Critical Control 7: Wireless Device Control

How do attackers exploit the absence of this control?

Major thefts of data have been initiated by attackers who have gained wireless access to organizations from nearby parking lots, bypassing organizations' security perimeters by connecting wirelessly to access points inside the organization. Wireless clients accompanying travelling officials are infected on a regular basis through remote exploitation during air travel or in cyber cafes. Such exploited systems are then used as backdoors when they are reconnected to the network of a target organization. Still other organizations have reported the discovery of unauthorized wireless access points on their networks, planted and sometimes hidden for unrestricted access to an internal network. Because they do not require direct physical connections, wireless devices are a convenient vector for attackers to maintain long-term access into a target environment.

How to Implement, Automate, and Measure the Effectiveness of this Control

  1. Quick wins: Organizations should ensure that each wireless device connected to the network matches an authorized configuration and security profile, with a documented owner of the connection and a defined business need. Organizations should deny access to those wireless devices that do not have such a configuration and profile.
  2. Quick wins: Organizations should ensure that all wireless access points are manageable using enterprise management tools. Access points designed for home use often lack such enterprise management capabilities, and should therefore be avoided in enterprise environments.
  3. Quick wins: Network vulnerability scanning tools should be configured to detect wireless access points connected to the wired network. Identified devices should be reconciled against a list of authorized wireless access points. Unauthorized (i.e., rogue) access points should be deactivated.
  4. Visibility/Attribution: Organizations should use Wireless Intrusion Detection Systems (WIDS) to identify rogue wireless devices and detect attack attempts and successful compromises. In addition to WIDS, all wireless traffic should be monitored by a wired IDS as traffic passes into the wired network.
  5. Visibility/Attribution: 802.1X should be used to control which devices are allowed to connect to the wireless network.
  6. Visibility/Attribution: A site survey should be performed to determine what areas within the organization need coverage. After the wireless access points are strategically placed, the signal strength should be tuned to minimize leakage to areas that do not need coverage.
  7. Configuration/Hygiene: Where a specific business need for wireless access has been identified, organizations should configure wireless access on client machines to allow access only to authorized wireless networks.
  8. Configuration/Hygiene: For devices that do not have an essential wireless business purpose, organizations should disable wireless access in the hardware configuration (basic input/output system or extensible firmware interface), with password protections to lower the possibility that the user will override such configurations.
  9. Configuration/Hygiene: Organizations should regularly scan for unauthorized or misconfigured wireless infrastructure devices, using techniques such as "war driving" to identify access points and clients accepting peer-to-peer connections. Such unauthorized or misconfigured devices should be removed from the network, or have their configurations altered so that they comply with the security requirements of the organization.
  10. Configuration/Hygiene: Organizations should ensure that all wireless traffic is protected with at least WiFi Protected Access 2 (WPA2) using Advanced Encryption Standard (AES) encryption; WEP and WPA/TKIP do not meet this requirement.
  11. Configuration/Hygiene: Organizations should ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) or Protected Extensible Authentication Protocol (PEAP), which provide credential protection and mutual authentication. Clients must be configured to validate the authentication server's certificate; otherwise the protection against rogue access points impersonating the network is lost.
  12. Configuration/Hygiene: Organizations should ensure that wireless clients use strong, multi-factor authentication credentials to mitigate the risk of unauthorized access from compromised credentials.
  13. Configuration/Hygiene: Organizations should disable peer-to-peer wireless network capabilities on wireless clients, unless such functionality meets a documented business need.
  14. Configuration/Hygiene: Organizations should disable wireless peripheral access of devices (such as Bluetooth), unless such access is required for a documented business need.
  15. Configuration/Hygiene: Wireless access points should never be directly connected to the private network. They should either be placed behind a firewall or put on a separate VLAN so all traffic can be examined and filtered.
  16. Advanced: Organizations should configure all wireless clients used to access organization networks or handle organization data so that they cannot be used to connect to public wireless networks or any other networks beyond those specifically allowed by the organization.
Associated NIST Special Publication 800-53, Revision 3, Priority 1 Controls
AC-17, AC-18 (1, 2, 3, 4), SC-9 (1), SC-24, SI-4 (14, 15)
Associated NSA Manageable Network Plan Milestones and Network Security Tasks
Remote Access Security

Procedures and Tools to Implement and Automate this Control

Effective organizations run commercial wireless scanning, detection, and discovery tools as well as commercial Wireless Intrusion Detection Systems.
Additionally, the security team should periodically capture wireless traffic from within the borders of a facility and use free and commercial analysis tools to determine whether the wireless traffic was transmitted using weaker protocols or encryption than the organization mandates. When devices relying on weak wireless security settings are identified, they should be located in the organization's asset inventory and either reconfigured more securely or denied access to the organization network.
The security team should also employ remote management tools on the wired network to pull information about the wireless capabilities and devices connected to managed systems.

Control 7 Metric:

The system must be capable of identifying unauthorized wireless devices or configurations when they are within range of the organization's systems or connected to its networks. The system must be capable of identifying any new unauthorized wireless device that associates with or joins the network within one hour, alerting or sending e-mail notification to a list of enterprise personnel. The system must automatically isolate an unauthorized attached wireless access point from the network within one hour and alert or send e-mail notification when isolation is achieved. Every 24 hours after that point, the system must alert or send e-mail about the status of the device until it has been removed from the network. The asset inventory database and alerting system must be able to identify the location, department, and other details of where authorized and unauthorized wireless devices are plugged into the network. While the 24-hour and one-hour timeframes represent the current metric to help organizations improve their state of security, in the future organizations should strive for even more rapid alerting and isolation, with notification about an unauthorized wireless device sent within two minutes and isolation within five minutes.

Control 7 Test:

To evaluate the implementation of Control 7 on a periodic basis, the evaluation team must configure 10 unauthorized but hardened wireless clients and wireless access points and attempt to connect them to the organization's wireless networks. Test access points must not be directly connected to the organization's trusted network; instead, they must be configured to act as a wireless gateway without physically connecting to a wired network interface. When testing the detection of wireless access points from a wired interface, the connected access point must have its wireless radio disabled for the duration of the test. These systems must be configured to test each of the following scenarios:
  • A wireless client with an unauthorized service set identifier configured on it.
  • A wireless client with improper encryption configured.
  • A wireless client with improper authentication configured.
  • A wireless access point with improper encryption configured.
  • A wireless access point with improper authentication configured.
  • A completely rogue wireless access point using an unauthorized configuration.
When any of the above-noted systems attempt to connect to the wireless network, an alert must be generated and enterprise staff must respond to the alerts to isolate the detected device or remove the device from the network.
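The following is an added example and is not part of this document or of any WIDS product: it applies the configuration checks of items 10 and 11, the passive capture analysis described under Procedures and Tools, and the six Control 7 test scenarios above to constructed 802.11 management frames. The RSN and WPA information-element layout follows IEEE 802.11; the MAC addresses, SSIDs, authorized-AP inventory and policy values are invented for illustration.

```python
"""Added example, not part of the Critical Controls text or any vendor's WIDS:
decode the RSN (tag 48) and legacy WPA vendor (tag 221) information elements
from constructed 802.11 management frames and classify each device against a
constructed authorized-AP inventory and the encryption/authentication policy
of items 10 and 11 (WPA2 with AES-CCMP, EAP/802.1X authentication).  Every
MAC address, SSID and policy value below is invented for illustration."""
import struct

RSN_OUI = b"\x00\x0f\xac"   # IEEE 802.11 suite-selector OUI used in the RSN IE
WPA_OUI = b"\x00\x50\xf2"   # OUI used by the pre-802.11i WPA vendor IE
CIPHERS = {0: "group", 1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK", 8: "SAE"}

# Constructed policy mirroring items 10 and 11, and a constructed AP inventory.
POLICY = {"protocol": "WPA2", "ciphers": {"CCMP"}, "akms": {"802.1X"}}
AUTHORIZED_APS = {"02:00:00:aa:00:01": "corp-secure"}      # BSSID -> SSID
AUTHORIZED_SSIDS = set(AUTHORIZED_APS.values())


def parse_ies(blob):
    """Split the tagged-parameter area of a management frame into (tag, value) pairs."""
    out, i = [], 0
    while i + 2 <= len(blob):
        tag, length = blob[i], blob[i + 1]
        out.append((tag, blob[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def parse_suites(body, oui):
    """Shared body layout of the RSN IE and the WPA vendor IE:
    version(2) | group suite(4) | pairwise count(2) | pairwise suites(4 each)
    | AKM count(2) | AKM suites(4 each).  Selectors with a foreign OUI are kept raw."""
    def name(table, sel):
        if len(sel) < 4:
            return "truncated"
        return table.get(sel[3], "unknown") if sel[:3] == oui else "vendor-" + sel.hex()
    group = name(CIPHERS, body[2:6])
    n = struct.unpack_from("<H", body, 6)[0]
    pairwise = [name(CIPHERS, body[8 + 4 * k:12 + 4 * k]) for k in range(n)]
    off = 8 + 4 * n
    m = struct.unpack_from("<H", body, off)[0]
    akms = [name(AKMS, body[off + 2 + 4 * k:off + 6 + 4 * k]) for k in range(m)]
    return group, pairwise, akms


def security(ies, privacy):
    """Return (protocol, cipher set, AKM set) advertised by a frame's IEs."""
    for tag, val in ies:
        if tag == 48:                                    # RSN IE: WPA2
            g, p, a = parse_suites(val, RSN_OUI)
            return "WPA2", {g, *p}, set(a)
    for tag, val in ies:
        if tag == 221 and val[:4] == WPA_OUI + b"\x01":  # legacy WPA vendor IE
            g, p, a = parse_suites(val[4:], WPA_OUI)
            return "WPA", {g, *p}, set(a)
    if privacy:                       # privacy bit set with no RSN/WPA IE: WEP
        return "WEP", {"WEP"}, {"none"}
    return "open", {"none"}, {"none"}


def assess(obs):
    """Classify one observation {kind: 'ap'|'client', mac, privacy, ies}.
    Returns the list of findings a WIDS should alert on (empty if compliant)."""
    ies = parse_ies(obs["ies"])
    ssid = next((v.decode("utf-8", "replace") for t, v in ies if t == 0), "")
    proto, ciphers, akms = security(ies, obs["privacy"])
    findings = []
    if obs["kind"] == "ap":
        if obs["mac"] not in AUTHORIZED_APS:
            findings.append("rogue access point")
        elif AUTHORIZED_APS[obs["mac"]] != ssid:
            findings.append("authorized AP advertising unexpected SSID")
    elif ssid not in AUTHORIZED_SSIDS:
        findings.append("client using unauthorized SSID")
    if proto != POLICY["protocol"] or not ciphers <= POLICY["ciphers"]:
        findings.append("improper encryption: %s/%s" % (proto, ",".join(sorted(ciphers))))
    if not akms <= POLICY["akms"]:
        findings.append("improper authentication: " + ",".join(sorted(akms)))
    return findings


def ie(tag, value):
    return bytes([tag, len(value)]) + value


def suite_ie(group, pairwise, akms, oui=RSN_OUI, tag=48):
    """Build an RSN IE (tag 48) or WPA vendor IE (tag 221) from numeric selectors."""
    body = struct.pack("<H", 1) + oui + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(oui + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(oui + bytes([a]) for a in akms)
    return ie(tag, (WPA_OUI + b"\x01" + body) if tag == 221 else body)


def run_control7_test():
    """The six Control 7 test scenarios plus one compliant AP, as constructed frames."""
    CCMP, TKIP, DOT1X, PSK = 4, 2, 1, 2
    corp, ap, client = ie(0, b"corp-secure"), "02:00:00:aa:00:01", "02:00:00:cc:00:07"
    good = suite_ie(CCMP, [CCMP], [DOT1X])
    cases = {
        "authorized AP": ("ap", ap, True, corp + good),
        "client unauthorized SSID": ("client", client, True, ie(0, b"free-wifi") + good),
        "client improper encryption": ("client", client, True, corp + suite_ie(TKIP, [TKIP], [DOT1X])),
        "client improper authentication": ("client", client, True, corp + suite_ie(CCMP, [CCMP], [PSK])),
        "AP improper encryption": ("ap", ap, True, corp + suite_ie(TKIP, [TKIP], [DOT1X], WPA_OUI, 221)),
        "AP improper authentication": ("ap", ap, True, corp + suite_ie(CCMP, [CCMP], [PSK])),
        "rogue AP": ("ap", "02:00:00:ff:00:09", False, corp),
    }
    return {name: assess(dict(zip(("kind", "mac", "privacy", "ies"), c)))
            for name, c in cases.items()}


if __name__ == "__main__":
    for name, findings in run_control7_test().items():
        print("%-32s %s" % (name, findings or "compliant"))
```

Run directly, it prints one line per scenario with the findings the alerting system would need to raise. On a live network the observations would come from a monitor-mode capture (beacon frames for access points, association requests for clients) rather than from the constructed frames in run_control7_test, and the authorized inventory from the asset database the metric section requires.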
Control 7 Sensors, Measurement, and Scoring
Sensor: Wireless access point
Measurement: Determine if any rogue access points are connected to the network.
Score: 100 percent if no rogue access points are detected for two months. Minus 5 percent for each unauthorized access point that is discovered.
Sensor: Wireless Intrusion Detection Systems
Measurement: Utilizing the asset inventory database, determine if any clients are trying to make a connection to an access point that they are not authorized to make.
Score: 100 percent if there are no unauthorized connections attempted by clients. Minus 2 percent for each unauthorized client connection.
Sensor: Wireless vulnerability scanner
Measurement: Perform scans of all wireless access points on a monthly basis looking for known vulnerabilities or unauthorized configuration changes.
Score: 100 percent if no unauthorized changes are found. Minus 2 percent for known vulnerabilities and minus 5 percent for known vulnerabilities that were previously fixed or for unauthorized configuration changes.