It's hard to stop hackers from gaining access to something as ethereal as an electronic signal. That's why it has always been challenging to secure a wireless network. If yours isn't secure, your business and its data are at great risk. Hackers may be able to monitor which sites you visit, or see the information you exchange with business partners. They also may be able to log on to your network and access your files.
Although wireless networks have been susceptible to intrusion, their security has improved greatly. Read on to see how you can make yours safer.
1. INSTALL A SECURE WIRELESS ROUTER
This device connects the PCs on your network to the Internet. Note that not all routers are created equal. At a minimum, you need a router that (1) supports the hardest-to-decipher encryption available, (2) conceals its identity from unauthorized, inquisitive parties outside your network, and (3) prevents anyone from entering your network via an unauthorized computer. The examples below refer to a router manufactured by Belkin International. It, and similar routers made by other companies, are widely used in today's networks, and their setup procedures are very similar. The recommendations in this article apply to such devices. Note that older or less expensive routers might not offer the same functionality as the one in these examples.
2. CHOOSE A SAFE ROUTER NAME
Do this by using the manufacturer's configuration software. The router's name will be visible as a broadcast point (also known as a hotspot) to you or anyone else trying to connect to a wireless network in the router's broadcast area. Do not name your router after its brand name or model (for example, Belkin, Linksys or AppleTalk). That would identify it specifically enough for hackers to look up its potential security flaws. Likewise, naming your router after yourself, your address, business name or favorite team, etc., could help hackers guess your network password. Exhibits 1, 3 and 4 illustrate typical (in this case, Belkin) router setup software. See Exhibit 1, in which the router is assigned the name "7GHJPO9." You can make your router name secure by composing it entirely of such random letters and numbers, or of any other string of characters that reveals neither your router model nor your identity.
3. CUSTOMIZE YOUR PASSWORD
Change the router's factory-set default password. If you reveal to hackers what model router you have, they will know its default password. And if the setup software offers you the option of permitting remote administration, disable that feature so that no one can control the settings via the Internet.
4. HIDE YOUR ROUTER NAME
After choosing a secure name, hide the broadcast of its name, also known as its SSID (service set identifier). Exhibit 1 shows how to hide the SSID by not checking the Broadcast SSID box.
Once you've done this, your router will not appear on the broadcast list of routers in your area, and your wireless network will be invisible to neighbors and hackers. You still will be broadcasting, but hackers will need sophisticated equipment to determine whether you have a wireless network.
5. LIMIT ACCESS TO YOUR NETWORK
You should prevent unauthorized computers from connecting to your wireless network using a method known as MAC address filtering (which has nothing to do with Apple Inc.'s Mac computers). To do this, you first must find out the MAC (Media Access Control) address of every PC you will let connect to your network. All computers are identified by a 12-character MAC address. To see your PC's MAC address, click Start, then Run, enter cmd and click OK. This will open a new window with a DOS prompt.
Type ipconfig /all and press the Enter key to see information about your PC's network interface card. Under "Physical Address," your PC's MAC address will be displayed. For example, the PC in Exhibit 2 has a physical address of 00-13-20-4F-60-67.
Once you have compiled a list of authorized MAC addresses, use the setup software to access your router's MAC address control table (see Exhibit 3). Then, type in the MAC address of each computer you will admit to your network. A PC whose MAC address is not on that list will be unable to connect to your router and network.
Note that this is not a foolproof security tip. Advanced hackers can program a fake MAC address into their computers. But they will need to know what MAC addresses are on your list of authorized computers. Unfortunately, because MAC addresses are not encrypted when transmitted, hackers can learn which MAC addresses are on the list simply by sniffing, or monitoring, your network's communication data packets. So MAC address filtering will foil only novice hackers. Still, if you discourage hackers, they might bypass your network and attack one that doesn't filter MAC addresses.
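As an added illustration of Step 5 (not part of the original article), the following Python script pulls the Physical Address of each adapter out of saved ipconfig /all output and produces a normalized allowlist for the router's MAC control table. The ipconfig text below is a constructed sample, not a real capture, with the article's 00-13-20-4F-60-67 as the wireless adapter.

```python
import re

# Constructed sample of "ipconfig /all" output (not a real capture); the wireless
# adapter's Physical Address is the one quoted in the article.
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Intel(R) PRO/1000 Network Connection
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   Media State . . . . . . . . . . . : Media disconnected

Wireless LAN adapter Wireless Network Connection:

   Description . . . . . . . . . . . : Intel(R) PRO/Wireless 3945ABG
   Physical Address. . . . . . . . . : 00-13-20-4F-60-67
   DHCP Enabled. . . . . . . . . . . : Yes
"""

# An adapter block starts at column 0 with "<kind> adapter <name>:".
ADAPTER_RE = re.compile(r"^(?P<name>\S.*adapter .*):\s*$", re.MULTILINE)
MAC_RE = re.compile(r"Physical Address[ .]*: ([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})")

def normalize_mac(mac: str) -> str:
    """Return XX:XX:XX:XX:XX:XX (the form most router MAC control tables
    accept) after checking the value really is 12 hex digits."""
    digits = re.sub(r"[-:.]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 12-hex-digit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def adapter_macs(ipconfig_text: str) -> dict:
    """Map each adapter name in ipconfig /all output to its normalized MAC."""
    result = {}
    matches = list(ADAPTER_RE.finditer(ipconfig_text))
    for i, m in enumerate(matches):
        # The block runs from this header to the next adapter header (or EOF).
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ipconfig_text)
        mac = MAC_RE.search(ipconfig_text, m.end(), end)
        if mac:
            result[m.group("name")] = normalize_mac(mac.group(1))
    return result

def build_allowlist(*ipconfig_dumps: str) -> list:
    """Merge the MACs of every authorized PC into one sorted, de-duplicated
    list to type into the router's MAC address control table (Exhibit 3)."""
    macs = {mac for dump in ipconfig_dumps for mac in adapter_macs(dump).values()}
    return sorted(macs)
```

Save each authorized PC's ipconfig /all output to a file and pass the file contents to build_allowlist; the disconnected Ethernet adapter is listed too, so remove entries you do not want admitted.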
6. CHOOSE A SECURE ENCRYPTION MODE
The first form of encryption developed for wireless networks was WEP (Wired Equivalent Privacy). All encryption systems use a string of characters, called a key, to encrypt and decrypt data. To decrypt the packets being broadcast in your network, hackers have to determine the contents of its key. A longer key provides stronger encryption. The downside of WEP is that its key is only 128 bits long and never changes, making it relatively easy for hackers to figure out.
In recent years, WPA2 (Wireless Fidelity Protected Access 2) has been developed to address some of WEP's weaknesses. WPA2 uses a 256-bit key, works only on late-model routers, and is the strongest encryption available. A WPA2 encryption key constantly changes when packets are broadcast. So hackers who sniff packets to deduce WPA2 keys are wasting their time. Thus, if your router is relatively new and gives you a choice of encryption, choose WPA2, not WEP. Note that WPA1 is for enterprises and is more complex to configure. WPA2 is adequate for small businesses and individuals and is sometimes referred to as WPA-PSK (Pre-Shared Key). Exhibit 4 shows how to choose WPA-PSK (WPA2) for encryption.
WPA2 does not eliminate all risks. The biggest one is when a user signs on to a WPA2 wireless network. To gain access, the user must provide a password called a preshared key. The system administrator programs this key on each user's computer when setting up the network. When a user attempts to join the network, hackers will try to monitor this process and deduce the value of the preshared key. If they succeed, they can connect to the network.
When using wireless networks other than your own, be wary of fraudulent hotspots with fake, but realistic, login screens. For example, a con artist may set up a wireless hotspot near a branch of XYZ Bank and name it XYZ Banking. When customers with wireless laptops are near the bank, they unwittingly connect to the phony hotspot. Then the fake login screen appears, asking for their online banking user ID and password. As customers type in that information, the hacker records it. Later, the hacker goes to the real XYZ Bank Web site and easily gains access to victims' bank accounts.
Fortunately, the preshared key can be anywhere from eight to 63 characters long and can include special characters and spaces. For maximum security, the password on a wireless network should consist of 63 characters, including random combinations not found in dictionaries. The site www.grc.com/passwords.htm can produce a random 63-character password you can cut and paste into network clients and your router. If you used 63 random characters, it could take a hacker longer than a million years to deduce your password. To learn how long it could take to crack a password of any length, visit http://lastbit.com/pswcalc.asp.
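The following Python, added here and not part of the original article, ties together the sign-on risk described two paragraphs above and the 63-character recommendation: it generates a maximum-length passphrase from a cryptographic random source, enforces the 8-to-63 printable-character rule, and derives the 256-bit Pairwise Master Key the way WPA2-PSK (IEEE 802.11i) does, with the SSID from Step 2 as the salt. The 414-bit entropy figure and the IEEE test vector in the comments are facts about the standard, not from the article.

```python
import hashlib
import math
import secrets
import string

# WPA/WPA2 passphrases are 8 to 63 printable ASCII characters (space through '~'),
# which is the 8-to-63 range the article gives.
PASSPHRASE_CHARS = string.ascii_letters + string.digits + string.punctuation + " "
MIN_LEN, MAX_LEN = 8, 63

def validate_passphrase(passphrase: str) -> None:
    """Raise ValueError unless passphrase is a legal WPA2-PSK passphrase."""
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        raise ValueError(f"passphrase must be {MIN_LEN}-{MAX_LEN} characters, got {len(passphrase)}")
    bad = sorted({c for c in passphrase if c not in PASSPHRASE_CHARS})
    if bad:
        raise ValueError(f"characters not allowed in a WPA2 passphrase: {bad!r}")

def generate_passphrase(length: int = MAX_LEN) -> str:
    """Random passphrase of the maximum length (the article's recommendation),
    drawn with the secrets module, i.e. a cryptographic RNG, not random.random()."""
    return "".join(secrets.choice(PASSPHRASE_CHARS) for _ in range(length))

def passphrase_entropy_bits(length: int) -> float:
    """Guessing work for a uniformly random passphrase of this length:
    63 characters from a 95-symbol alphabet is about 414 bits."""
    return length * math.log2(len(PASSPHRASE_CHARS))

def derive_pmk(ssid: str, passphrase: str) -> bytes:
    """Derive the 256-bit Pairwise Master Key the way IEEE 802.11i defines it:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so the same passphrase yields a different PMK on
    a differently named network; the per-session keys that change on the air
    are derived from this PMK in the four-way handshake, and the passphrase
    itself is never transmitted. (802.11i test vector: SSID "IEEE", passphrase
    "password" gives f42c6fc5...10a12e.)"""
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)
```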
7. LIMIT YOUR BROADCAST AREA
Place your router in the center of your building, away from windows or the sides of the building. By doing so, you will limit its broadcast area. Then, walk around the outside of the building with your laptop to see whether the router can be reached from a nearby parking lot or the street. (For this test, first turn on the broadcast of your router's SSID, as discussed in Exhibit 1 and Step 4, "Hide Your Router Name." Then, after checking your signal, turn its broadcast off again.)
Hackers cannot break into a wireless network that their equipment can't reach. Some routers enable you to control the signal strength of your broadcast. If you have that option, reduce your router's signal to the lowest strength you need. Also, consider disabling your wireless router overnight and at other times when it will not be used. It is not necessary to shut down your network or Web server; simply unplug the router. This will not restrict internal users' access to your network, and it will not interfere with the availability of your Web site to its normal audience.
8. CONSIDER AN ADVANCED TECHNIQUE
If, after reading this article, you decide to upgrade your router, consider using your old router as a honeypot. This is a fake router, set up to attract and frustrate hackers. Simply plug in your old router, but do not connect it to any PCs. Name the router "Confidential" and do not hide the broadcast of its SSID.
9. TAKE THE INITIATIVE
Don't be a victim. Follow the above tips to protect your business and its data from intruders. Understand your router options and set them proactively.
James F. Leon, CPA, CISSP, Ed.D., is a visiting assistant professor and the director of IT training in the Department of Computer Science at Northern Illinois University. His e-mail address is email@example.com.
Managing information security remains a priority for CPAs and the organizations and individuals they serve. The AICPA's Annual Top Technology Initiatives survey identified this issue as the most important one in technology. The survey results are available at www.aicpa.org/toptech.
Disclaimer: The recommendations in this article are only suggestions. Do not use them without carefully considering their suitability for your particular circumstances. The information technology policies and procedures in place at your firm or company take precedence over any techniques discussed in this article.