Paul Blore, MD at Netmetix, Cloud Network Specialists:
WiFi still remains vulnerable but the majority of businesses think that simply because they’re using encryption on their WiFi network, that it makes it secure – it doesn’t.
Whilst unnerving for businesses, the recent KRACK flaw within the design of WPA2 wireless protocol has exposed a very specific risk that would allow a hacker to effectively decrypt the WiFi encryption, it doesn’t necessarily present a significant risk to users.
Any secure websites such as banking, or online retailing, use an additional browser encryption layer over and above the WiFi WPA2 encryption and this has been unaffected by the exposed vulnerability.
It is highly likely that the IT security industry has known about this vulnerability for some time and we can expect to see software patches and updates from the manufacturers to address the problem in the coming days.
What presents a much bigger and immediate threat for WiFi users are the more general vulnerabilities that are inherent with WiFi communications, such as ‘man in the middle’ attacks, whereby a hacker sits in the vicinity of the wireless network to masquerade as a legitimate wireless access point and then eavesdrop on those unsecured connections – also known as ‘drive-by attacks’. The tools required to launch a man-in-the-middle attack are readily and cheaply available off the internet and don’t require specialist skills to use.
With KRACK being a relatively niche risk for users, businesses need to start looking at the overall bigger picture in terms of how they protect their business and the security measures they have in place.
A key issue is that many businesses still see IT as a tactical overhead rather than a strategic decision that is vital to the success of their business. SMEs in particular, can often feel they are too smaller fish to fry for hackers to target but fundamentally, if data is valuable to a business, then it’s going to be valuable to the hackers. Cost effective measures are available to foil the vast majority of attacks and cloud computing can be a very significant and cost-effective weapon in your armoury.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.