USS Nimitz at Pearl Harbor RIMPAC 2012
To me this notion seems preposterous; when I was in the US Navy you couldn’t even plug a USB drive into a workstation for fear of compromising the network, and now Wi-Fi is being pumped through hangar bays, berthings, and cargo holds across the fleet. The unique problem presented by BYOD (Bring Your Own Device) cannot be overstated. Imagine the impossible task of juggling bees: if you grab hold of one, it has the potential of stinging you. When you toss it up to make room for the next one in sequence, the bee you just tossed in the air (and most likely angered) may fly too far out of range to continue the complex task of juggling, or worse, that bee comes back to enact revenge on the strange being throwing it (and all its cousins) around. It’s just a nightmare when every machine is a snowflake, and everyone’s complacency about security means there will be infected machines, weak configurations, and just horrible cyber hygiene. This is the question of our age: “Will you give up security for convenience?” The answer for most people is “absolutely”, and that is terrifying. Some people are going as far as saying these security measures are impacting their lives: “Plaintiff has to input the received six-digit verification code on the first device he is trying to log into. Each login process takes an additional estimated 2-5 or more minutes with 2FA.” …give me a break. If it takes you 2-5 minutes to open an SMS or an MFA app, you need a new phone, or you need to stop Snapchatting when you’re at work. If you want to maintain your bad habits, go for it, but don’t try to sue a company for trying to keep YOU safe. (On a side note, SMS is an extremely insecure way of doing 2FA, as SMS can be easily intercepted, rendering your “2FA” useless.) So what do we do? Turn off all Wi-Fi? Disconnect entirely? No, that’s not an option, so what can we do? There is always a way in… always.
So when it comes to a Wi-Fi implementation, there are certain measures that can and should be taken. This is how I would secure the Wi-Fi on my warship.
If your equipment has served you since the Obama years, it’s time for new APs; the majority of older equipment is susceptible to KRACK attacks, and really the only answer is WPA3, which is gaining steam (by that I mean general-population use is years away); with the pace at which criminals are getting out exploits, I’ll need a follow-up soon. I can’t stress enough how important it is to change the default credentials on your devices; if you don’t, your Nest camera could be hacked after some light reading, just a simple Google search away. In the age of DIY, with the unfathomable number of instructional videos, courses, and forums, we have such a “let me do it” mentality; but could network security maybe be a realm you should leave to the experts? No, I didn’t think so; but hey, it’s your credit card, PII, and medical data at risk, no big deal.
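To make the hardware advice above something you can actually check against a list of access points, here is an added example (my code, not from the original post) that audits an AP inventory for the four problems the paragraph names: hardware old enough to plan replacement for, firmware that predates the public KRACK disclosure, no WPA3 on offer, and factory credentials never changed. The inventory fields, the two reference dates and the three sample records are constructed for illustration.

```python
"""Audit a Wi-Fi access-point inventory for aging hardware, pre-KRACK
firmware, missing WPA3 and unchanged factory credentials.

Added example, not code from the original post. The record fields
(name, purchased, firmware_date, wpa_mode, default_creds_changed) and the
sample inventory are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Reference dates the checks compare against (assumptions, see lead-in).
KRACK_DISCLOSURE = date(2017, 10, 16)   # public disclosure of the WPA2 KRACK attack
HARDWARE_AGE_LIMIT = date(2017, 1, 20)  # "served you since the Obama years": end of that term


@dataclass
class AccessPoint:
    name: str
    purchased: date
    firmware_date: date          # build date of the firmware currently running
    wpa_mode: str                # e.g. "WPA2", "WPA2/WPA3 transition", "WPA3"
    default_creds_changed: bool  # False: the factory admin password is still in use


def audit_ap(ap: AccessPoint) -> list[str]:
    """Return the finding codes for one AP; an empty list means it passed."""
    findings = []
    if ap.purchased < HARDWARE_AGE_LIMIT:
        findings.append("AGING_HARDWARE")       # budget for replacement
    if ap.firmware_date < KRACK_DISCLOSURE:
        findings.append("PRE_KRACK_FIRMWARE")   # patch now, or replace if no patch exists
    if "WPA3" not in ap.wpa_mode.upper():
        findings.append("NO_WPA3")              # WPA2-only: KRACK-class weaknesses remain
    if not ap.default_creds_changed:
        findings.append("DEFAULT_CREDENTIALS")  # the "light reading" problem from the text
    return findings


def audit_inventory(aps):
    """Map each AP name to its findings, worst offenders first."""
    report = {ap.name: audit_ap(ap) for ap in aps}
    return dict(sorted(report.items(), key=lambda kv: len(kv[1]), reverse=True))


# Constructed sample inventory: one museum piece, one patched-but-WPA2-only
# unit, and one current device that still has the factory login.
SAMPLE_INVENTORY = [
    AccessPoint("hangar-bay-ap1", date(2014, 3, 1), date(2016, 6, 1), "WPA2", False),
    AccessPoint("berthing-ap2", date(2018, 5, 1), date(2019, 2, 1), "WPA2", True),
    AccessPoint("cargo-hold-ap3", date(2021, 9, 1), date(2023, 1, 1),
                "WPA2/WPA3 transition", False),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(findings) or 'OK'}")
```

The point of keeping the checks as separate finding codes is that the fixes differ: an aging unit goes on the replacement budget, pre-KRACK firmware is a patch ticket, and an unchanged factory password is something you fix this afternoon.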
Is your hardware now the latest, most hardened hunk of plastic, metal, and circuit boards money can buy? Oh… ok, so we can make what you have work… I guess. The first thing we can do to help is segregate your network, which is our nerd lingo for “limiting access to stuff based on users’ need to access it”. Think of a department store: you (the customer) only need access to the aisles that have product on them; you don’t need to be able to get to shipping and receiving, or into the back-stock room. So why would you allow the general public onto a network where company data lives? The best way to get started is to find a couple of “groups” of people who make sense as only needing access to certain resources and applications; lock those groups down so the computers/users can only do the tasks required of them to be productive. There will always be snowflakes (utterly unique configurations/users that need special attention); once they have been melted into the pool with everyone else, or catered to individually, you can keep refining this process to again lock down all machines to only perform the tasks they should be performing.
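The department-store segmentation above, written down as a policy you can evaluate, is the added example below (my code, not from the original post). It models each group as its own address range, publishes only the internal resources that exist, allows each group only what it needs, denies everything else by default, and handles the “snowflakes” as named, documented exceptions rather than by loosening the whole group. The segments, resources, policy, exception list and sample flows are all constructed for illustration.

```python
"""Network segmentation as an allow-list: each group reaches only the
resources it needs, everything else is denied, and snowflakes get named,
documented exceptions.

Added example, not code from the original post. Segments, resources,
policy, exceptions and sample flows are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Which address range each group of devices lives in (one VLAN per group).
SEGMENTS = {
    "guest":    ip_network("10.10.0.0/24"),   # customers' own devices
    "sales":    ip_network("10.20.0.0/24"),   # floor staff
    "shipping": ip_network("10.30.0.0/24"),   # shipping and receiving
    "servers":  ip_network("10.100.0.0/24"),  # the back-stock room: company data
}

# Published internal resources as (address, port). Anything internal that
# is not listed here is reachable by nobody, which is the point.
RESOURCES = {
    "pos_app":     (ip_address("10.100.0.10"), 443),
    "wms_app":     (ip_address("10.100.0.20"), 443),
    "file_server": (ip_address("10.100.0.30"), 445),
}

# The allow-list: group -> resources that group has a business need for.
# "internet" means any public address; absence from the set means denied.
POLICY = {
    "guest":    {"internet"},
    "sales":    {"internet", "pos_app"},
    "shipping": {"internet", "wms_app"},
}

# Snowflakes: one host, one resource, one written reason. Each entry is a
# hole you chose to punch, so the list is short and reviewed regularly.
EXCEPTIONS = [
    {"host": ip_address("10.20.0.77"), "resource": "file_server",
     "reason": "finance laptop on the sales floor (ticket ID is a placeholder)"},
]


def segment_of(ip):
    """Name of the segment an address belongs to, or None if unknown."""
    return next((name for name, net in SEGMENTS.items() if ip in net), None)


def resource_of(ip, port):
    """Published resource name for (address, port), 'internet' for any
    public address, or None for an unpublished internal destination."""
    for name, (rip, rport) in RESOURCES.items():
        if ip == rip and port == rport:
            return name
    return None if ip.is_private else "internet"


def evaluate(src, dst, port):
    """Decide one flow. Returns (decision, reason); the default is deny."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    seg = segment_of(src_ip)
    if seg is None:
        return "deny", "source is not in any known segment"
    res = resource_of(dst_ip, port)
    if res is None:
        return "deny", "destination is not a published resource"
    for exc in EXCEPTIONS:
        if exc["host"] == src_ip and exc["resource"] == res:
            return "allow", "exception: " + exc["reason"]
    if res in POLICY.get(seg, set()):
        return "allow", f"{seg} needs {res}"
    return "deny", f"{seg} has no need for {res}"


# Constructed sample flows: (source, destination, port).
SAMPLE_FLOWS = [
    ("10.10.0.5",  "10.100.0.10",  443),  # guest phone -> point-of-sale app
    ("10.20.0.5",  "10.100.0.10",  443),  # sales PC -> point-of-sale app
    ("10.20.0.5",  "10.100.0.30",  445),  # sales PC -> file server
    ("10.20.0.77", "10.100.0.30",  445),  # the finance snowflake -> file server
    ("10.10.0.5",  "93.184.216.34", 443), # guest phone -> a public web site
    ("10.30.0.9",  "10.100.0.10",  80),   # shipping -> unpublished port on the POS host
]

if __name__ == "__main__":
    for src, dst, port in SAMPLE_FLOWS:
        decision, reason = evaluate(src, dst, port)
        print(f"{src:>12} -> {dst}:{port:<4} {decision:5} ({reason})")
```

Two design choices carry the security value: the default is deny, so a group nobody wrote a policy for (the servers segment here) can reach nothing, and an unpublished port on a published host is still denied, so “we opened 443 to the POS app” never silently turns into “we opened the POS host”.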
Ok, you bought the nice new shiny ‘thing’ and we messed with the settings to get what we want, but what about modern services (VPNs, VoIP, SD-WAN/QoS)? I have said it several times and will continue to say it to whoever will listen: encryption is our only shot at liberty. Part of what happens when you bump up to WPA3 is that your encryption to the Wi-Fi AP is much more robust; but what I’m getting at is a service like NordVPN. You see, if everything you do is obfuscated and must be broken apart to analyze, threat actors, being lazy, most likely will not invest the time and will just move on to the next compromised machine, where everything they’re looking for is in plain text. It is yet another step you have to take and another service to subscribe to, but you know, “security, or convenience?” You decide.
The last, and probably most important, thing you can do is train/inform your “users”. There are ways to “manage BYOD” in environments, but user knowledge is power; with the pace of change in cybersecurity no one can know everything that is going on at present. There are “hacks” every other week, it seems, as explained by my comrade in the fight against cyber-fiends, Nick Espinosa, and they are major companies falling to a few lines of code. The good news is cybersecurity doesn’t have to be this complicated: get out of the DIY mindset, and let the professionals lose sleep and pull their hair out.
Stay Safe, Happy Computing.