Over-the-Air Credential Theft is the act of stealing credentials “over-the-air”, often during Wi-Fi or VPN authentication. This is often accomplished using a Man-in-the-Middle (MITM) or Evil Twin attack: Spoofing an SSID within the physical vicinity of devices that are configured to connect to that SSID, causing devices to send their credentials to the spoofed SSID instead of the legitimate one. This can occur on campus, or at a nearby facility frequented such as a Cafe or Store. According to the 2018 Credential Spill Report, an average of 1 million credentials were exposed daily in 2017, with no indication that this number will decrease.
How Do I Prevent Over-the-Air Credential Theft?
Offer Technology for Easy Configuration
An area of vulnerability for over-the-air credential theft is
when users manually configure their devices for WPA2-Enterprise.
When users omit a few difficult-to-configure settings, such as
RADIUS certificate installation, they lose all the security
benefits of WPA2-Enterprise and are susceptible to over-the-air
credential theft. Providing onboarding/configuration technology
to network users not only creates a better user experience, but
it also significantly reduces the risk of over-the-air
credential theft.
Replace Passwords with Certificates
While utilizing onboarding/configuration technology can minimize
risks for over-the-air credential theft, they are not foolproof
since users can choose not to utilize them. Using
certificate-driven security guarantees that users go through an
enrollment process that ensures their devices are properly
configured and organizations can rest assured that privacy is
protected.
CONFIGURE DEVICES FOR
Server Certificate Validation
Server certificate validation prevents over-the-air credential
theft by configuring devices to validate the identity of the
SSID’s server before sending credentials.This security measure
is often overlooked for two primary reasons: the organization
does not know about it, and it’s difficult for end users to
configure. Misconfiguring server certificate validation is easy,
especially since devices can be misconfigured and still connect
to the network, which negates the security benefits of
WPA2-Enterprise. Manually configuring it on Windows devices,
shown in the video, takes 14 steps.
REPLACE PASSWORDS WITH
Certificate-Based Authentication
We provide everything an organization needs to deploy EAP-TLS,
certificate-based 802.1X for Wi-Fi security. The #1 rated
onboarding client to enroll certificates, certificate management
tools, managed device auto-enrollment gateways, a RADIUS server
and much more is included in the SecureW2 solution. Plus, we’re
vendor neutral. You can plug and play any part of our solution,
so there’s no need to forklift your existing network
infrastructure.
USE A BEST-IN-CLASS
Onboarding Client
Starting with a great end user experience, the JoinNow Suite
provides customizable and adaptable onboarding clients that set
up devices for Wi-Fi, VPN, Web and SSL Inspection security.
JoinNow takes the frustration out of delivering secure networks
by delivering all turnkey backend services for device
enrollment, authentication and management. In an age where BYOD,
IoT, and managed devices reign, our technology provides the
answers by leveraging the components you currently own.
Powerful Certificate Management and Configuration Features
Remotely Troubleshoot Devices
SecureW2 software allows you to troubleshoot errors in
real-time with individual devices and monitor network
connections. View and fingerprint which devices are connecting
to the network while they are being onboarded, and
simultaneously monitor any connection messages users may
encounter. Detailed information about individual devices such
as network adapters, MAC addresses, driver versions, and
manufacturer and driver dates help network admins begin the
troubleshooting process and gather analytics from the cloud.
End-user data including device type, operating system/build
version, and application version is securely reported back to
the cloud and made available for network admins for use in
assessing connection patterns and creating network visibility
Configure Server Certificate Validation
Server certificate validation is one of the most important
ways of preventing over-the-air credential theft. Manually
configuring server certificate validation isn’t supported by
Apple devices, and is very difficult to do on Android and
Windows devices. SecureW2’s onboarding client ensures that
devices of all operating systems are configured for server
certificate validation when they are setup for network access.
Create Robust Certificate Policies
SecureW2 makes it easy to track and manage certificates.
Certificate policies allow the administrator to determine the
lifecycle and permissions of client certificates, as well as
automated notifications to users, administrators, and external
systems regarding the issuance, revocation, and expiration of
certificates. For example, you could create a policy that
gives students certificates with a 4-year expiration, and
staff an 8-year expiration.
Revoke User Access After They Leave
SecureW2 comes with a built-in CRL (Certificate Revocation
List) and provides mechanisms to validate current user status
in the organization. Network administrators can also manually
delete certificates from the management portal at any time.
You can rest easy knowing that only current members of the
organization have access to the network.
