Advice for responding to the WPA2 security flaw

By now everyone’s likely heard about the serious vulnerability affecting the Wi-Fi security protocol WPA2 that secures the wireless communications of just about every consumer device out there.

Key Reinstallation Attacks (KRACK) allow an attacker to control the encryption keys in use, potentially leading to the ability to decrypt the wireless traffic between the device and the wireless access point.

Encryption is fundamental to any data security strategy, and individuals and businesses alike need to take all vulnerabilities in encryption technology seriously.

MITIGATING THE IMPACT OF KRACK

There are some mitigating facts that businesses should consider when evaluating their response:

The issue is with the wireless encryption applied to the communication channel. Other encryption mechanisms at different layers of the OSI stack are still in place and secure. Most sensitive data transmitted over any network is also encrypted with another mechanism, TLS (used by HTTPS). This is the lock you see in your browser. So while the wireless encryption is no longer secure, the next layer of TLS encryption keeps the data secure.
For many businesses, core IT systems don’t use wireless connectivity and wouldn’t be directly impacted. Console and remote connectivity to these core systems should require encrypted communications higher up the OSI stack, like SSH or TLS-secured web consoles. So in many cases, this is an end-user device issue.
To exploit the vulnerability, the attacker needs to be within Wi-Fi range of the network. If you’re confident in your physical security perimeter, this vulnerability becomes harder to exploit.

RESPONDING TO SOFTWARE VULNERABILITIES

Consider a twofold approach:

Your security team should be monitoring the situation closely and planning to communicate specific patching requirements to the company. Information is notoriously bad in the first 24 hours of a major vulnerability, so it is important to keep looking for the latest information from trusted vendors. One thing is sure: the patching requirements will be widespread, requiring every laptop, tablet and phone operating system to be updated on top of network infrastructure.
Consider a monitoring strategy using vulnerability management programs to track your organization’s progress in applying the required patches. Also determine what tools your network vendors can provide to detect this vulnerability in action. Attempts to take advantage of the vulnerability are pretty simple to detect using standard network tools like WIPS and rogue AP detection. This may turn into the best immediate mitigation strategy for corporate Wi-Fi networks.
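
One way to express the rogue AP check mentioned above, as an added example that is not from the original post or from any vendor's WIPS: it flags beacons that advertise a protected SSID from an unknown BSSID, and authorized BSSIDs that appear on a channel other than the configured one. The AP inventory, the CSV layout and the sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Assumed inventory of authorized APs: BSSID -> (SSID, configured channel).
AUTHORIZED = {
    "aa:bb:cc:00:00:01": ("CorpWiFi", 6),
    "aa:bb:cc:00:00:02": ("CorpWiFi", 36),
}

# Constructed beacon observations from a monitoring sensor (not real capture data).
SAMPLE = """\
time,ssid,bssid,channel,rssi
10:00:01,CorpWiFi,aa:bb:cc:00:00:01,6,-48
10:00:01,CorpWiFi,aa:bb:cc:00:00:02,36,-55
10:00:02,GuestCafe,de:ad:be:ef:00:09,11,-70
10:00:03,CorpWiFi,aa:bb:cc:00:00:01,1,-40
10:00:04,CorpWiFi,12:34:56:78:9a:bc,6,-60
10:00:05,CorpWiFi,AA:BB:CC:00:00:01,6,-47
"""

def find_rogue_aps(csv_text, authorized=AUTHORIZED):
    """Return sorted (bssid, reason) findings for beacons touching protected SSIDs/BSSIDs."""
    protected_ssids = {ssid for ssid, _ in authorized.values()}
    channels_seen = defaultdict(set)
    findings = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        bssid = row["bssid"].strip().lower()  # normalise MAC address case
        ssid, channel = row["ssid"], int(row["channel"])
        if bssid in authorized:
            channels_seen[bssid].add(channel)
            exp_ssid, exp_channel = authorized[bssid]
            if ssid != exp_ssid:
                findings.add((bssid, "authorized BSSID advertising unexpected SSID"))
            if channel != exp_channel:
                findings.add((bssid, f"authorized BSSID seen on channel {channel}, expected {exp_channel}"))
        elif ssid in protected_ssids:
            findings.add((bssid, "protected SSID from unknown BSSID"))
    for bssid, chans in channels_seen.items():
        if len(chans) > 1:  # one radio should not beacon on two channels at once
            findings.add((bssid, "same BSSID on multiple channels: " + ",".join(map(str, sorted(chans)))))
    return sorted(findings)

if __name__ == "__main__":
    for bssid, reason in find_rogue_aps(SAMPLE):
        print(bssid, "-", reason)
```

Where the wireless controller assigns channels automatically, the expected channel has to be pulled from the controller rather than a static inventory, or the channel check will raise false positives.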

After organizations gain traction with corporate end-user devices and have monitoring in place, change focus to less obvious targets like IoT devices and assisting team members with their personal APs and devices at home.

BEST PRACTICES FOR KEEPING YOUR SYSTEMS SAFE ON AN ONGOING BASIS

With endless ways for your systems to be put at risk, there are a few ways to offset threats and react quickly and efficiently the next time something makes your business vulnerable.

Working with a trusted technology service provider is one step in the right direction. This, combined with regular, automated patching and risk-based analysis, is the foundation for responding to security vulnerabilities. We know widespread patching takes considerable time and effort to complete. Gather and analyze the data you need to provide assurance that your systems aren’t being exploited between the time vulnerabilities are disclosed and when they can be effectively patched.

Useful sources of information include:
https://www.krackattacks.com/
https://blogs.cisco.com/security/wpa-vulns

*Note: The views expressed above are my own and draw on my years of expertise in IT security.


Interested in working with Marc? Schedule a tech call.
