I’m probably going to really stir the pot with this and my coming posts, but I think this is an important subject to discuss. I don’t have all the answers on this topic, but I know that the current approaches I see out there are just not providing the level of security that I think is needed. So, to paraphrase Bette Davis from ‘All About Eve’, “Fasten your seat belts. It’s going to be a bumpy post.”
PCI DSS requirement 11.1 states:
“Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use.”
The requirement gives you two options: use some sort of wireless analyzer, or implement a wireless IDS/IPS solution. Of course, there is also the third option of meeting this requirement with a compensating control. In this post, I will discuss the shortcomings of the wireless analyzer approach.
A lot of my clients taking the wireless analyzer approach typically have someone (usually an internal auditor or IT support person) go out to as many of their facilities as possible with a notebook computer, a wireless network card or the notebook’s built-in wireless adapter, and a shareware tool like NetStumbler or Kismet. This person then walks the interior of the facility and the exterior perimeter of the facility using the tool to record what wireless is discovered, saving the results to a file. A pretty straightforward process – quick, easy, done.
While this process meets the PCI compliance requirements, it certainly does not ensure security or that there are not unauthorized wireless devices on the network. This is because in most instances the results are not analyzed to ensure that only authorized wireless was discovered. However, even if an organization were to analyze the results produced from NetStumbler or Kismet, they would be hard pressed to draw any conclusions from those results since you really have to analyze them in real-time, not after the fact.
Besides the fact that results are not analyzed, I seriously doubt most of my clients have the technical expertise to even conduct an informed analysis of the output of a wireless scanner like NetStumbler or Kismet. And, to add insult to injury, the test for 11.1.a states, “Verify that a wireless analyzer is used at least quarterly …” Nowhere does the PCI DSS state that you must analyze the results of the analyzer; you just need to use a wireless analyzer quarterly. The end result is that most people, even those in the information security profession, and the organization’s management believe that this is sufficient to ensure the security of their networks. In my opinion, this is a VERY false sense of security.
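To make concrete the comparison step that, as described above, is usually skipped, here is an added example that is not from the original post or from either tool: it reads a constructed Kismet/NetStumbler-style CSV export and checks every discovered BSSID against a hypothetical authorized-AP inventory, flagging unknown radios that advertise one of our SSIDs (or no SSID at all) separately from ordinary neighbors.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a scanner export (all values made up for this example).
# Columns: bssid, ssid, channel, encryption, max signal in dBm
SCAN_CSV = """bssid,ssid,channel,encryption,signal
00:11:22:33:44:01,STORE-CORP,6,WPA2,-48
00:11:22:33:44:02,STORE-CORP,11,WPA2,-55
00:11:22:33:44:03,STORE-GUEST,1,WPA2,-60
de:ad:be:ef:00:01,STORE-CORP,6,WPA2,-71
de:ad:be:ef:00:02,,11,NONE,-80
aa:bb:cc:dd:ee:ff,Neighbor-Cafe,1,WPA2,-85
"""

# Hypothetical authorized inventory: BSSID -> the SSID that radio should advertise.
AUTHORIZED = {
    "00:11:22:33:44:01": "STORE-CORP",
    "00:11:22:33:44:02": "STORE-CORP",
    "00:11:22:33:44:03": "STORE-GUEST",
}


def parse_scan(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(rows, authorized):
    """Bucket each discovered BSSID: ok, misconfigured, rogue_suspect or unknown."""
    our_ssids = set(authorized.values())
    report = defaultdict(list)
    for row in rows:
        bssid = row["bssid"].strip().lower()
        ssid = row["ssid"].strip()
        if bssid in authorized:
            if ssid == authorized[bssid]:
                report["ok"].append(bssid)
            else:
                # Known radio, but not advertising the SSID we expect of it.
                report["misconfigured"].append(bssid)
        elif ssid in our_ssids or ssid == "":
            # Unknown radio using one of our names, or hiding its name: review first.
            report["rogue_suspect"].append(bssid)
        else:
            # Unknown radio with an unrelated SSID, e.g. a neighboring business.
            report["unknown"].append(bssid)
    return dict(report)
```

Anything in rogue_suspect or misconfigured is what the walk-through was supposed to surface; without this diff against an inventory, the saved file answers nothing.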
So, what do I see as the shortcomings of just scanning with a notebook, NetStumbler/Kismet, etc.?
- The majority of wireless scanning is done using an omni-directional antenna. Most wireless cards use built-in antennas, and those antennas are omni-directional, meaning that they can receive their signals from any direction. Many of the external antennas are omni-directional as well. The problem is that an omni-directional antenna does not provide the best method of locating potential rogue access points, since it is difficult to determine the location of an access point based on the direction of its signal. It takes a significant amount of walking around and detailed monitoring of signal strength to get a fix on a given access point. It’s not that it cannot be done; it’s potentially a lot of work, which makes it difficult for all but the most experienced operators of wireless scanners. As a result, it can take a significant amount of time to locate all of the wireless access points in a facility and prove that they are all valid.
- This wireless scanning approach assumes the attacker wants to be found or is unaware of wireless security techniques. One of the things that fascinates me about wireless scanning is that it assumes that someone wants the access point to be found. A smart attacker would configure their rogue access point so that it is electronically ‘hidden’ on your network (I’m being purposely vague here to avoid giving away the entire store, but be assured this can be accomplished). It’s not that an AP configured this way cannot be found, but finding it will be extremely difficult using the basic scanning techniques I’m talking about. As a result, with the right attacker, you will be compromised until you take your approach to a higher level.
- If you identify a rogue access point, then what? Obviously, you want to remove it from your network as soon as possible. However, most retailers I work with would be hard pressed to get this done as quickly as they would like because of a lack of qualified personnel in the field who can locate the rogue unit and then remove it. As I stated earlier, it will be difficult to find a properly configured rogue access point, so the likelihood that you will even identify such a device is low.
- Then there is the whole problem of what happens if you were hit once: what will stop the attacker from coming back? With access points on eBay and the like going for as little as $5 including shipping, it’s highly likely that if you find an attacker’s access point, they can absorb the loss and quickly replace it.
I’ve taken enough of everyone’s time explaining where I think the wireless analyzer approach falls short. Coming next are my thoughts on the wireless IDS/IPS approach.