Wi-Fi Security Demands More than WPA3

We all know what can happen when we use an unsecured Wi-Fi network -- anyone can see the data we’re sending and receiving. A Wi-Fi network must be encrypted, and it should have the latest, strongest encryption, WPA3. If it does, everything’s fine, right? You might have thought so until April 2019 when several WPA3 vulnerabilities came to light.

Granted, the vulnerabilities have been patched. But unless you know there will be no further weaknesses discovered in WPA3, it’s clear you should not rely solely on a wireless encryption protocol to protect your data. I recently caught up with Bruce McCorkindale, vice-president of technology and distinguished engineer at Symantec. If you want to understand how to secure devices on wireless networks, Bruce is your man. His advice: Implement WPA3 within a Zero Trust strategy.

Zero Trust starts with the assumption that you can’t trust your network or the endpoints on it. That means doing away with the idea that your network has a perimeter that can be secured, and assuming that compromise might have – and probably has -- already occurred. “When you’re at work, treat it like you’re at Starbucks,” says McCorkindale.

If you’ve been reading up on Zero Trust, you realize there is no such thing as a Zero Trust product per se. Zero Trust is a strategy that has been embraced by standards and advisory organizations. For example,  NIST has developed its Cyber Security Framework with Zero Trust principles in mind (although Zero Trust is not mentioned by name in the framework.) Forrester has created its Zero Trust framework that it encourages its clients to implement. And Gartner has done something similar in its CARTA framework. You can start with any of these frameworks, but the end result will consist of technologies and methods you select, tailored to your own organization’s distinct needs.

Zero Trust strategies implement layered defense, or defense-in-depth, not a new concept by any means. No single piece of your strategy will be absolutely secure, but the combination of all the measures together will create a defense that will be very difficult to penetrate. For Wi-Fi networks, McCorkindale recommends these essential layers:

• Transport Layer Security (TLS). TLS is an IETF standard and the successor to SSL. TLS 1.3, completed in 2018, is faster and more secure than its predecessor.
   
• VPN. Establishing a VPN connection creates a tunnel in which traffic is encrypted using protocols such as IPSec.
   
• Multi-factor authentication. The combination of two or more of the following: What a user knows (password), what a user has (security token) and what the user is (biometric factor).

It’s important to use these measures in combination, beginning with TLS, then adding VPN and multifactor authentication. Experience has shown that traditional passwords just don’t cut it. If a bad actor obtains a user’s credentials, all the encryption in the world won’t matter. He or she will simply enjoy encrypted access to your corporate data.

Enterprise Zero Trust implementations often go further, including technologies such as User and Entity-Based Analytics (UEBA), that analyze the behavior of users and devices to detect suspicious anomalies. And Micro-segmentation might be implemented to limit the ability of users to access applications and for applications to talk to each other.

Symantec Technologies

You can implement a Zero Trust defense of your Wi-Fi traffic by stocking your arsenal with several key Symantec products. Most important are Norton Mobile Security (for consumers), SEP Mobile (for enterprises), and Norton Secure VPN products.

Both SEP Mobile and Norton Mobile Security for iOS can detect when a user is on an insecure Wi-Fi network and automatically launch a VPN connection on the user’s mobile device. NMS will also do you the favor of telling you whether your OS is out of date. This is an important feature, since many breaches result from users neglecting to update their endpoint systems and routers with the latest OS versions and security patches.

Symantec also offers VIP Security Keys, devices that plug into a USB port to enable users to verify who they are by tapping a finger. The VIP Security Keys implement the Universal 2nd Factor (U2F) standard, a protocol specified by the FIDO Alliance, a non-profit organization that is developing standards for authentication devices. VIP is also available as a mobile app that issues soft tokens.

After you implement WPA3 and these Zero Trust measures, will it be safe to relax? Um, no. Adhering to the practices above will make your defenses significantly more robust. But any security strategy is a work in progress and it’s only as effective as your own dedication to carrying it out. Forget to update your router software and you’ve created a weakness that will render the rest of your defense little more than a cyber Maginot Line. To paraphrase a famous quotation, the price of data security is eternal vigilance.