Every now and then we run into network administrators and CSOs that brag about how their organization is not vulnerable to wireless security threats, only to see their rash confidence fizzle out once the results from a wireless vulnerability assessment or penetration test are out.
Today, most are aware that Open WiFi on enterprise network is foolish and using WEP encryption is a bad idea and that WPA2/802.1x is the way to go. Then where do they go wrong?
Much has been said about using ‘Best Practices’ alone to secure enterprise WiFi, including no-WiFi policy. However, as security experts will vouch, most breaches happen because of naive insiders.
Imagine such a person as your employee and ask yourself the following questions.
Can you expect all your employees to follow the prescribed WiFi best practices?
Can you be confident that such a person will not connect to a neighboring hotspot, just because his or her desk has spotty WiFi coverage?
Can you be certain that such a person will not bring in a ‘Linksys’ as advised by the radio host; and plug it into the ethernet under the desk and create a Rogue AP?
Can you be certain that this person will not connect to both the WiFi and Ethernet at the same time while connected to the hotspot?
If these questions are hard to answer, you must consider Wireless Intrusion Prevention System!
Just how vulnerable are home WiFi networks? With the abundance of news stories about data privacy, hacking attacks, malware, phishing schemes, retail credit card breaches and the like, I am surprised to see such a large number of home users are still either unconcerned or unaware about securing their data. This video from Fox News, Washington DC shows that weak Wi-Fi security is still all too common in many home Wi-Fi networks.
AirTight Networks security analyst Rick Farina is featured showing how just easy it is for a hacker to find unsecured Wi-Fi in a residential neighborhood. Unfortunately, one thing that gets overlooked in these stories is just how often these same home Wi-Fi devices will show up in the corporate networks, unknowingly providing unecumbered access to sensitive data.
It seems that WLAN management and security are finally moving to the cloud. See the recent announcements by Aeohive (October 27) and Aruba Networks(October 29).
Enterprises, namely SMBs, now have multiple options and price points for managing their wireless networks. We saw this trend about 18 months ago when AirTight decided to release a SaaS verion of our wireless IPS, SpectraGuard Online.
With the introduction of these new offerings, it will be interesting to see if the ASV’s begin to offer wireless vulnerability scanning. They already offer cloud based vulnerability scanning services for the wired network, why not wireless??
One critical requirement from wireless intrusion prevention system (WIPS) is that it should offer robust protection against rogue wireless access points. The protection should entail instant detection followed by automatic blocking (prevention). Rogue AP detection should be free from false alarms – both on positive and negative sides.
Rogue AP means unauthorized AP wired to (connected to) monitored enterprise network. In other words, rogue AP satisfies two conditions: i) It is not on the authorized AP list, AND ii) it is wired to the monitored enterprise network.
The first of the above two conditions is easy to test, just compare BSSID of detected AP with your managed AP BSSID list. The second condition is where things start to become interesting. Accurately and reliably detecting if every AP seen in air is wired or not wired to the monitored enterprise network requires technological sophistication. Based on the level of sophistication, three types of rogue AP detection workflows are prevalent in wireless intrusion prevention system (WIPS) solutions available in the market. Read more…
Security experts warn Wi-Fi users to be more vigilant against hackers
Experts say it’s difficult to distinguish between legitimate and rogue networks
Wi-Fi Alliance says spread of Wi-Fi hasn’t led to an ‘epidemic’ of hacking
Users urged to protect their networks, use VPN for sensitive data
LONDON, England (CNN) — You’re sitting in an airport lounge and seize the chance to check your e-mails before your flight departs. You log on and are tempted by a wireless Internet provider offering free Internet access. So, do you take it?
Security experts warn that hackers may be masquerading as free public Wi-Fi providers to gain access to the laptops of unsuspecting travelers. Read more…
What % of WiFi laptop users in your organization are vulnerable to WiFishing attacks? The odds are very high that you don’t have an exact answer.
WiFish Finder is a tool for assessing whether WiFi devices active in the air are vulnerable to ‘Wi-Fishing’ attacks. Assessment is performed through a combination of passive traffic sniffing and active probing techniques. Most WiFi clients keep a memory of networks (SSIDs) they have connected to in the past. Wi-Fish Finder first builds a list of probed networks and then using a set of clever techniques also determines security setting of each probed network. A client is a fishing target if it is actively seeking to connect to an OPEN or a WEP network. Clients only willing to connect to WPA or WPA2 networks are not completely safe either!
To find out why – you’r welcome to try out WiFish Finder a vulnerability assessment tool built by Sohail and Prabhash, members of security research team at AirTight Networks. Sohail is presenting WiFish Finder at DefCon 2009 today. Demo version of this tool (Version 1.0) can be downloaded from http://airtightnetworks.com/fileadmin/downloads/WiFishFinder-v0.1.zip
Sohail is also planning to release WiFish Finder Ver 2.0 with speed, usability and feature enhancements (such as PEAP vulnerability detection) upon his return from Las Vegas. To download full featured version of WiFish Finder and for tips on protecting your laptop from Wi-Fishing attacks, visit http://www.airtightnetworks.com/wifishfinder.This URL will be operational in 4-5 days.
What % of WiFi laptop users in your organization are vulnerable to WiFishing attacks? Well, you only have to wait another 4-5 days to find out the answer!
AirTight is presenting a weekly series of Webinars, entitled, “How the PCI Wireless Guidelines Apply to You,” which are aimed at helping organizations understand the wireless scanning requirements of the PCI DSS release this month by the PCI SSC and provide practical information on how to address those requirements to prove compliance. The Webinars will be held each Thursday at 11 A.M. U.S. California time beginiing on July 23, 2009. Those wishing to register for the first of the series may do so by following the link above. After that there will be a document on AirTight’s website which will allow you to choose a convenient date for yourself.
In my previous blog post (5 Wireless Intrusion Detection Questions You Need to Worry About), I talked about the key questions that are related to the detection of Wireless (WiFi) based intrusions in your enterprise. Today, let’s turn the focus on to the other important aspect of WiFi security – Intrusion Prevention. Here are the 5 questions you should ask on wireless intrusion prevention in your enterprise. Let me know if your answer to all of these questions is in the affirmative.
Does my wireless security solution provide accurate and automatic prevention? If your solution requires a manual intervention for blocking a detected intrusion, you may be too late. Hence, the key to any intrusion prevention solution is the ability to automatically block the intruder. Although this requirement may seem obvious, it is interesting to note that getting this right is non trivial. For example, a poor implementation can end up blocking your neighbor’s communication - highly undesirable and in certain regions, illegal. Unless your security solution can accurately classify WiFi communication (authorized, unauthorized and don’t care/external), you will not be able to achieve this key functionality.Read more…
Douglas Haider compares the pros and cons of quarterly wireless vulnerability scanning vs. a full time wireless IPS to satisfy PCI DSS compliance requirement 11.1. Douglas writes:
“This requirement begs me to ask which is “better” option?Quarterly manual scans or a wireless IDS/IPS?
Maybe it’s the former IT auditor in me, but I think the best way to meet this requirement is by deploying a wireless IDS/IPS.
I agree, the goal of PCI is securing cardholder data than quarterly scanning can’t be taken seriously. Cost is obviously the biggest issue for merchants with multiple locations. But surely a hosted wireless scanning services with a low monthly fee would be cheaper AND provide round the clock security, wouldn’t it?
