The NSA guidance acknowledges the inherent insecurity risks of Wi-Fi communications. However, it shifts responsibility to end-users and their behavior. To begin with, relying entirely on the user to ensure security is akin to ‘create a stronger password’ guidance which we all know has proven to fail and until this day has created one of the largest security challenges in an attempt to rectify. Moreover, some of the guidelines might achieve an adverse result – for example, disabling auto-connect increases the risk of connecting to a rogue access point due to human error. Other guidelines may create a false sense of security, such as the preference of “encrypted public networks” over “open public networks” – which are essentially equivalent from a security perspective.
Undoubtedly, the NSA has taken a step in the right direction to bring awareness and promote security. Yet, the approach of “educating the user” can only be applied successfully to select individuals. It cannot be applied effectively to a large number of end-users and devices – which is what happens in an enterprise environment. Enough that we look at a guideline like “make sure you choose to forget a public network after you use it” to get the sense that this is not a behavior expected to be widely adopted (that said, I am in favor of having this as a feature pushed by device vendors).
The reality is that no amount of verbal or written guidelines will prevent successful attacks over the airspace. Instead, agencies, contractors, and enterprises need to acknowledge that their airspace is being used for cyber attacks. Enterprise devices – with wireless capabilities – connected to sensitive networks are inherently exposed to attacks launched from compromised devices on external networks (aka Antenna for Hire). This is regardless of whether they choose to connect to public Wi-Fi networks or not. While user behavior does affect the ability of organizations to secure their networks, the only way to ensure consistent security is by applying the right protection technology. In that respect, organizations must start applying monitoring and protection technologies to their network airspace.