The threat behind MAC spoofing
When implementing any insurance policy, you need to start with estimating the level of risk, the probability of that risk, and the potential damage should that risk become a reality.
One of the network risks that is often presented to demonstrate the ineffectiveness of 802.1x solutions is the ease of bypassing modern network access control (NAC) by using MAC spoofing. Usually, this involves spoofing the network printer or other vulnerable device.
Now, let’s put aside the fact that network printers today can support certificate or credential-based authentication, and that certain products have remedies against such attempts even when the authentication is based on MAC.
Let’s consider: is MAC spoofing a legitimate threat or an exaggerated, manageable flaw?
But before I try to analyze this risk, I want to point out the biggest advantage a NAC solution can give an organization to cope with modern cyber security threats: the ability to apply dynamic segmentation based on device type or identity.
Without going into too much detail, NAC is one of the only systems that can help you prevent lateral movement, indirectly allowing you to identify breaches and directly helping you to prevent the compromise of your crown jewels.
The threat landscape
Here are some of the most common adversaries when it comes to MAC spoofing:
- The employee – a disgruntled current or former employee
- The guest – a contractor, customer, patient, etc. who physically visits your organization for a period of time
- The hacker – a malicious person trying to attack your network and steal information, causing harm to your organization
And here are the most common attack surfaces:
- Wired, ethernet switches
One caveat: most Wi-Fi environments contain managed devices. So, for devices that do not have an 802.1x supplicant, and thus do not support certificate-based (or credential-based) authentication, it is easy to set up an isolated segment and significantly lower the risk of attack.
As such, we’ll put our focus on examining wired environments, and how they’re vulnerable to the above adversaries.
Let’s be clear – MAC spoofing requires some technical knowledge to execute, which the non-technical lay person typically does not possess. Those doing it know what they’re doing, and they know it’s wrong.
With that said, it’s important to point out that a lot of damage is caused by the unintended – i.e. people clicking on a link in an email, deleting the wrong record or file, or even dropping a laptop into a pool.
Employees should be trustworthy. If they’re not, cyber security is likely not your problem. But, when someone is fired, laid off, or even just mistreated at work, there always exists the potential for them to hold a grudge. It’s human nature.
Disgruntled employees can pose a big risk. If an employee still works for an organization and is determined to do damage, that’s a problem that’s nearly impossible to prevent. The network connection alone is not going to stop him or her from stealing data or worse. This individual likely already has access through other corporate devices and the credentials to access whatever data he or she wants.
At the end of the day, however, this individual’s risk of MAC spoofing can be categorized as “very low”, with “low” probability and “low” potential for damage. The reason is that the potential damage done is not necessarily related to the network connection. The first line of defense against disgruntled current or former employees is physical barriers – i.e. locked doors and other physical security.
A guest visiting your office might want to connect to your network. Most likely, this guest will not go to great lengths to hack your network if they are initially blocked. By supplying a guest network, such as a guest Wi-Fi, you will effectively eliminate that risk altogether. Thus, like the employee, this individual’s risk of MAC spoofing can be categorized as “very low” for both probability and damage.
A hacker will need physical access to your network in order to do his/her job. Today, spearhead attacks can enable hackers to access your networks from afar. Doing so, however, typically requires some sort of motive.
This motivation is often dependent upon the type of business you operate. If you’re in military and defense, for example, you likely have a higher than average risk of being the target of such an attack. The same goes for banking and financial services, healthcare and any other industry with highly sensitive and confidential data.
For most organizations, the threat of physical access hacking is typically low, while the potential for damage could be high. Should a retailer fear physical burglary just because a new device has connected to its network? I think not.
For most organizations, the risk of MAC spoofing is almost non-existent. This is usually fairly easy for an auditor to demonstrate, and would appear as part of a comprehensive security report. So in reality, the perception of the threat is that it’s a much larger problem than it actually is.
You can also prevent MAC spoofing by implementing stronger authentication methods that are fairly common today. One of the major roles of NAC is to provide secure authentication and authorization to the network. Thus, even if authentication is somehow breached, authorization serves as a second layer of defense that can limit access by placing potentially risky individuals in a specific “narrow” segment.
The segmentation of specific types of MAC-based devices is a best practice in NAC. Even if spoofing occurs, such a device won’t be able to access a particularly sensitive VLAN, such as those in Finance or HR, if proper segmentation has been established through your network security policies.
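As an added illustration of the kind of remedy mentioned above for MAC-based authentication (this is example code written for this page, not a Portnox product feature), the script below runs two sanity checks over NAC session records: a MAC-authenticated (MAB) address that is active on two switch ports at the same time, and a device profiled as a printer whose DHCP vendor class no longer looks like a printer. The log format, the MAC addresses, the switch names and the expected vendor strings are all constructed for the example.

```python
"""Added example: two checks a NAC could apply to MAC-authenticated (MAB)
sessions. Log format, MAC addresses, switch names and vendor strings are
constructed for this illustration, not taken from any product."""
from dataclasses import dataclass
from datetime import datetime
from itertools import combinations
from typing import List, Optional


@dataclass
class Session:
    start: datetime
    end: Optional[datetime]   # None = session still active
    mac: str
    switch: str
    port: str
    auth: str                 # "mab" = MAC authentication bypass, "dot1x" = 802.1X
    profile: str              # device class the NAC assigned at onboarding
    dhcp_vendor: str          # DHCP option 60 vendor class observed in the session


def parse_sessions(text: str) -> List[Session]:
    """Parse the constructed '|'-separated session log used below."""
    sessions = []
    for line in text.strip().splitlines():
        start, end, mac, switch, port, auth, profile, vendor = line.split("|")
        sessions.append(Session(
            start=datetime.fromisoformat(start),
            end=None if end == "-" else datetime.fromisoformat(end),
            mac=mac.lower(), switch=switch, port=port, auth=auth,
            profile=profile, dhcp_vendor=vendor))
    return sessions


def _overlaps(a: Session, b: Session) -> bool:
    """True when the two sessions were active at the same moment."""
    a_end = a.end or datetime.max
    b_end = b.end or datetime.max
    return a.start < b_end and b.start < a_end


# Expected DHCP vendor class per NAC device profile (constructed baseline).
PROFILE_VENDORS = {"printer": {"Hewlett-Packard JetDirect"}}


def detect(sessions: List[Session]) -> List[str]:
    """Return alert strings for MAB sessions that look like a borrowed MAC."""
    alerts = []
    mab = [s for s in sessions if s.auth == "mab"]
    # Check 1: the same MAC active on two different ports at once.
    # A printer that was simply re-patched shows sequential, not overlapping,
    # sessions and therefore does not trigger this check.
    for a, b in combinations(mab, 2):
        if a.mac == b.mac and (a.switch, a.port) != (b.switch, b.port) and _overlaps(a, b):
            alerts.append(f"duplicate-mac {a.mac}: {a.switch}/{a.port} and {b.switch}/{b.port}")
    # Check 2: a profiled device whose DHCP vendor class no longer matches its profile.
    for s in mab:
        expected = PROFILE_VENDORS.get(s.profile)
        if expected is not None and s.dhcp_vendor not in expected:
            alerts.append(f"profile-drift {s.mac}: profile {s.profile} but vendor class "
                          f"'{s.dhcp_vendor}' on {s.switch}/{s.port}")
    return sorted(alerts)


# Constructed sample: ...:01 is a printer that "appears" on a second floor with a
# Windows DHCP fingerprint; ...:03 is a printer legitimately moved to another port.
SAMPLE_LOG = """
2024-03-04T08:00:00|-|aa:bb:cc:00:00:01|sw-floor2|Gi1/0/7|mab|printer|Hewlett-Packard JetDirect
2024-03-04T08:01:00|-|aa:bb:cc:00:00:02|sw-floor2|Gi1/0/9|dot1x|workstation|MSFT 5.0
2024-03-04T09:15:00|-|aa:bb:cc:00:00:01|sw-floor3|Gi1/0/22|mab|printer|MSFT 5.0
2024-03-04T07:00:00|2024-03-04T07:30:00|aa:bb:cc:00:00:03|sw-floor1|Gi1/0/3|mab|printer|Hewlett-Packard JetDirect
2024-03-04T07:45:00|-|aa:bb:cc:00:00:03|sw-floor1|Gi1/0/4|mab|printer|Hewlett-Packard JetDirect
"""

if __name__ == "__main__":
    for alert in detect(parse_sessions(SAMPLE_LOG)):
        print(alert)
```

Both checks only flag the borrowed address; the printer that moved from Gi1/0/3 to Gi1/0/4 between two non-overlapping sessions produces no alert, which is the kind of false positive a NAC operator would otherwise be buried in. In practice the NAC would respond to an alert by moving the session into the narrow segment described above rather than by simply dropping it.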
As the demand for mobility continues to increase, and Wi-Fi continues to replace Ethernet as the preferred corporate access layer, many organizations are facing similar security issues and requirements. This is particularly significant with the increasing number of guests, contractors and employees who are using their own devices on corporate networks. In recent years, there has been an increase of personal devices entering the workplace with many organizations adopting BYOD policies.
Overall, having a Bring Your Own Device (BYOD) policy has proved to be a good business policy. By allowing employees, contractors and guests to connect their own devices, such as laptops, smartphones, and tablets, to the corporate wireless network, enterprises have been able to save money while increasing productivity and team motivation (Frost & Sullivan). However, there are certain challenges to securing the organization’s WiFi network in a BYOD environment. Without addressing these issues properly, you are leaving your company’s assets and data vulnerable.
Approaches to BYOD on WiFi
Some companies allow BYOD usage for everybody, on the company WiFi, whether employees, contractors or guests, while others maintain a strict Zero BYOD-WiFi hookup. There are companies that choose the middle ground approach of allowing employees to connect their own devices on the corporate wireless network but have a separate WiFi network for guests and contractors, and some allow contractors to connect to the company WiFi for specific tasks. Either way, the question of how to handle BYOD and WiFi security seems to come up in many conversations we have with IT teams in regards to network security and secure mobile device management.
How Does BYOD Impact the Security of Company Wireless Networks?
In general, security risks comprise the most serious challenges in a BYOD environment (other than the danger of overloading your bandwidth and IT support issues). Once employees leave the company, they take their personal devices with them. This could mean that sensitive corporate data and assets (intellectual or physical) are unsecured, especially in environments that use passkeys for WiFi access. Many companies do not enforce security policies on endpoints they do not own, because it seems like an impossible task for IT departments. Below, however, we discuss methods and controls that can be implemented rather easily to make sure that WiFi-BYOD security is properly addressed.
Data leakage – If an employee neglects to install a security update on their private device, it could put your data at risk. Mobile devices such as laptops, phones and tablets are susceptible to cyber-attacks and require constant patch updates to handle security loopholes, and even a single missed patch can leave your company, and its data, vulnerable. These devices are constantly exposed to vulnerabilities and it is difficult to control which corporate data might be accessed via these endpoints.
Malware infections – If an employee were to accidentally install malware onto their device, while it is connected to the corporate WiFi network, they could spread the malware to other devices. The employee might even unknowingly install keylogging software, thereby enabling unauthorized users to obtain company usernames and passwords, and use them to gain access to sensitive or private enterprise data.
IT infrastructure – Most organizations with BYOD policies must invest time, energy, and money to assure that BYOD policies are compliant with security and privacy policies. To avoid the need to divert more time and resources later on to fix problems, IT personnel must make sure to implement BYOD NAC exactly according to policy from the beginning.
Mixing corporate and personal data – Sometimes it is difficult to distinguish between personal data and corporate data. If the endpoint were to be lost or stolen, company data would be at risk of exposure. There are also privacy concerns when employees leave the company.
Employee, Guest and Contractor BYOD – The Differences
Guests – Typically, these are visitors that are around for short visits, and in some work places we have observed that the same WiFi network that is used for employee devices is made available to guests.
Contractors – Most often these are professionals, outsourced to perform a specific job or project, sometimes collaborating with employees, and therefore they remain at the company (physically or virtually) for longer time periods compared with guests, and require the use of their own devices. In this case we have observed access that is granted to more sensitive data and resources, depending on the project, such as accounting, HR, legal, insurance, IT, intellectual data, technology, and more.
Employees – the permanent team members who may require access 24/7/365 depending on how geo-distributed the organization is and how quickly they need to be able to access corporate data to perform their duties.
Individual User WiFi Authentication
When examining WiFi security, it is crucial to consider the method being used to authenticate to the network. At Portnox we recommend WPA2-Enterprise, also referred to as WPA-802.1X mode. It authenticates to WiFi by using different identities instead of a single password. An identity can be credentials (user + password) or it can be a digital certificate. The WPA2-Enterprise authentication method is a great fit for any enterprise, large or small, allowing organizations to properly secure their wireless networks and making sure that they are compliant with security best practices.
By implementing enterprise-grade WiFi security that can authenticate all devices requesting access to the network, all endpoints are better protected. Access policies can be set to identify suspicious endpoints and deny them network access. This protects the most internal network with the most important data and assets, as well as helping to safeguard technology assets and employee devices.
Implementing identity-based WiFi access control means that employees are granted access based on their personal user ID or credentials, dramatically reducing the chances of unauthorized access to the organization’s Wi-Fi network and ensuring a much better security standard than the shared password practice. Team members have access to the corporate WiFi, which allows them access to the systems and information they need to perform their jobs. However, if they leave the company, instead of having to change everybody’s WiFi password, you only have to revoke those individual credentials.
Practices for Securing BYOD
Using enterprise-grade WiFi security enables the company to allow access to specific SSIDs and to authenticate based on any method. Some companies set up an SSID dedicated to employees for both company-issued and personal devices. This means that employees can connect their smartphones, tablets, etc. to that WiFi network, and it is a separate SSID from the one used for guests and contractors. The guests at these companies can connect to a pure guest internet connection.
In cases where the company is using Active Directory credentials to authenticate to the network, the company cannot stop employees from connecting their BYOD. So the best practice in cases like these is to have managed corporate devices authenticated with certificates, to use personal AD credentials to authenticate employee BYOD and to have easy onboarding for guests and contractors via a separate SSID. If contractors need access to certain corporate data, temporary user credentials could be provided.
Some companies do not have a Public Key Infrastructure (PKI), so they are “stuck” using personal credentials and thus cannot completely control employee BYOD or enforce the use of the corporate network versus the BYOD network. Still, when using SaaS/cloud-delivered WiFi security such as Portnox CLEAR, CLEAR itself includes a certificate authority. This means that companies can issue network authentication certificates to their corporate endpoints without the need to deploy PKI (unless such infrastructure is already in place).
Taking the Next Step
Allowing employees, contractors and guests to connect their devices to the company WiFi network can be done in a secure and simple way. By taking a few easy steps online, you can keep your WiFi network, company assets and data secure while incorporating a productive and user-friendly BYOD environment. Regardless of how you would like to authenticate devices, Portnox CLEAR’s Secure WiFi can help you navigate through the process and provides easy SaaS implementation within a few minutes. Contact Portnox Security today for expert advice to help you move forward with your secured BYOD & WiFi.
When examining WiFi security, the first layer of defense is the method being used to authenticate to the network. The most widely used methods of authentication are Open authentication, WPA2-PSK (Pre-Shared Key) and WPA2-Enterprise (read more about WPA protocols below).
As the name implies, an open authentication network allows access to all, and users are not required to authenticate at the association level. It is important to know that open networks are not encrypted, and so everything transmitted can be seen by anyone in its vicinity.
The best security practice is to completely avoid connecting to open networks. If there is an immediate need to connect, it is best not to allow devices to connect automatically but rather to select the network manually in the device settings. Open networks are easily forged, and hacking tools such as Pineapple use the fact that mobile devices are constantly searching to connect automatically to an open network. These tools perform Man-in-the-middle attacks to steal data such as passwords, credit cards, etc.
WPA / WPA2 / WPA3
WPA stands for WiFi Protected Access. This authentication method uses different encryption algorithms to encrypt the transport. Therefore, this type of network cannot be forged easily, unlike open networks, and users get privacy. Today, WPA2 is probably the most commonly used method to secure WiFi networks.
Sadly, WPA and WPA2 protocols have been hacked and are considered to be less secure. Performing a WPA2 hack requires a lot of time and is somewhat theoretical. Slowly, we are noticing a move to the WPA3 method, but for that to happen, different infrastructure is needed to support that protocol.
WPA2-PSK (and WPA3-PSK) is WiFi Protected Access (WPA) with a Pre-Shared Key. In simple terms, it is a shared password to access the WiFi network. This method is commonly used for home and small office WiFi networks. Even in a small office setting, using this method is problematic, because each time an employee leaves the company, the password must be replaced; otherwise, the former employee could still connect to the company WiFi.
Furthermore, employees tend to share the password with guests, visitors and contractors in the building, and you shouldn’t have the whole building connecting to the internet at your expense, risking the security of your data and assets in the process.
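To make the “one shared password” point concrete, here is an added example (written for this page, not taken from it or from any Portnox product) of how a WPA2-PSK network turns the passphrase into the Pairwise Master Key every client uses. The derivation is the one specified in IEEE 802.11i (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 256-bit output), and the assertion against the standard’s published test vector confirms it. The device names and passphrases in the demonstration are constructed.

```python
"""Added example: WPA2-PSK passphrase-to-PMK derivation (IEEE 802.11i) used to
show that every holder of the passphrase holds the same network key."""
import hashlib
from typing import Dict, List


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).

    802.11 restricts a passphrase to 8-63 printable ASCII characters; the
    standard's own test vector is ("password", "IEEE") ->
    f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e.
    """
    if not (8 <= len(passphrase) <= 63) or not passphrase.isascii() or not passphrase.isprintable():
        raise ValueError("WPA passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def key_holders(ssid: str, passphrase: str, devices: List[str]) -> Dict[str, List[str]]:
    """Group devices by the PMK they derive. With PSK there is exactly one group:
    the ex-employee's phone and the CFO's laptop hold the identical secret."""
    groups: Dict[str, List[str]] = {}
    for device in devices:
        groups.setdefault(wpa2_psk(passphrase, ssid).hex(), []).append(device)
    return groups


def devices_to_reconfigure(ssid: str, old: str, new: str, devices: List[str]) -> List[str]:
    """Rotating the passphrase (the only way to revoke a leaver under PSK) changes
    the PMK for every device, so every remaining device must be reconfigured."""
    return [d for d in devices if wpa2_psk(old, ssid) != wpa2_psk(new, ssid)]


if __name__ == "__main__":
    # Constructed sample: one office SSID, one shared passphrase, four devices.
    ssid, passphrase = "example-office", "CorrectHorseBatteryStaple"
    devices = ["cfo-laptop", "reception-pc", "ex-employee-phone", "lobby-printer"]
    for pmk, holders in key_holders(ssid, passphrase, devices).items():
        print(f"PMK {pmk[:16]}... is held by {holders}")
    print("must reconfigure after rotation:",
          devices_to_reconfigure(ssid, passphrase, "NewPassphrase2024", devices))
```

The derivation uses only the SSID and the passphrase, so it does not matter who typed the passphrase or on which device: every holder derives the same PMK, and the only way to lock one person out is to change it for everyone, which is exactly the operational problem described above. (The 4-way handshake derives per-session keys from this PMK, but anyone holding the PMK can complete that handshake.)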
WPA2-Enterprise, also referred to as WPA-802.1X mode, authenticates to WiFi by using different identities instead of a single password. An identity can be credentials (user + password) or it can be a digital certificate.
This authentication method is better suited for enterprise networks and provides much better security for wireless networks. It typically requires a RADIUS authentication server as well as integration with the organization’s different identity repositories, enabling the organization to authenticate different types of endpoints.
The underlying protocols that secure the authentication are Extensible Authentication Protocol (EAP) methods such as EAP-TLS, EAP-TTLS and PEAP, each representing a different type of authentication method and level of security.
With WPA2-Enterprise one can use advanced features such as assigning each endpoint after authentication to a specific VLAN or assigning ACLs (Access Control Lists) to specific sections. Additionally, enterprises can audit the connection with additional details. These features are important as they allow enterprises to properly secure their wireless networks and to make sure that they are compliant with security best practices.
CLEAR is a SaaS, cloud-delivered, WiFi access control solution that allows you to secure your WiFi based on WPA2/3-Enterprise, using personal identities or digital certificates. CLEAR supports a wide range of authentication providers, from on-premises AD through cloud providers such as GSuite and Azure AD. CLEAR comes with a cloud-RADIUS, therefore there is no overhead, as there is no equipment to install or maintain. It requires no training or skilled personnel to deploy and operate. In less than 10 minutes, large and small companies are deploying CLEAR’s enterprise-grade Wi-Fi security.
Are you using a pre-shared passkey to allow access to the organization’s WiFi?
Securing WiFi access in businesses has been historically weak. Oftentimes, companies protect their Wi-Fi access with a pre-shared password, sometimes posting it on whiteboards within the company or placing it for all to use at the reception desk to enable easy access. This is primarily for modern convenience purposes, as businesses would like to enable productivity and collaboration with contractors and guests, as well as allow for staff mobility within the premises of the enterprise.
What’s the problem? And why should I care?
The problem with this practice is that this is a “home style” level of security that places the company’s data and assets (whether intellectual or physical) at risk of being damaged or stolen. If an outsider successfully connects to the company’s WiFi, they could bypass the Firewall and all traditional cyber security mechanisms applied by most companies today. Once inside, they could damage the organization’s reputation by accessing illegal web sites, or company data, whether it resides on premises or in the cloud. Accessing these items is easy, and there are many automated network tools that can enable “non-techies” to do the work. Additionally, this type of hack could easily be achieved via simple social engineering. Another reason to be worried about the use of passkeys is that WiFi hacks and damages do not require being physically present at the organization. These simple actions could be taken from a nearby public space such as the parking lot and would leave no trace. Trying to track who accessed the enterprise WiFi by using a shared password is almost impossible.
Internal players – disgruntled and former employees
One of the scariest scenarios is a hack performed by a disgruntled employee who uses their remaining access to perform nefarious activities, including damaging, sabotaging or stealing company data, resources and assets. Roughly one out of five organizations has experienced a data breach by a former employee. The Gartner analysis of criminal insiders found that 29 percent of employees stole information after quitting or being fired for future gains, while 9 percent were motivated by simple sabotage.
Attacks by disgruntled employees who commit deliberate sabotage or intellectual property theft are considered to be among the costliest risks to an organization. For example, one of our customers, a food manufacturer in the United States, fired an employee. The disgruntled employee decided to get even. Using the organization’s Wi-Fi password, he connected to the network from the parking lot and changed the temperature setting for the refrigerators. The result was the destruction of food inventory to the tune of hundreds of thousands of dollars.
Bottom line? Former employees, even those who left amicably, should no longer have access to any part of the network.
Removing employees’ access to all accounts immediately after leaving the company is the best practice to use; however, typically it is not possible to revoke all access due to shared passwords for certain systems and services. In some cases, these systems do not require a password at all, such as printers and Point of Sale devices. For certain organizations, such as law firms and medical facilities, these represent the crown jewels in terms of company data and therefore should be highly secured.
Do I have important assets on the network that I should be protecting?
With the growing number of Wi-Fi connected IoT devices (IP cameras, printers, etc.) in the enterprise, each network has a lot of devices that could be compromised, causing data leaks, denial of service attacks or severe damage to the organization. Therefore, ensuring that IoT endpoints are segmented into separate sections of the network and cannot be accessed by outsiders is crucial.
What is the alternative to PSK?
Using enterprise-grade authentication & access services is a good idea.
The best security practice would be to have digital certificates, but at the very least, it is recommended to establish a personal identity-based authentication solution. It would enforce network access via unique user credentials, thereby dramatically reducing the chances of unauthorized access to the organization’s Wi-Fi network, and it would ensure a much better security standard over the shared password practice. Traditionally, this was difficult, as setting up such services required high levels of technological knowledge, as well as extensive maintenance and long and complicated deployments.
This is exactly where Portnox CLEAR can help.
CLEAR is a cloud-delivered, WiFi access control solution that, among other benefits, provides a cloud-RADIUS, therefore requiring no training or skilled personnel to deploy and operate. There is no overhead, as there is no equipment to install or maintain, and the service is inexpensive and priced on the number of devices in the enterprise. Additionally, there is no need to manage a WiFi password, as authentication is based on user accounts or digital certificates (customer’s choice), and therefore all passwords are unique. In less than 10 minutes, companies are deploying CLEAR’s enterprise-grade Wi-Fi security, providing the highest level of security to any enterprise, large or small.
The network no longer provides an air gap against external threats, but network access for devices can take up the slack. The fall of the enterprise perimeter is like the falling of a wall. It has created a new security landscape in which each endpoint, no matter from where it connects, has become its own perimeter — a weakness that can give adversaries access to the entire network.
Here you can read about the best practices to implement in the enterprise to handle threats both inside and outside the physical enterprise perimeter, allowing organizations to provide remote branches and “traveling” endpoints the same security as their corporate headquarters.
Published in Darkreading.com
With the prevalence of digital transformation in the enterprise, there is a clear necessity to balance IoT security issues and BYOD security measures that will prevent suspicious or malicious devices from gaining access to the enterprise’s assets and data centers, while at the same time making sure that productivity and easy onboarding of devices are maintained. Employees, guests and contractors are bringing all kinds of Wi-Fi enabled devices to the enterprise environment, and they expect easy and quick network connectivity.
Onboarding is the process in which new devices gain access to the enterprise for the first time. Unfortunately IT departments can sometimes experience additional workloads while endeavoring to get all the devices on the network so as not to hinder business productivity. At the same time, if they are not handling the process with top security standards in mind, they could potentially place users, devices, enterprise data and the network itself at risk. The question arises: how should IT Security teams allow for BYOD, IoT, contractors, guests, etc. to securely and quickly connect to the network without placing any of its components at risk of a breach or ransomware attack? The answer: automation.
By automating the entire onboarding process enterprises can achieve the following benefits:
- Reducing the costs that are typically associated with manual work (including configuration and support activities).
- Enhancing productivity – getting team members, contractors and guests connected to work faster.
- Increasing end-user satisfaction – instead of hassling end-users with onboarding procedures, the whole process can and should be seamless.
- Decreasing the risks – unmanaged, unpatched, high-risk devices should be blocked or connected from the beginning to a separate segment of the network from where the key corporate assets are stored (the “crown jewels” of the company).
Employees, students, contractors, partners and guests should onboard their devices once and then automatically re-authenticate after that, within an environment that continuously monitors all devices on the networks and automatically provides a risk score for every device. This ongoing scoring allows security teams to understand the security posture of the devices and the network as a whole, at any given moment. At the same time, there is no need to have end users repeatedly re-enter credentials on subsequent network connections unless a device is deemed to have a high risk-score. This way the enterprise can easily onboard BYOD devices belonging to employees that are traveling, working remotely or working at a satellite office location. Additionally, this allows onboarding of IoT and smart devices for business such as flat screens, printers and IoT devices, as well as gaming consoles, smart refrigerators and more. These items, of course, must be on a separate segment from where company assets are kept.
Reducing Risks on the Network
A while ago Ofer Amitai, Portnox CEO, wrote about tips for securing endpoint devices on college campuses, institutions that always want a relatively simple onboarding process. He discussed how changes in onboarding and guest access policies could reduce risks and improve network visibility and control. The principles for securing the enterprise require these steps and more. Having a clear set of onboarding policies will allow IT teams to have automated actions applied (see examples in the next section).
After handling the company’s initial network security audit and collecting the security posture of all devices, it is important to make sure that the enterprise authorization policies include conducting automated and continuous security assessments of the network. This way, every device employs baseline security measures before being allowed to connect. Additionally, the IT security team should use granular policies to govern the level of access while maintaining full visibility and control over network connected devices with the ability to revoke access at any time.
Automated Device Onboarding and Network Authentication
Having an automated onboarding set of policies can allow for automated actions such as:
- Immediately allowing Internet access
- Blocking or disconnecting
- Segmenting a device to a separate network section
- Remediation actions
For example, IoT devices are considered to be easy to hack. Therefore, once connected to the enterprise network, these devices should be separated from where core assets are located. Having different segments on the enterprise network is a good solution for that. Additionally, if a visitor is being connected, the visitor should gain access to the Internet and not to company files, even when plugging the computer into the wired network.
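As an added example (written for this page, not Portnox’s code), the following toy authorization policy ties together three passages: the “narrow segment” for MAC-authenticated devices in the MAC spoofing discussion, the per-endpoint VLAN assignment that WPA2-Enterprise makes possible, and the automated onboarding actions listed above. It maps what is known about an endpoint after authentication (authentication method, device profile, managed state, and a risk score from continuous posture assessment) to an action, and renders a VLAN decision as the RADIUS attributes defined in RFC 3580 (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN id) that switches and wireless controllers act on. The profile names, VLAN numbers and risk threshold are constructed assumptions.

```python
"""Added example: a toy NAC authorization policy that turns post-authentication
facts about an endpoint into an onboarding action and, where a VLAN is
assigned, into RFC 3580 RADIUS attributes. Profiles, VLAN ids and the risk
threshold are constructed for the illustration."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Endpoint:
    mac: str
    auth: str           # how it authenticated: "cert", "credentials", "mab", "guest-portal"
    profile: str        # NAC device profile: "managed", "byod", "printer", "iot", "guest"
    managed: bool       # corporate-managed device (agent / MDM enrolled)
    risk_score: int     # 0 (clean) .. 100, from continuous posture assessment


@dataclass
class Decision:
    action: str         # "allow", "segment", "internet-only", "remediate", "block"
    vlan: Optional[int] # None means no network access at all


# Constructed VLAN plan: the corporate VLAN is the only one that reaches the "crown jewels".
VLANS = {"corporate": 10, "byod": 20, "iot": 30, "guest": 40, "quarantine": 99}
HIGH_RISK = 70  # constructed threshold above which a device is sent to remediation


def authorize(ep: Endpoint) -> Decision:
    """Evaluate the policy top-down; the first matching rule wins."""
    # Posture first: a high-risk device is quarantined whatever its identity.
    if ep.risk_score >= HIGH_RISK:
        return Decision("remediate", VLANS["quarantine"])
    # Certificate-authenticated, managed endpoints get the corporate segment.
    if ep.auth == "cert" and ep.managed:
        return Decision("allow", VLANS["corporate"])
    # Employee-owned devices on AD credentials land in a separate BYOD segment.
    if ep.auth == "credentials" and ep.profile == "byod":
        return Decision("segment", VLANS["byod"])
    # MAC-authenticated printers and IoT never reach the corporate VLAN, so a
    # borrowed printer MAC buys only the IoT segment.
    if ep.auth == "mab" and ep.profile in ("printer", "iot"):
        return Decision("segment", VLANS["iot"])
    # Guests who completed the portal get Internet only, wired or wireless.
    if ep.auth == "guest-portal":
        return Decision("internet-only", VLANS["guest"])
    # Anything else (e.g. an unprofiled MAB device, or credentials from an
    # unexpected device class) is blocked.
    return Decision("block", None)


def radius_reply(decision: Decision) -> Dict[str, object]:
    """Access-Accept with RFC 3580 VLAN attributes, or Access-Reject."""
    if decision.vlan is None:
        return {"code": "Access-Reject"}
    return {
        "code": "Access-Accept",
        "Tunnel-Type": 13,                              # VLAN
        "Tunnel-Medium-Type": 6,                        # IEEE-802
        "Tunnel-Private-Group-Id": str(decision.vlan),  # VLAN id as a string
    }


if __name__ == "__main__":
    # Constructed endpoints covering each rule.
    samples = [
        Endpoint("aa:bb:cc:00:00:10", "cert", "managed", True, 5),
        Endpoint("aa:bb:cc:00:00:11", "credentials", "byod", False, 20),
        Endpoint("aa:bb:cc:00:00:12", "mab", "printer", False, 10),
        Endpoint("aa:bb:cc:00:00:13", "mab", "printer", False, 85),
        Endpoint("aa:bb:cc:00:00:14", "guest-portal", "guest", False, 0),
        Endpoint("aa:bb:cc:00:00:15", "mab", "unknown", False, 0),
    ]
    for ep in samples:
        d = authorize(ep)
        print(f"{ep.mac} {ep.auth:12} {ep.profile:8} -> {d.action:13} {radius_reply(d)}")
```

The order of the rules is the security-relevant part: posture is checked before identity, so a device that authenticated perfectly yesterday but now scores high on risk is moved to remediation at re-authentication without anyone re-entering credentials, and MAC-only authentication can never produce the corporate VLAN regardless of which MAC is presented.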
Two important advanced guest network onboarding features are recommended to be included:
- Easy guest access – allowing for simple and fast connections together with the ability to continuously monitor all devices and ensure security.
- Agentless access – once the IT administrators have set up the onboarding policy – contractors and guests on protected networks should be able to self-onboard without installing an endpoint agent.
Acquiring Advanced Onboarding Capabilities
One of the technologies that can help with safe onboarding is network access control (NAC). In the past, companies used only desktops and laptops, connected and authenticated over a wired network; nowadays, however, wireless networks and mobile technologies have introduced personal devices (via BYOD policies) and the Internet of Things (IoT) to the workplace. In addition, increasingly stringent compliance standards, such as PCI-DSS, SOX, and ISO standards, require companies to openly communicate their security controls to external auditing authorities. All of these can be achieved via NAC solutions. Network access security should be a priority for all companies moving forward.
Every enterprise today must support a rapidly proliferating world of devices and platforms. From an operational viewpoint, this shouldn’t obstruct workflows and productivity. Ideally, the enterprise IT team will automate and secure network onboarding and authentication so that the IT helpdesk doesn’t have to intervene when guests, contractors and IoT devices need to connect. Additionally, an effective plan for secure network onboarding will on one hand improve the end-user experience for BYOD, IoT, users and guests, and on the other hand improve IT security as part of a layered protection strategy.
Looking to set IT security policies and automate your device onboarding?
Portnox CLEAR offers easy onboarding while never compromising on network security across the enterprise.