This has possibly been the hardest post yet to write, mainly because I am at a loss for answers. There just do not seem to be many solutions out there that address real wireless attacks. So, I have done my best to come up with some thoughts on how to conduct a wireless assessment that will provide some reasonable level of assurance that your network is not compromised. Note that I said ‘reasonable’, because I do not think there is a way to get absolute assurance that your network cannot be compromised when wireless is involved.
- Document the business reasons for implementing a wireless network. Just because you can, does not always mean you should. In a significant number of situations, you will find that the only reason for implementing wireless is just for the convenience it offers. Does your organization really need wireless ‘guns’ that update inventory in real time or can you use guns that record inventory and then upload it in batch when the ‘gun’ is placed in a cradle? In most situations, the cradle works just as well as the wireless solution. That is not to say that there are not situations that warrant a wireless solution. I have a number of clients that use wireless terminals and handhelds in innovative ways to improve customer service. However, until there is a real business purpose with a real return on investment, do what you can to push back and not implement wireless. But be advised, since some vendors are now only producing wireless solutions, finding a hard wired alternative may not be possible.
- Architect your wireless network to be secure from the start. There are ways to do this that are not as onerous as you might think. Primarily, it needs to be isolated from the rest of your network. The reason is that no matter what security you implement, wireless uses the public airwaves to transmit, the key word being ‘public’. On a public network, attackers can eavesdrop on your wireless whenever they want, they can and will attempt to crack your security all they want, and there is nothing you can do to stop them. Once your wireless network is isolated, treat it as the public network it is and implement firewalls, IDS/IPS and any other security measures on the wireless network segment. Make sure that you create a consistent configuration across all of your access points so that you minimize the potential for introducing a mistake at any one of them. One of the best methods is to use a centralized, managed wireless solution rather than individually configured access points.
- The PCI SSC needs to change requirement 11.1 to address the realities of the real world. First, I question the usefulness of wireless scanning in the first place and would highly recommend that it be dropped. But assuming it is here to stay, for all but the very smallest of merchants, scanning with a wireless analyzer quarterly is a pipe dream. I would recommend that quarterly testing be required only where it is possible. For all other merchants that wish to perform wireless testing with an analyzer, I would recommend that requirement 11.1 suggest a sampling approach that ensures every facility is tested when significant network changes are implemented at that facility, or at least once every three to four years. Let us face facts: there is no way Best Buy, Wal*Mart or Target are going to test their hundreds or thousands of stores on a quarterly basis. It is just physically impossible. They do not even conduct individual store financial audits that often, so who thought they would get wireless scans done that often? Next, the PCI SSC has to provide in requirement 11.1 some alternative solutions besides an IDS/IPS on the wireless network segment. Based on my experience, almost all of my clients that use wireless are writing a compensating control to satisfy requirement 11.1. It seems to me that if the majority of organizations with wireless need a compensating control to meet the requirement, the requirement itself is the problem, and the PCI SSC needs to rewrite it so that the majority of organizations can satisfy it without one.
- If your organization has decided to use wireless scanning with an analyzer, admit that wireless scanning requires technical expertise that your organization likely does not have. This is a perfect project for a qualified network security consultant to perform. The costs for such projects are easy to control, as they are driven by the location and number of facilities you need scanned. If your facilities are widely scattered, you may want to go with a consulting firm that better covers your locations so that you can minimize travel costs. You can also control costs by using a consistent configuration for your wireless; that way you can scan a sample of facilities rather than every facility. However, since building construction usually varies from location to location, a sample only tells you about the sites it covers, so you may still need to make sure that every facility is scanned within a one- or two-year period.
- Don’t be buffaloed by a consultant’s certifications. Customers are usually baffled by all the letters following a consultant’s name (even I have a boatload of letters after my name). While certifications are good, it is a consultant’s practical experience with security and wireless that counts. Nine times out of ten, the consultant that meets with you will not be the one that does the work. So, make sure that you and someone from your technical staff review the biographies of the consultants who will actually work on your project, and that you personally talk to them either face-to-face or by phone. Ask them about the wireless assessment engagements they have done. Have them describe the process and make sure that it matches the process the salesperson described. Ask them about the typical findings that result from such projects and make sure that they can explain their findings to both technical and non-technical personnel. And of course, make sure that you are not buying the flawed process that I discussed earlier.
- Don’t buy supposedly sophisticated-looking tools. Regardless of whether you are doing it yourself or getting a consultant to assist, don’t buy based on tools. A lot of people do good work with NetStumbler or Kismet and the right wireless card. Some commercial tools are just expensive solutions using the same techniques as the person with free tools. So when evaluating wireless security solutions, ask the vendor tough questions about how their solution discovers rogue access points, and get them to address my earlier points on why wireless scanning is flawed. In most situations, you will find that these vendors are offering a solution no better than the one you can get for free. When talking to consultants, be wary of the consultant that talks about their tools and does not talk much about their process. Consultants that talk ad nauseam about their tools typically do not have the experience to deliver the results that you desire. They are typically going to be no better than anyone else with a scanner.
- Get a good understanding of the consultant’s process. Ask the consultant to describe their wireless security assessment process. Experienced consultants will have a number of service offerings in this area from basic scanning (essentially what I describe earlier but with a much more robust analysis of the results) to a full out wireless assessment that can resemble something out of a good spy movie. Obviously, the more sophisticated it gets, the higher the cost. However, for some clientele such as DoD contractors and the like, a very detailed and sophisticated analysis of all things wireless is what they require in order to satisfy contractual requirements. For most merchants, what they need is something towards the lower end of the cost scale that will provide them with a reasonable assurance that their network is secure. For most processors, their wireless assessment will likely be a bit more robust than a merchant’s because of the added risk they have due to the data they retain.
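To make the “consistent configuration” point and the “how does it find rogue access points” question concrete, here is an added example of the comparison any scanning tool, free or expensive, boils down to: take what the analyzer heard, compare it to an inventory of authorized access points and the site standard, and report what is unknown, what is impersonating your SSID, and what is yours but misconfigured. This is not code from the post or from Kismet or NetStumbler; the scan records, the inventory, the `CORP-POS` SSID, the `ON_PREMISES_DBM` threshold and the channel plan are all constructed for illustration, and a real export would have to be parsed into `ScanRecord` first.

```python
"""Point-in-time rogue / misconfigured access-point check.

Added example, not code from the original post or from any vendor tool.
The scan records are constructed to resemble a Kismet- or NetStumbler-style
export (BSSID, SSID, channel, encryption, signal); real exports use other
field names and would be parsed into ScanRecord first.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRecord:
    bssid: str
    ssid: str
    channel: int
    encryption: str      # "WPA2", "WEP", "OPEN", ...
    signal_dbm: int      # received signal strength at the analyser


# Hypothetical site standard (the "consistent configuration" the post
# recommends): one corporate SSID, WPA2 everywhere, a fixed channel plan.
AUTHORIZED_BSSIDS = {
    "00:11:22:33:44:01": {"ssid": "CORP-POS", "channel": 1},
    "00:11:22:33:44:06": {"ssid": "CORP-POS", "channel": 6},
    "00:11:22:33:44:0b": {"ssid": "CORP-POS", "channel": 11},
}
STANDARD = {"encryption": "WPA2", "ssids": {"CORP-POS"}}
ON_PREMISES_DBM = -75   # assumed: stronger than this is probably inside the building


def normalize_bssid(bssid):
    return bssid.strip().lower()


def classify(rec, authorized=AUTHORIZED_BSSIDS, standard=STANDARD):
    """Return findings for one scan record; an empty list means it matches the standard."""
    findings = []
    expected = authorized.get(normalize_bssid(rec.bssid))
    if expected is None:
        if rec.ssid in standard["ssids"]:
            # Unknown radio advertising our SSID: the classic evil-twin pattern.
            findings.append("rogue-ap: unknown BSSID advertising corporate SSID")
        elif rec.signal_dbm > ON_PREMISES_DBM:
            findings.append("unknown-ap: strong signal, probably on premises; locate and verify")
        else:
            findings.append("unknown-ap: weak signal, probably a neighbour; note and move on")
        return findings  # do not grade the configuration of someone else's AP
    if rec.ssid != expected["ssid"]:
        findings.append(f"misconfig: SSID {rec.ssid!r}, expected {expected['ssid']!r}")
    if rec.channel != expected["channel"]:
        findings.append(f"misconfig: channel {rec.channel}, expected {expected['channel']}")
    if rec.encryption.upper() != standard["encryption"]:
        findings.append(f"misconfig: encryption {rec.encryption}, expected {standard['encryption']}")
    return findings


def assess(records, authorized=AUTHORIZED_BSSIDS, standard=STANDARD):
    """Return (findings keyed by BSSID, set of authorized BSSIDs not heard)."""
    findings_by_bssid = {}
    heard = set()
    for rec in records:
        bssid = normalize_bssid(rec.bssid)
        heard.add(bssid)
        found = classify(rec, authorized, standard)
        if found:
            findings_by_bssid.setdefault(bssid, []).extend(found)
    # A scan is a snapshot. An authorised AP that was not heard may be off,
    # out of range of where the analyser walked, or behind construction the
    # signal does not cross. It is a follow-up item, not proof of absence.
    not_heard = set(authorized) - heard
    return findings_by_bssid, not_heard


# Constructed sample scan for one store (not real data).
SAMPLE_SCAN = [
    ScanRecord("00:11:22:33:44:01", "CORP-POS", 1, "WPA2", -48),   # fine
    ScanRecord("00:11:22:33:44:06", "CORP-POS", 6, "OPEN", -55),   # reset to defaults?
    ScanRecord("AA:BB:CC:DD:EE:FF", "CORP-POS", 6, "WPA2", -62),   # evil twin
    ScanRecord("de:ad:be:ef:00:01", "linksys", 11, "WEP", -88),    # next door
    ScanRecord("de:ad:be:ef:00:02", "FreeWiFi", 3, "OPEN", -60),   # strong unknown
]

if __name__ == "__main__":
    findings, not_heard = assess(SAMPLE_SCAN)
    for bssid, items in sorted(findings.items()):
        for item in items:
            print(f"{bssid}  {item}")
    for bssid in sorted(not_heard):
        print(f"{bssid}  not-heard: authorised AP absent from this scan")
```

Two things worth noticing. The check is only as good as the inventory: if nobody maintains the authorized list, every AP becomes “unknown” and the report is noise, which is the practical reason a centrally managed wireless solution makes scanning tractable at all. And the `not_heard` set is the honest part of the output; an analyzer walked through a building once tells you what was on the air at that moment and in that spot, nothing more, which is exactly why the post treats scanning as a weak control.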
I have taken up a lot of bandwidth on this topic, possibly too much. However, I think you start to see that wireless is not as simple a technology to secure as some of the security standards portray. Wireless is not a technology that you just “add on” when you need it. In the end, the most critical aspect to wireless is that it requires significant forethought before being added to a network.