Rumors of WEP's demise are greatly exaggerated
Thu, 2007-04-19 20:04
Well, it’s official. WEP is dead, again. A recent spate of articles and a new study (Breaking 104 bit WEP in less than 60 seconds) have firmly established the demise of WEP. In light of the foregoing, certainly no business would continue to use WEP to secure its wireless networks, right? Well, the answer is not what you might think. There are two problems. First, we have encountered numerous businesses, particularly those in the small to medium size range, that continue to use WEP. As is so frequently the case, they set their networks up and forgot about them. They simply don’t appreciate their lack of security. How did we find these businesses? We discovered them while conducting due diligence in transactions in which they would be entrusted with sensitive information of a business partner. As part of that process, we asked the businesses whether they use wireless networking and, if so, how they were securing their networks. Amazingly, a significant number of respondents, after considerable prodding, identified WEP as their one and only method of securing their networks. In each case, the businesses were given a choice: upgrade your security or be disqualified from further consideration.

Now you may say the businesses discussed above are an anomaly. Certainly no sophisticated business would continue to use WEP. Unfortunately, many are, though potentially without their knowledge. This brings us to the second problem I have seen: employees with insecure home networks remotely accessing their employer’s systems and storing sensitive company information on their home computers. While the employer’s networks may be adequately secured and free of WEP, its information may nonetheless end up on the inadequately secured home computers of its employees. This is a risk businesses should be monitoring. If employees are permitted remote access, a VPN can certainly be used to increase security over an insecure home wireless network. But what about the information that is downloaded from the company network and stored on the home computer? That information is likely to be placed at significant risk by the insecurity of the employee’s home systems. This has led some businesses to reevaluate their remote access policies to better control the security of their employees’ home computers. This is clearly something every business should consider when its employees may be storing company proprietary or sensitive information on their home systems.

Based on the foregoing, I expect we will continue to see the effects of WEP for the foreseeable future.  To paraphrase Mark Twain, the rumors of WEP’s death are greatly exaggerated.
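The due-diligence questionnaire described above is easy to turn into a repeatable check. The script below is an added example, not part of the original post: it reads a constructed wireless inventory of the kind a business partner might return (site, SSID, security setting, free-text notes), normalises the often vague "security" answers, and applies the post's own policy: WEP and open networks are disqualified, plain WPA is accepted with an upgrade recommendation, and anything unrecognised is flagged for follow-up rather than assumed safe. The inventory rows, the site names and the verdict table are assumptions made for the example.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample inventory (not real data): one row per access point,
# as a business partner might report it on a due-diligence questionnaire.
SAMPLE_INVENTORY = """\
site,ssid,security,notes
HQ-Floor2,CorpNet,WPA2-Enterprise,802.11i with EAP
Warehouse-A,Scanners,WEP 128,handheld scanners not yet upgraded
Warehouse-B,Scanners2,wep,
Branch-3,Guest,none,customer wireless
Branch-3,Office,WPA-PSK,
Remote-Employee-1,HomeNet,WEP-40,employee home network used for VPN access
"""

# Normalised security modes. Anything not recognised is reported as UNKNOWN
# so that a vague questionnaire answer is never silently treated as secure.
OPEN, WEP, WPA, WPA2, UNKNOWN = "OPEN", "WEP", "WPA", "WPA2", "UNKNOWN"


def normalize_security(value: str) -> str:
    """Map the free-text 'security' answer to one of the known modes."""
    v = value.strip().lower().replace("_", "-")
    if v in ("", "none", "open", "no encryption"):
        return OPEN
    if v.startswith("wep"):          # WEP, WEP-40, WEP-104, "wep 128", ...
        return WEP
    if v.startswith("wpa2") or "802.11i" in v:
        return WPA2
    if v.startswith("wpa"):
        return WPA
    return UNKNOWN


@dataclass
class Finding:
    site: str
    ssid: str
    mode: str
    verdict: str   # "fail", "warn" or "pass"
    reason: str


# Assumed policy, matching the post: WEP and open networks disqualify a partner;
# plain WPA is accepted but flagged for upgrade; unknown answers need follow-up.
VERDICTS = {
    OPEN: ("fail", "no encryption"),
    WEP: ("fail", "WEP keys can be recovered from captured traffic"),
    WPA: ("warn", "WPA accepted; plan upgrade to WPA2 (802.11i)"),
    WPA2: ("pass", "WPA2/802.11i"),
    UNKNOWN: ("warn", "unrecognised security setting; ask for clarification"),
}


def audit_inventory(text: str) -> list:
    """Parse a CSV inventory and return one Finding per access point."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        mode = normalize_security(row["security"])
        verdict, reason = VERDICTS[mode]
        findings.append(Finding(row["site"], row["ssid"], mode, verdict, reason))
    return findings


def disqualified(findings: list) -> list:
    """Networks that must be fixed before the partner is considered further."""
    return [f for f in findings if f.verdict == "fail"]


if __name__ == "__main__":
    results = audit_inventory(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.verdict.upper():5} {f.site:18} {f.ssid:10} {f.mode:8} {f.reason}")
    print(f"\n{len(disqualified(results))} of {len(results)} networks fail the policy")
```

Run as-is, the constructed inventory produces four failures (two warehouse scanner networks on WEP, an open guest network, and an employee's WEP-protected home network), which is the "upgrade or be disqualified" list the post describes. The same normaliser can be pointed at a real questionnaire export by replacing SAMPLE_INVENTORY with the file contents.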

Reader Feedback
Thu, 2007-06-07 05:30
WEP in the industry
By Anonymous

Simply put, WEP is still used in the industry due to the operational overhead associated with WPA and WPA2. Being a CISO at a major retailer, you have to look no further than TJX to see how WEP is still used in even the largest markets despite the well-known security vulnerabilities. What is necessary is the identification and implementation of compensating controls to create a multi-layer security architecture. For instance, the use of router/firewall ACLs and MAC filtering all add another layer of defense and lend themselves to automation.

In the end, CISOs along with operational security and network personnel must plan to develop multiple wireless security architectures balancing data compromise risk with that of business operations. You must account for warehouses, corporate, and customer wireless and how they will all overlay.

To the point about warehouses by the previous commenter, Symbol has had WPA and WPA2 capable devices in existence for over 3 years; we use them. The problem is the operational overhead associated with EAP to cycle the client authentication component on a routine basis and update your move, add, and change process for hardware to account for the proper de-provisioning of the devices. Again, it is a balancing act of risk versus cost of control.

WEP won't be dead and the industries are forced to move forward. What we really need is a stick to move the ship forward which helps the business understand the penalties for not doing so. Oh yeah, we have it for credit-card merchants... PCI DSS.

Thu, 2007-05-10 03:25
WEP

Obviously we will continue to run into WEP issues for a little while.

There are devices such as handheld scanners that are commonly used within warehouses that have not been upgraded yet to 802.11i.

Such devices will continue to be used for a little while.

Take care

clement
