Intelligent CISO Issue 14 | Page 69

decrypting myths for them to take back to the office.

been victimised by a plethora of man-in-the-middle (MitM) attacks that include loading ransomworms, malware or backdoors onto the client. When a rogue client connects to another network, it can spread this malware.

For instance, take a person who stops by the same cafe on the way to work every day. Since they have connected to the cafe Wi-Fi before, their phone automatically connects once inside. One day, someone sets up an evil twin AP, tricks this person's phone and infects it with ransomware.

Wi-Fi security systems need to automatically re-classify an authorised client as a rogue client the moment it is detected connected to a malicious AP, and prevent this client from re-associating to private authorised SSIDs until IT has confirmed the device is free of malware.

5. Ad-hoc networks

This threat is essentially a peer-to-peer Wi-Fi connection between clients that lets two or more devices communicate with each other directly, circumventing network security policies and making the traffic invisible. Any employee could quickly set up an ad-hoc network between their colleagues' devices if they wanted. Wi-Fi solutions must be capable of automatically detecting when authorised clients, managed by corporate IT, are participating in ad-hoc networks and preventing this connection, even if it is encrypted, using cell-splitting techniques or similar methods.

6. Misconfigured APs

It can be too easy for network administrators to accidentally make a configuration mistake such as making a private SSID open with no encryption, potentially exposing sensitive information to interception over the air. This can happen any time an access point isn't set up properly (for example, by leaving default settings unchanged).

Wi-Fi management systems need to include configuration policy settings where IT admins can specify details such as minimum encryption requirements on SSIDs broadcast by managed APs, the vendor OUIs allowed to broadcast those SSIDs, and so on. An AP on the authorised network that does not adhere to this policy should be prevented at layer two from having any clients connect to it until IT remedies the configuration error.

Ryan Orsi, Director Product Management, WatchGuard Technologies
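The two policy rules described on this page, re-classifying an authorised client as rogue once it is seen on an AP outside IT control and flagging managed APs whose private SSID breaks the minimum-encryption or allowed-OUI policy, as an added example that is not WatchGuard's code or the article's own; the policy values, MAC addresses, encryption ordering and scan records are constructed assumptions.

```python
from dataclasses import dataclass

# Suite ordering for the minimum-encryption rule (assumption; vendors label suites differently).
ENC_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}

@dataclass(frozen=True)
class Policy:
    min_encryption: str        # weakest suite allowed on a private SSID
    allowed_ouis: frozenset    # vendor OUIs permitted to broadcast private SSIDs
    private_ssids: frozenset   # SSIDs that must never be exposed weakly encrypted
    managed_bssids: frozenset  # BSSIDs of APs under corporate IT management

def oui(mac):
    return mac.upper()[:8]     # first three octets of a colon-separated MAC

def audit_aps(aps, policy):
    """Misconfigured-AP rule: {bssid: reasons} for managed APs breaking policy. aps = (bssid, ssid, enc)."""
    findings = {}
    for bssid, ssid, enc in aps:
        if bssid not in policy.managed_bssids or ssid not in policy.private_ssids:
            continue                      # unmanaged APs are a rogue-AP case, not this rule
        reasons = []
        if ENC_RANK[enc] < ENC_RANK[policy.min_encryption]:
            reasons.append(f"{enc} below minimum {policy.min_encryption}")
        if oui(bssid) not in policy.allowed_ouis:
            reasons.append(f"OUI {oui(bssid)} not allowed to broadcast '{ssid}'")
        if reasons:
            findings[bssid] = reasons     # block clients at layer two until IT fixes the AP
    return findings

def reclassify_clients(events, authorised, policy, quarantine):
    """Rogue-client rule. quarantine = persistent set of MACs awaiting IT clearance (IT removes a MAC once clean)."""
    decisions = []
    for mac, bssid in events:             # association events in time order
        if mac in authorised and bssid not in policy.managed_bssids:
            quarantine.add(mac)           # seen on an AP outside IT control
        verdict = ("unknown" if mac not in authorised
                   else "rogue" if mac in quarantine else "authorised")
        decisions.append((mac, bssid, verdict))
    return decisions

# Constructed sample data (not from the article).
POLICY = Policy("WPA2", frozenset({"00:11:22"}), frozenset({"corp-private"}),
                frozenset({"00:11:22:AA:AA:01", "00:11:22:AA:AA:02", "DE:AD:BE:EF:00:03"}))
APS = [("00:11:22:AA:AA:01", "corp-private", "WPA2"),
       ("00:11:22:AA:AA:02", "corp-private", "OPEN"),        # default settings left in place
       ("DE:AD:BE:EF:00:03", "corp-private", "WPA2")]        # vendor OUI outside policy
EVENTS = [("CC:CC:CC:00:00:01", "00:11:22:AA:AA:01"),       # normal day in the office
          ("CC:CC:CC:00:00:01", "CA:FE:CA:FE:00:09"),       # cafe AP not managed by IT
          ("CC:CC:CC:00:00:01", "00:11:22:AA:AA:01")]       # tries to re-associate
```

The quarantine set is the state that must survive between scans: the third event is still denied even though the client is back on a managed AP, until IT removes its MAC from the set.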