Over the past 30 years, Lisa Phifer has worked for hundreds of firms, including mobile network operators, network and wireless equipment manufacturers, security software and service providers, global Internet policymakers, large enterprises and small businesses. She owns her own consultancy service based in Santa Fe, New Mexico, and specializes in the safe business use of emerging Internet technologies with a special emphasis on mobile security.

I recently interviewed her to get her thoughts about some of the more important issues in this sphere.

You have been studying Wi-Fi and mobile security for more than two decades. Are users any safer, or do they generally still do dumb things as often?

I think users are far more aware of fundamental Wi-Fi risks than they were 10 or even five years ago. Thanks to broadband routers and mobile hotspots that arrive with WPA2 enabled, wireless networks that are unencrypted have plummeted from 65 percent in 2002 to less than 9 percent today. But public hotspots are still almost always unencrypted, users still make poor password choices in their own WLANs and very few of them understand the importance of server authentication to avoid phony evil-twin hotspots.

In addition, Wi-Fi has become so pervasive and so easy that I think most users actually give little thought as to how their smartphone is reaching the Internet at any point in time or what data it might be leaking over Wi-Fi. As a result, many users now move through their day with varying levels of security — for example, WPA2-Enterprise at the office, WPA2-Personal at home and nothing but HTTPS in between. Unfortunately, that leaves the most significant gaps open in the most public of locations, creating ample opportunity for criminals.

What do you recommend traveling end users do to stay safe when they are connecting via Wi-Fi?

The easiest way to avoid being attacked at Wi-Fi hotspots is to avoid using them. By this, I mean using cellular mobile broadband instead of Wi-Fi where available, efficient and cost-effective.

Of course, there are many places where cellular is spotty, slow or pricey. In those situations, use a reputable Wi-Fi hotspot in combination with a VPN. VPNs really offer the most protection. Even WPA2 encryption only protects your traffic over the air, while a VPN protects your traffic all the way across the Internet. On the flip side, WPA2 prevents access by those without a passphrase or login, creating a safer LAN.

If your employer doesn’t have a VPN, consider a personal VPN. If VPN really isn’t an option, stick to SSL/TLS-protected websites.

Why use reputable Wi-Fi hotspots? It’s more likely that the hotspot takes basic security measures, for example, blocking client-to-client traffic and encrypting login/payment data. However, there’s still always a chance that you connected to a phony evil twin, so I recommend authenticating the destination you’re communicating with at every possible point. Specifically, always validate server certificates; never ignore those invalid certificate warnings.

Should users just avoid doing banking and other private business over new Wi-Fi networks?

I think a properly secured Wi-Fi network can be just as safe as, or even safer than, a wired Ethernet LAN. For example, retailers commonly perform point-of-sale transactions over Wi-Fi networks, but they are required by regulations to take many steps to safeguard transactions. Similarly, a home Wi-Fi network can be locked down and then safely used for personal banking.

Where I personally draw the line is using public Wi-Fi hotspots. There, my decisions are based on risk and reward. If a public hotspot is blocking my VPN, I’m not going to conduct any sensitive transactions, period. But even if my VPN is working and I’m comfortable reading email, I’m not likely to do my banking on a mobile device — why take unnecessary risk?

How many businesses still don’t change their default Wi-Fi router passwords these days?

I don’t know of a published study documenting how often vulnerability assessments find factory default passwords on Wi-Fi routers. I personally have found that an alarming number of business systems and many, if not most, residential Wi-Fi routers can be accessed using factory default passwords.

However, studies of other kinds of devices routinely show that passwords are a common weakness. For example, Trustwave’s 2015 Global Security Report estimated that half of all point-of-sale asset compromises resulted from weak or default passwords. And there are dozens of websites … where anyone can easily look up any router’s factory default password. This demonstrates both the risk posed by default passwords and the demand for this information.

I would hope that most business network admins are aware of this fundamental vulnerability. Certainly those working for companies in regulated industries must comply with password update best practices or standards. They should also probe their own networks for gaps, such as routers using default passwords, and perform ongoing traffic monitoring to detect intruders that may be exploiting default passwords to penetrate the network.
