Article

Is Wireless Really Worth the Risk?

If indeed wireless is here to stay, what are the security risks and what can be done to remediate them?

Why should I conduct wireless scanning?

The Payment Card Industry Data Security Standard (PCI DSS) is an industry security standard for organisations that hold, process or transmit cardholder data. It was developed by the PCI Security Standards Council (PCI SSC) and created to reduce credit card fraud using a top-down approach.

Under requirement 11.1 of the PCI DSS, wireless scans must be conducted on all sites owned and/or operated by an organisation that stores, processes or transmits cardholder data at least every quarter, in order to detect all access points. Any site that can access the Cardholder Data Environment (CDE) is in scope for this requirement.

But my organisation doesn’t use wireless

Even if your organisation doesn’t use wireless, it doesn’t mean that somebody (maliciously or innocently) hasn’t installed a wireless access point. It could be causing your corporate data, credit card data, or corporate secrets to be accessible or even transmitted via the access point. It is always best practice to have a method for detecting wireless access points within your organisation.

Is wireless scanning really that important?

Wireless scanning is needed more now than ever before. This is because it is becoming more difficult to protect information in the CDE and internal network from malicious attackers: new technologies and cheaper devices are just two of the ways in which it is now easier for an attacker to access a company’s corporate environment.

An attacker can set up a network with incredibly small devices (e.g. smartphones/3G dongles and off the shelf routers). They do not look out of place in the office and would not arouse suspicion from anyone. Even if there isn’t one in your bag, there is likely to be one in your home! These devices, although normally used for legitimate purposes can be used as entry points onto the corporate network.

What to look for in your wireless scanning provider

Wireless scanning is designed to detect rogue access points that could be connected to the corporate network within a company’s environment. This could be in a server room or an ethernet port at your desk.

  • The wireless scanning provider should offer quarterly scanning of all the necessary sites.
  • You should view an example report to be sure that it lists all non-official access points found, their location, encryption type and connection method (ADSL, etc.), and that it details risks and remediation methods for each.
  • The provider should cover the entire site from the perspective of a potential, unauthenticated attacker. This gives the scenario more realism and includes how far the corporate wireless is detectable outside the building.
  • Tools should include a wireless spectrum analyser with a greater range than standard built-in wireless in laptop/mobile devices. This means that networks can be detected from further afield (e.g. from the car park or even the café across the street), in the same way that an attacker would.
  • The analyser should cover all common 802.11 frequencies (including bands a, b, g and n).
  • They should also check the physical security of each device (where it is, who has access to it, etc.).
  • If an unofficial access point has been detected, they should be able to locate the suspect device.
  • This should then be investigated to ascertain as much as possible about the device – from its owner, why it was installed and when, to how secure its encryption method is.

What are the risks?

Wireless networks are becoming commonplace within corporate environments, and the introduction of affordable portable devices, capable of creating wireless networks in a number of ways, poses a high risk to corporate data. While internet access for employees and guests can sometimes have restrictions, employees wanting unrestricted internet can introduce wireless access points which add additional risks. These need to be measured in order to be understood.

Wireless networks carry enormous amounts of data and if this were to be intercepted and stolen, there would be no real way of detecting it. Wireless access is also a possible gateway onto the internal network: if an employee has installed a wireless router but has not configured it correctly, an attacker could be accessing the network for a significant time before it is noticed. Often it is only noticed after an attack has taken place.

Access points (APs)

Access points (APs) are the base station in a wireless LAN, allowing a wireless client to connect to the wireless network. Access points are typically stand-alone devices that plug into an ethernet hub or switch. If one of these access points is installed illegitimately, it is classed as a rogue access point. These rogue access points could potentially be leaking corporate data and give attackers a way onto the network. Even those access points which are installed innocently by employees to gain unrestricted internet access could be a severe security risk. With the advances in technology over the last ten years, it is increasingly important to ensure that all APs are known and defined within an asset list.

Accidental introduction of risk

All too often, an employee will attempt to circumvent security-based policies without a real understanding of the levels of new risk that are being introduced. Many organisations implement policies to restrict access to certain websites from their corporate network, for example social media or email accounts. However, employees can unwittingly introduce a host of new issues if they attempt to use their mobile phone’s internet connection (as a hotspot), for their corporate device, through WiFi, whilst leaving it plugged into the corporate network (so they can continue working).

This arrangement bridges the two connections and can create an information leak. If the mobile hotspot is configured incorrectly, it is an easy access route for a malicious attacker to access the corporate network through insecure or even non-existent encryption methods.

Malicious attackers

The methods of attack are also incredibly cheap: all you would need to take advantage of a poorly configured wireless network is £20, a USB alpha wireless card (one of the many that can be put in a monitor mode to sniff traffic) and software that is official and free to download from the internet. This can be used against WEPWPA and WPA2. The tutorials are freely available on YouTube detailing each step.

Methods of attack for the newer encryption methods (WPA or WPA2) are slightly harder, but can still be achieved if the passwords are weak or commonly-used words. Brute-forcing is the easiest way to attack these: this is basically attempting different passwords one after another from a compiled list using special software. The list is a simple text file of common passwords; it can be downloaded from the internet.

Wired Equivalent Privacy (WEP)

WEP encryption is still available on most routers but is widely known to be insecure. There are methods on the internet for cracking WEP that require virtually no technical skill, and can be done in a matter of minutes. WEP should not be used under any circumstances. Instead, we recommend WPA2, as it is the most up-to-date encryption method. For WEP encrypted networks, there are many ways the attacker can break in:

  • Passive attacks – statistical analysis
  • Active injection attacks – based on known plain text
  • Active decryption attacks – tricking the access point
  • Dictionary attacks – analysing large amounts of traffic and comparing credentials

The issue with default credentials

New access points generally use the most up-to-date encryption methods as default. Although this is good, it is always better to change the default password: some manufacturers have had their default credentials leaked online and some passwords can even be worked out through the make and serial number of the device.

The default credentials should be changed for the network: it should contain both upper and lower case letters, numbers and special characters and be at least 8 characters long. Even the network name (ESSID) should be changed as this can give away the manufacturer of the device. The default credentials for the management console of the router should also be changed: this is where the router can be configured. Many times the defaults are ‘admin’ and ‘password’ or similar. Within the router console, it is possible to manage which MAC addresses can access the network, allocate bandwidth, router passwords and so on.

Ad hoc networks

Ad hoc networks are also a problem. These are usually small networks used to transfer files, play games and share an internet connection. Unless there is a specific reason for having these, it is always recommended that this capability be disabled. These networks do not need any pre-existing infrastructure. They can be created using settings within the computer itself. These networks are generally created with weak or no passwords, making it trivial for an attacker to gain access. The only defence against this is to disable the functionality before the device is issued to the employee, making sure the functionality can only be used with an administrator password.

Alternatives to wireless scanning

There are some exceptions to requirement 11.1 of the PCI DSS:

  • If the client has port level security such as 802.1x, so that an attacker cannot plug in an access point (AP). 802.1x is an IEEE standard for port-based security. This means that an authentication certificate needs to be presented to the network by the device to allow access, otherwise the device will not be able to see the network. This, when implemented correctly, gives a significant increase in network security, as illegitimately installed wireless (or any other) devices will never be allowed access to the network through ethernet. However, using 802.1x does mean that setting up the network and managing devices can become quite time-consuming and connectivity issues can arise if it is not implemented correctly. Initial roll-out of 802.1x can be laborious and involve a lot of troubleshooting.
  • If the client has a WIDS (Wireless Intrusion Detection System), where alerts are correctly monitored and they adopt appropriate internal processes to respond to those alerts. Having aWIDS system has significant advantages over manual wireless scanning. WIDS can monitor your wireless network 24 hours a day, 7 days a week. Once installed and fully working, it does not require any additional work: the system will detect if a device has been installed and will automatically block it, while notifying the WIDS user. Some of the WIDS systems can even determine if the device is plugged into the corporate network. They can detect a rogue network within seconds of it being installed and then notify you of its exact location. However, this is not always the most practical solution. WIDS are expensive to buy, install across sites, control and integrate with existing systems. They require specialist installation and training to be able to monitor and use them productively, so in some cases they can be more of a hindrance than a help.

Conclusion

Wireless networks in the corporate environment are increasing for many different reasons. The introduction of affordable portable devices that are capable of creating wireless access in a multitude of ways poses an extremely serious risk to corporate data. Wireless is invisible: you won’t know who the attacker is, how data’s intercepted or what is lost. The combination of good security rules, strong passwords and regular wireless scanning is the only defence against a threat that can only increase with time.

 

 

Accreditations

As members of CHECK we are measured against high standards set by CESG for the services we provide to Her Majesty's Government.
We are certified in the ISO 9001 quality management system (QMS) in the UK, ensuring reliable delivery of our products and services.
We are certified to comply with ISO 14001 in the UK, an internationally accepted standard that outlines how to put an effective environmental management system in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR are approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisation's adherence to PCI DSS.