The threat behind MAC spoofing
When implementing any insurance policy, you need to start with estimating the level of risk, the probability of that risk, and the potential damage should that risk become a reality.
One of the network risks that is often presented to demonstrate the ineffectiveness of 802.1x solutions is the ease of bypassing modern network access control (NAC) by using MAC spoofing. Usually, this involves spoofing the network printer or other vulnerable device.
Now, let’s put aside the fact that network printers today can support certificate or credential-based authentication, and that certain products have remedies against such attempts even when the authentication is based on MAC.
Let’s consider: is MAC spoofing a legitimate threat or an exaggerated, manageable flaw?
But before I try to analyze this risk, I want to point out the biggest advantage a NAC solution can give an organization to cope with modern cyber security threats: the ability to apply dynamic segmentation based on device type or identity.
Without going into too much detail, NAC is one of the only systems that can help you prevent lateral movement, indirectly allowing you to identify breaches and directly helping you to prevent the compromise of your crown jewels.
The threat landscape
Here are some of the most common adversaries when it comes to MAC spoofing:
- The employee – a disgruntled current or former employee
- The guest – a contractor, customer, patient, etc. who physically visits your organization for a period of time
- The hacker – a malicious person trying to attack your network and steal information, causing harm to your organization
And here are the most common attack surfaces:
- Wired, ethernet switches
One caveat: most wifi environments contain managed devices. So, for devices that do not have an 802.1x supplicant, and thus does not support certificate-based authentication (or credentials based), it is easy to setup an isolated segment and significantly lower the risk of attack.
As such, we’ll put our focus on examining wired environments, and how they’re vulnerable to the above adversaries.
Let’s be clear – MAC spoofing requires some technical knowledge to execute, which the non-technical lay person typically does not possess. Those doing it know what they’re doing, and they know it’s wrong.
With that said, it’s important to point out that a lot of damage is caused by the unintended – i.e. people clicking on a link in an email, deleting the wrong record or file, or even dropping a laptop into a pool.
Employees should be trustworthy. If they’re not, cyber security is likely not your problem. But, when someone is fired, laid off, or even just mistreated at work, there always exists the potential for them to hold a grudge. It’s human nature.
Disgruntled employees can pose a big risk. If an employee still works for an organization and he/she is determined to do damage, that’s a problem that’s nearly impossible to prevent. The network connection alone is not going to stop he/she from stealing data or worse. This individual likely already has access through other corporate devices and the credentials to access whatever data he/she wants.
At the end of the day, however, this individual’s risk of MAC spoofing can be categorized as “very low” with “low” probability and “low” potential for damage. The reason being is that the potential damage done is not necessarily related to network connection. The first line of defense against a disgruntled current of former employees is physical barriers – i.e. locked doors and other physical security.
A guest visiting your office might want to connect to your network. Most likely, this guest will not go to great lengths to hack your network if they are initially blocked. By supplying a guest network, such as a guest wifi, you will effectively eliminate that risk all together. Thus, like the employee, this individual’s risk of MAC spoofing can be categorized as “very low” for both probability and damage.
A hacker will need physical access to your network in order to do his/her job. Today, spearhead attacks can enable hackers to access your networks from afar. Doing so, however, typically requires some sort of motive.
This motivation is often dependent upon the type of business you operate. If you’re in military and defense, for example, you likely have a higher than average risk of being the target of such an attack. The same going for banking and financial services, healthcare and any other industry with highly sensitive and confidential data.
For most organizations, the threat of physical access hacking is typically low, while the potential for damage could be high. Should a retailer fear physical burglary just because a new device has connected to its network? I think not.
For most organizations, the risk of MAC spoofing is almost non-existent. This is usually fairly easy for an auditor to demonstrate, and would appear as part of a comprehensive security report. So in reality, the perception of the threat is that it’s a much larger problem than it actually is.
You can also prevent MAC spoofing by implementing stronger authentication methods that are fairly common today. One of the major roles of NAC is to provide secure authentication and authorization to the network. Thus, even if authentication is somehow breached, authorization serves as a second layer of defense that can limit access by putting potential individuals of risk in a specific “narrow” segment.
The segmentation of specific types of MAC-based devices is a best practice in NAC. Even if spoofing occurs, such a device won’t be able to access a particularly sensitive VLAN, such as those in Finance or HR, if proper segmentation has been established through your network security policies.
Cyber security data breaches are becoming increasingly common and severe. Today, banks, insurance companies, investment firms, and other financial institutions are considered to be prime targets. Due to the sensitivity and importance of their data, these institutions suffer approximately 300X more cyber breaches than any other industry.
In 2018, the financial sector reported 819 cyber incidents, an explosive increase from the 69 incidents reported for 2017 – including the infamous Equifax data breach. The total numbers for 2019 won’t be available until next year, yet we know that the financial sector has already experienced a number of significant attacks already this year. Such breaches included the attacks on Capital One, First American Financial Corp., Desjardins Group and Westpac/PayID.
Despite these pervasive cyber security threats, financial institutions are still failing to prevent, defend, prepare and respond effectively to attacks – particularly when it comes to network security. In many cases, the problem stems from executive leadership not prioritizing the cybersecurity budget or emphasizing its importance. Few organizations make prevention a priority, few apply the top recommended CIS controls or prepare employees on how to respond effectively in the event of a security incident. Unfortunately, poor network access control and other cyber security oversights lead to hundreds of millions of dollars in losses, the exploitation of personal data and more.
Some financial institutions, however, have already decided to take proactive measures this year to obtain risk monitoring, visibility and access controls. One such group is Royal London, the UK’s largest mutual life, pensions and investment company. Faced with limited network and device visibility, they had a variety of security and compliance issues to contend with. However, since implementing Portnox CORE, the company and all of its locations have instituted a higher level of cyber hygiene.
CORE is a simple to operate network access control solution that provides full visibility into every endpoint and component on the network, along with risk monitoring and enforcement capabilities. It is simple to deploy and manage and has received numerous cyber security awards.
From the moment Portnox’s on-premises NAC solution was implemented, Royal London’s security team has been able to successfully handle all challenges associated with visibility, control and compliance enforcement. This includes the ability to see all endpoints on the network, and ensure that they are properly secured according to company policies, privacy standards and regulatory compliance.
Furthermore, as risk-monitoring and other network security enforcement actions that would otherwise have to be done manually are now automated, Royal London’s IT team can devote their time to more important tasks, thereby increasing efficiency and productivity.
Fill out this form to immediately receive the full case study:
As the demand for mobility continues to increase, and Wi-Fi continues to replace Ethernet as the preferred corporate access layer, many organizations are facing similar security issues and requirements. This is particularly significant with the increasing number of guests, contractors and employees who are using their own devices on corporate networks. In recent years, there has been an increase of personal devices entering the workplace with many organizations adopting BYOD policies.
Overall, having a Bring Your Own Device (BYOD) policy has proved to be a good business policy. By allowing employees, contractors and guests to connect their own devices, such as laptops, smartphones, and tablets, to the corporate wireless network, enterprises have been able to save money while increasing productivity and team motivation (Frost & Sullivan). However, there are certain challenges to securing the organization’s WiFi network in a BYOD environment. Without addressing these issues properly, you are leaving your company’s assets and data vulnerable.
Approaches to BYOD on WiFi
Some companies allow BYOD usage for everybody, on the company WiFi, whether employees, contractors or guests, while others maintain a strict Zero BYOD-WiFi hookup. There are companies that choose the middle ground approach of allowing employees to connect their own devices on the corporate wireless network but have a separate WiFi network for guests and contractors, and some allow contractors to connect to the company WiFi for specific tasks. Either way, the question of how to handle BYOD and WiFi security seems to come up in many conversations we have with IT teams in regards to network security and secure mobile device management.
How Does BYOD Impact the Security of Company Wireless Networks?
In general, security risks comprise the most serious challenges in a BYOD environment (other than the danger of overloading your bandwidth and IT support issues). Once employees leave the company, they take their personal devices. This could mean that sensitive corporate data and assets (intellectual or physical) are unsecured, especially in environments that use passkeys for WiFi access. Enforcing security policies on the endpoints that are not owned by the company is not practiced by many companies as it seems like an impossible task for IT Departments, however, below we will discuss the easier methods and controls that can be implemented, rather easily, to make sure that WiFi-BYOD security is properly addressed.
Data leakage – If an employee neglects to install a security update on their private device, it could put your data at risk. Mobile devices such as laptops, phones and tablets are susceptible to cyber-attacks and require constant patch updates to handle security loopholes, and even a single missed patch can leave your company, and its data, vulnerable. These devices are constantly exposed to vulnerabilities and it is difficult to control which corporate data might be accessed via these endpoints.
Malware infections – If an employee were to accidentally install malware onto their device, while it is connected to the corporate WiFi network, they could spread the malware to other devices. The employee might even unknowingly install keylogging software, thereby enabling unauthorized users to obtain company usernames and passwords, and use them to gain access to sensitive or private enterprise data.
IT infrastructure – Most organizations with BYOD policies must invest time, energy, and money to assure that BYOD policies are compliant with security and privacy policies. To avoid the need to divert more time and resources later on to fix problems, IT personal must make sure to implement BYOD nac exactly according to policy from the beginning.
Mixing corporate and personal data – Sometimes it is difficult to distinguish between personal data and corporate data. If the endpoint were to be lost or stolen, company data would be at risk of exposure. There are also privacy concerns when employees leave the company.
Employee, Guest and Contractor BYOD – The Differences
Guests – Typically, these are visitors that are around for short visits, and in some work places we have observed that the same WiFi network that is used for employee devices is made available to guests.
Contractors – Most often these are professionals, outsourced to perform a specific job or project, sometimes collaborating with employees, and therefore they remain at the company (physically or virtually) for longer time periods compared with guests, and require the use of their own devices. In this case we have observed access that is granted to more sensitive data and resources, depending on the project, such as accounting, HR, legal, insurance, IT, intellectual data, technology, and more.
Employees – the permanent team members who may require access 24/7/365 depending on how geo-distributed the organization is and how quickly they need to be able to access corporate data to perform their duties.
Individual User WiFi Authentication
When examining WiFi security, it is crucial to consider the method being used to authenticate to the network. At Portnox we recommend WPA2-Enterprise, also referred to as WPA-802.1X mode. It authenticates to WiFi by using different identities instead of a single password. An identity can be credentials (user + password) or it can be a digital certificate. The WPA2-Enterprise authentication method is a great fit for any enterprise, large or small, allowing organizations to properly secure their wireless networks and making sure that they are compliant with security best practices.
By implementing enterprise-grade WiFi security that can authenticate all devices requesting access to the network, all endpoints are better protected. Access can be set to identify suspicious endpoints and to deny network access. This would protect the most internal network with the most important data and assets as wells as help to safeguard technology assets and employee devices.
Implementing identity-based WiFi access control would mean that employees are granted access based on their personal user ID or credentials, thus dramatically reducing the chances of unauthorized access to the organization’s Wi-Fi network, and it would ensure a much better security standard over the shared password practice. Team members will have access to corporate WiFi, that would allow them access to the systems and information to best perform their jobs. However, if they leave the company, instead of having to change everybody’s password for WiFi, you only have to cancel out those individual credentials.
Practices for Securing BYOD
Using enterprise-grade WiFi security enables the company to allow access to specific SSIDs and to authenticate based on any method. Some companies set up an SSID dedicated to employees for both company-issued and personal devices. This means that employees can connect their smartphones, tablets, etc. to that WiFi network, and it is a separate SSID from the one used for guests and contractors. The guests at these companies can connect to a pure guest internet connection.
In cases where the company is using Active Directory credentials to authenticate to the network, the company cannot stop employees from connecting their BYOD. So the best practice in cases like these is to have managed corporate devices authenticated with certificates, to use personal AD credentials to authenticate employee BYOD and to have easy onboarding for guests and contractors via a separate SSID. If contractors need access to certain corporate data, temporary user credentials could be provided.
Some companies do not have Public Key Infrastructure (PKI) so they are “stuck” using personal credentials and thus, cannot completely control employee BYOD and enforce to use company vs. BYOD network. Still, when using SaaS/cloud-delivered WiFi security such as Portnox CLEAR, CLEAR itself includes a certificate authority. This means that companies can issue network authentication certificates to their corporate endpoints, without the need to deploy PKI (unless there is already such infrastructure in place).
Taking the Next Step
Allowing employees, contractors and guests to connect their devices to the company WiFi network can be done in a secure and simple way. By taking a few easy steps online, you can keep your WiFi network, company assets and data secure while incorporating a productive and user-friendly BYOD environment. Regardless of how you would like to authenticate devices, Portnox CLEAR’s Secure WiFi can help you navigate through the process and provides easy SaaS implementation within a few minutes. Contact Portnox Security today for expert advice to help you move forward with your secured BYOD & WiFi.
See a Demo of CLEAR – Please fill out this form: