Protecting your organization while using Wi-Fi (ITSAP.80.009)

Wi-Fi is a wireless technology that connects devices, like laptops and smart phones, to the Internet. Users can access Wi-Fi through organizationally owned and public networks. Wi-Fi can be a key technology to support your business, but it can also create vulnerabilities that threat actors can exploit. Your organization should ensure that Wi-Fi security measures are in place to protect your networks, systems, and information.

How threat actors take advantage of Wi-Fi

Threat actors can use Wi-Fi networks to access and damage your systems and devices. They can also use Wi-Fi networks to steal sensitive information. Public Wi-Fi networks are especially vulnerable as they usually don’t require authentication for users to connect and may rely on weak encryption that is easily hacked. Where possible, avoid using public Wi-Fi for business needs, as threat actors positioned on a network can access unsecured devices on the same network. Threat actors use the following methods to take advantage of Wi-Fi.

Spoofing

Spoofing is when a threat actor creates a fraudulent network to mimic a legitimate network. For example, a threat actor may create a network with the same name as an airport, library, or café network to trick users into connecting to it. If your employees work remotely and connect to a spoofed network, a threat actor could intercept sensitive business or personal data and infect their devices with malware.

Adversary-in-the-middle attacks

The adversary-in-the-middle (AitM) technique is often combined with spoofing. When an employee tries to connect, the threat actor uses Wi-Fi protocol vulnerabilities to collect their credentials. A threat actor can then use these credentials to connect to the legitimate corporate network. While positioned as an AitM, threat actors can collect, modify, or inject data into the communication stream.

Eavesdropping

Threat actors use eavesdropping to take advantage of unsecure, open Wi-Fi to collect traffic transmitted over a network, often from a public access point. Such activity allows a threat actor to monitor communications and to acquire personally identifiable or other sensitive information.

Jamming attacks

Wi-Fi jamming attacks flood access points to "jam" the connection. Threat actors can take over an existing wireless access point and disrupt communication between devices, thus compromising the availability of your organization’s services. Corporate networks should not rely solely on Wi-Fi because a simple jammer can take out an entire business operation. Having wired networks that are not vulnerable to jamming is critical to ensuring the continuity of your business operations.

Rogue access points

Rogue access points are often installed by employees seeking more flexible access to corporate networks. Because they are not corporately sanctioned and managed, these access points may be configured insecurely and could allow unauthorized third parties to gain access to the corporate network.

How to protect your organization

There are significant security concerns when using Wi-Fi in your organization or in public spaces. You should take the following actions to protect your networks, systems, and information.

Set up a guest network

A guest network is a separate access point on your wireless router. It provides devices with access to the Internet but not to your main network. Consider connecting Internet of Things (IoT) devices to a guest network to reduce the risk of malware infections on your main network. For a guest network to be secure, its traffic must be separated from normal corporate traffic. Consider obtaining a separate Internet subscription for guest access and IoT devices instead of simply segmenting the corporate network. For IoT devices that must be placed directly on the corporate network, such as printers and point-of-sale terminals, it is good practice to segment the network both for security and to optimize data flow.

Encrypt your data

Using encryption technology to encode your organization’s wireless data prevents anyone who might be able to access your network from viewing it. Although it is not fool-proof, Wi-Fi Protected Access 3 (WPA3) is currently the strongest encryption for information transmitted between wireless routers and wireless devices. Use equipment that specifically supports WPA3, as relying on older protocols could expose your network to exploitation.

Use a passphrase

Change the default passwords for the network and the administrator account. Ensure that employees access Wi-Fi with individual, user-based credentials and complex passwords. Use a unique, complex passphrase or password and avoid single dictionary words or other easily guessed passwords. A passphrase is a memorized phrase consisting of a sequence of mixed words with or without spaces. Your passphrase should be at least 4 words and 15 characters in length.

Use multi-factor authentication

Multi-factor authentication (MFA) should be used wherever possible. MFA helps mitigate the ability of threat actors to access your network, even if they’ve guessed your password or stolen credentials. With MFA, users need to supply two or more different authentication factors to unlock a device or sign into an account.

Use security tools to defend your network

Install a firewall on your network. A firewall checks traffic flow in and out of your network and filters out known bad traffic. You can set rules to control the amount and type of traffic that can pass between networks. Consider investing in a wireless intrusion detection system (WIDS) or a wireless intrusion prevention system (WIPS), which monitor your networks for anomalies.
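The checks a WIDS performs against the spoofing, rogue access point and weak-encryption issues described above, as an added example that is not part of the original publication: it compares a scan of nearby access points against an inventory of the access points the organization manages and flags anything that advertises the corporate network name from an unknown BSSID, any managed access point that has drifted below WPA3, and nearby open or legacy-encrypted networks. The SSIDs, BSSIDs and the scan format are constructed for illustration.

```python
"""Flag spoofed/rogue access points and weak Wi-Fi encryption from scan output.
Added example with constructed data; BSSIDs and SSIDs are hypothetical placeholders."""
from collections import namedtuple

CORPORATE_SSID = "ExampleCorp"                                   # hypothetical name
SANCTIONED_BSSIDS = {"02:11:22:33:44:01", "02:11:22:33:44:02"}   # APs we manage
WEAK_SECURITY = {"OPEN", "WEP", "WPA", "WPA2-TKIP"}              # legacy/no encryption

Beacon = namedtuple("Beacon", "ssid bssid security")  # security as the scanner labels it

def parse_scan(text):
    """Parse constructed scanner output, one 'SSID | BSSID | SECURITY' per line."""
    beacons = []
    for line in text.strip().splitlines():
        ssid, bssid, security = (f.strip() for f in line.split("|"))
        beacons.append(Beacon(ssid, bssid.lower(), security.upper()))
    return beacons

def looks_corporate(ssid):
    """Match the exact name and look-alikes such as 'examplecorp-free'."""
    return CORPORATE_SSID.lower() in ssid.lower()

def audit(beacons):
    """Return (bssid, category) findings a WIDS operator would want raised."""
    findings = []
    for b in beacons:
        sanctioned = b.bssid in SANCTIONED_BSSIDS
        if sanctioned and b.security != "WPA3":
            findings.append((b.bssid, "config-drift"))     # managed AP below WPA3
        elif sanctioned and b.ssid != CORPORATE_SSID:
            findings.append((b.bssid, "unexpected-ssid"))  # managed AP renamed
        elif not sanctioned and looks_corporate(b.ssid):
            findings.append((b.bssid, "spoofed-ssid"))     # spoof or rogue AP
        elif not sanctioned and b.security in WEAK_SECURITY:
            findings.append((b.bssid, "weak-security"))    # open/legacy network nearby
    return findings

SAMPLE_SCAN = """
ExampleCorp      | 02:11:22:33:44:01 | WPA3
ExampleCorp      | 02:11:22:33:44:02 | WPA2-CCMP
ExampleCorp      | 02:AA:BB:CC:DD:EE | OPEN
examplecorp-free | 02:AA:BB:CC:DD:EF | WPA2-CCMP
CoffeeShop       | 02:00:00:00:00:10 | WPA2-CCMP
Library          | 02:00:00:00:00:11 | WEP
"""

if __name__ == "__main__":
    for bssid, category in audit(parse_scan(SAMPLE_SCAN)):
        print(f"{bssid}  {category}")
```

If the organization also runs a guest SSID, extend the inventory to map each sanctioned BSSID to the set of names it is allowed to advertise so a legitimate guest network is not reported as renamed.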

Use a virtual private network

For employees doing telework or travelling, using a virtual private network (VPN) can help to protect your organization’s information. A VPN sends information through a secure, encrypted tunnel. If your employees work remotely and must use unsecured or public networks, using a VPN to set up a secure connection that uses authentication and protects data will provide better security.

Other considerations

Ensure that all employees know how to protect your organization from cyber threats. Provide your employees with cyber security training and encourage employees working remotely to secure their home Wi-Fi networks by:

  • creating a strong Wi-Fi password and changing it often
  • changing the default router login credentials
  • turning on the firewall and Wi-Fi encryption

Other best practices include the following:

  • be mindful of your physical security if you work in a public or shared area
  • ensure that no one is watching you enter sensitive information
  • use your organization’s VPN to connect to the corporate network
  • regularly update operating systems and applications
  • avoid using “remember me” features when logging into accounts and always sign out when you finish
  • remove saved networks that you connected to in the past and no longer use
  • deactivate automatic connection features on your mobile devices to prevent automatic connection to unsecure networks
  • turn off Wi-Fi and Bluetooth when they are not in use
  • regularly update the software and firmware on IoT devices and routers, where possible