Industry Expert Series: Wireless Security- How to Better Protect Devices and Networks

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Tech Community Voices blog series, Microsoft Senior Product Marketing Manager Brooke Lynn Weenig talks with Jennifer Minella, Founder and Principal Advisor, Network Security, of Viszen Security and the author of “Wireless Security Architecture: Designing and Maintaining Secure Wireless for Enterprise.” The thoughts below reflect Jennifer’s views, not the views of Jennifer’s employer, and are not legal advice. In this blog post, Jennifer talks about wireless security. 

Brooke: What was your journey into cybersecurity? 

Jennifer: My college minor was in design and my declared major was computer engineering, which was electrical engineering and programming basically because we didn't have security classes back then. In the computer classes, they were still teaching COBOL and FORTRAN and later the Visual Programming Language. 

My father started an enterprise technology company in the basement of our house when I was about 5. A few years later, my mom bought out his business partner. I ended up picking up the slack when they were short-staffed. There was a transition from a brief technical sales role into being a network architect working with a lot of different organizations. There were multiple occasions where we were migrating from one solution to another or from old equipment to new equipment and the customer had lost credentials or access into the equipment. We had to creatively break into them, with the client’s permission, and that continued through firewalls, remote access, and Wi-Fi. Early on, I decided that while we're planning these network services, we should build the security into the architecture so somebody maliciously coming in couldn't do what we did during the services. 

Brooke: What are the biggest challenges in wireless security? 

Jennifer: The biggest challenge is that we're undoing some recommendations we've had for the past eight to 10 years. We've been telling people to collapse SSIDs and have three wireless networks, maybe four or five or more in larger organizations. That was to address issues with the overhead that ate up airtime. In Wi-Fi, only one thing can be talking in any given frequency at a time and everything else must listen. Every time we add another network, even if there's nothing on that network, it's sending what we call beacons, and that is taking up airspace. It's like if you have a highway with five lanes and on the left and the right, there are bike lanes, and you can't put cars there but there's not necessarily bikes on it. We've just lost that real estate in the air.  

Now, we don't have the same limitations we did in the past. Not that we don't care about airspace and airtime, but it's not as big of an issue with the newer technology. What we're telling them is completely opposite. We're saying to increase the number of SSIDs and increase the number of wireless networks and further separate things. Each SSID is a broadcast domain, and even in an 802.1X secured network, there are known vulnerabilities related to group encryption keys, but it's just the way the technology functions. Also, many organizations compromise their 802.1X secured networks by allowing MAC-based authentication (which isn’t really authentication). In most deployments, combining these on the same network effectively downgrades the security of the entire SSID. We're telling people to separate SSIDs. Don't collapse them. Add more.  

The second big challenge is that many years ago, it was a very standard default operation on a Wi-Fi network that when things join that network, they could not talk to each other. But a lot of the consumer protocols, like Apple’s Bonjour protocol and other mDNS, started making their way over to the enterprise network. It’s not just Apple products anymore. Most solutions use Bonjour for discovering printers or casting to a device. These protocols were never designed to be used on an enterprise network. They subvert or bypass controls we have on the enterprise network, and it is, in fact, the No. 1 way in for pen testers. 

These consumer protocols and these “zeroconf” protocols are running on enterprise networks because, for example, an executive wants his Apple stuff to work, or a university must support students with printers in their room or screen casting devices in classes. There are secure ways to disable that and be more intentional about that control and allowing the traffic, but it's a lot of work and so most people don't do it. They just let it all go and then deal with the consequences of that.  

  
Brooke: How can organizations prevent having these challenges be part of their risk landscape?  

Jennifer: Most of them aren't, and I think that's the challenge. Universities are a little bit of a challenge because of the student population and the way they work. They're like little cities. If you look at other enterprise organizations, even in healthcare and the financial space, there are a lot of gaps and vulnerabilities in the Wi-Fi architecture. There's always a trade-off because what's correct for one organization isn't necessarily appropriate for a different one. It gets twisted and complicated, but the big thing is that the organizations should understand their risk tolerance. We want them to make informed decisions based on risk tolerance. Some organizations and teams don't have that level of maturity. They don't have a risk management program or even a CISO. 

In my book, “Wireless Security Architecture: Designing and Maintaining Secure Wireless for Enterprise,” I walk the network architect through the governance, risk, and compliance concepts that are relevant to what they're going to do in the network architecture, including the templates and the architectures for design, monitoring, and alerting. It is not written for wireless professionals specifically, but for anybody who works in technology or in networking. Any IT professional should be able to read this book and take something away from it to better secure their organization. To simplify applying the knowledge, key concepts and best practices are outlined on a relative scale of high security, medium security, and low security.

Brooke: How do you qualify a company into security buckets?  

Jennifer: When I do it, it's per network. Consider the internal network or series of networks of a hospital where they have point of care, life-saving services, and biomedical devices. They are high security. On the other hand, how healthcare is evaluated and gets funding is based on guest and patient satisfaction. A big piece of that is their access to the Internet. In healthcare, especially in hospitals, you'll see guest networks, but what you're probably not going see are elaborate captive portals or any impediment to getting that patient or their family members onto the network for guest Internet. We're going to consider that guest network a low security model.  

When we take a network-by-network view, it's easy to figure out where we are going to fall. Certain industries and types of organizations are regulated and have data that is going to put them in a high security group, like healthcare, which has HIPAA, and anybody that is processing payments will have some elements under PCI scope. 

Brooke: Why should companies use conditional access?  

Jennifer: Today’s companies are distributed and highly mobile. Also, many are allowing use of personal devices. Obviously, a lot of the corporate assets have moved to the cloud. Organizations expect both more agility and more security. Conditional access policies help with those corporate-managed endpoints – a fully corporate-owned laptop, phone, or tablet – and personal and third-party devices. A lot of analysts and models around Zero Trust tout that protecting data is our sole goal. I do not feel that that is our only goal. I believe it is a big part of the goal. We have other assets and resources within infrastructures that need protection. 

Conditional access policies and mobile application controls give us a more granular way to protect that data and those application assets. From a corporate-managed device, we get that additional layer of visibility, control, and context over where is that device, especially in this work-from-anywhere model. There are parts of the world that a lot of organizations, especially US-based organizations, may not want their employees traveling to with their corporate resources and accessing data and applications. These conditional access policies let us layer in who, when, where, how, what, and why so we can get very, very granular about what they can and cannot access under what conditions.

Take that over to the bring your own device (BYOD) and personal device model and it is even more compelling because what we have had to do in the past is mobile device management (MDM). Now, instead of controlling the employee’s personal device, we’re controlling our corporate data and applications through Mobile Application Management (MAM) policies. We are wrapping the protection around that. With MAM, we’re much closer to the asset we care about. We do not care about the phone. The phone's just an entry point into potentially malicious access to our data and applications.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.