5 tips to secure your corporate wifi network (Part 1)

Wifi access is an attractive option to companies as it allows network connectivity without laying bundles of cables in ceiling partitions and under floorboards. A lack of space on the server racks to house additional network ports may also push companies towards wireless access.

In most companies, the same wifi access is provisioned and shared among corporate staff and corporate guests, in the name of cost cutting. Unknown to the executives, this cost cutting measure exposes the corporate network and its users to cyber risks if a guest connects a rogue mobile phone or laptop to the corporate network.

As the wireless signal is sent out in all directions, the rogue guest can be sitting one level above and still be able to connect to the shared wireless network.

There are two parts to this article: Part 1 covers the considerations for guest wifi access and Part 2 covers the considerations for corporate wifi access.

Considerations for Guest Wifi Access

  1. Physically segregate guest wifi access from the corporate wifi access

     Guest wifi and corporate wifi should ideally be segregated to prevent rogue guests from probing and exploiting the corporate network. If corporate servers and/or services are reachable from the guest wifi, the chance of malicious attacks increases. In some cases, the executives will only hear of the intrusion from the news media.

  2. Guest wifi password should not be displayed prominently

     Access to the guest wifi password should be given to the company’s guests and not to the delivery man who needs the wifi ‘to check back with the call center because of an ambiguous delivery address’.

  3. Guest wifi password should be changed on a periodic basis

     If the password is never changed, the delivery man will be able to connect to the wifi network whenever he is in the vicinity. He will not need to step into the building premises to access the wifi network. This makes data exfiltration hard to detect, as most people will be focusing on locating an unknown person with a laptop/mobile device.

  4. Guest wifi password should be at least 16 characters long

     Short and (English – hint hint) dictionary-based passwords increase the risk of being cracked by attackers. GPUs (Graphics Processing Units) have come down in price and they can also be rented from Amazon or Microsoft Azure for a period of time to conduct the cracking exercise.

  5. Name of the guest wifi access point should be nondescript and uncommon

     By being nondescript, you are hoping attackers will look for a more attractive-sounding wifi access name. Nondescript does not mean common: the name should not be a common one either.

     Hackers have rainbow tables, essentially huge lists of pre-generated password hashes. The tables have been hashed with common wifi access (SSID) names, because the SSID is mixed into the WPA/WPA2 key derivation as a salt, essentially shortcutting the (very, very slow) brute-forcing method.

     You can purchase these rainbow tables too. For US$50 + shipping (US$6 to US and US$15 for international), you can own the rainbow tables for 1 million words for the top 1000 wifi access names. It’s 33 gigs tarred, so make sure you have space on your local storage.

  6. Tune down the signal strength on the wifi access point

     The lower the signal strength, the closer the attacker has to get to the access point in order to communicate with it. This can be done if the wifi access point is enterprise grade. Wifi access points for home or home office use usually do not have the functionality to turn down the signal strength.

However, this doesn’t prevent the wifi access point from getting hacked if the attacker is persistent and motivated enough. What a company can do is try to slow the attackers down in breaking the guest wifi password.

There are methods to detect, slow down and, in certain cases, counter-attack the attackers themselves.
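The password and SSID tips above can be checked by a short script. The following Python is an added example, not part of the original article: it audits a guest wifi configuration against the length, dictionary, rotation and SSID tips, and derives the WPA/WPA2 pre-shared key to show that the SSID acts as the salt. The word lists, the 30-day rotation period, the company-name check and all function names are assumptions made for illustration.

```python
import hashlib
import secrets
import string
from datetime import date

# Constructed sample lists for illustration; a real audit would load larger ones.
COMMON_SSIDS = {"linksys", "netgear", "default", "dlink", "guest", "wireless"}
DICTIONARY = {"password", "welcome", "company", "guest", "internet", "wifi"}
MAX_AGE_DAYS = 30  # assumed rotation period; the article only says "periodic"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK key derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def new_passphrase(length: int = 20) -> str:
    """Random passphrase of letters and digits for the next rotation."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit_guest_wifi(ssid, passphrase, last_changed, company_name, today):
    """Return a list of findings against the guest wifi tips in this article."""
    findings = []
    if len(passphrase) < 16:
        findings.append("passphrase shorter than 16 characters")
    if any(word in passphrase.lower() for word in DICTIONARY):
        findings.append("passphrase contains a dictionary word")
    if (today - last_changed).days > MAX_AGE_DAYS:
        findings.append("passphrase not rotated recently")
    if ssid.lower() in COMMON_SSIDS:
        findings.append("SSID is a common name covered by precomputed tables")
    # Assumed reading of "nondescript": the SSID should not name the company.
    if company_name.lower() in ssid.lower():
        findings.append("SSID identifies the company")
    return findings


if __name__ == "__main__":
    # Constructed sample configuration.
    for finding in audit_guest_wifi("linksys", "welcome123", date(2024, 1, 1),
                                    "Acme", date(2024, 6, 1)):
        print("FINDING:", finding)
    # Same passphrase, different SSID: the derived keys do not match, so a
    # table precomputed for one SSID is useless against the other.
    print(derive_pmk("welcome123", "linksys") != derive_pmk("welcome123", "bluefern-27"))
    print("Next passphrase:", new_passphrase())
```
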
