We All Weep for WEP - Page 2

Yes, disaster is a strong word, but consider what WEP’s failures have resulted in. From its earliest days of existence, WEP has been the whipping boy—sorry, that’s too easy of a pun even for an engineer—of the infosec community. So many “WEP is broken” articles were published that I firmly believe many people avoided Wi-Fi altogether for fear of being compromised by a war driver in a white van in the parking lot with a [famous name brand] potato chip can Yagi antenna. (Those fears weren’t entirely unwarranted.)

Indeed, I am convinced many organizations still fear wireless networks because of all the uproar caused by WEP.

These days, Wi-Fi Protected Access (WPA), in its various shapes and sizes, is readily available and supported, and by all accounts, it is substantially more secure than its predecessor. However, in many ways, the damage has already been done. I’m sure that WPA was slow to gain acceptance because of its association (by perception) to WEP.

In my own travels, I rarely find WPA protected networks in public places. Almost all of the commercial hotspot services have opted to use no network encryption and to move their security inward—leaving the customers responsible for defending their own data.

So, where are the big lessons in this debacle? Here are a few to consider:

• Scrutinize designs rigorously prior to releasing them. I’m a big believer in public scrutiny, but if that’s not feasible, then ensure an independent team thoroughly reviews all designs before they’re released.

• Infrastructure security defects have long-term negative impacts. As such, deciding on how to secure them should be a matter of extreme importance, which may take longer than commercial organizations want, but the longer-term payoffs are worth it.

• We’ve got to demand more of our product vendors. We can’t afford mistakes like WEP to happen.

• Don’t put all your security faith in one mechanism. Even if WPA proves itself to be highly adequate for most purposes, multiple security layers are still a good idea considering the fact that our business data is flying through the air and can be easily intercepted by miscreants who wish us harm.

I’ll bet most of the world is blissfully unaware of the problems in WEP, but we’re all feeling the pain nonetheless. I have no doubt at all that Wi-Fi would be vastly more accepted in enterprises today had it not been for WEP. Let’s not let it happen again.