The Wifi device that you have (either yourself or by someone else) are setup with:
Decide on naming your device, and also decide on the encryption technology to set up the network(your Internet access).
Of course you could decide not to encrypt but in that case you are screwed security wise. So let’s assume that Yes the network is encrypted on the Wifi device. Another admin faux pas – change the admin password, I am assuming your setup has done at least the basics.
The technology you run depends on the age of the Wifi device and it’s capabilities.
Here is an article that explains how to hack Wifi
One of the things it mentioned:
“This attack will only work on APs sold during that window of 2006 and early 2012.” AP in this context means Access Point – which is a Wifi device.
What you can do is test your Wifi device to see if it is set up with technologies that are hard to crack – if not impossible.
PCI and HIPAA compliance requires some testing to review the Wifi setups.
The reason for this is simple, if your configuration uses simple to hack encryption (like WEP) then you will be hacked and fail compliance tests.
What I am talking about is the more ‘advanced’ concept of increasing your security.
The concept of testing your devices before using them in every day use.
Here is another link to crack WPA/WPA2 without a dictionary file in 4-10 hours with reaver (a Linux software).
The key to a good defense is a long password random with upper/lower, numbers, and special characters. Brute force will take a long time, but realize that faster computers will overtake this standard as well (eventually)
Contact Us for a Wifi evaluation discussion.
Have us perform PCI or HIPAA compliance for your Wifi AP’s:
Specific HIPAA compliance istandards are located in this SANS.org document
While the Final HIPAA rules do not necessarily deal directly with wireless,
the regulations cover many separate areas that deal with PHI. In summary the
document deals with 3 major areas:
1. Administrative Safeguards
2. Physical Safeguards
3. Technical Safeguards.
The Administrative Safeguards section (164.308) provides regulation for the
management of healthcare organizations. Secondly, Physical safeguards
(section 164.310) regulate how physically secure the facility should be.
Finally Technical Safeguards (section 164.312) provide regulations for access control to the network, security and integrity of data/transmissions, auditing and authentication.
This section is most relevant to our situation.
In order to provide the highest
security to a wireless network, the relevant regulations need to be extracted from the HIPAA document and interpreted for use in the scenario presented. The following is a brief summary of the standards
that relate to our wireless scenario.
1. Access control (164.312(a)(1)) is simply what the name implies,
controlling who is granted access to the organization’s resources.
2. Auditing (164.312(b)) is maintaining logs of who accessed
a given resource at what time and where so that in the event of a security
compromise there will be an audit trail.
3. Integrity (164.312(c)(1)) consists of making sure that PHI is not
modified in any way by an unauthorized user during transmission
4. Person authentication (164.312(d)) is authenticating that the person
the computer says they are is really the correct person. This could
be argued that it should be done at the server, but I think we can take it a step further and authorize the user when they transition from the wireless to the wired network.
5. Transmission security (164.312(e)(1)) is ensuring that the network
transmissions are kept private and since the media is the air this is
a high priority in wireless environments.
Updated 11/9/2015 7:17pm UTC (added password suggestion)