By Jason McWhirr, Information Security Consultant
The likelihood that your customers will experience a data breach at some stage is unfortunately now a fact of life. It is not a question of if it will happen, but of when.
In the previous article, Ransomware – Did you update your incident response plan? we discussed how ransomware can cause serious challenges, especially if a business has not got an incident response plan in place.
In this article we discuss why it’s important to ensure that there are no unauthorised wireless access points within a security conscious organisation. We recommend the steps your customers should take to ensure that they are secure and compliant with all applicable PCI DSS requirements.
What is an unauthorised or ‘rogue’ access point and why is it an issue to an organisation’s security?
Wireless access points are devices connected to an organisation’s computer network that allow wireless devices, such as employee laptops, to be able to join the network without the use of a restricting physical network cable. For many companies wireless networking is the default and a great way to give mobile employees access to core organisational resources.
However, a major drawback of wireless networks is that they are more susceptible to attack as they are generally openly visible and available for connection 24/7 to anyone internal or external to the organisation, just like a website on the Internet.
Protection measures are required to keep these systems up-to-date, to protect them from unauthorised access, to secure information sent over the wireless networks and to alert when incidents occur.
Unauthorised or ‘rogue’ wireless access points can be installed by external malicious attackers or by well-meaning employees, and either way they can bypass all the security and defences within an organisation, so it is important to implement processes to try and prevent this scenario.
Employees have been known to add their own access points to enable the use of wireless in an area where it is not provided. This may be because the employee does not know to engage with their IT department, or is deliberately bypassing it and its security-focussed policies and procedures. It may also be because the organisation does not have sufficient control of its network.
Malicious external attackers will try to attack an organisation in the same way by adding a wireless access point to an unprotected internal network jack, which gives them the access they need to then attempt to hack the company’s systems from the company’s own premises or car park – unbeknown to the organisation.
The 2013 KVM bank hacks showed that attackers don’t just target publicly accessible network jacks; they may use social engineering techniques to gain physical access that allows them to plant their wireless devices in more sensitive areas of the organisation.
PCI DSS requires that the cardholder data environment (CDE), the place where cardholder data is stored, processed, and transmitted, is protected from unknown ‘rogue’ wireless access points and that all authorised wireless access points are installed correctly in a secure configuration. This may be a PCI DSS requirement but it is also good IT security practice.
For all authorised wireless access points connected to the CDE there are PCI DSS requirements intended to ensure all access points have a standardised and secure configuration. These requirements include:
- Perimeter firewalls must be installed between all wireless networks and the organisation’s CDE – PCI DSS requirement 1.2.3.
- Vendor defaults must be changed at installation (usernames, passwords, encryption keys, etc.) – PCI DSS requirement 2.1.1.
- Strong cryptography must be used for authentication and encryption – PCI DSS requirement 4.1 & 4.1.1.
- Wireless access points must be protected from tampering by restricting physical access to them – PCI DSS requirement 9.1.3.
Any unauthorised wireless access points are unlikely to meet many or all the above requirements and could present a major security risk to an organisation.
Testing for wireless access points
PCI DSS requirement 11.1 requires organisations to perform a quarterly test for the presence of authorised and unauthorised wireless access points; however, this should very much be treated as a minimum security requirement – especially for organisations with large, remote, or diverse wireless networks.
Testing, scanning or physically inspecting to identify unauthorised wireless access points can be a manual function depending on the network size and functionality of the wireless network solution; however this requirement is generally met by using an automated system.
Some wireless network solutions have built-in testing functions which will automatically alert an administrator if unauthorised access points are discovered. For organisations without this functionality, Wireless Intrusion Prevention Systems (WIPS) or Wireless Intrusion Detection Systems (WIDS) are dedicated systems which provide periodic wireless access point testing and alerting.
These actions should help to fulfil the PCI DSS testing requirement. They must be supported by processes to ensure the organisation keeps an inventory of their authorised wireless access points – PCI DSS requirement 11.1.1.
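As an added example (not code from the original article or from Sysnet), the script below shows the reconciliation that both the configuration requirements listed earlier and the quarterly 11.1 test rely on: a wireless scan is compared against the authorised access point inventory that requirement 11.1.1 asks for, and every observed BSSID is classified as authorised, misconfigured (an authorised AP no longer in its expected security mode), an unknown radio advertising a corporate SSID, an on-premises rogue candidate, or a neighbouring network. The inventory, the BSSIDs, the tab-separated scan format and the signal threshold are all constructed assumptions for illustration; a real deployment would feed it the export of whatever scanner or WIDS the organisation uses.

```python
"""Rogue wireless access point detection against an authorised inventory.

Added example, not part of the original article. All BSSIDs, SSIDs, the scan
format and the signal threshold are constructed for illustration.
"""
from dataclasses import dataclass

# Authorised inventory (constructed), keyed by BSSID (radio MAC) rather than
# SSID, because anyone can copy an SSID name. The expected security mode is
# recorded so that an authorised AP that has been reset or downgraded is flagged.
AUTHORISED_APS = {
    "00:11:22:33:44:01": {"ssid": "CorpWiFi", "location": "Floor 1", "security": "WPA2-Enterprise"},
    "00:11:22:33:44:02": {"ssid": "CorpWiFi", "location": "Floor 2", "security": "WPA2-Enterprise"},
    "00:11:22:33:44:03": {"ssid": "Guest", "location": "Lobby", "security": "WPA2-PSK"},
}

# Constructed scan export: one observed BSSID per line,
# "bssid<TAB>ssid<TAB>channel<TAB>signal_dbm<TAB>security".
SAMPLE_SCAN = """\
00:11:22:33:44:01\tCorpWiFi\t6\t-45\tWPA2-Enterprise
00:11:22:33:44:02\tCorpWiFi\t11\t-60\tWPA2-Enterprise
aa:bb:cc:dd:ee:01\tCorpWiFi\t1\t-52\tWPA2-PSK
aa:bb:cc:dd:ee:02\tHP-Print-Setup\t6\t-70\tOPEN
00:11:22:33:44:03\tGuest\t1\t-55\tOPEN
de:ad:be:ef:00:01\tNeighbourCafe\t11\t-88\tWPA2-PSK
"""

CATEGORIES = ("authorised", "misconfigured", "ssid_spoof", "rogue_candidate", "neighbouring")


@dataclass
class Observation:
    bssid: str
    ssid: str
    channel: int
    signal_dbm: int
    security: str


def parse_scan(text):
    """Parse the constructed tab-separated scan format into Observation records."""
    observations = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            raise ValueError(f"malformed scan line: {line!r}")
        bssid, ssid, channel, signal, security = fields
        observations.append(Observation(bssid.lower(), ssid, int(channel), int(signal), security))
    return observations


def classify(obs, inventory, on_premises_threshold_dbm=-75):
    """Return (category, reason) for one observed BSSID."""
    known = inventory.get(obs.bssid)
    if known is not None:
        if known["security"] != obs.security:
            return "misconfigured", f"expected {known['security']}, observed {obs.security}"
        return "authorised", known["location"]
    authorised_ssids = {ap["ssid"] for ap in inventory.values()}
    if obs.ssid in authorised_ssids:
        return "ssid_spoof", "unknown BSSID advertising an authorised SSID"
    # Signal strength is only a heuristic for "on our premises"; the threshold
    # is an assumed value and must be tuned per site.
    if obs.signal_dbm >= on_premises_threshold_dbm:
        return "rogue_candidate", f"strong signal ({obs.signal_dbm} dBm), likely on premises"
    return "neighbouring", f"weak signal ({obs.signal_dbm} dBm), probably outside the premises"


def reconcile(scan_text, inventory, on_premises_threshold_dbm=-75):
    """Group observed BSSIDs by category; also list inventory APs not seen at all."""
    results = {category: [] for category in CATEGORIES}
    seen = set()
    for obs in parse_scan(scan_text):
        category, _ = classify(obs, inventory, on_premises_threshold_dbm)
        results[category].append(obs.bssid)
        seen.add(obs.bssid)
    # An authorised AP absent from the scan may be powered off, moved or
    # stolen, so it is worth a follow-up even though it is not a rogue.
    results["missing"] = [bssid for bssid in inventory if bssid not in seen]
    return results


def incident_lines(scan_text, inventory):
    """Lines for the security incident record, one per finding needing a response."""
    lines = []
    for obs in parse_scan(scan_text):
        category, reason = classify(obs, inventory)
        if category in ("misconfigured", "ssid_spoof", "rogue_candidate"):
            lines.append(f"{category}: {obs.bssid} ssid={obs.ssid!r} ch={obs.channel} {reason}")
    return lines


if __name__ == "__main__":
    for line in incident_lines(SAMPLE_SCAN, AUTHORISED_APS):
        print(line)
```

A wireless scan alone cannot tell whether a detected radio is actually plugged into the wired network, so a rogue candidate still needs the physical investigation step described in the response procedure below; switch port lookups or a WIDS that correlates wired and wireless MAC addresses close that gap. Keying the inventory by BSSID and recording the expected security mode is what lets the same run catch the reset Guest AP and the unknown radio copying the corporate SSID, neither of which an SSID-only comparison would report.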
Alerting and response
If unauthorised wireless access points are detected, or reported by staff, this must be reported as a security incident following the organisation’s incident response plan. Procedures must be defined so that the organisation’s security incident response team know what to do when an unauthorised wireless access point is detected. This is a requirement under PCI DSS – requirement 11.1.2.
The security incident response team should then take the following steps:
- Investigate – Identify the location of the unauthorised wireless access point/device
- Establish – Is the unauthorised wireless access point being used for legitimate business purposes?
- If a legitimate business need is identified, retrospective management approval must be sought and the proper PCI DSS controls implemented to ensure the secure configuration and use of the wireless access point (e.g. change default passwords and settings, enable strong authentication and encryption, etc.). Network segmentation may be required (PCI DSS requirement 1.2.3).
- Locate – Any unauthorised wireless access points/devices must be shut down and removed.
- Document – Update the security incident report with the specific response actions that were taken.
- Review – consider how the incident occurred and how to avoid a similar incident in the future. This may require updates to policies, procedures or training and awareness.
Traditionally the correct response in relation to the discovery of unauthorised wireless access points/devices would have been to switch them off and remove them. As we have shown above, an unauthorised wireless network may not be linked to malicious intent, it may be meeting a business need but have bypassed the proper procedures for authorisation and installation.
The updated PCI DSS v3.2 standard introduced the new requirement 6.4.6 and expanded the scope of requirement 6.4.5 to ensure that all organisations consider how they control all types of changes to their network and systems, maintain compliance by implementing applicable PCI DSS requirements when changes are made, and therefore don’t end up discovering unauthorised insecure wireless devices/networks that business units took upon themselves to introduce.
Usage policies (PCI DSS requirement 12.3) in particular should be used to educate employees in the correct usage and implementation of technology, to try and prevent unauthorised wireless access points (and other technologies) being installed incorrectly and without approval.
Sysnet has extensive experience in compliance and security. Our passion for pragmatic and innovative solutions when it comes to addressing cybersecurity allows us to be the thought leaders in the market when it comes to multi-layered and complicated challenges related to security. For further information email firstname.lastname@example.org or request a call back.