How coffee house wifi is reflective of your cybersecurity maturity

Forbidding use of coffee house wireless is emblematic of immature security programs

Johnny walks into a coffee house, boots up his work computer and goes online. The next day he gets a talking to from the security team - open wireless networks are dangerous, you violated security policy!

We need to actively crush the old way of thinking. It is outdated, it is wrong, and it holds us back.

Limiting functionality to achieve security is an anti-pattern

Here's an activity to illustrate the point. Do you recognize any of these classic pieces of security advice? Perhaps you've shared them recently. Step back for a moment and consider what we're actually saying when we give this guidance.

  • Don't use your computer on untrusted wifi
  • Don't browse to "unknown" websites
  • Don't click on links from emails
  • Don't open attachments
  • Don't open QR codes

All of the above statements are attempts to limit normal functionality of computers and the internet.

Image the same type of "advice" in the real world.

  • Don't drive your car on bumpy roads
  • Don't drive in the rain
  • Don't go above 25 mph in any circumstance

This guidance would be absurd and would be directly opposing the normal use of vehicles. Perhaps if we were talking about the original Model-T then this guidance would be appropriate - but that's because the vehicle was not capable of more advanced uses.

In today's world the "classic" cybersecurity advice is attempting to tell owners of high performance modern vehicles that a little bit of rain or bumps in the road will result in catastrophic failure. That just isn't right. Instead, if our vehicles are well maintained and operated within reason by the owner, then far more is possible.

Looking back, it is understandable why we originally gave this restrictive security advice. But times have changed and we must change too or be left as curmudgeons yelling for people to get off our lawns!

Stepping back 10 years or so, we didn't want people to use coffee house wireless networks because 10 years ago SSL/TLS was not commonly or correctly adopted (remember Firesheep?). But 10 years is eons in technology time. Now SSL/TLS is both ubiquitous on all sites that matter and even enforced at the browser level directly in many cases (HSTS, etc).

With widespread adoption of SSL/TLS we've eliminated the primary concern of untrusted wireless - the ability for someone on the network to monitor or modify unencrypted traffic.

So we're good, right?

Counter point - But what about a malicious attacker on the same local network, you ask? They could exploit local vulnerabilities on any listening services on the device. Then potentially use this access to pivot to other devices on the company network via an active vpn or remote access trojan for later use.

First, we need to be more realistic about threat models and likelihood. It is a technically true statement that an individual could be targeted on a coffee house network, but is that likely? It is also a true statement that a vehicle on a road could be swept away by a tornado, but we don't stop driving because cars lack tornado defenses. (Side note - if you are thinking of an individual that really is highly targeted and is actually at risk at a coffee house because their advisories or physically following them, then great. That's good threat modeling and turn up the defenses for that user - but don't subject everyone to the same level of very costly limitations.)

Second, this scenario is assuming numerous security control failures and then blaming the resulting risk on the coffee wireless. More specifically:

  • the device should be fully patched so there are no known vulnerabilities to be exploited,
  • the device should have a local firewall enabled so unnecessary services aren't even accessible,
  • the company network should be designed such that compromise of a device does not yield extensive lateral movement to other important services

Counter point - Well, cybersecurity is about layers of defenses and what if our devices aren't fully patched? They would be at risk and we need to restrict access to coffee house wireless networks.

Cybersecurity is actually about risk management and the appropriate controls to manage risk to a sufficient level for an organization based on unique threat models and risk appetite. The arbitrary application of more layers of security ad nasuem is lazy at best and, more specifically, is a distraction from the real issues.

To cut to the main point, the issue with coffee house wireless networks isn't the network itself. Instead it is the immaturity of our cybersecurity programs to have confidence that the defensive controls, which are in our control (patching, device hardening, network isolation, etc), are properly and uniformly applied across our fleet at all times.

So, don't blame the user and tell them to stop using coffee house networks in the name of "cybersecurity" - instead reflect on your cybersecurity program and capabilities and ask why the controls we know will work aren't being applied in all situations.

Crippling functionality in the name of cybersecurity is the old way of thinking from another time. Instead, ask yourself how we can deploy better core cybersecurity controls to enable our users to do more - safely.