
Rogue access point defenses outlined in PCI DSS 11.1. 

By: Gary Glover, SecurityMetrics
The introduction of wireless networks into business environments presents a much easier exploitation path for attackers. Obviously wireless is essential in today’s business commerce, which means security standard organizations had to come up with a wireless security process to keep hackers at bay…without adding complex traffic-restricting protocols.

Enter wireless access point scanning.

In requirement 11.1, the Payment Card Industry Data Security Standard (PCI DSS) requires all merchants to scan their environments quarterly for wireless access points to ensure no unsanctioned wireless points are connected to the network (and the sensitive data within).

There’s really no hard and fast rule to prevent attackers from installing a rogue wireless access point on your network without your knowledge. That’s why regular wireless access point testing is essential to minimize your threat.


Exactly what is a rogue access point?

A rogue access point is a wireless access point installed on a secure network without the knowledge of the system administrator. According to the PCI DSS, “unauthorized wireless devices may be hidden within or attached to a computer or other system component, or be attached directly to a network port or network device, such as a switch or router.”

A rogue access point could be a WLAN card plugged into a server. It could be a mobile device attached to a USB that creates a wireless access point. It could be an unknown wireless router attached to the network.

Because they are installed behind an organization’s firewall, rogue access points can be lethal to security.

Here are three main dangers of a rogue access point:
  • Someone authenticated to it is allowed access into the network (could be good guys or bad guys).
  • It’s not being monitored or managed by the system administrator.
  • It doesn’t follow normal security procedures of other wireless access points on the same network.
How does an attacker actually install the rogue access point? There are numerous ways, but one simple example is through social engineering. If an attacker used social engineering to get past an organization’s physical defenses, plugged a Wi-Fi USB device into an authorized laptop, and bridged the connection to his wireless access point through that laptop’s Internet connection, he’s in.

Hackers vs. your employees... why both are risky

A wireless access point doesn’t necessarily need to be installed by a hacker to be considered rogue. In fact, your own organization’s authorized users could bring the risk of a rogue access point into your environment.

Though employees may not have malicious intent, access points installed or utilized without the permission of the system administrator are considered rogue. Here are some possible situations:
  • Your IT department could misconfigure or accidentally duplicate a wireless network.
  • Employees could bring their own access points to more easily connect mobile devices, iPads, or home laptops to the corporate network.
  • An annoyed staff member sick of slow Wi-Fi may purchase and install a private wireless device on the wired network.
All of these are considered rogue because they aren’t under the same security controls as the rest of the environment’s wireless access points. This means system administrators have zero visibility into the security of that wireless environment. In addition, employees probably won’t enable security settings on their own access points, which makes it even easier for attackers to use that access point to intercept network traffic.

Hackers use rogue access points as a simple way to gain access into business systems to capture sensitive data.

One tricky way hackers use rogue access points is through evil twins (also called Wi-Fi Pineapples). Evil twins are wireless access points configured to look identical to a company’s true secure wireless network. Why? To entice authorized users to connect to the spoofed network.

If the wireless access point looks trusted, with the same network name (the SSID, an identifier of up to 32 characters) and the same MAC address, employee devices may automatically connect to it. If an evil twin is successful, an attacker can easily connect to the user’s laptop to steal authentication credentials and access the network under an authorized name.


5 steps to PCI DSS requirement 11.1 compliance

There are several processes organizations can use to comply with PCI DSS requirement 11.1, but most businesses simply acquire a free or commercial tool to scan their wireless networks. Other possible methods of testing for rogue access points include physical component inspections or wireless intrusion detection systems (IDS).

Wireless scanning technologies work by building an initial database of the access points in the environment, including their IP and MAC addresses. As a scan runs, it identifies the access points it sees, compares them against that master list, and flags any that don’t match. It’s up to the system administrator to manually investigate the scan’s findings and determine whether they are rogue.
Here is a breakdown of the five main stages of the wireless access point scanning process.
Step 1: Discover your wireless devices
It’s difficult to determine which wireless devices to remove if you don’t have an accurate list to begin with. That’s why the PCI Council requires you to “scan all card data environment locations for known WLAN devices and maintain an up-to-date inventory.”

If you’re a small ecommerce provider and all your systems fit into a single rack in your data center, this requirement should be pretty easy. If you’re a widespread organization, it will take a bit more time.

Whether you illustrate wireless access points in a network diagram or simply compose a giant list, you must also document business justification for each wireless access point. If you can’t justify the access point’s existence, you must disable it. If you ever question if an access point is rogue, or what it’s doing in a certain area, you simply consult your business justification list.

This is also a great time to ensure you’ve physically secured your wireless devices so they are not accessible to the general public.

Step 2: Get a scanning tool and correctly configure it
In order to combat rogue WLANs, either use a wireless scanner or wireless intrusion detection/prevention system (IDS/IPS). (The PCI Council recommends large organizations use an IDS/IPS system.)

As you search for the right tool, make sure it’s wireless, not wired. Wired scanning tools are used by many organizations for additional security, but according to the PCI DSS, they have a high false positive rate and will not help you comply with requirement 11.1.

I recommend wireless scanning and IDS technologies like Fluke Networks AirMagnet, Snort (open source), Alert Logic, and Cisco.

Once you decide on your tool, it’s time for configuration. Configuration of a wireless scanning device isn’t overly complex, but it’s important to consider the tool’s log management and alerting functions. You should enable automatic alerts and a containment mechanism to eliminate rogue wireless points.

Step 3: Decide where to scan, and then scan your environment
Since a rogue device can potentially show up in any part of your environment, it’s important you pay attention to where you’re scanning. According to the PCI DSS, “locations that store, process or transmit cardholder data [must either be] scanned regularly or [a] wireless IDS/IPS [must be] implemented in those locations.”

This is where a network map or card data flow diagram comes into play. (You should already have one of these diagrams documented, as per PCI DSS requirement 1.1.3). It will show you how card data moves within your environment and help you analyze exactly which portions you should scan based on the locations that store, process, or transmit cardholder data.

Step 4: Remediate any found rogue access points
Not every alert your scan identifies is necessarily rogue. Your scan may have found false positives. Sometimes a scanner will identify an access point as rogue when a server automatically assigns an IP address to a new, legitimate employee laptop. Documentation is crucial to determine whether a flagged device is a false positive or something to investigate further.

However, if your scan did find a legitimate rogue wireless access point, “companies should immediately remediate the rogue threat in accordance with PCI DSS requirement 12.9 and rescan the environment at the earliest possible opportunity.”

If you end up finding rogue access points set up by your own employees, this is a good time to write, or start enforcing, a policy that restricts unauthorized access points and spells out the consequences of installing one.

Step 5: Maintain a regular scan schedule
If there’s anything we know about attackers, it’s that they’re constantly chipping away at our walls. Don’t ever think you’re safe because you’re ‘too small’ for a hacker to care about. Hackers want data, and if they find a weakness that allows them to install a rogue access point, they’ll do it. That’s why compliance is never a point in time. It’s a process.

The PCI DSS states all organizations must scan for rogue wireless access points quarterly. However, don’t let that requirement scare you from scanning more often. The higher your scan frequency, the timelier your results.
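The comparison a wireless scanner performs (building a master list, then flagging anything that doesn’t match it) and the inventory-with-justification from Step 1 can be shown in a few lines. The following is an added example, not SecurityMetrics’ or any scanning vendor’s code; the inventory rows, CDE locations, MAC addresses and scan results are constructed, and the verdict names are my own. It goes slightly beyond the text by also separating the evil-twin pattern (a known SSID on an unknown radio) from an unknown rogue and a misconfigured corporate AP, and by prioritising findings inside cardholder data locations as Step 3 suggests.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    bssid: str      # MAC address of the radio, as heard on the air
    ssid: str       # network name the radio is broadcasting
    location: str   # where the sensor was when it heard this AP


# Constructed Step 1 inventory: one row per authorized AP, keyed by
# lowercase MAC address, each with its business justification.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": {"ssid": "CORP-POS", "justification": "POS terminal WLAN"},
    "aa:bb:cc:00:00:02": {"ssid": "CORP-GUEST", "justification": "segregated guest network"},
}
# Constructed Step 3 list: locations that store, process or transmit card data.
CDE_LOCATIONS = {"store-12", "hq-datacenter"}


def classify(ap):
    """Return a verdict for one observed access point."""
    entry = AUTHORIZED.get(ap.bssid.lower())
    if entry is not None:
        # Known radio. A different SSID means someone reconfigured it,
        # which the inventory did not authorise, so it still needs review.
        return "authorized" if entry["ssid"] == ap.ssid else "misconfigured"
    if ap.ssid in {e["ssid"] for e in AUTHORIZED.values()}:
        # Our network name on a radio we do not own: the evil twin pattern.
        return "evil-twin-candidate"
    return "unknown-rogue-candidate"


def run_scan(observed):
    """Flag every observed AP that does not match the master list.

    Findings heard inside a CDE location are marked for immediate
    remediation (Step 4); everything else still goes to the admin for review.
    """
    findings = []
    for ap in observed:
        verdict = classify(ap)
        if verdict == "authorized":
            continue
        priority = "immediate" if ap.location in CDE_LOCATIONS else "review"
        findings.append({"bssid": ap.bssid, "ssid": ap.ssid,
                         "location": ap.location, "verdict": verdict,
                         "priority": priority})
    return findings


# Constructed scan results: a legitimate AP, an evil twin in a store,
# an employee router in an office, and a relabelled corporate guest AP.
SAMPLE_SCAN = [
    ObservedAP("AA:BB:CC:00:00:01", "CORP-POS", "store-12"),
    ObservedAP("de:ad:be:ef:00:01", "CORP-POS", "store-12"),
    ObservedAP("de:ad:be:ef:00:02", "NETGEAR-5G", "hq-office-3"),
    ObservedAP("aa:bb:cc:00:00:02", "CORP-GUEST-TEST", "hq-lobby"),
]
```

Calling `run_scan(SAMPLE_SCAN)` returns three findings; the store evil twin comes back with priority "immediate" because its location is in the CDE set, while the office router and the relabelled guest AP come back as "review".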

Cut out rogue access points to protect cardholder data

A rogue access point leaves your network and its sensitive data susceptible to any attacker within wireless range. As the abundance of online evil twin tutorials and fake Wi-Fi hotspots shows, hackers are still using rogue access points to attack both business and personal networks.

Today’s hackers make an extra effort to conceal their activities, which means rogue wireless access point detection could get a lot trickier in the future. For now, it’s important to scan quarterly, ensure you’re scanning the correct locations within your environment, and have a game plan for any found rogue access points.

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.
