Network Computing is part of the Informa Tech Division of Informa PLC


Top 7 Actions to Strengthen Wireless Security

    Encryption and other standard features of Wi-Fi routers and access points have reduced hackers' ability to blindly break into an enterprise’s wireless network. However, there are plenty of methods available to those with ill intentions.

    Compounding the wireless security problem is the fact that simple tasks, such as changing default settings on wireless equipment and enabling stronger authentication and encryption, often are not implemented by the vast majority of users.

    As such, enterprises must be aware of the factors that weaken their wireless security and address those issues. Here are seven tips to ensure robust wireless security, which can be applied to both on-premises and shared home networks.

  • Change Default Login Settings

    Changing the default login settings should be the first action any organization or single user performs after receiving Wi-Fi equipment. Hackers can easily find the default Service Set Identifiers (SSIDs) and admin passwords for a particular Wi-Fi router or access point by looking for specific documentation online. Once these have been found, it becomes easy for the hacker to gain access to the network.

    Changing the default login settings in an enterprise setting will require network administrators to communicate the change effectively to every employee. There should also be clear instructions to not publish this password, possibly by keeping it in a secure location or writing it down.

  • Use a Strong Router Password

    For aimless attacks, switching from the default admin password should be enough, but against a targeted assault, enterprises need strong passwords. A simple password made up of numbers or lower-case letters can be cracked in under 24 hours. To make it strong, password managers typically advise a mix of capitalized letters, numbers, and symbols, although some networking software may exclude symbols. There are numerous password generator tools available to make strong, unique passwords.

    Once a password has been decided on, it needs to be communicated clearly and written down to avoid a flood of IT requests. According to CISA, users should consider periodically changing passwords as well.

  • Enable MAC Authentication

    There are several alternative methods of authentication available if passwords are not sufficient. One of these is media access control (MAC) authentication, which works off a MAC address, a 12-digit hexadecimal number assigned to every network interface card. With this, a Wi-Fi network can filter out all devices that are not authorized to access the network. This can be an inconvenient solution for IT teams, as it requires each new device added to the network to be added to the MAC filtering list. Bring-your-own-device (BYOD) policies are almost impossible to manage if an organization has a MAC authentication setup.

    MAC authentication is not the only alternative authentication method; others include Kerberos, X.509 certificates, multi-factor authentication through a mobile device, and authentication through fingerprint or facial recognition.

  • Encrypt Wireless Communications

    WPA2 has been the standard, out-of-the-box solution for Wi-Fi security for so long that most don't even think about adding additional security. However, WPA2 has had quite a few security issues published over the past ten years, including the Wi-Fi Protected Setup (WPS) PIN vulnerability, insecurities of the Group Temporal Key with Hole196 and random number generator exploits, and the Key Reinstallation Attack (KRACK).

    While the Wi-Fi Alliance has patched some of the issues with WPA2, some updates are not cross-compatible with older routers. WPA3, which was certified in 2018, supports stronger authentication and cryptography. As such, finding Wi-Fi equipment that supports WPA3 is a necessity.

  • Create a Guest Network

    One of the best ways to prevent passwords and other identifiers from being stolen or published online is to limit Wi-Fi access to employees only. The best way to do this is by creating a guest network for visitors and other unverified actors to use. This diverts guests to a separate access point, and if in the future they were to be the subject of a malware or keylogger attack, there would be no data on their device on the home network.

    Additionally, a guest network creates a layer of separation between employees, who are more traceable and likely to inform if they have been subject to a cyberattack, and everyone else trying to access the network. Fortunately, guest networks are easy to set up for home and enterprise use, as most routers will allow users to enable guest networks and create SSIDs and passwords.

  • Limit Access to Physical Equipment

    While most attacks will take place solely online, in some scenarios, it is beneficial to have limited access to physical equipment, such as Wi-Fi routers. SSID names and passwords are usually printed on Wi-Fi equipment, providing malicious actors with all of the information they need to access the network. This is important in places where there is a lot of non-employee traffic, such as hospitals, schools, and stores.

    Having a locked area that only a few people can access reduces the chance of a malicious actor gaining access to Wi-Fi and other wireless details.

  • Keep Software Up to Date

    Old Wi-Fi routers routinely run into problems that require firmware patches to fix. However, it is not always clear if the router is automatically downloading the most recent software or if the user has to manually download updates. IT managers should know if updates are downloaded automatically, and if not, they should regularly check for patch updates to avoid exploits. Old Wi-Fi routers are prime targets for hackers, because through them hackers can access all other connected devices on the network and use them for DDoS and other cyberattacks.

    Routine checkups on software are a necessity at the enterprise level. In the home, users should make sure that Wi-Fi updates are pushed through automatically. Both should be aware of when a Wi-Fi router is at an end-of-life state and look to upgrade to a new one as soon as possible.
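
An added example, not part of the original article: a small Python audit that checks an access-point configuration against several of the tips above (default SSID, WPS, WPA3 and a separated guest network). It assumes a hostapd-style `key=value` configuration file; the sample configurations, the default-SSID list and the finding names are constructed for illustration.

```python
# Added example: audit a hostapd-style AP config against the article's tips.
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}  # constructed sample list

def parse_conf(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text, guest=False):
    """Return findings (in check order) for one SSID's configuration."""
    c = parse_conf(text)
    findings = []
    if c.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("default-ssid")               # vendor default never changed
    if c.get("wps_state", "0") != "0":
        findings.append("wps-enabled")                # exposes the WPS PIN weakness
    if c.get("wpa", "0") in ("0", "1", "3"):
        findings.append("legacy-or-no-wpa")           # open, WPA1-only or mixed mode
    if "SAE" not in c.get("wpa_key_mgmt", "").split():
        findings.append("no-sae")                     # WPA3-Personal not in use
    if c.get("ieee80211w", "0") != "2":
        findings.append("pmf-not-required")           # this example's policy: PMF mandatory
    pairwise = c.get("rsn_pairwise", c.get("wpa_pairwise", ""))
    if "TKIP" in pairwise.split():
        findings.append("tkip-allowed")               # legacy cipher still offered
    if guest and c.get("ap_isolate", "0") != "1":
        findings.append("guest-no-client-isolation")  # guests can reach each other
    return findings

# Constructed sample configurations (not taken from any real device).
WEAK = """
ssid=NETGEAR
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=TKIP CCMP
wps_state=2
"""
HARDENED = """
ssid=corp-floor3
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
ieee80211w=2
wps_state=0
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf))
```

Calling `audit(conf, guest=True)` additionally checks that a guest SSID has client isolation turned on.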