point. Such activity allows a threat actor to monitor communications and to acquire personally identifiable or other sensitive information.

Jamming attacks

Wi-Fi jamming attacks flood access points to “jam” the connection. Threat actors can take over an existing wireless access point and disrupt communication between devices, compromising the availability of your organization’s services. Corporate networks should not rely solely on Wi-Fi, because a simple jammer can take out an entire business operation. Wired networks are not vulnerable to jamming, so having them in place is critical to ensuring the continuity of your business operations.

Rogue access points

Rogue access points are often installed by employees seeking more flexible access to corporate networks. Because they are not corporately sanctioned and managed, these access points may be configured insecurely and could allow unauthorized third parties to gain access to the corporate network.

How to protect your organization

There are significant security concerns when using Wi-Fi in your organization or in public spaces. You should take the following actions to protect your networks, systems, and information.

Set up a guest network

A guest network is a separate access point on your wireless router. It provides devices with access to the Internet but not to your main network. Consider connecting Internet of Things (IoT) devices to a guest network to reduce the risk of malware infections on your main network. For a guest network to be secure, its traffic must be separated from normal corporate traffic. Consider obtaining a separate Internet subscription for guest access and IoT devices instead of simply segmenting the corporate network. For IoT devices that must be placed directly on the corporate network, such as printers or point-of-sale terminals, it is good practice to segment the network, both for security and to optimize data flow.

Encrypt your data

Using encryption technology to encode your organization’s wireless data prevents anyone who intercepts your wireless traffic from reading it. Although it is not foolproof, Wi-Fi Protected Access 3 (WPA3) is currently the strongest encryption for information transmitted between wireless routers and wireless devices. Use equipment that specifically supports WPA3; relying on older protocols could expose your network to exploitation.

Use a passphrase

Change the default passwords for the network and the administrator account. Ensure that employees access Wi-Fi with individual, user-based credentials and complex passwords. Use a unique, complex passphrase or password and avoid single dictionary words or other easily guessed passwords. A passphrase is a memorized phrase consisting of a sequence of mixed words with or without spaces. Your passphrase should be at least 4 words and 15 characters in length.

Use multi-factor authentication

Multi-factor authentication (MFA) should be used wherever possible. MFA helps mitigate the ability of threat actors to access your network – even if they’ve guessed your password or stolen credentials. With MFA, users need to supply two or more different authentication factors to unlock a device or sign into an account.

Use security tools to defend your network

Install a firewall on your network. A firewall checks traffic flow in and out of your network and filters out known bad traffic. You can set rules to control the amount and type of traffic that can pass between networks. Consider investing in a wireless intrusion detection system (WIDS) or a wireless intrusion prevention system (WIPS), which monitor your networks for anomalies.
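As an added example (not code from the advisory), the kind of check a WIDS performs to catch the spoofing and rogue access point techniques described earlier: a wireless survey is compared against an inventory of the access points the organization actually deployed. The inventory layout, BSSIDs, SSIDs and survey entries are all constructed for illustration.

```python
"""WIDS-style check for spoofed, rogue and downgraded access points. Added example,
not part of the advisory; inventory format, BSSIDs, SSIDs and survey are constructed."""
from dataclasses import dataclass

# Security modes from weakest to strongest; WPA3 is the strongest, as the advisory states.
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}

@dataclass(frozen=True)
class Observation:
    bssid: str     # radio MAC address of the access point
    ssid: str      # network name it advertises
    security: str  # one of the SECURITY_RANK keys

# Constructed inventory: sanctioned BSSID -> (SSID it serves, security mode it must run)
INVENTORY = {
    "02:00:00:aa:01:01": ("CorpWiFi", "WPA3"),
    "02:00:00:aa:01:02": ("CorpWiFi", "WPA3"),
    "02:00:00:aa:02:01": ("CorpGuest", "WPA3"),
}

def classify(observations, inventory=INVENTORY):
    """Return (bssid, ssid, finding) for every observed AP that needs attention."""
    corp_ssids = {ssid for ssid, _ in inventory.values()}
    findings = []
    for obs in observations:
        bssid = obs.bssid.lower()
        if bssid in inventory:                       # a deployed, sanctioned AP
            expected_ssid, expected_sec = inventory[bssid]
            if obs.ssid != expected_ssid:
                findings.append((bssid, obs.ssid, "unexpected-ssid"))
            elif SECURITY_RANK.get(obs.security, 0) < SECURITY_RANK[expected_sec]:
                findings.append((bssid, obs.ssid, "security-downgrade"))
        elif obs.ssid in corp_ssids:                 # our name, not our radio: spoofing
            findings.append((bssid, obs.ssid, "spoofed-corporate-ssid"))
        else:                                        # candidate rogue, or just a neighbour
            findings.append((bssid, obs.ssid, "unknown-ap"))
    return findings

# Constructed survey of what a scanner might see in the office
SAMPLE_SURVEY = [
    Observation("02:00:00:AA:01:01", "CorpWiFi", "WPA3"),     # legitimate
    Observation("02:00:00:aa:01:02", "CorpWiFi", "WPA2"),     # weaker than configured
    Observation("02:00:00:ff:00:01", "CorpWiFi", "OPEN"),     # spoofed corporate SSID
    Observation("02:00:00:ff:00:02", "PrinterSetup", "WEP"),  # possible employee-installed AP
]

if __name__ == "__main__":
    for bssid, ssid, finding in classify(SAMPLE_SURVEY):
        print(f"{finding:24s} {bssid}  {ssid!r}")
```

The "unknown-ap" findings will include neighbouring organizations' networks, so treat them as candidates to confirm against the wired side (is that device actually plugged into your LAN?) rather than as verdicts.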

Use a virtual private network

For employees doing telework or travelling, using a virtual private network (VPN) can help to protect your organization’s information. A VPN sends information through a secure, encrypted tunnel. If your employees work remotely and must use unsecured or public networks, a VPN gives them an authenticated, encrypted connection that protects their data in transit.

Other considerations

Ensure that all employees know how to protect your organization from cyber threats. Provide your employees with cyber security training and encourage employees working remotely to secure their home Wi-Fi networks by:

  • creating a strong Wi-Fi password and changing it often
  • changing the default router login credentials
  • turning on the firewall and Wi-Fi encryption

Other best practices include the following:

  • be mindful of your physical security if you work in a public or shared area
  • ensure that no one is watching you enter sensitive information
  • use your organization’s VPN to connect to the corporate network
  • regularly update operating systems and applications
  • avoid using “remember me” features when logging into accounts and always sign out when you finish
  • remove saved networks that you connected to in the past and no longer use
  • deactivate automatic connection features on your mobile devices to prevent automatic connection to unsecure networks
  • turn off Wi-Fi and Bluetooth when they are not in use
  • regularly update the software and firmware on IoT devices and routers, where possible
