Enterprise IT Watch Blog

Aug 26 2010   6:04AM GMT

WEP: Only one letter away from ‘weep’

Kevin Beaver

Having worked on both sides of the security assessment table, I’ve seen the challenges associated with reducing certain risks that show up on assessment reports. I’m a strong believer that unless – and until – there’s reasonable business justification for plugging a security hole, you shouldn’t waste time/effort/money doing so. The goal should be to fix the security problems that serve as the low-hanging fruit first. Once you gain your momentum with information risk management and have the basics under control, then you can address the other – less pressing – concerns.

But what about Wired Equivalent Privacy, or WEP?

WEP encryption is low-hanging fruit, perhaps the lowest of the bunch. Its implementation of encryption has had known exploits for nearly a decade. A decade! Yet time and again I see networks “protected” with WEP. Sure, many people with wireless networks aren’t even aware of the issues related to WEP. Home users, small business owners, enterprise employees, whatever – ignorance is no excuse. That is, if you want to take reasonable steps to keep things locked down.

Of those who are aware of the weaknesses with WEP, I think the general perception is that only elite hackers with expensive tools can crack it. Not true: there are free tools and there are commercial tools, both of which are very affordable and simple to use. Beyond that there’s the all-too-common fallacy: “Even if the bad guys were to get in, we don’t have anything on our computers that they’d want.” An awfully dangerous mindset, to say the least.

Like unencrypted laptops and mobile storage, I suspect we’ll continue to see WEP-based wireless networks for some time to come. What’s it really going to take to get people to buy into the dangers? Probably the passage of time and a few lessons learned the hard way.

Kevin Beaver is an independent information security consultant, keynote speaker, and expert witness with Principle Logic, LLC and a contributor to the IT Watch Blog.

1  Comment on this Post

  • Wireless-based surveillance systems: Who’s watching who’s watching you? - Enterprise IT Watch Blog
    [...] How so? Well, given the lack of oversight, these devices are often installed with the defaults. Maybe WEP, maybe no encryption at all. Maybe a strong password, maybe the default. Furthermore, the central [...]