Recently, one of my colleagues at Microsoft, Georgeo Pulikkathara, formerly of the MCP program and now in Trustworthy Computing, posted a blog entry noting that a year had passed since the wireless incursion at TJX, which ran unchecked for months and compromised potentially millions of customers' sensitive data. I spent a few minutes to, frankly, rant about my perception of the response since that time at many small and medium businesses. I felt the theme of lessons unlearned was important enough to be worth a repost on my own blog:
Wireless Hackers Suspected In TJ Maxx Breach
I think the better question here is how many of you work with organizations that actually learned from it?
This was simply the largest in a long line of business incursions that used wireless as the ingress route to compromise internal networks. It resulted from a combination of the relatively weak medium security of a wireless network and poor internal flow controls on the access the wireless segment had to other internal business segments.
How many external businesses undertook a review to determine the quantifiable risk of wireless connectivity segments on corporate infrastructures?
What data classifications apply to the resources on networks accessible from this segment, and to the resources routinely accessed by other devices on this segment? Which of these data streams are passed in clear text? Which are passed under light or weak encryption (RC4 with weak IVs, for instance)?
What safeguards are protecting the medium itself? Is it possible to strengthen the medium protection? For example, if you are using a WEP key, I can crack a 128 bit key on a public WEP encrypted segment given moderate to high traffic in 23 minutes. Are there device or software based limitations in the equipment using the medium that would prohibit an upgrade to even a simple implementation of WPA?
Even passphrase based WPA (WPA-Personal for example) would provide better security to the medium access than WEP.
Based on existing security resources in the environment, is it possible to implement RADIUS-like authentication for medium access and device recognition? (More secure, but it requires endpoint support for the RADIUS supplicant.)
If the pool of devices accessing the immediate medium is limited, are MAC address based mandatory access controls via a MAC control list a reasonable implementation?
Beyond these technical measures, do you even know what wireless segments exist on your company's networks? My experience with corporate consulting customers indicates that many organizations fail to do wireless sniffing on their own campuses. Given that lack of simple periodic auditing, how can you even be sure that the wireless segments that exist are the ones you control?
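The questions above amount to a repeatable audit: inventory the wireless segments you believe you own, survey the air to see what is actually broadcasting, and grade each segment by the strength of its medium protection and by the data classifications it can reach. The script below is an added example (not from the original post or from Microsoft) that does exactly that over a constructed access-point inventory and a constructed survey listing. The encryption ranking, the inventory entries, the BSSIDs and the data classifications are all assumptions chosen to exercise the checks; substitute your own inventory and the output of whatever survey tool you use.

```python
"""Wireless segment audit (added example; all data below is constructed).

Compares a site survey against the authorized access-point inventory and
reports: unauthorized (rogue) APs, inventory/survey security mismatches,
weak medium protection on segments that reach classified data, reliance on
MAC filtering, and inventoried APs that were not observed.
"""
from dataclasses import dataclass

# Medium-protection ranking, weakest first. The ordering follows the post's
# argument (WEP is breakable, WPA-Personal is better, 802.1X/RADIUS better
# still); the numeric values are an assumption for comparison only.
MEDIUM_RANK = {"OPEN": 0, "WEP": 1, "WPA-PSK": 2, "WPA2-PSK": 3, "WPA2-ENTERPRISE": 4}
WEAK_THRESHOLD = MEDIUM_RANK["WEP"]          # anything at or below WEP is weak
SENSITIVE_CLASSES = frozenset({"PCI", "PII"})  # constructed classification labels


@dataclass
class AuthorizedAP:
    bssid: str
    ssid: str
    security: str            # one of the MEDIUM_RANK keys
    reachable_classes: set   # data classifications reachable from this segment
    mac_filtered: bool = False


@dataclass
class Finding:
    bssid: str
    severity: str            # "high" | "medium" | "low"
    issue: str


def parse_survey(text):
    """Parse constructed survey lines of the form 'BSSID SSID SECURITY'."""
    seen = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the audit
        bssid, ssid, security = parts
        seen.append((bssid.lower(), ssid, security.upper()))
    return seen


def audit(inventory, survey_text, sensitive=SENSITIVE_CLASSES):
    findings = []
    known = {ap.bssid.lower(): ap for ap in inventory}
    observed = parse_survey(survey_text)
    for bssid, ssid, security in observed:
        if bssid not in known:
            # Anything broadcasting that is not in the inventory is treated as
            # a rogue AP until someone proves otherwise.
            findings.append(Finding(bssid, "high", f"unauthorized AP broadcasting '{ssid}' ({security})"))
            continue
        ap = known[bssid]
        if security != ap.security:
            findings.append(Finding(bssid, "high", f"security mismatch: inventory says {ap.security}, survey saw {security}"))
        # Unknown security strings rank as 0, i.e. treated as weak.
        weak = MEDIUM_RANK.get(security, 0) <= WEAK_THRESHOLD
        if weak:
            sev = "high" if ap.reachable_classes & sensitive else "medium"
            reach = sorted(ap.reachable_classes) or "no classified data"
            findings.append(Finding(bssid, sev, f"weak medium protection ({security}) on segment reaching {reach}"))
        if weak and ap.mac_filtered:
            findings.append(Finding(bssid, "low", "MAC filtering is the only access control on a weak medium; MAC addresses are visible on the air"))
    # Inventory entries never seen: a powered-off AP or a stale record, either way worth verifying.
    observed_bssids = {b for b, _, _ in observed}
    for bssid, ap in known.items():
        if bssid not in observed_bssids:
            findings.append(Finding(bssid, "low", f"inventoried AP '{ap.ssid}' not seen in survey; verify it still exists"))
    return findings


def summarize(findings):
    """Count findings by severity."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed inventory: the segments the organization believes it owns.
INVENTORY = [
    AuthorizedAP("00:11:22:33:44:01", "corp-pos", "WEP", {"PCI"}, mac_filtered=True),
    AuthorizedAP("00:11:22:33:44:02", "corp-staff", "WPA2-ENTERPRISE", {"PII"}),
    AuthorizedAP("00:11:22:33:44:03", "guest", "WPA2-PSK", set()),
    AuthorizedAP("00:11:22:33:44:04", "warehouse", "WPA-PSK", {"INVENTORY"}),
]

# Constructed survey: what was actually observed on the air.
SURVEY = """
00:11:22:33:44:01 corp-pos WEP
00:11:22:33:44:02 corp-staff WPA2-ENTERPRISE
00:11:22:33:44:03 guest OPEN
de:ad:be:ef:00:01 corp-staff WPA2-PSK
"""

if __name__ == "__main__":
    results = audit(INVENTORY, SURVEY)
    for f in results:
        print(f"[{f.severity.upper():6}] {f.bssid}  {f.issue}")
    print(summarize(results))
```

Run against the constructed data, the audit flags the WEP point-of-sale segment that reaches card data as high, the guest AP that the survey shows running open when the inventory claims WPA2-PSK, and the unknown BSSID impersonating the staff SSID; the warehouse AP that never appeared is a low-severity reminder to go and look. The point is not the scoring but the habit: without the survey half, the inventory half is a belief, not a fact.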
We have seen the cost of the TJX incursion run into millions of dollars over the past year and more. Can YOU, right now, quantify the risk to your data from an incursion? For many organizations, I would have to put my money on the answer being "no".
And so the question I have to ask is: "It's been a year. But have we learned anything at all? Is our computing environment any more trustworthy?"