Keeping Your Corporate Wi-Fi Secure
Corporate Wi-Fi networks play a vital role in enabling seamless connectivity and productivity within organizations. They enable organizations of any size to extend network connectivity, and allow clients to gain access to sensitive resources and data in a secure manner.
However, these networks are a prime target for cybercriminals seeking to gain unauthorized access to, and compromise of, company resources. Here we will explore the effective ways to keep your corporate Wi-Fi network secure from these attackers. By implementing these measures and building a defence-in-depth strategy, organizations can safeguard their sensitive data and maintain a robust and secure wireless infrastructure.
- Define an appropriate wireless access policy, to be used as a framework with guidelines for installation, management, and inventory of the corporate Wi-Fi solution.
- Conduct regular security awareness training for employees, educating them about Wi-Fi security best practices, such as avoiding public Wi-Fi networks and recognizing phishing attempts.
Location, location, location
- Try to position your Wi-Fi router or wireless access points out of view, in a secure tamper-proof location, where possible.
- Avoid excessive coverage. Ensure access points are placed in areas that require coverage. Where possible, adjust the RF power transmission or use directional antennas to essentially point the Wi-Fi coverage at a desired area.
- Set up a dedicated segmented guest Wi-Fi network and subnet for visitors or external devices. This can limit their access to sensitive company resources and ensure separation from the main corporate network. Ensure appropriate security is also applied to this guest network.
- Change the SSID Name. A Wi-Fi SSID based on the model or manufacturer of the device can provide cybercriminals with enough information to find vulnerabilities associated with the device. It is recommended to change the SSID to a benign, simple name.
- As a bonus, hiding the SSID name can also prevent anyone using a simple device from seeing the wireless network and attempting to gain access.
- Change the default login details of wireless routers or wireless access points. A lot of older devices have publicly available login details that can be retrieved with a simple google search. Ensure you avoid usernames that contain “admin” and use strong passphrases that are a minimum of 15 characters long, with a mix of uppercase/lowercase letters, numbers, and special characters.
- Stay up to date! Ensure Wi-Fi access points and routers are kept up to date by installing the latest firmware updates and patches provided by the manufacturer. This helps to address security vulnerabilities and enhances network protection.
- Use strong WPA2/WPA3 encryption. It is imperative to ensure your network traffic is encrypted, so attackers cannot eavesdrop on websites you may visit. WPA3 is the most secure option you can employ, with greater defence against password-guessing attacks and use of stronger encryption ciphers. Where only pre-shared keys can be used, ensure these are strong and change them regularly.
- Disable WiFi Protected Setup (WPS). Anyone with access to the WPS button can access your corporate Wi-Fi. PIN-based WPS can also be easily brute-forced, enabling unauthorized access to the network.
- Disable ethernet ports, where possible. An attacker can potentially circumvent all the protections placed on the wireless network, by simply plugging into the ethernet port of the wireless router/access point.
- Utilise built-in security features. Most enterprise Wi-Fi solutions include a number of security features such as intrusion detection, monitoring the network for malicious activity, web-filtering, anti-malware, geo-IP firewalling and more.
Authentication and Authorization
- Consider authenticating devices using certificates. EAP-TLS is one example of a certificate-based authentication method, which uses certificates to authenticate both the client and authentication server. This method of authentication allows a device with a valid certificate to connect to the network, and so, prevents attackers without the certificate from gaining access.
- Ensure regular auditing of logs is employed to monitor for unauthorised access attempts and breaches.
- Prevent any rogue access points. These could be setup by a malicious user or simply by a well-intentioned colleague trying to extend network availability. However, these will almost certainly not be as secure as the rest of the wireless infrastructure and could provide unintended access to the corporate network.
- Perform regular security assessments of the Wi-Fi network. By performing periodic security audits and penetration testing to identify vulnerabilities in the Wi-Fi network, you can address any issues promptly and proactively to maintain a secure environment.
Cyberfort can help with this. Please get in touch with a member of our Sales team for more details of our Wireless Security Assessment, or any other services we provide.