Between July 2005 and January 2007, TJX Companies Inc. suffered one of the largest data security breaches in the history of information security. Court documents uncovered by The Boston Globe revealed that the intruders systematically mined TJX's computer systems and made off with more than 94 million credit card numbers used by customers at the chain's stores, which include the TJ Maxx and Marshall's clothing retailers.
What was the cause of this breach? At the time of the initial intrusion, TJX relied upon a wireless network using the Wired Equivalent Privacy security model. As early as 2001, security professionals around the world have panned WEP, citing inherent weaknesses that make it possible to determine a network's wireless encryption key. In fact, a recent study demonstrated that it is possible to break a 104-bit WEP key in less than 60 seconds.
The TJX breach revealed all too well that organizations need to protect their wireless networks. Here are some best practices that will minimize exposure:
- Abandon WEP encryption immediately. It cannot be stated more clearly: WEP is almost completely useless. The only advantage it provides is a thin veil of protection against a casual attacker. The real danger of WEP is that it provides a false sense of security to users and business leaders alike. The fact that Windows calls WEP-encrypted networks "security-enabled" is an extremely dangerous mislabeling. Enterprises using WEP today should immediately begin planning to replace it with the more secure Wi-Fi Protected Access (WPA/WPA2) model.
- Educate your users. Remember: mobile users travel and use wireless networks outside of the IT department's control. Be sure that they understand the risks inherent in wireless networking and know that connecting to a "secure" external network isn't really providing much protection. Employees must also use another encryption technology to protect sensitive information. VPN and SSL connections fill this role nicely.
For more information:
Learn more about how the TJX hackers attacked security holes in the retail giant's wireless system.
Joel Dubin takes a closer look at TJX Companies' 10-K filing.
The TJX data breach has some questioning the effectiveness of PCI DSS, but others say there is a more specific problem.
- Use RADIUS authentication. All but the smallest businesses should opt for the security
provided by WPA-Enterprise, which integrates RADIUS authentication into an organization's
infrastructure. RADIUS provides granular access control and can immediately de-provision wireless
access for terminated employees. The alternative, WPA-Personal, uses a pre-shared key common to all
Looking for a rule of thumb on which version of WPA to choose? When an employee leaves, a pre-shared key will need to be changed. If the number of wireless devices in your organization prevents you from easily doing this, then RADIUS authentication is the right choice.
- Remember to secure access points. If an intruder is able to gain access to one of your wireless access points, that person might be able to reconfigure it to defeat other security controls. Be sure to implement configuration standards -- such as those available from the Center for Internet Security or device manufacturers -- to protect against a network-based intrusion. Additionally, strong physical security controls are needed to prevent an attacker from physically accessing key devices and performing a factory default reset or simply replacing an access point with a rogue device.
- Firewall off your wireless network. Wired networks are inherently more secure than wireless networks; that's just a fact of life. Physical access to network ports/cables limit access to wired networks. Wireless networks travel through walls and windows, providing outsiders with an opportunity to knock on your network's door. For this reason, it's generally a good idea to firewall off wireless networks in a separate security zone.
Wireless networking is here to stay. Mobile users depend upon it for productivity in the office, at home and on the road. It also enables a multitude of new business functions, ranging from handheld point-of-sale devices to distributed sensor networks. There's no reason to let the wireless networking security risks scare you away from leveraging it as part of your organization's technology arsenal. Follow these best practices, and you'll be well on the road to enabling productive, secure wireless computing.
By the way, did I mention that if you're using WEP in your organization, you need to get rid of it immediately? Start right now!
About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.
This was first published in December 2007