Wi-Fi has been part of our daily lives for more than 20 years. First used to connect computer devices like laptops in enterprise environments, it quickly expanded to every single home, office, and public place to connect mobile devices to a network – local or Internet – for management and data exchange. This has become even more prominent with the recent exponential growth of the Internet of Things (IoT).
Understanding Your End-User Wi-Fi Risks
It is important to be careful as Wi-Fi is one of the favorite methods for hackers to steal valuable information from our devices, either personal (e.g., credentials, credit card information, etc.) or work-related (e.g., emails, classified documents, etc.).
There are dozens of well-proven attacks relying on Wi-Fi. The most common are Man-in-the-Middle (MitM) attacks, where an attacker manages to intercept communications between two parties to alter them, while these parties believe they are legitimately exchanging information between themselves – similar to impersonation. Some of the techniques used include “DNS spoofing” or “DNS hijacking,” where the attacker manages to intercept DNS queries and return an alternative address in order to redirect traffic to a rogue server under his control, instead of the legitimate one.
Another is eavesdropping, also known as “sniffing,” where an attacker secretly listens to the communications between two parties to gather valuable information, typically user credentials, credit card information, or anything else that can be extracted from unsecured data transmissions.
Protect Your End-Users’ Devices
Considering you cannot trust or control any Wi-Fi network except your own, one of the best measures you can take to ensure corporate data is not compromised is to secure your devices. From an enterprise perspective, you want to prevent any data on your managed devices from travelling over an unsecured, untrusted network.
However, you should consider the type of devices your users are using, the ownership, and the management mode before you can determine what is available to secure them as much as possible.
With Bring Your Own Device (BYOD) devices, you cannot control the device itself, only the work part, so you want to make sure that all corporate information stays safe even if the device and/or connection is compromised. In this case, the best option is a containerized solution for your work apps/data, which keeps data safe both at rest and in transit: communications cannot be intercepted, nothing can be extracted by a malicious entity, and all company data remains protected.
Managing Corporate-Owned Devices
With corporate-owned devices, your UEM software should already include some Wi-Fi-related policies and profiles to help control which Wi-Fi networks your devices can connect to and how. In terms of management modes, we have mainly two options: Corporate-Owned Personal Enabled (COPE) and Corporate-Owned Business Only (COBO), depending on how much room we want to leave the user to install personal apps and store personal documents on the device.
Ensure Wi-Fi configuration profiles are provisioned automatically on all managed corporate devices so that work data only travels over secure and trusted networks.
The last step is to ensure all work-related data (COPE) or even all device data (COBO) is transmitted over a secure connection to your own back-end servers, whether they sit behind a firewall on-premises or are exposed on the Internet. For that, your UEM vendor should offer a containerized solution, a VPN-like solution, and/or its own infrastructure to ensure communications are secured end-to-end.
Securing Corporate-Owned Devices
In addition to that, there are extra steps you can take to secure corporate-owned devices even further when required for specific use cases.
For example, you can control which Wi-Fi networks enterprise devices can connect to and what type of information is transmitted by not allowing end-users to manually add new Wi-Fi networks (e.g., home office) or connect to any public captive network (e.g., mall, hotel), or even by blacklisting known untrusted networks (e.g., carrier-provisioned).
To prevent data leakage, it is also recommended to disable Wi-Fi Direct (when supported), so a device cannot communicate with another directly, point-to-point, and stream/transfer data without any control or monitoring of that connection.
Finally, in some extreme situations, such as regulated environments where security is a must, it is possible to disable Wi-Fi completely on the device so that the cellular network is used instead, optionally with a dedicated Access Point Name (APN) to ensure work data is still transmitted over a secure connection back to your internal network.
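As an added illustration of the first three controls above (no user-added networks, no open/captive networks, a deny-list of untrusted SSIDs, and no Wi-Fi Direct), here is how a fully managed (COBO, device-owner) Android 13 device could be configured through the public DevicePolicyManager APIs. This is example code, not ISEC7's or any UEM vendor's software; the class name, the admin ComponentName passed in, and the SSIDs in the deny-list are assumptions, and a UEM console normally exposes these same settings as policy toggles rather than code.

```java
import android.app.admin.DevicePolicyManager;
import android.app.admin.WifiSsidPolicy;
import android.content.ComponentName;
import android.content.Context;
import android.net.wifi.WifiSsid;
import android.os.Build;
import android.os.UserManager;
import java.nio.charset.StandardCharsets;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical helper inside a device-owner DPC app; applies the Wi-Fi controls from the text. */
public final class WifiLockdownPolicy {

    // Constructed sample SSIDs the organisation has decided not to trust.
    private static final String[] UNTRUSTED_SSIDS = {"FreeMallWifi", "CarrierHotspot"};

    private WifiLockdownPolicy() {}

    /** Requires the caller to be device owner and the device to run Android 13 (API 33) or later. */
    public static void apply(Context context, ComponentName admin) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.TIRAMISU) {
            throw new IllegalStateException("SSID deny-list and minimum security level need Android 13+");
        }
        DevicePolicyManager dpm =
                (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);

        // 1. End-users cannot add their own networks (home office etc.);
        //    only networks pushed by the UEM configuration remain usable.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_ADD_WIFI_CONFIG);

        // 2. Reject open networks: public captive portals (mall, hotel) are open by definition.
        //    Raise to WIFI_SECURITY_ENTERPRISE_EAP to also exclude WPA-Personal networks.
        dpm.setMinimumRequiredWifiSecurityLevel(DevicePolicyManager.WIFI_SECURITY_PERSONAL);

        // 3. Deny-list known untrusted networks by SSID (the "blacklist" from the text).
        Set<WifiSsid> denied = new HashSet<>();
        for (String ssid : UNTRUSTED_SSIDS) {
            denied.add(WifiSsid.fromBytes(ssid.getBytes(StandardCharsets.UTF_8)));
        }
        dpm.setWifiSsidPolicy(
                new WifiSsidPolicy(WifiSsidPolicy.WIFI_SSID_POLICY_TYPE_DENYLIST, denied));

        // 4. No peer-to-peer Wi-Fi Direct sessions that bypass the managed network path.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_WIFI_DIRECT);
    }
}
```

The cellular-only case with a dedicated APN is not covered here, as it is normally pushed as a separate APN/connectivity policy from the UEM console.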
Note: Policy rules will differ depending on the options available, the type of device (iOS, Android), and UEM solution(s), but these should be available in most cases.
If you have any questions or concerns about how to improve your security posture, please feel free to contact us.
(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group