An interesting survey on PCI DSS compliance was recently published by the Ponemon Institute. There are many interesting findings in the survey some of which I summarize here.
One thing that strongly comes out is that though PCI DSS compliance is perceived as contributing to an organization’s security posture, cost factors are pestering. 60% of the respondents have said that they do not have sufficient resources to manage PCI DSS compliance even though it seems they are spending one third of their security budget on PCI DSS compliance. Another interesting and equally troubling data point that comes out of the survey is that 71% respondents say that their organizations do not have data security as enterprise level strategic initiative. No wonder TJX type breaches happen!
The data security problem is going to only get harder in the future as new networking technologies evolve; most notably wireless and Web2.0. In fact, already 38% percent respondents in the survey have said that that they think the most serious security threats are located in wireless devices. Rightly, PCI DSS has also added wireless scanning control into the compliance pack.
So it is clear that we need low-overhead enablers for organizations to achieve and maintain PCI DSS compliance. At least for wireless PCI DSS compliance, we at AirTight have developed a hosted wireless scanning solution to make PCI DSS compliance cost effective and effortless. Would like to hear from others what they think are the ways to help organizations achieve compliance without much cost and complexity.
One critical requirement from wireless intrusion prevention system (WIPS) is that it should offer robust protection against rogue wireless access points. The protection should entail instant detection followed by automatic blocking (prevention). Rogue AP detection should be free from false alarms – both on positive and negative sides.
Rogue AP means unauthorized AP wired to (connected to) monitored enterprise network. In other words, rogue AP satisfies two conditions: i) It is not on the authorized AP list, AND ii) it is wired to the monitored enterprise network.
The first of the above two conditions is easy to test, just compare BSSID of detected AP with your managed AP BSSID list. The second condition is where things start to become interesting. Accurately and reliably detecting if every AP seen in air is wired or not wired to the monitored enterprise network requires technological sophistication. Based on the level of sophistication, three types of rogue AP detection workflows are prevalent in wireless intrusion prevention system (WIPS) solutions available in the market. Read more…
Wireless scanning, Wireless security
Finally the news that everybody in the WiFi world has been waiting for! Exactly six years after the 802.11n task group was formed, 802.11n got the final ratification as IEEE standard last Friday.
It has also been reported that 802.11w (protection for 802.11 management frames) was also approved as a standard in the IEEE Standards Board meeting.
If you are now looking forward to rolling out a fresh 802.11n deployment or migrating parts of your WLAN to 802.11n, you may want to look at this informative white paper 802.11n The Good The Bad The Ugly: Will You Be Ready? and watch the archived webinar 802.11n deployment checklist — what you need to know before you start by Sri Sundaralingam and Lisa Phifer.
When talking about wired security, enterprise IT administrators talk about multiple layers of defense such as internet firewalls, VPNs, admission control, email filtering, content filtering, web application scanning and many others. It is like a hacker has to peel multiple layers of an onion before getting to the core. Each layer of security is independent and is preferably sourced from different vendors. Each layer compounds the amount of work that a hacker has to perform to get in.
When considering the security of a wireless network, the same enterprise IT administrators are content with the basic security mechanisms integrated into the wireless LAN infrastructure by vendors such as Cisco Systems and Aruba Networks. IT departments have a hard time understanding why an inner layer of defense for wireless network security is needed in the form of an advanced wireless intrusion prevention system (WIPS). The wireless network security posture of an organization is the weakest when the security integrated into wireless LAN infrastructure is the only layer protecting the core network. Without an inner WIPS layer, the core network is open to rogue APs, unauthorized client connections, ad-hoc networks, MAC spoofing and many other attacks that the wireless LAN infrastructure security cannot protect against.
The recently announced improved version of the original Beck-Tews attack on WPA/TKIP appears to have put the wireless security community in a tizzy again. In this post, I argue that the new attack is neither groundbreaking in academic terms, nor is it more worrying in practical terms.
The proposed attack assumes (somewhat unrealistically) that the AP and client cannot hear each other but the attacker can hear both (and can thus act as a man-in-the-middle). In terms of attack speed as well, it is actually slower than the original attack under its stated assumptions.
Security is hard to get right and shortcuts — be it coding shortcuts or design shortcuts – come back and haunt the product designers when the rubber hits the road.
The recently discovered “skyjacking” vulnerability of the Cisco LAPs seems to be a classic example. The “Over The Air Provisioning” (OTAP) feature allows an out-of-the-box Cisco LAP to automatically discover available WLC controllers to connect to by listening to wireless OTAP packets broadcast by neighboring Cisco LAPs. This feature obviously has attractive plug-and-play benefits for the end user but has also resulted in some critical security holes in the Cisco wireless infrastructure as reported recently. Malicious OTAP packets transmitted by an intruder can make a LAP connect to a “rogue” WLC controller on the Internet. This controller can modify the wireless settings of the AP in devious ways resulting in an AP that is in your airspace, connected to your wired network but completely controlled by an attacker.
Many security vulnerabilities are due to coding bugs (for example, inadequate input checking or the infamous buffer overflows). In contrast, the skyjacking vulnerability has its root, in my opinion, in two questionable design decisions that were probably made as early as the requirements definition stage.
Rouge AP is an unauthorized AP connected to enterprise wired network. It can allow access to the enterprise wired network from its RF spillage outside of the premises. While it is well established in the mainstream that wired-wireless correlation is the only robust technique to detect such rogue APs, there also have been some wireside-only scanning techniques around to detect rogue APs connected to the enterprise wired network. At first sight, wireside-only scanning appears attractive from cost and deployment perspective as it does not require RF scanners. However the reality is that wireside-only scanning fails to detect many common types of rogues on the wired network.
Recently, the PCI Security Standards Council Wireless Special Interest Group published guidelines to clarify wireless security requirements in PCI DSS 1.2. While these guidelines clearly require using wireless analyzer or wireless IDS/IPS, wireside-only scanning is still sometimes touted, albeit incorrectly, as low cost alternative to meet PCI compliance. Not only does wireside-only scanning violate PCI DSS 1.2 in letter as it does not use wireless scanners, but it also violates it in spirit as it fails to detect many common types of rogues on wired network.
To find out more about how wireside-only scanning works and its limitations please view our technical white paper - Drawbacks of Wireside-only Rogue Detection.
Compliance, PCI, Wireless security