Having worked on both sides of the security assessment table, I’ve seen the challenges associated with reducing certain risks that show up on assessment reports. I’m a strong believer that unless – and until – there’s reasonable business justification for plugging a security hole, don’t waste time/effort/money doing so. The goal should be to fix the security problems that serve as the low hanging fruit first. Once you gain your momentum with information risk management and have the basics under control, then you can address the other – less pressing – concerns.
But what about Wired Equivalent Privacy, or WEP?
WEP encryption is low-hanging fruit, perhaps the lowest of the bunch. Its implementation of encryption has had known exploits for nearly a decade. A decade! Yet time and again I see networks “protected” with WEP. Sure, many people with wireless networks aren’t even aware of the issues related to WEP. Home users, small business owners, enterprise employees, whatever – ignorance is no excuse. That is, if you want to take reasonable steps to keep things locked down.
Of those who are aware of the weaknesses with WEP, I think the general perception is that only elite hackers with expensive tools can crack it. Not true: there are free tools and there are commercial tools, both of which are very affordable and simple to use. Beyond that there’s the all-too-common fallacy: even if the bad guys were to get in, we don’t have anything on our computers that they’d want. An awfully dangerous mindset, to say the least.
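The practical first step is simply knowing where WEP (and open) networks still exist in your environment. The following script is an added example, not part of the original post: it audits a constructed inventory of wireless networks (SSID, BSSID, security mode, in a comma-separated layout assumed for this example) and flags every network running WEP or no encryption as a finding with a recommended action. The BSSIDs and SSIDs are placeholders.

```python
"""Audit a wireless network inventory and flag WEP and open networks.

Added example (not from the original post). The inventory below is
constructed: SSID, BSSID and security mode in a CSV layout assumed for
this example, roughly what a site-survey or asset tool might export.
"""
import csv
import io
from typing import Optional

# Constructed sample inventory; BSSIDs are placeholders.
SAMPLE_SCAN = """\
ssid,bssid,security
CorpNet,00:11:22:33:44:01,WPA2-PSK
CorpNet-Legacy,00:11:22:33:44:02,WEP
Guest,00:11:22:33:44:03,OPEN
PrinterRoom,00:11:22:33:44:04,WEP-104
Lab,00:11:22:33:44:05,WPA3-SAE
"""

RECOMMENDED_ACTION = "migrate to WPA2/WPA3 with a strong passphrase or 802.1X"


def classify(security: str) -> Optional[str]:
    """Return a severity for weak security modes, or None if acceptable.

    Both WEP and open networks are rated "high": WEP's cipher design is
    broken, so from a risk standpoint it offers no more confidentiality
    than an open network.
    """
    mode = security.strip().upper()
    if mode in ("", "NONE", "OPEN"):
        return "high"
    if mode.startswith("WEP"):  # covers labels such as WEP, WEP-40, WEP-104
        return "high"
    return None


def audit(scan_csv: str) -> list:
    """Parse the inventory and return one finding dict per weak network."""
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        severity = classify(row["security"])
        if severity is None:
            continue
        findings.append({
            "ssid": row["ssid"],
            "bssid": row["bssid"],
            "security": row["security"],
            "severity": severity,
            "action": RECOMMENDED_ACTION,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SCAN):
        print(f"[{f['severity']}] {f['ssid']} ({f['bssid']}): "
              f"{f['security']} -> {f['action']}")
```

Feed it the export from whatever inventory tool you already use (after adjusting the column names) and the output becomes the remediation list: three of the five constructed networks above are flagged, and the WPA2/WPA3 ones pass.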
Like unencrypted laptops and mobile storage, I suspect we’ll continue to see WEP-based wireless networks for some time to come. What’s it really going to take to get people to buy into the dangers? Probably the passage of time and a few lessons learned the hard way.
Kevin Beaver is an independent information security consultant, keynote speaker, and expert witness with Principle Logic, LLC and a contributor to the IT Watch Blog.