5 tips for tightening your wireless network's security
Your wireless network is humming along like a happy hummingbird. Your employees feel wonderfully un-tethered as they walk around the office exchanging ideas. Productivity is up. You wonder how you ever got along without Wi-Fi.
Hold on. You might also be exposing your business to unseen dangers.
Ask the pros to name the top three mistakes small businesses make when it comes to wireless networks, and they'll tell you: Security, security, and...security.
"An unbelievably large number of small businesses install Wi-Fi networks in their facilities, but fail to change any of the factory default configuration settings on the wireless access points," says Greg Murphy, the chief operating officer for AirWave Wireless Inc., a San Mateo, Calif., network-management software company. "Since most access points have security settings disabled by default, this amounts to issuing an open invitation for intruders to connect to your network."
These mistakes can seriously hurt your company. Just ask the managers at the Lowe's store in Southfield, Mich., where hackers in 2003 reportedly tried to break into the home-improvement chain's customer database using a laptop and a wireless card. Three men pleaded guilty in the security breach that the company says cost it more than $2.5 million.
Indeed, according to the 2004 Computer Crime and Security Survey published by the Computer Security Institute, overall financial losses from security breaches at the 494 companies polled — including those perpetrated via wireless networks — totaled $141.4 million in the 12-month survey period. That represents a drop from the previous year's losses, but it is still roughly $300,000 per company.
How do you keep your wireless network safe? Here are five strategies.
1. Assume you already have a problem. "A CEO shouldn't make the 'Three Mile Island' mistake," says Mike Klein, the chief executive for Interlink Networks, a wireless network security software company in Ann Arbor, Mich. "Don't assume the probability of an incident is low, and then ignore it. It's important to understand that most security breaches go undetected. A hacker who can freely access your network, or monitor your network traffic, is likely to do so undetected — reading confidential information and gaining competitive advantages over the airwaves."Tip: There are a number of useful intrusion-detection applications, from stand-alone solutions such as the open-source Snort (www.snort.org) to Windows Small Business Server's integrated intrusion-detection mechanisms, which can alert you when a specific attack is launched against your network.
2. Get a security policy in place. "If a business has deployed wireless, they must take the necessary steps to make sure it is secure," says Mike Peters, director of consulting for Calence, a Tempe, Ariz., networking company. "If a business has not deployed wireless as part of its IT infrastructure, the chances are pretty good that someone in their organization has installed a wireless access point for their own convenience. The first step any organization must take is to develop a comprehensive security policy document."Tip: For details on how to write an effective security policy document, you might want to either hire a consultant or check out some of the literature, including Scott Barman's book, "Writing Information Security Policies."
3. Build a wall, not a quilt. Many security issues happen because you buy hardware and software from multiple sources, which is more likely to result in a quilt security solution instead of the wall that you want. "When installing a wireless network, most small businesses don't realize the importance of sticking with one vendor across the board," says Josh Radlein, a wireless systems engineer for CDW, a provider of technology products and services in Vernon Hills, Ill. "Problems can arise when mixing various vendor products, causing weak areas prime for security attacks."Tip: Obviously, sticking with one vendor can solve the problem. But is it working? Try downloading the Microsoft Baseline Security Analyzer, which scans single systems or multiple systems across a network for common system misconfigurations and missing security updates.
4. Crank up your settings. "Wireless Encryption (WEP) should be turned on and set at the highest level," advises Gary Miliefsky, chief executive of PredatorWatch, a Chelmsford, Mass., security management company. "Administrative user name and passwords need to be changed immediately and frequently." (He says this will at the very least slow the wireless hackers down and act as a deterrent to casual cyber-thieves.)Tip: Even with your settings turned up, you still need to make sure you get your latest patch or firmware upgrade for your wireless router. If possible, buy one that comes with a built-in firewall and learn how to use it and properly configure it.
5. Don't be afraid to take drastic measures. Anil Khatod, president of AirDefense, an Atlanta wireless network security firm, says that 30% of his clients have determined wireless networks to be so risky, that they don't have them. "But even if you keep employees from using wireless, you still want to track rogues in your air space," he says. Where? They can pop up anywhere, from wireless-enabled laptops accessing your network through conventional means to PDAs, cell phones, printers and even barcode scanners. Several businesses have banned or limited cell phone use at work — a radical solution, yes, but if you're worried about the safety of your network, it's one worth considering.Tip: There are other steps you can take, short of unplugging your network, that a professional can assist you with. They include using encrypted e-mail, switching to a more secure protocol, hiding your access points' service set identifiers (SSID) and requiring authentication between a device and an access point.
Wireless network security isn't the kind of problem that will go away if you ignore it. Odds are that if you haven't thought about it, it's already an issue. But there's a way to address this through careful planning, conservative software and hardware configuration and outside-the-box thinking.
Scott Mayers, director of network solutions for Align Communications, a New York information-technology solutions company, says a small-business manager must start thinking of wireless security now. "Assess the wireless network. Determine what is visible to malicious individuals, and what is not," he says. "Then start upgrading."