Last Updated on November 7, 2017
News and conjecture on the KRACK (Key Reinstallation Attack) Wi-Fi vulnerability have been making rounds through the media since its recent public announcement. The attack, which exploits a security flaw in the WPA2 Wi-Fi protocol, allows hackers to eavesdrop on unencrypted traffic. The scope of the vulnerability is perhaps unequaled in the history of cybersecurity, as it affects practically every Wi-Fi enabled device on earth in one way or another.
There is some comfort in knowing that developers are rushing to produce fixes on the fast track. But even with patches on the way from many vendors, it will be a long time before every network has all the necessary patches applied to prevent the information exposure that KRACK makes possible. And what about devices that can’t be patched—including millions of IoT (Internet of Things) devices?
Securing Internet of Things Devices
The IoT is an interconnected network of assorted devices that we don’t necessarily even think of as computers in the traditional sense. Sensors on assembly lines, chips in our cars, automated personal assistants… even toasters and coffee makers are becoming members of the IoT. A big issue these devices bring to the table is that oftentimes they are misconfigured (or even intentionally configured) to reside on the network alongside devices managing critical data, creating wide-open attack vectors into private data and pivots for attackers to exploit. Hackers have been able to gain access to entire networks thanks to a misconfigured printer, for example.
Securing IoT devices may be the single biggest issue companies face in attempting to mitigate the risks of KRACK. While computers, servers, mobile devices and even many routers can quickly be patched against the attack, what about all those Wi-Fi security cameras, the break room refrigerator, or older hardware like switches or gateways that won’t receive updates for a while, if ever?
To carry out a KRACK attack, the attacker must be in proximity to the Wi-Fi network he or she is targeting. This means the network itself is primarily where the risk from KRACK lies.
The challenge is many companies don’t think of their local Wi-Fi network as being at risk, because it’s “behind the firewall” and therefore a trusted environment. Some organizations might not require authentication on internal network resources, for instance.
But since that boundary may now be easily penetrated via a KRACK-type attack, businesses must immediately rethink their threat models.
4 Ways to Secure Your Network to Resist KRACK Attacks
Here are a few approaches to help secure your network to resist KRACK attacks:
1) Maintain an Effective Physical Security Policy
It’s important to keep outside attackers out of range of your network in the first place. Enforce entry requirements for critical areas (such as key cards for server rooms) and educate staff on the risks of allowing unknown people to access work areas.
2) Design a Good Network Perimeter
Your network perimeter should include a correctly configured firewall and an intrusion prevention system.
3) Enforce a Strict patching and Update Policy
Ensure that everything that can be patched is patched. Maintain frequent updates, and practice due diligence to stay informed on the status of your devices.
4) Isolate Vulnerable Devices
Isolate devices that don’t have patches or may be vulnerable to attack. Just because a device is on the internal network, doesn’t mean it is safe from exploitation. If a vulnerable device needs to be connected to the network for updates, consider removing its connection when updates aren’t occurring. This could apply to things like fridges and security cameras.
To get fast, expert guidance on how to reduce your risk from hackers dealing KRACK, contact Pivot Point Security.
Interested in a checklist to see how ready you are for an ISO 27001 certification audit?
It's a little more complicated than just checking off a few boxes.
To learn more, download our ISO 27001 Un-Checklist now!