Wi-Fi gives us freedom from wires, but it is not secure by default. Data is transmitted through the air and anyone nearby can easily capture it with the right tools and knowledge.
Whether you have a Wi-Fi network at home or at your business, employing security measures is necessary to protect company files, online accounts and user privacy.
Why Protect Your Wi-Fi Network?
By default, Wi-Fi routers and access points are not secure when you purchase them. Unless you enable encryption, people nearby can easily connect to your network. At best, they just use the free wireless Internet for browsing and downloading—possibly slowing down your connections.
However, if they wanted to, they could possibly access your PCs and files. They also could easily capture your passwords or hijack your accounts for websites and services that don’t use SSL encryption, such as some Web-based email clients, Facebook and Twitter.
If your Internet service provider (ISP) set up your Wi-Fi, they likely enabled encryption. This version of encryption, however, may be an older security option that is now easily breakable: wired equivalent privacy (WEP).
Why protect your connections on other Wi-Fi networks? When you connect to outside networks, such as hotspots in coffee shops, airports, and other public places, the connection is almost always insecure. Eavesdroppers don’t even have to connect to the Wi-Fi hotspot to capture your traffic. And as with using any other unencrypted Wi-Fi network, they could possibly get hold of your passwords or hijack your online accounts.
To check the security status of your Wi-Fi and raise its security level as needed, follow these best practices:
1. Choose the Right Wi-Fi Security Options
You can use any of several separate protocols that provide different levels of security: WEP, WPA, and WPA2. You see these options when enabling or changing the wireless security on your wireless router or access points (APs).
WEP is easily breakable and protects you only from casual Wi-Fi users. Wi-Fi Protected Access (WPA) has two versions: the first is simply WPA, for a reasonable level of protection, and the second is WPA2, which provides the best protection to date. You can implement both WPA and WPA2 in two very different modes: Personal, aka Pre-Shared Key (PSK), and Enterprise (802.1X, RADIUS, or EAP). Most wireless routers and APs support both modes.
The Personal mode of WPA/WPA2 is easier to set up, but is subject to “dictionary” cracking. This means that someone could potentially come up with your passphrase by running software that repeatedly tries to guess it from a dictionary of common words, passwords and combinations. Create a long and strong passphrase when setting up the encryption.
The Personal mode, though, is not suitable if your organization has more than a couple of Wi-Fi users. In this mode, all computers and devices connecting to the network are set with the same encryption passphrase. This creates issues when employees leave the company or a device becomes lost. You would want to change the passphrase when such occasions arise—but that means you must change it on all access points and every Wi-Fi device.
The Enterprise mode of WPA/WPA2 is much more complex to set up and requires a server, but it provides better security for organizations. Along with the security itself being stronger, this mode provides each Wi-Fi user with their own username and password for logging onto the Wi-Fi instead of a global passphrase. This means that if an employee leaves the company or their device is stolen, you just have to change their password on the server.
The Enterprise mode also prevents users on your network from snooping on each other’s traffic, capturing passwords or hijacking accounts since the encryption keys (exchanged in the background) are unique to each user session.
If you aren’t sure that your Wi-Fi is encrypted, you can quickly check. On a PC or device that is connected to the Wi-Fi network, simply open the list of available wireless networks and find the name of the network you use. In Windows, click the network icon in the lower right corner of your screen. Hover over the network you are connected to and see what, if any, encryption is in place.
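The same check can be scripted. The following is an added example, not part of the original article: it parses text in the layout printed by the Windows command `netsh wlan show networks` and rates each network using the ranking from section 1. The sample output is constructed, and the function names and verdict labels are illustrative assumptions.

```python
import re

# Constructed sample in the layout printed by `netsh wlan show networks`.
SAMPLE = """\
SSID 1 : OfficeMain
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP

SSID 2 : OfficeLegacy
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : WEP

SSID 3 : CoffeeShop
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
"""

def parse_networks(text):
    """Return one dict per network: ssid plus its lower-cased netsh fields."""
    networks, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*SSID \d+\s*:\s*(.*)$", line)  # does not match BSSID lines
        if m:
            current = {"ssid": m.group(1).strip()}
            networks.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
    return networks

def rate(net):
    """Map one network to (verdict, reason) using the article's ranking."""
    auth, enc = net.get("authentication", ""), net.get("encryption", "")
    if enc == "None":
        return "insecure", "no encryption; anyone nearby can capture traffic"
    if enc == "WEP":
        return "insecure", "WEP is easily breakable"
    if auth == "WPA2-Enterprise":
        return "best", "WPA2 with a separate login per user"
    if auth == "WPA2-Personal":
        return "good", "WPA2 with a shared passphrase; keep it long and strong"
    if auth.startswith("WPA-"):
        return "fair", "first version of WPA; move to WPA2"
    return "unknown", "security settings not in the article's list"

def audit(text):
    """Return {ssid: verdict} for every network found in the netsh text."""
    return {n["ssid"]: rate(n)[0] for n in parse_networks(text)}
```

To audit a real machine, pass the captured output of `netsh wlan show networks` to `audit()` in place of `SAMPLE`.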
2. Have a Separate Wi-Fi for Guests
Never allow an untrusted or unfamiliar person to have access to your private Wi-Fi network. If you want to offer visitors or guests wireless Internet access, make sure that such access is segregated from your company’s main network so they can’t possibly get into your computers and files.
3. Physically Secure Your Network Gear
Make sure that your wireless router or APs are all secured from visitors. An intruder could easily plug into the network if it is in reach or reset it to factory defaults to clear the security. To prevent this, mount the hardware high on walls or above a false ceiling. Also, if your office has ethernet network ports on the walls, make sure that they are not within the reach of visitors, or disconnect them from the network. If you have a larger network with a wiring closet, make sure it is locked and secure.
4. Secure Your Wi-Fi outside the office with VPN
You also need to secure your Wi-Fi connections when on other untrusted networks, such as public hotspots. You can use a virtual private network (VPN) connection, which secures all your Internet traffic by redirecting it to the VPN server via an encrypted tunnel. This ensures that if local eavesdroppers are hanging around a Wi-Fi hotspot, they will not see your real Internet traffic, capture your passwords or hijack any accounts.
If such a VPN is not available, consider hosted services. Many free ones are designed for Wi-Fi security such as Hotspot Shield. However, for better reliability and better speeds, you might consider a paid service, such as Comodo TrustConnect.
5. Ensure Websites Are Encrypted Outside the Office
If you do not use a VPN connection to secure all your traffic when out of the office, ensure that any websites you log in to are encrypted. Highly sensitive websites, such as banks’, use encryption by default, but others, such as social networking sites and email providers, do not always do so.
To ensure that a website is using encryption, access it via a Web browser. You can see if the site supports SSL encryption by adding the letter s to its address: https:// instead of http://. If it is encrypted, you will also see some sort of notification in the browser about the security—such as a padlock or green-colored address bar. If you do not see any notification or it shows an error, it may not be secure. You should therefore consider waiting to access the site until you are on a private network at home or in the office.
As the demand for mobility and instant access grows, it is important to be vigilant regarding security so the risks do not outweigh the rewards.
Submitted by Nick Pascarella, partner at TruBambu (www.trubambu.com), a business technology consultancy company.
Nick Pascarella, Trubambu
firstname.lastname@example.org | (201) 445-8790
Art Hendela, Hendela System Consultants, Inc.
Art.email@example.com | (973) 890-0324