Solving Common IT Security Problems

an Internet.com Security eBook

Contents

This content was adapted from Internet.com's eSecurity Planet and Enterprise IT Planet Web sites.
Contributors: David Strom, Michael Horowitz, Sonny Discini, Eric Geier.

What to Do When a Laptop is Stolen
PC Security Tips for Corporate Executives
The 20 Most Effective Controls to Protect Your Enterprise
Seven Simple Wireless Security Tips
Five Advanced Wi-Fi Network Security Tips

What to Do When a Laptop is Stolen

By David Strom

I had my laptop stolen once, about five years ago, from the trunk of a locked car parked at a shopping mall. You never forget that experience of being violated, of being stupid. (And it seems to be getting more common, according to a story in the LA Times about thieves who follow customers home from Apple Stores.)

So what can users do to be more proactive, given the number of laptops that go missing every month? One way is to use one of a growing number of recovery software tools that automatically "phone home" (in the Internet sense of the word) and help you and the authorities, should they be interested, in trying to track it down. Think of what LoJack does for locating cars, with the added information that having an Internet connection can bring (indeed, the company is one that offers a laptop tool).

While it sounds like a great idea, there are several issues with using these tools.

First, most of them are designed for individuals, not corporations. Absolute Software's Computrace has an enterprise version called Complete in its LoJack for Laptops line, which has tools that offer more asset tracking and remote hard disk destruction that aren't found in an individual product. zTrace Technologies' zTrace Gold, MyLaptopGPS for Windows, and Brigadoon's PC/Mac PhoneHome products all offer quantity pricing for business customers, but not much else in terms of added features over their individual versions.

Turn the Tables

A second alternative is to look at central monitoring and image automation tools, such as Symantec's Altiris and Kaseya, that can be used in a stolen laptop situation. Greg Hemig, a Sacramento Kaseya VAR, did exactly that and was able to recover two independently stolen laptops by using the remote control features.

"I was able to find out not just an IP address, which is what a typical anti-theft product like LoJack would provide, but an actual physical address, the names of the user's girlfriend and family, how to access their bank accounts, and even turn on the microphone on the laptop and listen to what they were saying while they were typing," says Hemig. Scary stuff, but within two weeks of contacting law enforcement, he was able to get both machines back to their original owners. Bear in mind that the same remote-control channel that lets an administrator watch a thief lets anyone with console access watch an employee, so restrict and log who may use it.

OS-Based Options

Third, the versions that are offered differ as to features between Mac and Windows, with the Mac (if it is supported at all) usually being a poor cousin. If you have a mixed network, this could be a determining factor as to which product you end up deploying. Taking Computrace as an example again, the Mac version doesn't include the special embedded BIOS agent that comes with the Windows product.

Solving Common IT Security Problems, an Internet.com Security eBook. © 2010, Internet.com, a division of QuinStreet, Inc.
Phoenix Technologies offers something similar for its OEM BIOS customers, called FailSafe, but not for the general public. And GadgetTrak has software for both Mac and Windows, but prices them differently.

Well-Rounded

Next, these tools are just part of an overall laptop security solution that should also include disk encryption and password-protecting the boot drive. If these tools live on the hard disk and you haven't enabled a firmware or disk password, any intelligent thief can just reformat your hard drive and remove this protection, or just remove the hard drive itself. (The flip side is that a tracking agent only reports if the thief boots the machine and gets it online; full disk encryption with a pre-boot password keeps your data safe but also keeps a disk-resident agent from ever phoning home, which is the case for a firmware-resident agent such as Computrace's.) So it makes sense to start by putting password protection on all of your machines as the first line of defense. Disk encryption is especially important if you need to protect confidential corporate or business data, not to mention personal data such as bank account passwords.

That brings me to my last point: Do you really need a vendor-operated central monitoring station, or can you set up your own central place where alerts can be sent? GadgetTrak, Orbicule's Undercover for Macs and iPhones, Prey (for Mac, Windows, and Linux), and PC/Mac PhoneHome are all tools that don't make use of any central monitoring station. Instead, the software sends info to your e-mail (and, for GadgetTrak, Flickr) accounts directly. With some of these products, upon booting they look for the presence or absence of a special URL that indicates the laptop has been stolen. If so, they send information, such as the current IP address, a snapshot from a Webcam, screenshots, and other details to your e-mail address.

One user of Undercover had his laptop stolen about two years ago, also from his car. (Have you realized never to leave a laptop in a vehicle now?) "Within a few days, we had screenshots and camera images of the thief and, working with local authorities, we were able to recover the laptop within a week," said Lenny, a friend of mine who has run several major corporations and is a big fan of their software.

While options vary depending on need, OS, and budget, the ideal approach to protecting laptops is to cover your bases: use password protection and disk encryption, and employ a collection of tools, including a monitoring product with a corresponding tracking piece on each laptop. And remind users never to leave a laptop in a car.
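The "set up your own central place" option described above is simple enough to build yourself. The following is an added example, not code from the article or from any of the products it names: a self-hosted beacon that checks a marker URL at boot and, only when the marker explicitly says the laptop is stolen, mails a report. The marker URL, the SMTP relay, and the addresses are assumptions for the example; swap in your own.

```python
"""Self-hosted "phone home" beacon: an added example, not any vendor's product.

Assumed (not from the article): you control a web server that hosts a
marker file per laptop, https://example.com/laptops/<device-id>.txt, which
is empty while the laptop is in your hands and contains the word STOLEN
once you flag it, plus an SMTP relay that accepts mail from the laptop.
Schedule run_beacon() as a task at boot or login.
"""
import getpass
import json
import platform
import smtplib
import socket
import urllib.request
from datetime import datetime, timezone
from email.message import EmailMessage

MARKER_URL = "https://example.com/laptops/{device_id}.txt"  # assumed
SMTP_RELAY = ("smtp.example.com", 587)                       # assumed
REPORT_FROM = "beacon@example.com"                           # assumed
REPORT_TO = "security@example.com"                           # assumed


def fetch_marker(url, timeout=10):
    """Return the marker body, or None when it cannot be fetched (offline, 404)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (OSError, ValueError):
        return None


def is_flagged_stolen(marker_body):
    """Report only on an explicit STOLEN marker.

    An absent or unreachable marker must not count as "stolen": the laptop
    may simply be offline, and a false positive would mail its location to
    you from every coffee shop its legitimate owner visits.
    """
    if marker_body is None:
        return False
    return marker_body.strip().upper().startswith("STOLEN")


def local_ip():
    """Address of the interface that would route to the Internet.

    Connecting a UDP socket sends nothing; it only selects a source address.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect(("192.0.2.1", 9))  # TEST-NET-1 address, never contacted
        return s.getsockname()[0]
    except OSError:
        return "unknown"
    finally:
        s.close()


def collect_report(device_id):
    """The details the article's tools send: who, where, when, on what.

    Webcam snapshots and screenshots need platform-specific tools and are
    left out here.
    """
    try:
        user = getpass.getuser()
    except Exception:  # no login name in some service contexts
        user = "unknown"
    return {
        "device_id": device_id,
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "hostname": socket.gethostname(),
        "os": platform.platform(),
        "logged_in_user": user,
        "local_ip": local_ip(),
    }


def build_message(report):
    msg = EmailMessage()
    msg["Subject"] = "[STOLEN LAPTOP] %s seen from %s" % (report["device_id"], report["local_ip"])
    msg["From"] = REPORT_FROM
    msg["To"] = REPORT_TO
    msg.set_content(json.dumps(report, indent=2))
    return msg


def send_via_smtp(msg):
    with smtplib.SMTP(*SMTP_RELAY) as smtp:
        smtp.starttls()
        smtp.send_message(msg)


def run_beacon(device_id, fetch=fetch_marker, send=send_via_smtp):
    """Check the marker; on STOLEN, mail a report and return it, else None.

    fetch and send are injectable so the decision logic can be tested
    without a network.
    """
    body = fetch(MARKER_URL.format(device_id=device_id))
    if not is_flagged_stolen(body):
        return None
    report = collect_report(device_id)
    send(build_message(report))
    return report


if __name__ == "__main__":
    run_beacon(socket.gethostname())
```

Two practical notes. The public IP address you would hand to the police is not in the report at all: it is the source address in your marker server's access log, recorded every time the beacon checks in, so keep that log. And, as the section above says, none of this fires if the thief wipes the disk or never boots the machine, so the beacon complements a firmware or disk password rather than replacing it.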


PC Security Tips for Corporate Executives

By Michael Horowitz

The recent attacks against Google and other companies highlighted "spear phishing" attacks. The term refers to scam e-mail messages designed to trick the recipient into infecting his or her own computer with malicious software (malware).

The end result of the phony yarn, spun in the body of an e-mail message, is that the duped user visits an infected Web page, opens a maliciously crafted document, or runs a malicious program.

Unlike regular phishing e-mails that are blasted out to millions, spear phishing, as the name implies, is specifically targeted. Anyone who works with secrets that the bad guys want may be sent an e-mail message aimed specifically at them. The message will appear to come from someone they know, and the topic will be something that the sender would normally discuss. Everything about the message is fraudulent, including the From address.

The fraud is successful, in part, because people trust the From address of an e-mail message. No one should; forging the From address is child's play, since SMTP itself does nothing to verify it. But, since the From address is correct 99 percent of the time and many don't know that it is easily forged, this gets the spear phishing message in the door, so to speak.

As I recently wrote, the most important aspect of Defensive Computing is skepticism. Corporate executives may be skeptical when dealing with people, but lack awareness of common online scams.

Just a few days ago, Roger Thompson of AVG described the hacking of the Oklahoma Tax Commission Web site. To be infected, the end user simply had to agree to an Adobe license agreement. The agreement looked legit, but it was from bad guys rather than Adobe, and agreeing to it installed malware.

Here I assume we are configuring a computer for someone with access to corporate secrets, someone whose lack of technical know-how makes them an easy target for online scammers. What steps can we take to protect this person from themselves?

Restricted Users

Running as a limited (a.k.a. restricted or standard) user is job one. For the sake of backward compatibility, Windows users by default run as Administrators, which lets them change anything, anytime, anywhere. Despite this default behavior, Microsoft recommends, and all techies agree, that people are safer running as limited users.


Windows Vista and Windows 7 users may feel that UAC protects them, even when logged on as an administrator. It does not: UAC is a convenience feature rather than a security boundary, and an administrator account behind a UAC prompt is still an administrator account.

I've been testing life as a restricted user for a while on both Windows XP and Windows 7. It works better on Windows 7; XP has a number of quirks in the implementation. But regardless of any quirks, this is perhaps the biggest weapon in the Defensive Computing software arsenal. Barring severe bugs in Windows, it should prevent the installation of any software (assuming the bigshot is not given an Administrator password).

If, for whatever reason, running as a limited user is not an option, Windows XP users can still get most of the protection it offers with the free DropMyRights program. This Microsoft program is used to front-end another program and drop its rights. For example, an Administrator-class user can click on an icon for Adobe Reader, which actually runs DropMyRights. It, in turn, runs Adobe Reader, but only after dropping the rights down to those of a limited user. Thus, if an infected PDF file tries to install software, it fails.

Running as a limited user, however, does not prevent malicious software from running; it only keeps malware from writing to protected locations such as Program Files and the Windows directory (and thus from being permanently installed system-wide). Malware can still run from, and persist in, the user's own profile. More steps are needed.

Internet Explorer

It took security expert Steve Gibson a while to come around to my Defensive Computing posture, but he finally did. No more Internet Explorer.

Just say no. Friends don't let friends use Internet Explorer.

In part this is unfair to Microsoft, as IE is not necessarily any buggier than competing browsers. But it is buggy enough, and it has a huge target painted on its back. Plus, Microsoft makes a bad situation worse by being slow to fix bugs. If for no other reason than this, any other Web browser is safer than IE.

Other browsers are updated with bug fixes when they are needed. IE has to live in a huge bureaucracy that dictates it only gets updated once a month. It makes headlines when IE is patched when needed, as opposed to on schedule. Not good for security.

In addition to the slow IE patching imposed by the once-a-month schedule, Microsoft has a history of just being slow. For example, the IE bug that was exploited recently to attack Google and others was initially called a zero-day vulnerability, techie terminology for a bug that is already being exploited when the vendor first learns of it. It turns out not to have been zero-day at all, more like 120 days: Microsoft was alerted to the problem four months before it was exploited against Google.

And we're still not done with IE issues. Computerworld reports that design flaws in the browser can let it expose the entire C: disk.

There is no such thing as removing Internet Explorer, but we can hide it. First, lock it down as best as possible. On the Security tab of Internet Options, set the Internet and Local intranet zones to High. Turn on Protected Mode and DEP (note that hardware DEP requires companion support in both the processor and the BIOS).

Then get rid of all visible signs of Internet Explorer. Remove it from the desktop, the task bar, and the Start menu. It's still there, only now the only way to run it is to navigate to C:\Program Files\Internet Explorer\iexplore.exe.

Firefox and Adobe Reader

In place of Internet Explorer, I suggest Firefox; no news here. But it does need some work out of the box.

A great security tweak to Firefox is to force the address bar to turn green on all secure HTTPS Web pages. It shouldn't be hard to train anyone that green is safe and anything else is not (with the caveat that a scammer can buy a certificate too: green means the connection is private, not that the site is honest). This tweak is done by editing a file called userChrome.css in the chrome folder of the Firefox profile.


Another possibility is using the portable version of Firefox rather than a normally installed copy. Not only does this allow a limited/restricted/standard user to update the browser with new patches, it also makes the software harder to find for any malware looking to infect it.

Another program that I'd ban from the computer of anyone involved with corporate secrets is Adobe Acrobat Reader.

Like Internet Explorer, Adobe Reader has a big target painted on it. It has also been rather buggy over the last couple of years. At one point, Adobe thought it was a good idea to only issue bug fixes every three months. And the procedure for updating the software is harder than it needs to be.

In addition to the Reader itself, Adobe installs two programs that run every time Windows starts, which is an accident waiting to happen. In fact, simply hovering the mouse over the name of a PDF file causes an Adobe program (AcroRd32Info.exe) to run, no clicking required. This is true even if Adobe Reader is not the default program for opening PDFs (tested on Windows XP with Adobe Reader 8.2.0).

It's all just too intrusive for my taste.

There are many other PDF readers, any one of which will be a lesser target. I use the one from Foxit Software. It doesn't do everything that Adobe Reader does, but it should be enough for almost everyone. If, for some reason, Adobe Reader can't be uninstalled, then at least don't make it the default program for opening PDFs, and be sure to turn off JavaScript in its preferences.

Other Software Issues

For years viruses have spread on USB flash drives (a.k.a. pen drives, thumb drives, etc.) and they continue to do so. Windows 7 is more locked down in this respect than XP, but it is not bullet-proof.

The good news is that a simple registry change stops Windows from processing the autorun.inf file on any inserted media, which closes the Autorun/AutoPlay vector these worms rely on. (It does nothing about a user who double-clicks the malware by hand, so it complements, rather than replaces, a restricted account.)

While Internet Explorer and Adobe Reader are the most frequently targeted applications, bad guys also exploit other popular software. Thus, the less software installed the better. With this in mind, I would uninstall QuickTime, Java, Shockwave, RealPlayer, and any other popular software that is not absolutely needed.

Flash is a difficult choice. Because it's popular, you can expect bad guys to exploit known vulnerabilities as they are discovered. But it's also needed frequently. As a compromise, consider the Flashblock Firefox extension. It works by blocking Flash objects on Web pages and replacing them with placeholders. If a particular Flash object is needed, all you need do is click on it to run it. As I write this, the Flashblock extension has been downloaded nearly 8 million times.

Perhaps the king of popular software is Microsoft Office. Consider replacing it with OpenOffice, the theory being, again, software that is a lesser target. OpenOffice is not as functional as Microsoft Office, but for non-techies, such as corporate bigshots, it should be functional enough.

Did you know that the recent bug in Internet Explorer, the one that was so critical that Microsoft released an immediate fix without waiting for the second Tuesday of the month, also affected Microsoft Office? This didn't get much press. In Microsoft's own words:

"We are also aware that the vulnerability can be exploited by including an ActiveX control in a Microsoft Access, Word, Excel, or PowerPoint file. Customers would have to open a malicious file to be at risk of exploitation. To prevent exploitation, we recommend that customers disable ActiveX Controls in Microsoft Office."

Support for ActiveX controls in Office documents is a security accident waiting to happen. I read the instructions for disabling ActiveX controls in Microsoft Office 2003. They were so confusing, I couldn't follow them. The safest thing to do is replace Microsoft Office with competing software.
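The Autorun registry fix mentioned under "Other Software Issues" is worth seeing concretely, because it is two settings rather than one, and a machine can have one without the other. The following is an added example, not code from the article: it audits both settings and emits the .reg file that applies them. The audit logic is fed a plain dictionary so it can be run and tested anywhere; the winreg collector only works on Windows.

```python
"""Audit and fix the Windows Autorun/AutoPlay registry settings: an added
example, not code from the article.

Two values decide whether Windows acts on an autorun.inf on inserted media:

  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
      NoDriveTypeAutoRun (REG_DWORD): bitmask of drive types on which Autorun
      is disabled. 0xFF disables it everywhere; the classic default 0x91
      leaves removable drives (0x04) and CD/DVD (0x20) enabled.
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf
      (Default) = "@SYS:DoesNotExist": redirects every autorun.inf lookup to a
      registry key that does not exist, so the file is never parsed at all.

The audit takes the values as a plain dict so it can be exercised anywhere;
collect_live_values() reads them with winreg on a Windows box.
"""

DRIVE_BITS = {  # NoDriveTypeAutoRun bits (0x02, DRIVE_NO_ROOT_DIR, is unused)
    0x01: "unknown",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "unspecified",
}
WINDOWS_DEFAULT_MASK = 0x91
ALL_DRIVES_MASK = 0xFF

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
MAPPING_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"


def audit_autorun(values):
    """values: {"NoDriveTypeAutoRun": int or None, "AutorunInfMapping": str or None}.

    Returns a list of findings; an empty list means both protections are in place.
    """
    findings = []
    mask = values.get("NoDriveTypeAutoRun")
    if mask is None:
        mask = WINDOWS_DEFAULT_MASK
        findings.append("NoDriveTypeAutoRun is not set; the Windows default 0x%02X applies" % mask)
    still_on = [name for bit, name in DRIVE_BITS.items() if not mask & bit]
    if still_on:
        findings.append("Autorun still enabled for drive types: " + ", ".join(still_on))
    mapping = values.get("AutorunInfMapping") or ""
    if not mapping.upper().startswith("@SYS:"):
        findings.append("autorun.inf IniFileMapping redirect is missing; autorun.inf files are still parsed")
    return findings


def hardening_reg_file():
    """Text of a .reg file applying both settings; import it as an administrator
    (regedit /s autorun-off.reg) and log off and on again."""
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        "[HKEY_LOCAL_MACHINE\\" + POLICY_KEY + "]",
        '"NoDriveTypeAutoRun"=dword:%08x' % ALL_DRIVES_MASK,
        "",
        "[HKEY_LOCAL_MACHINE\\" + MAPPING_KEY + "]",
        '@="@SYS:DoesNotExist"',
        "",
    ]
    return "\r\n".join(lines)


def collect_live_values():
    """Read the two values from the local registry (Windows only)."""
    import winreg  # standard library, present only on Windows
    values = {"NoDriveTypeAutoRun": None, "AutorunInfMapping": None}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            values["NoDriveTypeAutoRun"], _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
    except OSError:
        pass  # key or value absent: the default mask applies
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, MAPPING_KEY) as key:
            values["AutorunInfMapping"] = winreg.QueryValue(key, None)
    except OSError:
        pass
    return values


if __name__ == "__main__":
    import sys
    problems = audit_autorun(collect_live_values())
    for p in problems:
        print("FINDING:", p)
    if problems:
        print("\nFix with this .reg file:\n" + hardening_reg_file())
    sys.exit(1 if problems else 0)
```

The bitmask alone is the setting most people know about, but a mask of 0xFF still lets Windows read autorun.inf to decorate the drive icon and context menu; the IniFileMapping redirect is what stops the file from being parsed at all. A per-user copy of NoDriveTypeAutoRun also exists under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer; check it as well if you manage settings per user.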


Hardware Encryption

On the hardware side, I have two suggestions. First, set a password for the hard drive in the computer. This should be a simple thing to do, and hard drive (ATA) passwords are more secure than both BIOS-level startup passwords and operating system passwords, because the drive itself refuses to read or write until it is unlocked, even when moved to another machine. Bear in mind, though, that on an ordinary drive an ATA password is access control enforced by the drive's firmware, not encryption: the data on the platters is still in the clear.

The best protection is, arguably, full disk encryption, and if an executive has sensitive files on his or her computer, this might make sense. But sensitive files should not be kept on a laptop or desktop computer. They are best stored on an external hard drive, one that can travel with the bigshot to places that a computer can't go.

Two encrypted hard drives, the Lenovo ThinkPad USB Secure Hard Drive and the Aegis Padlock, stand out for not needing any software running on any computer; thus they can work with computers running Windows, OS X, or Linux.

Each has built-in buttons that are used to enter a password. Until a valid password is given, the computer can't see anything on the drive. After the password is validated, the drives work like normal unencrypted hard drives. The computer is totally unaware of the encryption. For the user, there is no learning curve, just a password.

Another big advantage to an external encrypted hard drive is that it can be easily and quickly locked just by unplugging it from the computer.

Exploiting Friends

Is all this too much trouble? Am I overreacting?

The operation that Google uncovered at the end of 2009 was very sophisticated. The Financial Times reported that "personal friends of employees at Google, Adobe, and other companies were targeted by hackers."

Friends? The article, by Joseph Menn, says:

"...the attackers had selected employees at the companies with access to proprietary data, then learnt who their friends were. The hackers compromised the social network accounts of those friends, hoping to enhance the probability that their final targets would click on the links they sent."

Yikes.


The 20 Most Effective Controls to Protect Your Enterprise

By Sonny Discini

Securing the enterprise against cyber attacks has become one of the highest priorities of corporate leadership. To achieve this objective, networks, systems, and the operations teams that support them must vigorously defend against a variety of threats, both internal and external. Furthermore, for those attacks that are successful, defenses must be capable of detecting, thwarting, and responding to follow-on attacks on internal enterprise networks as attackers spread inside a compromised network.

Following in the Footsteps of the Feds

For inspiration and guidance in how to combat these threats, look no further than the U.S. government. The federal government moved to revamp the Federal Information Security Management Act (FISMA) to address the needs of securing Federal computer systems. That proposed revision, the U.S. ICE Act of 2009, specifically addresses the same issues many corporate security practitioners face. If you read through the legislation, you come across an interesting snippet of verbiage: "monitor, detect, analyze, protect, report, and respond against known vulnerabilities, attacks, and exploitations" and "continuously test and evaluate information security controls and techniques to ensure that they are effectively implemented."

What this really means is that offense and defense must keep each other informed, and as such the overall foundation of security is built on this flow of communication. Enterprise security teams have struggled with this, but now they may have an effective model to apply.

The Path to Effective Controls

Before we list specific technical controls, it's important to understand that because organizations do not have unlimited funding, the only rational way they can hope to be successful is to establish a prioritized baseline of information security measures and controls that can be continuously monitored through automated mechanisms.

When devising controls, the following guiding principles should be considered. Defenses should focus on addressing the most common and damaging attack activities occurring today and those anticipated in the near future. Enterprise environments must ensure consistent controls across the enterprise to effectively negate attacks. Defenses should be automated where possible, and periodically or continuously measured using automated measurement techniques where feasible. To address current attacks occurring on a frequent basis against numerous organizations, a variety of specific technical activities should be undertaken to produce a more consistent defense.


Now, when tailoring your controls to be enterprise-specific, consider the following sub-controls.

Low Hanging Fruit: The intent of identifying "low hanging fruit" areas is to highlight where security can be improved rapidly, that is, where an organization can improve its security stance without major procedural, architectural, or technical changes to its environment.

Improved Visibility and Attribution: Improving the process, architecture, and technical capabilities of organizations so they can monitor their networks and computer systems, gaining better visibility into IT operations. In other words, these controls help increase an organization's situational awareness of its environment.

Hardened Configurations: This type of control focuses on protecting against poor security practices by system administrators and end users that could give an attacker an advantage in attacking target systems. Hardened system configuration aims to reduce the number and magnitude of potential security vulnerabilities as well as improve the operations of networked computer systems.

There are 15 controls that can be handled via automation and five that require manual application. The SANS Institute provides specific details about each of these controls.

The 15 that can take advantage of automation are:

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5. Perimeter Defense
6. Maintenance, Monitoring, and Analysis of Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based on Need to Know
10. Continuous Vulnerability Assessment and Remediation
11. Account Monitoring and Control
12. Malware Defenses
13. Limitation and Control of Network Ports, Protocols, and Services
14. Wireless Device Control
15. Data Loss Prevention

And the five that must be done manually are:

16. Secure Network Engineering
17. Penetration Testing
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Appropriate Training

The consensus effort to define critical security controls is an evolving one. In fact, changing technology and changing attack patterns will necessitate future changes, even after the current set of controls has been finalized. In a sense, this will be a living document moving forward, but the controls described in this version are a solid start in the quest to make fundamental computer security defenses a well understood, repeatable, measurable, scalable, and reliable process throughout the federal government.

Although there is no such thing as absolute protection, proper implementation of the security controls identified will go a long way toward protecting an organization against the most significant attacks. As attacks change, additional controls or tools become available, or the state of common security practice advances, it is critical to review these controls and make changes as needed. Treat this list as a living document with frequent evaluations to ensure that the most effective practices are indeed in place.
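Control 1 is the one most organizations can automate in an afternoon, and it shows what "continuously monitored through automated mechanisms" means in practice. The following is an added example, not SANS material or code from the article: it compares an authorized-device inventory against the devices the DHCP server actually handed leases to and reports both unknown devices and authorized devices that have gone quiet. The CSV inventory and the ISC dhcpd syslog lines are constructed samples; the same normalized allowlist also feeds the Wi-Fi MAC filter discussed in the wireless tips later in this eBook.

```python
"""Control 1 (and the wireless MAC allowlist) as an automated check: an added
example, not SANS material.

It compares the authorized-device inventory with the devices actually seen on
the network, here taken from ISC dhcpd DHCPACK syslog lines, and reports both
directions: unknown devices on the wire, and authorized devices that have
gone quiet. Both inputs below are constructed samples.
"""
import csv
import io
import re

AUTHORIZED_CSV = """mac,owner,asset_tag
00:1a:2b:3c:4d:5e,alice,LT-0101
00-1A-2B-3C-4D-5F,bob,LT-0102
001a.2b3c.4d60,printer-3f,PR-0003
"""

DHCP_LOG = """May 12 09:01:02 gw dhcpd: DHCPACK on 10.0.1.21 to 00:1a:2b:3c:4d:5e (alice-laptop) via eth0
May 12 09:03:44 gw dhcpd: DHCPACK on 10.0.1.22 to 00:1a:2b:3c:4d:5f (bob-laptop) via eth0
May 12 09:10:09 gw dhcpd: DHCPACK on 10.0.1.57 to 8c:de:52:aa:bb:cc (android-7f3) via eth0
May 12 09:11:30 gw dhcpd: DHCPACK on 10.0.1.21 to 00:1a:2b:3c:4d:5e (alice-laptop) via eth0
May 12 09:12:00 gw dhcpd: DHCPDISCOVER from 8c:de:52:aa:bb:cc via eth0
"""

ACK_RE = re.compile(r"DHCPACK on (?P<ip>\S+) to (?P<mac>\S+)(?: \((?P<host>[^)]*)\))?")


def normalize_mac(raw):
    """Canonical lower-case colon form; accepts aa:bb, AA-BB and Cisco aabb.ccdd."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_authorized(csv_text):
    """Inventory keyed by normalized MAC; rows carry owner and asset tag."""
    return {normalize_mac(row["mac"]): row for row in csv.DictReader(io.StringIO(csv_text))}


def observed_from_dhcp(log_text):
    """Devices that obtained a lease; the last lease per MAC wins."""
    seen = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            seen[normalize_mac(m.group("mac"))] = {"ip": m.group("ip"), "host": m.group("host") or ""}
    return seen


def inventory_report(authorized, observed):
    """Unauthorized = seen but not on the list; missing = on the list but unseen."""
    unauthorized = {mac: obs for mac, obs in observed.items() if mac not in authorized}
    missing = {mac: authorized[mac] for mac in authorized if mac not in observed}
    return {"unauthorized": unauthorized, "missing": missing}


def accept_mac_file(authorized):
    """One MAC per line: the allowlist format hostapd reads via accept_mac_file,
    so the same inventory can drive the Wi-Fi MAC filter from the wireless tips."""
    return "\n".join(sorted(authorized)) + "\n"


if __name__ == "__main__":
    report = inventory_report(load_authorized(AUTHORIZED_CSV), observed_from_dhcp(DHCP_LOG))
    for mac, obs in report["unauthorized"].items():
        print("UNAUTHORIZED %s %s (%s)" % (mac, obs["ip"], obs["host"]))
    for mac, row in report["missing"].items():
        print("NOT SEEN     %s %s %s" % (mac, row["asset_tag"], row["owner"]))
```

DHCP leases are a cheap first source because they are already logged, but a device with a static address never appears in them; pair this with switch MAC tables or ARP snapshots before treating "missing" as meaningful, and remember that a MAC address identifies an adapter, not a person.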


Seven Simple Wireless Security Tips

By eSecurity Planet Staff

These days wireless networking products are so ubiquitous and inexpensive that just about anyone can set up a WLAN in a matter of minutes with less than $100 worth of equipment. This widespread use of wireless networks means that there may be dozens of potential network intruders lurking within range of your office WLAN.

Most WLAN hardware has gotten easy enough to set up that many users simply plug it in and start using the network without giving much thought to security. Nevertheless, taking a few extra minutes to configure the security features of your wireless router or access point is time well spent. Here are some of the things you can do to protect your wireless network:

1. Secure Your Wireless Administration Interface

Almost all routers and access points have an administrator password that's needed to log into the device and modify any configuration settings. Most devices use a weak default password like "password" or the manufacturer's name, and some don't have a default password at all. As soon as you set up a new WLAN router or access point, your first step should be to change the default password to something else. You may not use this password very often, so be sure to write it down in a safe place so you can refer to it if needed. Without it, the only way to access the router or access point may be to reset it to factory default settings, which will wipe away any configuration changes you've made.

2. Don't Broadcast the SSID

Most WLAN access points and routers automatically (and continually) broadcast the network's name, or SSID (Service Set IDentifier). This makes setting up wireless clients extremely convenient, since you can locate a WLAN without having to know what it's called, but it will also make your WLAN visible to any wireless systems within range of it. Turning off SSID broadcast for your network makes it invisible to your neighbors and passers-by, though it will still be detectable by WLAN "sniffers": clients configured for a hidden network probe for it by name wherever they go, so the SSID is easily captured from the air. Treat this as tidiness, not as a security control.

3. Enable WPA Encryption Instead of WEP

802.11's WEP (Wired Equivalent Privacy) encryption has well-known weaknesses that make it relatively easy for a determined user with the right equipment to crack the encryption and access the wireless network. A better way to protect your WLAN is with WPA (Wi-Fi Protected Access). WPA provides much better protection and is also easier to use, since your password characters aren't limited to 0-9 and A-F as they are with WEP. WPA support has been built into Windows since XP. Where your hardware supports it, choose WPA2 with AES (CCMP) rather than the original WPA's TKIP, and pick a long passphrase: a short WPA or WPA2 pre-shared key can be brute-forced offline from a single captured handshake.


4. Remember That WEP is Better Than Nothing

If you find that some of your wireless devices only support WEP encryption (this is often the case with non-PC devices, such as media players, PDAs, and DVRs), avoid the temptation to skip encryption entirely because, in spite of its flaws, using WEP is still better than having no encryption at all: it keeps out casual snoops, though not anyone with freely available cracking tools, which can recover a WEP key from captured traffic in minutes. If you do use WEP, don't use an encryption key that's easy to guess, like a string of the same or consecutive numbers. Also, although it can be a pain, WEP users should change encryption keys often, preferably every week. Better still, put WEP-only devices on their own SSID and network segment, so that a cracked key exposes only those devices and not your office LAN.

5. Use MAC Filtering for Access Control

Unlike IP addresses, MAC addresses are unique to specific network adapters, so by turning on MAC filtering you can limit network access to only your systems (or those you know about). In order to use MAC filtering you need to find (and enter into the router or AP) the 12-hex-digit MAC address of every system that will connect to the network, so it can be inconvenient to set up, especially if you have a lot of wireless clients or if your clients change a lot. MAC addresses can be "spoofed" (imitated) by a knowledgeable person, and every authorized address is transmitted in the clear in each frame, so while it's not a guarantee of security, it does add another hurdle for potential intruders to jump.

6. Reduce Your WLAN Transmitter Power

You won't find this feature on all wireless routers and access points, but some allow you to lower the power of your WLAN transmitter and thus reduce the range of the signal. Although it's usually impossible to fine-tune a signal so precisely that it won't leak outside your home or business, with some trial and error you can often limit how far outside your premises the signal reaches, minimizing the opportunity for outsiders to access your WLAN. (An attacker with a directional antenna can still hear a weak signal from much farther away than a laptop can, so treat this as a nuisance for drive-by snooping rather than as a boundary.)

7. Disable Remote Administration

Most WLAN routers have the ability to be remotely administered via the Internet. Ideally, you should use this feature only if it lets you define a specific IP address or limited range of addresses that will be able to access the router. Otherwise, almost anyone anywhere could potentially find and access your router. As a rule, unless you absolutely need this capability, it's best to keep remote administration turned off. (It's usually turned off by default, but it's always a good idea to check.)


Five Advanced Wi-Fi


Network Security Tips
By Eric Geier

If you've ever Googled "Wi-Fi security" (or you've been reading this eBook), you probably have the basics down: don't use WEP, use WPA or WPA2; disable SSID broadcasting; change default settings. If you're looking for more advanced security tips for your WLAN, consider the following five tips for bringing enterprise-level protection to even the smallest of networks.

1. Move to Enterprise Encryption
If you created a WPA or WPA2 encryption key of any type and must enter it when connecting to the wireless network, you are only using the Personal or Pre-shared Key (PSK) mode of Wi-Fi Protected Access (WPA). Business networks — no matter how small or big — should be protected with the Enterprise mode, which adds 802.1X/EAP authentication to the wireless connection process. Instead of entering the encryption key on all the computers, users log in with a username and password. The encryption keys are derived securely in the background and are unique for each user and session.

This method provides central management and overall better Wi-Fi security.

Instead of loading the encryption keys onto computers, where employees and other users can recover them, each user logs into the network with their own account when using the Enterprise mode. You can easily change or revoke access when needed. This is especially useful when employees leave the company or a laptop is stolen. If you're using the Personal mode, you'd have to manually change the encryption keys on all the computers and access points (APs).

The special ingredient of the Enterprise mode is a RADIUS/AAA server. This communicates with the APs on the network and consults the user database. Consider using the Internet Authentication Service (IAS) of Windows Server 2003 or the Network Policy Server (NPS) of Windows Server 2008. If you want to go vendor-neutral, try the popular open source server, FreeRADIUS. If you find setting up an authentication server requires more money and/or expertise than you have, consider using an outsourced service.

2. Verify Physical Security
Wireless security isn't all technical. You can have the best Wi-Fi encryption, but have someone plugging into an Ethernet port that's in plain sight. Or someone could come by and hold in the reset button of an access point, restoring it to factory defaults and leaving your network wide open.

Make sure all your APs are well out of the reach of the public and out of sight from employees, too. Instead of sitting an AP on a desk, mount it on the wall or ceiling — better yet, put them above a false ceiling.
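Before going further into physical security, here is tip 1 in concrete form. The following Python script is an added example written for this page; it is not code from the eBook, from hostapd or from the FreeRADIUS project. It classifies a hostapd access-point configuration as Personal or Enterprise, rewrites a Personal configuration so the AP hands authentication to a RADIUS server, and renders the per-user entries a FreeRADIUS users file would hold. The hostapd option names (wpa, wpa_key_mgmt, ieee8021x, auth_server_addr and so on) and the users-file syntax are real; the SSID, addresses, secrets and usernames are constructed placeholders.

```python
"""Added example (not from the eBook): tell a WPA-Personal hostapd
configuration apart from a WPA-Enterprise one, render the Enterprise
counterpart that delegates authentication to a RADIUS/AAA server, and render
the per-user account list a FreeRADIUS 'users' file would hold.
SSIDs, addresses, secrets and usernames below are constructed placeholders."""

# Constructed sample: a small-office AP still running WPA2-Personal.
PERSONAL_HOSTAPD_CONF = """\
interface=wlan0
ssid=CorpWiFi
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=office-passphrase-shared-by-everyone
rsn_pairwise=CCMP
"""


def parse_hostapd(text):
    """Parse hostapd's key=value format into a dict (comments and blanks skipped)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def classify_wpa_mode(cfg):
    """Return 'enterprise', 'personal', 'open-or-wep' or 'unknown' for a parsed config."""
    if cfg.get("wpa", "0") == "0":
        return "open-or-wep"   # no WPA at all: WEP or an open network
    key_mgmt = set(cfg.get("wpa_key_mgmt", "WPA-PSK").split())  # hostapd's default is WPA-PSK
    if "WPA-PSK" in key_mgmt or "wpa_passphrase" in cfg or "wpa_psk" in cfg:
        return "personal"      # one shared key for every user and every session
    if "WPA-EAP" in key_mgmt and cfg.get("ieee8021x") == "1" and "auth_server_addr" in cfg:
        return "enterprise"    # 802.1X/EAP: keys derived per user and session
    return "unknown"


def render_enterprise_hostapd(cfg, radius_addr, radius_secret):
    """Rewrite a parsed config for WPA2-Enterprise: drop the shared key, enable
    802.1X and point the AP at the RADIUS server (address/secret are placeholders)."""
    out = {k: v for k, v in cfg.items() if k not in ("wpa_passphrase", "wpa_psk")}
    out.update({
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP",
        "rsn_pairwise": "CCMP",
        "ieee8021x": "1",
        "auth_server_addr": radius_addr,
        "auth_server_port": "1812",
        "auth_server_shared_secret": radius_secret,
    })
    return "".join(f"{k}={v}\n" for k, v in out.items())


def render_freeradius_users(accounts):
    """Render FreeRADIUS 'users' file entries (rlm_files syntax) from a
    {username: password} mapping. Removing a user from the mapping revokes
    that person's Wi-Fi access without touching any AP or client."""
    return "".join(
        f'{user}\tCleartext-Password := "{pw}"\n' for user, pw in sorted(accounts.items())
    )


if __name__ == "__main__":
    cfg = parse_hostapd(PERSONAL_HOSTAPD_CONF)
    print("current mode:", classify_wpa_mode(cfg))
    print(render_enterprise_hostapd(cfg, "192.0.2.1", "radius-secret-placeholder"))
    print(render_freeradius_users({"alice": "pw-placeholder-1", "bob": "pw-placeholder-2"}))
```

The point of the rendered output is the contrast the text draws: the Enterprise configuration carries no wpa_passphrase at all, so there is nothing on the AP or on any laptop to rotate when someone leaves; the only thing that changes is the account list on the RADIUS server. A production FreeRADIUS would normally look users up in Active Directory or LDAP rather than a flat users file, but the revocation property is the same.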


You might consider mounting the APs out of sight and installing external antennas where you'll get the most signal. This will let you confine the AP even more while taking advantage of the increased range and performance of an aftermarket or higher-gain antenna.

APs aren't the only piece of equipment to be worried about. All networking components should be secured. This even includes Ethernet cabling. Though it might be a little far-fetched to some, a determined hacker could cut an Ethernet cable to tap into the line.

Along with mounting, you should keep track of the APs. Create a spreadsheet logging the AP models used along with the MAC and IP addresses, and note where the APs are located. This way you know exactly where the APs should be when performing inventory checks or when tracking down a problem AP.

3. Set up an Intrusion Detection/Prevention System (IDS/IPS)
These systems usually consist of a software program that uses your wireless adapter to sniff the Wi-Fi signals for problems. They detect rogue APs, whether a new AP is introduced to the network or an existing one is reset to defaults or doesn't match a set of standards you've defined.

These systems also analyze the network packets to see if someone might be using a hacking or jamming technique.

There are many different intrusion detection and prevention systems out there that use a variety of techniques. Open source or free options include Kismet and Snort. Commercial products are also available from vendors such as AirMagnet, AirDefense, and AirTight.

4. Create Wireless Usage Policies
Along with other general computer usage guidelines, you should have a specific set of policies for Wi-Fi access that should at least include the following items:

• List of devices authorized to access the wireless network: It's best to deny all devices and explicitly allow each desired device by using MAC address filtering on the network router. Though MAC addresses can be spoofed, this provides reasonable control of which devices employees are using on the network. A hard copy of all approved devices and their details should be kept to compare against when monitoring the network and for inputting into intrusion detection systems.

• List of personnel authorized with Wi-Fi access to the network: This could be regulated when using 802.1X authentication (WPA/WPA2-Enterprise) by only creating accounts in the RADIUS server for those who need Wi-Fi access. If 802.1X authentication is also being used on the wired side, you should be able to specify whether users receive wired and/or wireless access by modifying Active Directory or using authorization policies on the RADIUS server itself.

• Rules on setting up wireless routers or APs: For example, that only the IT department can set up more APs, so employees don't just plug in an AP from home to extend the signal. An internal rule for the IT department might cover defining acceptable equipment models and configurations.

• Rules on using Wi-Fi hotspots or connecting to home networks with company devices: Since the data on a device or laptop can be compromised and the Internet activity monitored on unsecured wireless networks, you may want to limit Wi-Fi connections to only the company network. This could be controlled by imposing network filters with the Network Shell (netsh) utility in Windows. Alternatively, you could require a VPN connection back to the company network to at least protect the Internet activity and to remotely access files.

5. Use SSL or IPsec on Top of Wi-Fi Encryption
Though you might be using the latest and greatest Wi-Fi encryption (on Layer 2 of the OSI model), consider implementing another encryption mechanism, such as IPsec (on Layer 3 of the OSI model). In addition to providing double encryption on the wireless side, it can secure the wired communication too. This would prevent eavesdropping by employees or outsiders tapping into an Ethernet port.
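Tips 2 and 3 fit together: the AP inventory spreadsheet from tip 2 is exactly the baseline an intrusion detection system needs to recognize the three conditions tip 3 lists (a new AP on the air, a known AP reset to factory defaults, a known AP that no longer matches your standard). The Python script below is an added example written for this page, not code from the eBook or from Kismet or any vendor named above. It loads a constructed inventory in CSV form, compares it against a constructed scan result of the kind a wireless IDS exports, and also reports an inventoried AP that was not heard at all, which is the case an inventory check would catch. All MAC addresses, SSIDs, IPs, locations and the factory-default SSID list are made up.

```python
"""Added example (not from the eBook): audit a Wi-Fi scan against the tip-2
AP inventory, flagging the conditions tip 3 names. Inventory, scan results
and the factory-default SSID list are constructed placeholders."""

import csv
import io

# Constructed inventory, in the shape of the tip-2 spreadsheet exported as CSV.
INVENTORY_CSV = """\
mac,model,ip,location,ssid,security
00:11:22:33:44:01,ExampleAP-200,192.0.2.11,Floor 1 ceiling,CorpWiFi,WPA2-EAP/CCMP
00:11:22:33:44:02,ExampleAP-200,192.0.2.12,Floor 2 ceiling,CorpWiFi,WPA2-EAP/CCMP
00:11:22:33:44:03,ExampleAP-200,192.0.2.13,Server room,CorpWiFi,WPA2-EAP/CCMP
"""

# Constructed scan results in the shape a wireless IDS exports: one entry per
# BSSID heard, with the SSID and security type it advertises.
SCAN_RESULTS = [
    {"bssid": "00:11:22:33:44:01", "ssid": "CorpWiFi", "security": "WPA2-EAP/CCMP"},
    {"bssid": "00-11-22-33-44-02", "ssid": "ExampleAP-200", "security": "OPEN"},
    {"bssid": "aa:bb:cc:dd:ee:ff", "ssid": "CorpWiFi", "security": "WPA2-PSK/CCMP"},
]

# The standard every company AP must advertise (tip 3: "standards you've defined").
STANDARD = {"ssid": "CorpWiFi", "security": "WPA2-EAP/CCMP"}

# SSIDs that mean "back on factory defaults" (constructed; a real list holds the
# default SSIDs of the models in the inventory).
FACTORY_DEFAULT_SSIDS = {"ExampleAP-200", "default", "linksys"}


def normalize_mac(mac):
    """Canonical form so 00-11-22-33-44-02 and 00:11:22:33:44:02 compare equal."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_inventory(csv_text):
    """Read the inventory CSV into {normalized_mac: row}."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {normalize_mac(row["mac"]): row for row in rows}


def audit_scan(inventory, scan, standard, default_ssids):
    """Return a sorted list of (finding, mac, detail) tuples."""
    findings = []
    seen = set()
    for ap in scan:
        mac = normalize_mac(ap["bssid"])
        seen.add(mac)
        known = inventory.get(mac)
        if known is None:
            # Tip 3, case 1: a BSSID the inventory has never heard of.
            findings.append(("rogue-ap", mac, f"not in inventory, advertising {ap['ssid']!r}"))
        elif ap["security"] == "OPEN" or ap["ssid"] in default_ssids:
            # Tip 3, case 2: a known AP whose reset button was held in (tip 2).
            findings.append(("reset-to-defaults", mac,
                             f"{known['model']} at {known['location']} is open or on a default SSID"))
        elif ap["ssid"] != standard["ssid"] or ap["security"] != standard["security"]:
            # Tip 3, case 3: a known AP that drifted from the defined standard.
            findings.append(("nonstandard-config", mac,
                             f"advertises {ap['ssid']}/{ap['security']}"))
    # An inventoried AP not heard at all may be unplugged or gone (tip-2 inventory check).
    for mac in sorted(set(inventory) - seen):
        findings.append(("missing-ap", mac, f"expected at {inventory[mac]['location']}"))
    return sorted(findings)


if __name__ == "__main__":
    inventory = load_inventory(INVENTORY_CSV)
    for finding in audit_scan(inventory, SCAN_RESULTS, STANDARD, FACTORY_DEFAULT_SSIDS):
        print(*finding, sep="  ")
```

Run against the constructed data it reports the second AP as reset to defaults, the unknown BSSID as a rogue AP, and the server-room AP as missing. The caveat the text already gives for MAC filtering applies here too: a BSSID can be spoofed, so this baseline comparison is the first check an IDS makes, not the only one, and the packet-level analysis the text mentions is what catches an impostor advertising a legitimate BSSID.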
