How do you turn a massive first-mover business advantage into dust? By undermining customer Wi-Fi security.
Coworking office space rental is a great concept for casual and budget-strapped startups, freelancers and even agile multinationals. American real estate company WeWork, founded in 2010, has made this business sexy after its high-profile business acquisitions around the world and investments by top names J.P. Morgan Chase, Goldman Sachs Group and SoftBank Group.
In Jan 2019, it was valued at US$47b, but by Sep 2019, this had plunged to less than the $12.8b that it originally started with in 2010.
Amid numerous earlier legal and governance problems, the one that set alarm bells ringing happened in August last year, when Fast Company sniffed out a catastrophic failure in Wi-Fi security in the corporation. Through its poor Wi-Fi security, which had already caused a stir back in 2016, customers’ particulars had been leaked: this included email addresses, financial records, client databases as well as scans of people’s IDs, bank account credentials, and other sensitive or downright catty information.
Onus for security rests with us
We often rely on service providers to “take care of security”. However, WeWork has shown clearly that this is not tenable. According to Jonathan Knudsen, senior security strategist, Synopsys Software Integrity Group, “every organization uses a complex supply of software, hardware, and supplies to run their business, but ultimately each organization must take control of their own risk.”
Users must realize that shared Wi-Fi networks do very little in the way of assurance about confidentiality. “Standard controls such as VPNs or always-TLS connections can help mitigate risk, just as using these same controls on the open internet helps reduce risk.”
Jonathan reminds all Wi-Fi users to be proactive in defining and implementing a sound software security strategy. “It’s surprisingly easy to get started. Without a security initiative in place, your organization’s risk depends on vendors, suppliers, and the vicissitudes of fate.”
Important lessons in Wi-Fi governance
Accessing sensitive information in any shared physical space is fundamentally no different from accessing network resources over a public network such as those in coffee shops, airports or hotels. The current best mindset for lay people is: If you do not have a clear understanding of the security practices used to secure the network, do NOT use the network for sensitive data. While this statement is fairly straightforward, it belies a reality in our modern connected world – connectivity is often more important than ensuring connectivity is secured.
Said Synopsys’ principal security strategist, Tim Mackey: “Any parent can attest to the angst their children have when there’s an internet outage as proof of that statement. Balancing the requirement for secure connectivity boils down to how teams are constructed and how information is shared within a team.”
“This should start with where the sensitive data is located, and then move to who has access under which conditions. From there, a risk profile for the data can be created – and this includes an understanding of how team members interact with the data.”
The threat model derived from the above analysis can then dictate what security measures should be in place: if the data is truly critical to the operation of a business, then appropriate data controls should be part of governance policies.
“Those policies must then include how data is accessed when a shared network is used, and include important connection details such as auto-reconnect settings and the types of Wi-Fi authentication an organization accepts for team members transferring data,” Tim added.
There may not be a second chance
Catastrophically, WeWork administrators used the exact same password for its Wi-Fi network. They offered add-on options for private VLAN, private SSID or a dedicated end-to-end physical network stack that added an extra US$250 in setup fee, or $95 for a private VLAN route. A private office network cost an extra $195 monthly. Customers took the easy way out, leaking data that can result in disastrous class-action lawsuits in time to come.
The same possibility of extinction faces any enterprise that treats Wi-Fi security as an afterthought or optional luxury. “Insecure Wi-Fi networks present a significant security concern: They can reveal the data flowing from a user’s mobile device to others. This creates not only a privacy risk, but also the very real danger that others may misuse this information to commit offences such as identity fraud or siphoning of funds out of individuals’ bank accounts,” said Check Point Software Technologies’ CTO, Tony Jarvis, who recommends that security controls be installed on smartphones, and that VPNs be used when connecting to public Wi-Fi networks.