Protect your business with a strong cybersecurity strategy
By Chad Mercer
Cyberattacks can cause business disruptions that lead to defective products, production downtime, physical damage, tarnished brand and reputation and angry customers - and the unfortunate truth is these attacks are not as rare as one would like to think: The 2016 IBM X-Force Research report found a 64 percent increase in cybersecurity incidents in 2015 over 2014.
One of the most important assets an enterprise must protect is its wireless network. Wireless networks are susceptible to a number of cybersecurity threats, and to ensure a business's wireless network is not creating risks, enterprises should utilize five best practices.
1. Role-Based Access: Some IT operations have an admin role - a super user - that controls everything, but that creates only one entry point into the network, and the admin role becomes the weakest link. If the admin is inadvertently compromised, so, too, is the keying material used to provide encryption and other trust mechanisms.
Other roles should be incorporated, such as security administrator: a completely different account from the admin that manages the security configuration of the various network devices. Both the admin and security admin roles should require dual identification to access the network. This means using not just a password, but also a second identifying element like a hardware token or certificate - something that this role must physically possess to identify itself. This eliminates the single point of failure created by using just a password.
Other roles may also be created, such as generic user accounts that let other employees or external customers to log in with read-only accounts, but don't let them directly control it.
2. Encryption and Authentication Protocols: Strong layers of encryption and authentication are one of the simplest ways to minimize the risk of cyberattacks. They protect against traffic analysis threats and keep attackers or adversaries from being able to "sniff" information off the wireless network. AES-256 encryption - considered among the top ciphers, and theoretically uncrackable - is recommended for an enterprise's wireless network. Additionally, a strong authentication algorithm, such as Galois Counter Mode (GCM) or Counter with CBC MAC (CCM), should be used in conjunction with the encryption algorithm.
However, it's also important to ensure that the network devices providing the encryption and authentication protocols have sufficient processing bandwidth, so that enabling these high-strength security protocols don't inadvertently slow down overall wireless throughput and connectivity, which can impact real-time data flow.
3. Securing IoT Devices: As businesses begin adding smart devices to their infrastructure, they have to be wary of one of the biggest challenges of IoT: the inherent vulnerability of these devices.
One of their weaknesses is that many devices don't have the security mechanisms to detect unauthorized software updates. If a device's simple password protection mechanism is compromised, adversaries can send non-authorized software updates to the device. The device will accept and process it, and may appear to be running normally, but instead that "update" is functioning as a back door into the network, or even turns that device into a "robot" that can scan the internal network for information or even be used to carry out denial-of-service attacks.
IT can protect against these attacks by ensuring that the device only accepts software updates that come from trusted sources. This can be accomplished by requiring devices to only accept digitally signed software distributions, which is a certificate-based concept that allows a device to check a digital signature on the software update and compute whether or not it is trusted software. If the digital code doesn't match, then the device will reject the update, which prevents unauthorized software from getting into the system.
4. Secured Key Distribution: Each wireless access point or security router within a system must be set up with the same key so they can all communicate with each other.
This sometimes entails IT personnel going to each device manually, connecting to each one and typing in a common static secret key - which is an effective secure-channel keying approach, but not efficient from an operational standpoint. The operational inefficiency impact can often result in a weak security configuration, such as keys not being changed often, or keys being known by more than one IT personnel, which exposes potential key leaks due to social engineering type of attacks. Once a key is known by an adversary, they can use it not only to decipher encrypted traffic at that moment, but also for past encrypted communications that they might have sniffed from the wireless network.
Newer devices allow each access point to be remotely keyed, but these access points should be designed to leverage some of the stronger security protocols that are out there, such as derived shared secret algorithms: Each element can conduct a secure message exchange that allows it to generate a shared secret that only it can access. The shared secret is then used to derive other internal keys that are used to encrypt (i.e., wrap) the actual network traffic key prior to transmission to the device requiring keying. The receiving device uses its internal shared secret to decrypt the received wrapped network key and then use it for secure communications.
Perfect forward secrecy is another property of secure communication protocols in which compromise of long-term keys does not affect past session keys, helping protect past sessions against future compromises of secret keys or passwords. As such, secured key distribution - with shared secret derivation using perfect forward secrecy - is the recommended approach when keying each element of the network.
5. Logging: For all elements and components in a network, everything needs to be able to log any type of security-related access or modification. If an adversary does cause some kind of disruption, those logs will help IT figure out what elements have been compromised and how far that attack went.
It seems simple, but if an attack occurs and there is no logging, there is no way to trace when something happened and where on the network it happened - and that necessitates shutting everything down and starting from scratch.
By taking steps to secure a wireless network, enterprises can reduce their risk of security issues and cyber attacks, protecting their own data as well as that of their customers.