One of my favorite reads is Computerworld Daily Shark. These are stories from the field, provided by IT professionals for the amusement and education of other IT professionals. Most of these stories are real head-slappers, on the order of how-can-they-be-so-dumb. Basically this is a form of group therapy for those of us in the business; we get to read about situations that are worse than the ones that are driving us crazy in our own professional lives.
The story from Wednesday 8-27-2014 tells a tale of the dangers of providing guest wireless access in a business setting. Basically, a catering and event business is providing unencrypted guest wireless access on the same network that they are running their business, point of sale and credit card operations, and in the process exposing customer and credit card information to anyone who logs on to the network, hundreds of people in a typical week. The company files are shared on a network storage device, to be conveniently available to all employees. Unfortunately they were not thinking this through, because that same file trove was available to all their guests as well.
This is very similar to what happened locally in Stillwater at the Mad Capper Saloon back in March 2010. This article claims that their network was properly secured, but I know they were providing guest wireless, and it is assumed that someone using the wireless from outside the business, perhaps in an adjacent apartment or building, and scored credit card information off the network or perhaps right off the Wi-Fi signal, if it had in fact been unencrypted.
As I mentioned in a previous article Comcast/Xfinity is covering its service area with guest wireless access turned on by default with every new cable modem they install. This is also true on the Business Class side of the house as well. Not sure how I feel about these dual network routers, it seems like it ought to be a trivial thing to break into the encrypted private network from the usual web-based settings interface.
If you are planning to provide guest access, I would recommend using a completely separate secondary wireless router, and set the two wireless routers up to give out different network addresses, for instance having one use 192.168.x.x and the second one use 172.16.x.x or 10.x.x.x. Creating a DMZ with the guest wireless in the DMZ, and the private wireless and rest of the wired business network safely hiding behind a firewall or Intrusion Detection System (IDS) is an even better idea. If you want to be extra secure, get two Internet services and use one for the business and the second one (maybe a cheaper DSL connection) for the guest network.
You also should check out the tips in setting up secure wireless in my earlier article. And nothing says your guest wireless can’t be encrypted, too. This is good protection for your guests anyway. Encryption will not keep a clever hacker from accessing the rest of your network unless you make it secure.
Securely providing guest wireless is not the do-it-yourself project that many business owners think it is. You ought to get a IT professional with a good cybersecurity background to set this service up properly.
Share
SEP
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com