PCI DSS Rogue Wireless Access Point Protection

Incorporating wireless networks into corporate environments gives attackers a much simpler way to infiltrate. Industry-approved encryption (WPA2) will secure a wireless network. But how do you let your customers connect to your secure wireless network? And how do you know whether someone is adding a wireless access point to a network that should not be exposed?

PCI DSS requirement 11.1 mandates that you check your environment quarterly to make sure no unauthorized wireless access points are connected to the cardholder data network and its sensitive data.

There are several ways attackers can install a rogue wireless access point on your network without your knowledge. It is also possible for anyone inside the company to create an unauthorized access point. Therefore, it is essential to test for rogue wireless access points regularly to reduce your exposure.

What is an Unauthorized (Rogue) Access Point?

An unauthorized (rogue) access point is a wireless access point connecting to a secure network without the system administrator’s knowledge. “Unauthorized wireless devices can be hidden within or connected to a computer or other system component, or can be connected directly to a network port or network unit, for example, a switch or router,” says PCI DSS.

The rogue access point can be a small wireless access point connected to an existing firewall or switch or an unused wall outlet. It can be a USB-connected mobile device that provides a wireless access point or even a wireless card connected to a computer.

Rogue access points can be security hazards once they are placed behind an organization’s firewall.

There are three main dangers of an unauthorized access point:

  • Access to the network is granted to an unauthenticated person.
  • The system administrator does not monitor or manage it.
  • Rogue wireless access points on the same network do not follow standard security procedures.

How does an attacker set up a fake access point? There are various ways, but social engineering is a prime example. Using social engineering, an attacker could plug a small wireless access point into an open network port, or plug a Wi-Fi USB adapter into an authorized laptop and share that laptop’s network connection through the wireless access point, circumventing the organization’s physical defenses.

What Should PCI DSS Wi-Fi Protection Look Like?

The wireless access point doesn’t even need to be created by a hacker to be considered rogue. Your organization’s approved users can put your environment at risk from a rogue access point.

See Also: How to Provide Corporate Wireless Network Security?

Access points installed or used without the system administrator’s permission are considered rogue, even if the employees involved have no malicious intent. Here are some possible situations:

  • The IT department may misconfigure a wireless network or duplicate one by mistake.
  • Employees can bring their access points to the corporate network to connect mobile devices, iPads, or home laptops more easily.
  • A frustrated employee complaining of bad corporate Wi-Fi could set up a private wireless system on their wired corporate network.

These are considered rogue because such wireless access points are not subject to the same security controls as the rest of the network. This means that system administrators have zero control over the security of the wireless environment. Besides, employees rarely apply strict security settings on their own access points, making it much easier for attackers to use the access point to intercept network traffic.

Hackers use fake access points as an easy way to gain access to business systems and capture confidential data.

One dangerous way hackers use malicious access points is the evil twin (commonly built with a device such as the Wi-Fi Pineapple). Evil twins are wireless access points designed to look the same as the company’s existing secure wireless network in order to convince users to connect to the fake network.

If the fake wireless access point looks legitimate, with the same wireless network name (the SSID, up to 32 characters) and MAC address, employees’ devices may connect to it automatically. If an evil twin succeeds, the attacker can easily connect to the user’s laptop to steal authentication information and use an authorized identity to access the network.

Five Steps to Compliance with PCI DSS Requirement 11.1

Organizations can use many methods to meet PCI DSS requirement 11.1. However, most businesses use a free or commercial scanning tool. Other possible rogue access point monitoring and detection methods include physical component controls or a wireless intrusion detection system (IDS).

Wireless scanning technologies work by creating a baseline database of authorized access points, including their IP and MAC addresses. When a scan runs, the tool identifies the access points it sees, compares them against that master list, and flags any that do not match it. It is then up to the system administrator to manually analyze the scan results and decide whether the flagged access points are rogue.

Here is an explanation of the five main stages of the wireless access point scanning process:

1. Explore your wireless devices

It is difficult to determine which wireless devices to remove unless you have a specific list to start with. Therefore, the PCI requires you to “check all locations in the data card environment and keep up-to-date inventories for defined wireless access devices.”

This requirement is fairly straightforward if you are a small e-commerce company and all your systems are in one data center in one place; finding unknown hardware will be quick. If you are a large company, it will take a little longer.

Whether you show wireless access points in a network diagram or in a long list, you also need to record each wireless access point’s business justification. If you cannot explain why an access point exists, you should disable it. If you are unsure whether an access point is rogue or what it does in a particular area, check your list of business reasons.

You should also make sure you physically secure your wireless devices so that they are not publicly accessible.

2. Get a scan tool and install it correctly

Use a wireless scanner or a wireless intrusion detection/prevention system (IDS/IPS) to combat rogue wireless networks. The PCI Council recommends that large organizations use an IDS/IPS.

When choosing a tool, make sure it scans the wireless side, not just the wired side. Many organizations use wired-side scanning tools for additional protection, but they have a high false-positive rate and, on their own, will not help you meet PCI DSS requirement 11.1.

Wireless scanning and IDS technologies such as Fluke Networks AirMagnet, Snort (open source), Warn Logic, and Cisco are widely used.

After choosing your tool, it is time to set it up. Configuring a wireless scanning system is not very complicated, but it is crucial to consider the tool’s day-to-day management and alerting functions. You should have automatic alerts and a containment mechanism to remove rogue wireless access points.

3. Decide where you need to scan and then examine your surroundings

Because a rogue system can potentially appear anywhere in your environment, it is essential to choose carefully where you scan. According to PCI DSS, the locations to be scanned periodically are those that store, process, or transmit cardholder data; alternatively, a wireless IDS/IPS can be deployed at those locations.

This is where the network topology diagram or the cardholder data flow diagram comes into play. It shows you how card data flows through your environment, and the locations where cardholder data is stored, processed, or transmitted will tell you which parts to scan.

4. Take precautions against discovered unauthorized access points

Not every alert from your scan is automatically a rogue. Your scan may have produced false positives. For example, when a server automatically assigns an IP address to a new and legitimate employee’s laptop, the scanner can flag it as a rogue access point. The inventory you keep is critical in deciding whether a finding is a false positive or something to investigate further.

However, if your scan detects a genuine rogue wireless access point, you should immediately remediate the threat as required by PCI DSS requirement 12.9 and rescan the area as soon as possible.

If you find that your own staff have set up unauthorized access points, it is a good time to write or enforce a policy that prohibits unauthorized access points and states the consequences of installing them.
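The comparison that a scanning tool performs in step 2 and the triage described in step 4 can be illustrated with a small script. The following Python example is added here for illustration and is not code from the article or from any of the scanning products mentioned; the CSV export format, the inventory fields, and the verdict names are assumptions. It flags unknown radios, singles out unknown radios that advertise one of the company’s own SSIDs (evil-twin candidates), and reports inventory mismatches that usually turn out to be misconfiguration rather than an attack. It also includes a check for the quarterly scan interval from step 5.

```python
"""Rogue access point triage against an authorized inventory (illustrative example).

Assumptions: scan results arrive as CSV with columns bssid,ssid,channel,site
(a constructed format, not any particular scanner's export), and the authorized
inventory from step 1 is a dict keyed by the radio MAC address (BSSID).
"""
import csv
import io
from datetime import date

# Constructed inventory from step 1: every authorized radio with its business reason.
AUTHORIZED_INVENTORY = {
    "00:11:22:aa:bb:01": {"ssid": "CORP-POS", "site": "store-17", "reason": "POS terminals"},
    "00:11:22:aa:bb:02": {"ssid": "CORP-GUEST", "site": "store-17", "reason": "Guest Wi-Fi, isolated VLAN"},
}

# SSIDs the organization broadcasts; an unknown BSSID advertising one of them
# looks like an evil twin and deserves the highest priority.
CORPORATE_SSIDS = {entry["ssid"] for entry in AUTHORIZED_INVENTORY.values()}

# Constructed scan export (step 3): what the wireless scanner saw at the site.
SCAN_EXPORT = """bssid,ssid,channel,site
00:11:22:AA:BB:01,CORP-POS,6,store-17
00:11:22:aa:bb:02,CORP-POS,11,store-17
de:ad:be:ef:00:01,CORP-POS,6,store-17
66:77:88:99:aa:bb,Coffee-Shop-Free,1,store-17
"""


def normalize_bssid(bssid):
    """MAC addresses arrive in mixed case and separators; compare them canonically."""
    return bssid.strip().lower().replace("-", ":")


def parse_scan(export):
    """Turn the CSV export into a list of access point records."""
    rows = []
    for row in csv.DictReader(io.StringIO(export)):
        rows.append({
            "bssid": normalize_bssid(row["bssid"]),
            "ssid": row["ssid"].strip(),
            "channel": int(row["channel"]),
            "site": row["site"].strip(),
        })
    return rows


def classify(ap, inventory, corporate_ssids):
    """Compare one observed access point against the master list."""
    entry = inventory.get(ap["bssid"])
    if entry is None:
        # Radio not in inventory: either a neighbour or a rogue. Impersonating a
        # corporate SSID is the evil-twin pattern, so rank it above plain unknowns.
        if ap["ssid"] in corporate_ssids:
            return "EVIL_TWIN_CANDIDATE"
        return "UNKNOWN"
    if entry["ssid"] != ap["ssid"] or entry["site"] != ap["site"]:
        # Known radio behaving differently from its record: often a misconfiguration
        # or a stale inventory, but it still needs a human decision.
        return "INVENTORY_MISMATCH"
    return "AUTHORIZED"


def triage(export, inventory=AUTHORIZED_INVENTORY, corporate_ssids=CORPORATE_SSIDS):
    """Return (bssid, ssid, verdict) for every access point in the export."""
    return [(ap["bssid"], ap["ssid"], classify(ap, inventory, corporate_ssids))
            for ap in parse_scan(export)]


def scan_overdue(last_scan_iso, today_iso, max_days=90):
    """True when more than a quarter has passed since the last rogue AP scan."""
    last_scan = date.fromisoformat(last_scan_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_scan).days > max_days


if __name__ == "__main__":
    for bssid, ssid, verdict in triage(SCAN_EXPORT):
        print(f"{bssid}  {ssid:<18} {verdict}")
    print("quarterly scan overdue:", scan_overdue("2021-01-04", "2021-04-20"))
```

The verdicts are deliberately only a ranking for the administrator, not a final decision: an UNKNOWN radio is usually a neighbouring business, and an INVENTORY_MISMATCH is usually an access point someone reconfigured without updating the list, which is exactly why the inventory from step 1 has to be kept current.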

5. Establish a regular time frame for scans

Never assume you are safe because you are “too small” for a hacker to bother with. Hackers want to capture data, and they will do so if they find a loophole that allows them to set up a rogue access point. Therefore, compliance is never a one-time event; it is an ongoing process.

PCI DSS states that each company should run a quarterly scan for rogue wireless access points. Don’t let the requirement stop you from scanning more often, though. The more frequently you scan, the more timely your results will be.

Final Words

A rogue access point leaves your network and confidential data vulnerable to wireless attackers. The evil twin guides available online and the fake Wi-Fi hotspots still being found show that hackers continue to use phony access points to target business and personal networks.

Today’s hackers make extra efforts to cover their operations, which means that detecting a wireless access point as rogue will become even more difficult in the future. Right now, it is necessary to run a quarterly scan, make sure you scan the correct locations on your network, and have a strategy for dealing with any rogue access points you discover.

Due to the prevalence of Wi-Fi in our lives, it has also become a target for hackers. If not handled properly, Wi-Fi can create one of the most prominent attack vectors for criminals trying to carry out Trojan attacks.

Attackers can break into an unsecured wireless network from within range of your wireless router. The intruder can then control your private computers, smart devices, and cell phones, gaining full access to your life and files and potentially exposing you to data theft, malware, and extortion.

Poor security habits have a significant adverse effect on all unprepared users, and especially on companies that still lack critical Wi-Fi network security. Companies must take essential security measures and apply industry best-practice standards that reduce technology risk factors. Organizations are also at risk from human factors that can be difficult to track and predict.

Also, it is still challenging to detect Wi-Fi hacking without proper technical solutions and staff expertise. Wi-Fi networks should be treated as a vital part of the IT infrastructure, and expert staff can better monitor their protection so that any threat is secured against and detected promptly.

See Also: PCI SSC Information Supplement: PCI DSS Wireless Guidelines

Surkay Baykara, https://www.pcidssguide.com
A passionate Senior Information Security Consultant working at Cyberwise. Over the past 15+ years my professional career has included several positions, beginning as a developer and IT administrator and working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I have had several different roles at Cyberwise, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career, including CEH, CISA, CISSP, and PCI QSA.
