The majority of today’s Wi-Fi access points, routers, and hotspots are highly exposed attack surfaces. Practically every security company in the business focuses on layer 7 application attacks, such as zero-day malware and ransomware. Unfortunately, very little attention has been paid to Wi-Fi layer 2 attacks, which includes tactics like flooding an access point (AP) with de-authentication frames or cracking WPA2. To help combat these vulnerabilities, more and more IT departments are creating “Trusted Wireless Environments” that automatically detect and prevent Wi-Fi threats.
Given the dramatic rise in connected devices and the fact that 74 percent of Android mobile device traffic in the U.S. flows over Wi-Fi, it’s never been more important for organizations to raise awareness and educate employees, partners, and customers about Wi-Fi security. They also must deploy new comprehensive Wi-Fi systems that include security. How do you know if your system is meeting the security standard of a "Trusted Wireless Environment?" Here are six threats that every Wi-Fi system should be able to combat:
Rogue APs: A rogue AP is an AP that has been physically connected to a network without explicit authorization from an administrator. It’s an instant PCI-DSS violation. Rogue APs are connected to the authorized network, allowing the attackers to bypass perimeter security.
Wi-Fi systems need to detect if a signal in the air is being broadcast from an AP physically connected to the authorized network. If so, it needs to be able to prevent the Rogue AP from gaining access to the LAN, which is typically done via ARP poisoning. It should also be able to prevent Wi-Fi clients from associating to it, usually via a surgical flood of deauthentication frames.
Evil twin APs: Evil twin APs will mimic legitimate APs, spoofing SSIDs and usually MAC addresses as well. Attackers can then intercept traffic as the man-in-the-middle (MitM). How exactly does this work? Once a victim is connected, the attacker can steal credentials, inject malicious code into the victim browsers, redirect the victim to a malware site, and so much more.
A Wi-Fi security system must not interfere with clients not administered by the authorized network, but at the same time must detect when evil twin APs are attempting to get authorized clients connected to them and prevent this association with deauthentication floods and other techniques.
Neighbor APs: This threat occurs when an authorized, company-managed client connects to a guest or external AP, bypassing the company’s perimeter security and security restrictions set by the firewall. There’s actually no super-secret hacker trick to this one. By choosing to connect their devices to the guest network or the coffee shop network downstairs, employees are bypassing network security.
Wi-Fi solutions must be able to automatically classify client devices managed by the company as authorized clients and prevent them from connecting to any other SSID than the ones IT administrators have defined. Prevention techniques for this threat again include surgical deauthentication floods.
Rogue clients: Any client previously connected to a rogue AP or other malicious AP within range of a private network is considered a rogue client. A client that connected to a rogue AP could have been victimized by a plethora of man-in-the-middle (MitM) attacks that include loading ransomworms, malware or client backdoors. When a rogue client connects to another network, it can spread this malware.
Wi-Fi security systems need to automatically re-classify an authorized client as a rogue client the moment it’s detected connecting to a malicious AP and prevent this client from re-associating to private authorized SSIDs until IT has confirmed the device is free of malware.
Ad-Hoc networks: This threat is essentially a peer-to-peer Wi-Fi connection between clients that lets two or more devices communicate with each other directly, circumventing network security policies and making the traffic invisible. Any employee could quickly set up an ad-hoc network between their colleagues’ devices if they wanted.
Wi-Fi solutions must be capable of automatically detecting when authorized clients, managed by corporate IT, are participating in ad-hoc networks and prevent this connection, even if encrypted using cell-splitting techniques or similar methods.
Misconfigured APs: It can be too easy for network administrators to accidentally make a configuration mistake such as making a private SSID open with no encryption, potentially exposing sensitive information to interception over the air. This can happen any time an AP isn’t set up properly.
Wi-Fi management systems need to include configuration policy settings where IT admins can specify details such as minimum encryption requirements on SSIDs broadcasted by managed APs, vendor OUIs allowed to broadcast SSIDs and so on.
In summary, creating a “Trusted Wireless Environment” that can protect against the aforementioned threats will significantly improve the safety of your organization’s Wi-Fi environments.
NetOps teams, like Spider Man, have great powers and great responsibilities. Increasingly, they are adopting a Zero Trust approach to network operations to help fight their battles.
Senior stakeholders who want to hold on to their CISOs must ensure that they have sufficient incentives and, more importantly, support to cope with the burden of risk that they are carrying.
The most alarming takeaway from Cisco’s new Cybersecurity Readiness Index report is that even after decades of having the importance of cybersecurity driven home, cyber threats are still taken too lightly.
