With more enterprises deploying wireless LANs and employee-owned WiFi devices flooding enterprises, wireless LAN forensics is becoming a key component of any network forensic audit — whether to prove compliance with a regulation such as PCI DSS or in response to a security incident. But wireless presents unique challenges to forensic audits.
Last month, at the RSA 2010 conference in San Francisco, I had the opportunity to discuss this issue with experienced auditor and certified PCI QSA Jim Cowing. Here you can view the video recording of an abridged version of our RSA 2010 talk “Anatomy of a Forensic Audit: How Wireless Changes the Game.”

Let me summarize the highlights from the talk: Read more…

Kaustubh Phanse Best practices, Compliance, PCI, Wireless scanning, Wireless security Forensic audit, PCI DSS, WIPS, Wireless forensics, Wireless Intrusion Prevention
Wireless PCI Compliance in just 5 Minutes
This new product video from AirTight Networks shows how easy it is to automate your wireless PCI vulnerability scanning. AirTight SpectraGuard Online can be configured and running in as little as 5 minutes and 3 easy steps. AirTight eliminates the need to send staff to remote locations with a mobile analyzer to conduct the routine PCI scan for rogue APs. IT professionals should find this refreshing.
Watch AirTight’s wireless PCI scanning video

Mike Baglietto Compliance, PCI, Wireless scanning, Wireless security PCI
It seems that WLAN management and security are finally moving to the cloud. See the recent announcements by Aerohive (October 27) and Aruba Networks (October 29).
Enterprises, namely SMBs, now have multiple options and price points for managing their wireless networks. We saw this trend about 18 months ago when AirTight decided to release a SaaS version of our wireless IPS, SpectraGuard Online.
With the introduction of these new offerings, it will be interesting to see if the ASVs begin to offer wireless vulnerability scanning. They already offer cloud-based vulnerability scanning services for the wired network, so why not wireless?

Mike Baglietto Best practices, Compliance, PCI, Wireless scanning, Wireless security
An interesting survey on PCI DSS compliance was recently published by the Ponemon Institute. There are many interesting findings in the survey, some of which I summarize here.
One thing that strongly comes out is that though PCI DSS compliance is perceived as contributing to an organization’s security posture, cost factors are pestering. 60% of the respondents have said that they do not have sufficient resources to manage PCI DSS compliance even though it seems they are spending one third of their security budget on PCI DSS compliance. Another interesting and equally troubling data point that comes out of the survey is that 71% of respondents say that their organizations do not have data security as an enterprise-level strategic initiative. No wonder TJX-type breaches happen!
The data security problem is only going to get harder in the future as new networking technologies evolve, most notably wireless and Web 2.0. In fact, already 38% of respondents in the survey have said that they think the most serious security threats are located in wireless devices. Rightly, PCI DSS has also added a wireless scanning control into the compliance pack.
So it is clear that we need low-overhead enablers for organizations to achieve and maintain PCI DSS compliance. At least for wireless PCI DSS compliance, we at AirTight have developed a hosted wireless scanning solution to make PCI DSS compliance cost-effective and effortless. We would like to hear from others what they think are the ways to help organizations achieve compliance without much cost and complexity.

Hemant Chaskar Compliance, PCI dss, hosted, PCI, SaaS, scanning, spectraguard online, wireless
A rogue AP is an unauthorized AP connected to the enterprise wired network. It can allow access to the enterprise wired network from its RF spillage outside of the premises. While it is well established in the mainstream that wired-wireless correlation is the only robust technique to detect such rogue APs, there also have been some wireside-only scanning techniques around to detect rogue APs connected to the enterprise wired network. At first sight, wireside-only scanning appears attractive from a cost and deployment perspective as it does not require RF scanners. However, the reality is that wireside-only scanning fails to detect many common types of rogues on the wired network.
Recently, the PCI Security Standards Council Wireless Special Interest Group published guidelines to clarify wireless security requirements in PCI DSS 1.2. While these guidelines clearly require using a wireless analyzer or wireless IDS/IPS, wireside-only scanning is still sometimes touted, albeit incorrectly, as a low-cost alternative to meet PCI compliance. Not only does wireside-only scanning violate PCI DSS 1.2 in letter as it does not use wireless scanners, but it also violates it in spirit as it fails to detect many common types of rogues on the wired network.
To find out more about how wireside-only scanning works and its limitations, please view our technical white paper - Drawbacks of Wireside-only Rogue Detection.

K N Gopinath Compliance, PCI, Wireless security PCI Compliance, Rogue AP Detection, Wireside-only detection
Any organization handling payment card data should pay immediate attention to the PCI DSS Wireless Guideline published by the PCI Security Standards Council Wireless Special Interest Group last week.

Wireless Threats That Can Compromise PCI DSS Compliance
The key highlights are:
Read more…

Kaustubh Phanse Compliance, PCI, Wireless security PCI, PCI DSS, PCI SSC, Rogue AP, WIPS, Wireless security
If you own an enterprise grade local area network (LAN), you need to be aware that wireless (WiFi) based intrusions can potentially be exploited to create security backdoors into your network. This is true even if you have not rolled out your wireless LAN (WLAN) or have rolled out a WLAN that adopts the best-in-breed cryptographic security.
Today, Chief Security Officers (CSOs), Chief Information Officers (CIOs) and network security administrators have different perceptions on the extent of WiFi based intrusions. Hence, they have adopted different solutions to secure their enterprise network from WiFi intrusions.
- At one end of the spectrum, there are users that believe that wired IDS/IPS and Network Access Control (NAC) solutions are adequate to thwart this threat.
- Next, there is a class of users who believe in “moderate security”. They have adopted part-time wireless intrusion detection capabilities in their networks.
- At the other end of the spectrum, there are users that believe in dedicated & specialized wireless intrusion detection and prevention (WIPS) systems to defend against this threat.
Independent of which of the above groups you may belong to, here is my list of 5 intrusion detection questions that you need to worry about. If you don’t agree, I would love to hear your views. Read more…

K N Gopinath Compliance, Wireless security LAN Security, Rogue AP, Wireless Intrusion Detection, Wireless security
About two and a half years after the TJX debacle shook the retail industry, TJX reached a settlement with 41 US states that cost it $9.75 million. This is only part of the cost TJX is paying for ignoring its WiFi security. According to Reuters, the company is said to have set aside a reserve fund of $107 million to cover losses. As a part of the settlement, TJX has agreed to meet “contemporary standards” of data security, which includes upgrading its WiFi security.
This unprecedented security breach and the aftermath have, once again, brought to light the risks from unsecured WiFi networks. The PCI Security Standards Council responded well with new wireless security requirements in version 1.2 of its Data Security Standard (PCI DSS 1.2). The intent is there. Let’s hope that the PCI guidelines get transferred from paper into practice and history does not repeat itself!

Kaustubh Phanse Best practices, Compliance, PCI, Wireless security PCI, TJX breach