News of a major vulnerability within the standard WPA2 protocol has been rippling around the world. IT organizations are scrambling to audit their WiFi security posture in light of this development – and rightfully so. Below, we’ll offer our take on the KRACK WiFi security threat and the steps you can take to improve your security.
What is the WPA2 KRACK Vulnerability?
Essentially, an attacker that is within range of a potential target can take advantage of the vulnerability by using a key reinstallation attack (KRACK). This method allows the attacker to read a large amount of information that was assumed to be encrypted, including passwords, emails, credit card info, and more. This attack works with all modern protected WiFi networks on a wide variety of devices, including Android, Linux, Apple, Windows, OpenBSD, MediaTek, and Linksys (Source).
With this revelation, one thing is certain: until you take action, your WiFi-enabled devices are not safe. Your data is at risk of being read by malicious attackers, and as a result your entire organization’s security is at risk at the moment as well.
5 Steps to Improve Your WiFi Security Posture
With the news of this massive security issue, many are wondering what steps they can take to make sure that they are protected from an attack. While at the time of writing this attack is still very new, there are measures that you can take to help reduce the level of risk around this vulnerability.
#1 Ensure that you keep your devices up to date.
The main target of KRACK is clients, so making sure that you have the most recent software installations is critical. Developers will release patches to help solve or mitigate the issue, and keeping your software up to date is one of the best ways to secure your information.
Note: The most at risk device is Android phones. While everyone needs to be careful and keep their devices patched, Androids have been shown to be very easy to hack with this method. If you have an Android, it is vital that you keep it updated. Windows and Mac OS platforms have been shown to be much safer, but it is still important to make sure you have the most recent updates implemented (Alex Hudson). If you have a Windows machine, you can already update your machine to a version that fixes this issue with a release that was made public on October 10th.
#2 Avoid the use of public WiFi.
Not only should you stay away from public WiFi networks, if possible opt to use cellular data or wired ethernet connections for extremely sensitive data transfers (pcworld.com). The only way to guarantee that your info is safe from this vulnerability is to avoid WiFi in general, but we all know that is difficult to do.
#3 Take advantage of HTTPS encryption.
If you must use public WiFi, try to stick to websites that employ HTTPS encryption. Properly set-up HTTPS encryption adds another layer of security on to your online communications, helping to reduce the risk of being stolen through KRACK. It is still not a guarantee, as HTTPS can be bypassed in other ways (Krackattacks.com), but having the extra layer of security is a big help.
#4 Use a Virtual Private Network (VPN).
A VPN will hide the entirety of your network traffic. This is a great step toward protecting your information, and while again not a guarantee that your information will be completely safe, is a major step in the right direction. Just ensure that you get a legitimate VPN provider, as there are some malicious free VPNs out there that may try to steal your information as well (pcworld.com).
#5 Employ a RADIUS server.
When considering which type of network security to employ for your enterprise, the fact of the matter is that using a standard WPA2 passphrase for network authentication just doesn’t cut it. KRACK vulnerabilities aside, it requires the use of shared passwords (otherwise known as pre-shared keys or PSK), which are incredibly easy to get out into the wrong hands, and lacks a solid authentication process. The most secure network security protocol that you can employ for a business is WPA2 Enterprise. This protocol is designed for the enterprise, and requires a RADIUS server for authentication.
While it won’t be able to help secure your organization against the KRACK vulnerability, employing a RADIUS server is still the most secure authentication method that you can take with a WiFi network. It eliminates the security risk that comes with shared passwords (PSK) by having associated user accounts with each person accessing the network, the authentication process can be employed on the wired or WiFi network, it enables additional methods of control over the network, and much more (summitdata.com)
While the benefits may seem clear to many, it is actually not as common to have a RADIUS server for WiFi authentication as you may think. This is because of how difficult it can be to implement. RADIUS servers can take many hours to set up all of the on-prem hardware properly, then many more hours to configure, and then even more hours to maintain going forward. For some, the cost and hassle of setting RADIUS up just doesn’t feel like it’s worth it. For that reason, we recommend a cloud-based RADIUS-as-a-Service, such as the one included in our own cloud-based directory service, JumpCloud.
WiFi Security is More Important than Ever Before
If there’s one thing that stands out from the revelation of the KRACK vulnerability, it’s how important securing your WiFi network is. Your entire organization relies on it to handle secure information transfers, credentials, emails, and much much more, and having any sort of compromise in it can ruin your company. Breaches in major companies are making headlines quite often now, and it is causing them to take major hits in public opinion and stock value.
Don’t let your network security fall by the wayside anymore. Paranoia with security breaches is never retroactive, so it’s vital that you get ahead of these risks while you can.
While it is important to take the steps above, it isn’t necessary to reinvent the wheel and do this all on your own – especially when it come to employing RADIUS. Instead of having to deal with the challenges of setting up a RADIUS server and implementing it in the office, we recommend that you take advantage of a cloud RADIUS instead.
Try Our Cloud RADIUS Service Today at No Cost
JumpCloud’s RADIUS-as-a-Service feature means that all of the implementation and ongoing maintenance is handled by the provider, taking the weight of the task off of IT admins.
You can try out JumpCloud’s RADIUS-as-a-Service feature for free, by signing up for a free DaaS account. Your first 10 users are free forever, so you can test it out for yourself to make sure it works in your organization. We also invite you to reach out to us if you have any questions about KRACK or otherwise. We would be happy to help explain how our RADIUS-as-a-Service works and how it can improve an organization’s WiFi security posture in light of the recent KRACK WPA2 vulnerability.
This is a Security Bloggers Network syndicated blog post authored by Jon Griffin. Read the original post at: JumpCloud