Canadian Underwriter

Wireless Working, Part III: The four-letter acronym every broker should know


January 30, 2018   by Greg Meckbach, Associate Editor



Brokers working on customer files over wireless computer networks at work need to be on guard, because hackers can listen in on insecure networks.

If you’re working from a laptop or tablet and connecting to the corporate computer network using a WiFi card instead of an Ethernet cable, “you absolutely need to make sure you are using the latest WiFi encryption standards,” warned Dave Millar, business executive, security for IBM Canada.

In the first story in this series, information technology experts gave security tips on corporate users working from home WiFi networks. In the second installment, experts warned of the security risks to a corporation when workers are accessing the Internet over WiFi hot spots in places such as coffee shops.

In this final part of the wireless series, industry experts advise brokers on how to manage risk when using WiFi for internal communication within a corporate network.

The technology industry generally considers WiFi Protected Access 2 Enterprise (WPA2) to be the minimum standard for WiFi security. This is important to a business user because WPA and Wired Equivalent Privacy (WEP) are considerably easier for cybercriminals to hack.

WiFi devices are essentially radios that transmit and receive over the air, meaning someone else with the right equipment can listen in. A hacker does not have to be in the same room or even in the same building. In some cases, a hacker can listen in from 1,000 feet away, said Christian Gilby, director of product marketing for Hewlett Packard Enterprise Company’s Aruba unit.

Say an insurance customer’s private data ends up in the wrong hands. If it turns out the broker had a wireless network in the office that did not use the latest security standard, the broker may have some explaining to do to a regulator.

Moreover, if a broker is advising a commercial client on cyber coverage, the broker would do well to ask the client whether they are using WiFi networks and, if so, whether they are absolutely positive they are protected to the WPA2 standard.

Wireless networks can potentially be even more secure than wired networks, Gilby noted.

WPA2 uses Advanced Encryption Standard (AES), said Timothy Zimmerman, research vice president with Gartner Inc., a technology market research and consulting firm. AES is available in some products for both wired and wireless networks. It is widely considered a government-grade method of encryption.

Millar advises WiFi users to have WPA2 Enterprise with “certificates.” A certificate is essentially software loaded onto a specific person’s laptop or mobile device. When connecting to the corporate network, the wireless access point controller communicates with the mobile computer and says, “Do you have the right certificate or not?” Millar explained.

Some WiFi networks use WPA2 Personal as opposed to WPA2 Enterprise, which can be a problem if there is a password and it “just becomes common knowledge,” said Gilby. This means, for example, a disgruntled ex-employee could tell a hacker the password.

Some WiFi products also let computer network managers detect so-called “man-in-the-middle” attacks, Millar said. This is when someone has a device, comes near the WiFi access point, and pretends to be the WiFi network to which the worker is trying to connect.

“When the user comes in with a user ID and password to log into the network, there is a chance that they may log into the wrong network,” Millar warned. Instead of logging into the corporate network, they are logging into the hacker’s machine “who has spoofed” the correct network.

When the user gets duped into connecting to a hacker’s WiFi device, there is a delay and then the user is “forwarded on” to the network into which they intend to log in. There could be an error message that pops up and says “do you want to connect anyway?” Millar said. “Most users say, ‘Yes, of course I want to connect.’”

So the hacker “sits there and watches all the traffic going back and forth,” Millar said.

This is the type of attack against which WPA2 Enterprise was intended to defend.