Rogue access point defenses outlined in PCI DSS 11.1.
The introduction of wireless networks into business environments presents a much easier exploitation path for attackers. It goes without saying that your wireless networks should be protected by industry-accepted encryption (e.g., WPA2). But how do you ensure that your customers are connecting to your protected wireless network? And how do you know if someone has added a wireless access point to a network that should not be exposed that way?
Enter wireless access point scanning. In requirement 11.1, the Payment Card Industry Data Security Standard (PCI DSS) requires all merchants to scan their environments quarterly for visible wireless access points to ensure that no unsanctioned wireless points are connected to the card data network (and the sensitive data within).
There are many ways that attackers could install a rogue wireless access point on your network without your knowledge. It’s also possible that someone from within your organization could install an access point where it should not be to make their job easier. That’s why regular wireless access point testing is essential to minimize your threat.
Exactly what is a rogue access point?
A rogue access point is a wireless access point installed on a secure network without the knowledge of the system administrator. According to the PCI DSS, “unauthorized wireless devices may be hidden within or attached to a computer or other system component, or be attached directly to a network port or network device, such as a switch or router."
A rogue access point could be a small wireless access point plugged into an existing firewall or switch, or into an unused wall network jack (for example, at a personal desk). It could be a mobile device attached via USB that creates a wireless access point, or even a wireless card plugged into a server.
Because they are installed behind an organization’s firewall, rogue access points can be lethal to security.
Here are three main dangers of a rogue access point:
Anyone who authenticates to it gains access into the network (whether a good guy or a bad guy).
It’s not being monitored or managed by the system administrator.
It doesn’t follow normal security procedures of other wireless access points on the same network.
How does an attacker actually install the rogue access point? There are numerous ways, but one simple example is through social engineering. If an attacker uses social engineering to get past an organization’s physical defenses, plugs a small wireless access point into an open network port or maybe a Wi-Fi USB device into an authorized laptop, and bridges the connection to their wireless access point through that laptop’s Internet connection, they’re in.
Wireless access point protection: hackers vs. your employees . . . why both are risky
A wireless access point doesn’t necessarily need to be installed by a hacker to be considered rogue. In fact, your own organization’s authorized users could bring the risk of a rogue access point into your environment.
Though employees may not have malicious intent, access points installed or utilized without the permission of the system administrator are considered rogue. Here are some possible situations:
Your IT department could misconfigure or accidentally duplicate a wireless network.
Employees could bring their own access points to more easily connect mobile devices, iPads, or home laptops to the corporate network.
An annoyed staff member sick of slow corporate Wi-Fi may purchase and install a private wireless device on the wired corporate network.
All of these are considered rogue because they aren’t under the same security controls as the rest of the environment’s wireless access points. This means system administrators have zero visibility into the security of that wireless environment. In addition, employees probably won’t enable security settings on their own access points, which makes it even easier for attackers to use that access point to intercept network traffic.
Hackers use rogue access points as a simple way to gain access into business systems to capture sensitive data.
One tricky way hackers use rogue access points is through evil twins (also called Wi-Fi Pineapples). Evil twins are wireless access points configured to look identical to a company’s true secure wireless network. Why? To entice authorized users to connect to the spoofed network.
If the wireless access point looks trusted, with the same wireless network name (the SSID, up to 32 characters) and MAC address, employee devices may automatically connect to it. If an evil twin is successful, an attacker can easily connect to the user’s laptop to steal authentication credentials and access the network under an authorized name.
5 steps to PCI DSS requirement 11.1 compliance
There are several processes organizations can use to comply with PCI DSS requirement 11.1, but most businesses use a free or commercial scanning tool. Other possible methods of testing for rogue access points include physical component inspections or wireless intrusion detection systems (IDS).
Wireless scanning technologies work by building an initial database of access points in the environment, including IP and MAC addresses. As a scan runs, it identifies, compares, and flags access points that don’t match the master list. It’s up to the system administrator to manually investigate the scan’s findings and determine if they are rogue.
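The comparison step described above, as an added illustration in Python (not code from the article or from any scanner the author describes): a constructed Step 1 inventory with business justifications, a constructed scan, and triage logic that separates authorized radios from evil twins (a known SSID on an unlisted BSSID), sanctioned radios that have drifted from their documented configuration, unknown devices, and inventoried radios that were not observed. All SSIDs, MAC addresses and justifications are made up for the example.

```python
"""Rogue AP triage: compare a wireless scan against the authorized AP
inventory, as in the PCI DSS 11.1 process above. Added illustration; all data constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str      # radio MAC address, lower-case
    security: str   # "WPA2", "WPA3", "OPEN"
    channel: int

# Step 1 inventory: sanctioned APs with their business justification (constructed).
AUTHORIZED = {
    "aa:bb:cc:00:00:01": (AccessPoint("CORP-POS", "aa:bb:cc:00:00:01", "WPA2", 6), "store 12 POS terminals"),
    "aa:bb:cc:00:00:02": (AccessPoint("CORP-GUEST", "aa:bb:cc:00:00:02", "WPA2", 11), "segmented guest network"),
    "aa:bb:cc:00:00:03": (AccessPoint("CORP-OFFICE", "aa:bb:cc:00:00:03", "WPA2", 1), "back-office laptops"),
}

# One constructed scan: a sanctioned AP, an evil twin of it, a sanctioned AP left open, a personal hotspot.
SAMPLE_SCAN = [
    AccessPoint("CORP-POS", "aa:bb:cc:00:00:01", "WPA2", 6),
    AccessPoint("CORP-POS", "de:ad:be:ef:00:01", "OPEN", 6),
    AccessPoint("CORP-GUEST", "aa:bb:cc:00:00:02", "OPEN", 11),
    AccessPoint("Bobs_Hotspot", "12:34:56:78:9a:bc", "WPA2", 1),
]

def triage(scan, inventory=AUTHORIZED):
    """Classify each observed AP; returns {bssid: (verdict, detail)}."""
    known_ssids = {ap.ssid for ap, _ in inventory.values()}
    findings = {}
    for seen in scan:
        bssid = seen.bssid.lower()
        entry = inventory.get(bssid)
        if entry is None:
            # A known network name on an unlisted radio is the evil-twin pattern.
            verdict = "evil_twin" if seen.ssid in known_ssids else "unknown"
            findings[bssid] = (verdict, f"{seen.ssid!r}/{seen.security} not in inventory")
        elif (seen.ssid, seen.security) != (entry[0].ssid, entry[0].security):
            # Sanctioned radio drifted from its documented config (also catches a BSSID-cloning open twin).
            findings[bssid] = ("misconfigured", f"expected {entry[0].security}, saw {seen.security}")
        else:
            findings[bssid] = ("authorized", entry[1])
    # Inventoried radios not seen at all may have been moved; check them as well.
    for bssid in inventory:
        findings.setdefault(bssid, ("missing", "inventoried AP not observed"))
    return findings

if __name__ == "__main__":
    for bssid, (verdict, detail) in sorted(triage(SAMPLE_SCAN).items()):
        print(f"{bssid}  {verdict:<13} {detail}")
```

A twin that clones both SSID and BSSID and keeps WPA2 is indistinguishable by this comparison alone, which is why commercial tools add signal and location data and why the findings still need human review.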
Here is a breakdown of the five main stages of the wireless access point scanning process.
Step 1: Discover your wireless devices
It’s difficult to determine which wireless devices to remove if you don’t have an accurate list to begin with. That’s why the PCI Council requires you to “scan all card data environment locations for known wireless access devices and maintain an up-to-date inventory.”
If you’re a small ecommerce provider and all your systems fit into a single rack in your data center, this requirement should be pretty easy: a quick look would identify unknown hardware. If you’re a widespread organization, it will take a bit more time.
Whether you illustrate wireless access points in a network diagram or simply compose a giant list, you must also document business justification for each wireless access point. If you can’t justify the access point’s existence, you must disable it. If you ever question whether or not an access point is rogue or what it’s doing in a certain area, you should simply consult your business justification list.
This is also a great time to ensure you’ve physically secured your wireless devices so they are not accessible to the general public.
Step 2: Get a scanning tool and correctly configure it
In order to combat rogue wireless networks, either use a wireless scanner or a wireless intrusion detection/prevention system (IDS/IPS). (The PCI Council recommends that large organizations use a wireless IDS/IPS.)
As you search for the right tool, make sure it’s wireless, not wired. Wired scanning tools are used by many organizations for additional security, but according to the PCI DSS, they have a high false positive rate and will not help you comply with requirement 11.1.
Once you choose your tool, it’s time for configuration. Configuration of a wireless scanning device isn’t overly complex, but it’s important to consider the tool’s log management and alerting functions. You should enable automatic alerts and a containment mechanism to eliminate rogue wireless points.
Step 3: Decide where to scan, and then scan your environment
Since a rogue device can potentially show up in any part of your environment, it’s important you pay attention to where you’re scanning. According to the PCI DSS, “locations that store, process or transmit cardholder data [must either be] scanned regularly or [a] wireless IDS/IPS [must be] implemented in those locations.”
This is where a network map or card data flow diagram comes into play. (You should already have one of these diagrams documented, as per PCI DSS requirement 1.1.3). It will show you how card data moves within your environment and help you analyze exactly which portions you should scan based on the locations that store, process, or transmit cardholder data.
Step 4: Remediate any found rogue access points
Not every alert your scan identifies is necessarily rogue. Your scan may have found false positives. Sometimes a scanner will identify an access point as rogue when a server automatically assigns an IP address to a new, legitimate employee laptop. Documentation is crucial for determining whether a flagged device is really a false positive or something to look into further.
However, if your scan did find a legitimate rogue wireless access point, “companies should immediately remediate the rogue threat in accordance with PCI DSS requirement 12.9 and rescan the environment at the earliest possible opportunity.”
If you end up finding rogue access points set up by your own employees, this would be a great time to write and/or enforce policies that restrict unauthorized access points and spell out the consequences.
Step 5: Maintain a regular scan schedule
If there’s anything we know about attackers, it’s that they’re constantly chipping away at our walls. Don’t ever think you’re safe because you’re ‘too small’ for a hacker to care about. Hackers want data, and if they find a weakness that allows them to install a rogue access point, they’ll do it. That’s why compliance is never a point in time. It’s a process.
The PCI DSS states that all organizations must scan for rogue wireless access points quarterly. However, don’t let that requirement scare you from scanning more often. The higher your scan frequency, the timelier your results.
Cut out rogue access points to protect cardholder data
A rogue access point leaves your network and its sensitive data susceptible to attackers who have a wireless connection. As evidenced by online evil twin tutorials and fake Wi-Fi hotspots, hackers are still using rogue access points to attack both business and personal networks.
Today’s hackers make an extra effort to conceal their activities, which means rogue wireless access point detection could get a lot trickier in the future. For now, it’s important to scan quarterly, ensure you’re scanning the correct locations within your environment, and have a game plan for any found rogue access points.
Gary Glover (CISSP, CISA, QSA, PA-QSA) is VP of Security Assessments at SecurityMetrics with over 14 years of PCI audit experience and 30 years of Star Trek quoting skills. Live long and prosper as you visit his other blog posts.