The Payment Card Industry Data Security Standard (PCI DSS) is an industry security standard for organisations that hold, process or transmit cardholder data. It was developed by the PCI Security Standards Council (PCI SSC) and created to reduce credit card fraud using a top-down approach.
Under requirement 11.1 of the PCI DSS, wireless scans must be conducted on all sites owned and/or operated by an organisation that stores, processes or transmits cardholder data at least every quarter, in order to detect all access points. Any site that can access the Cardholder Data Environment (CDE) is in scope for this requirement.
Even if your organisation doesn’t use wireless, it doesn’t mean that somebody (maliciously or innocently) hasn’t installed a wireless access point. It could be causing your corporate data, credit card data, or corporate secrets to be accessible or even transmitted via the access point. It is always best practice to have a method for detecting wireless access points within your organisation.
Wireless scanning is needed more now than ever before. This is because it is becoming more difficult to protect information in the CDE and internal network from malicious attackers: new technologies and cheaper devices are just two of the ways in which it is now easier for an attacker to access a company’s corporate environment.
An attacker can set up a network with incredibly small devices (e.g. smartphones/3G dongles and off the shelf routers). They do not look out of place in the office and would not arouse suspicion from anyone. Even if there isn’t one in your bag, there is likely to be one in your home! These devices, although normally used for legitimate purposes can be used as entry points onto the corporate network.
Wireless scanning is designed to detect rogue access points that could be connected to the corporate network within a company’s environment. This could be in a server room or an ethernet port at your desk.
Wireless networks are becoming commonplace within corporate environments, and the introduction of affordable portable devices, capable of creating wireless networks in a number of ways, poses a high risk to corporate data. While internet access for employees and guests can sometimes have restrictions, employees wanting unrestricted internet can introduce wireless access points which add additional risks. These need to be measured in order to be understood.
Wireless networks carry enormous amounts of data and if this were to be intercepted and stolen, there would be no real way of detecting it. Wireless access is also a possible gateway onto the internal network: if an employee has installed a wireless router but has not configured it correctly, an attacker could be accessing the network for a significant time before it is noticed. Often it is only noticed after an attack has taken place.
Access points (APs) are the base station in a wireless LAN, allowing a wireless client to connect to the wireless network. Access points are typically stand-alone devices that plug into an ethernet hub or switch. If one of these access points is installed illegitimately, it is classed as a rogue access point. These rogue access points could potentially be leaking corporate data and give attackers a way onto the network. Even those access points which are installed innocently by employees to gain unrestricted internet access could be a severe security risk. With the advances in technology over the last ten years, it is increasingly important to ensure that all APs are known and defined within an asset list.
All too often, an employee will attempt to circumvent security-based policies without a real understanding of the levels of new risk that are being introduced. Many organisations implement policies to restrict access to certain websites from their corporate network, for example social media or email accounts. However, employees can unwittingly introduce a host of new issues if they attempt to use their mobile phone’s internet connection (as a hotspot), for their corporate device, through WiFi, whilst leaving it plugged into the corporate network (so they can continue working).
This arrangement bridges the two connections and can create an information leak. If the mobile hotspot is configured incorrectly, it is an easy access route for a malicious attacker to access the corporate network through insecure or even non-existent encryption methods.
The methods of attack are also incredibly cheap: all you would need to take advantage of a poorly configured wireless network is £20, a USB alpha wireless card (one of the many that can be put in a monitor mode to sniff traffic) and software that is official and free to download from the internet. This can be used against WEP, WPA and WPA2. The tutorials are freely available on YouTube detailing each step.
Methods of attack for the newer encryption methods (WPA or WPA2) are slightly harder, but can still be achieved if the passwords are weak or commonly-used words. Brute-forcing is the easiest way to attack these: this is basically attempting different passwords one after another from a compiled list using special software. The list is a simple text file of common passwords; it can be downloaded from the internet.
WEP encryption is still available on most routers but is widely known to be insecure. There are methods on the internet for cracking WEP that require virtually no technical skill, and can be done in a matter of minutes. WEP should not be used under any circumstances. Instead, we recommend WPA2, as it is the most up-to-date encryption method. For WEP encrypted networks, there are many ways the attacker can break in:
New access points generally use the most up-to-date encryption methods as default. Although this is good, it is always better to change the default password: some manufacturers have had their default credentials leaked online and some passwords can even be worked out through the make and serial number of the device.
The default credentials should be changed for the network: it should contain both upper and lower case letters, numbers and special characters and be at least 8 characters long. Even the network name (ESSID) should be changed as this can give away the manufacturer of the device. The default credentials for the management console of the router should also be changed: this is where the router can be configured. Many times the defaults are ‘admin’ and ‘password’ or similar. Within the router console, it is possible to manage which MAC addresses can access the network, allocate bandwidth, router passwords and so on.
Ad hoc networks are also a problem. These are usually small networks used to transfer files, play games and share an internet connection. Unless there is a specific reason for having these, it is always recommended that this capability be disabled. These networks do not need any pre-existing infrastructure. They can be created using settings within the computer itself. These networks are generally created with weak or no passwords, making it trivial for an attacker to gain access. The only defence against this is to disable the functionality before the device is issued to the employee, making sure the functionality can only be used with an administrator password.
There are some exceptions to requirement 11.1 of the PCI DSS:
Wireless networks in the corporate environment are increasing for many different reasons. The introduction of affordable portable devices that are capable of creating wireless access in a multitude of ways poses an extremely serious risk to corporate data. Wireless is invisible: you won’t know who the attacker is, how data’s intercepted or what is lost. The combination of good security rules, strong passwords and regular wireless scanning is the only defence against a threat that can only increase with time.