Transcript Presentation Slides

Slide Heading
Security Auditing
Wireless Networks
Ted J. Eull
viaForensics
October 12, 2011
Introductions
viaForensics
• Digital security via forensics. Leader in mobile forensics and
security assessment
• Apply methods used for computer crime investigation and incident
response proactively to enhance security.
• Based in Oak Park, IL (Chicago suburb)
Ted Eull, VP Technology Services
•
•
•
•
10+ years in IT consulting, corporate and security
Background in Web app development
GWAPT, CRISC pending
Not a wireless pen test specialist (sorry)
Agenda or contents slide
Why? Reasons to security audit your wireless devices and network
What? Identifying your wireless network components
How? Wireless
audit & technical security assessment process
Slide
Heading
Who and When? Internal/External, frequency of assessment
Recommendations and Resources
Why: Reasons to audit
CobiT
Linking Business
Goals to IT Goals
Many reasons to
leverage wireless
Key reasons to
security audit 
Why: Reasons to audit
• Regulations, regulations
• Both industry and government
– PCI / Payment Card Industry
– GLBA / Gramm–Leach–Bliley Act
– Federal Financial Institutions Examination Council / FFIEC
– Health Information Portability and Accountability Act /
HIPAA
– Federal Energy Regulatory Commission / FERC
– Sarbanes-Oxley / SOX
Why: Duh.
• Protect your business / organization
• Sensitive and proprietary information
• Clients and business partner data
• Reputation
• The reasons behind the regulations
Why: Wireless Issues
From the FFIEC IT Examination Handbook
http://ithandbook.ffiec.gov/it-booklets/information-security/securitycontrols-implementation/access-control-/network-access-.aspx
Wireless Issues
Wireless networks are difficult to secure because they do not have a well-defined
perimeter or well-defined access points. Unlike wired networks, unauthorized monitoring
and denial of service attacks can be performed without a physical wire
connection. Additionally, unauthorized devices can potentially connect to the network,
perform man-in-the-middle attacks, or connect to other wireless devices. To mitigate those
risks, wireless networks rely on extensive use of encryption to authenticate users and
devices and to shield communications.
More 
Why: Wireless Issues
Wireless Issues (continued)
If a financial institution uses a wireless network, it should carefully evaluate the risk and
implement appropriate additional controls. Examples of additional controls may include one
or more of the following:
•
•
•
•
•
•
Treating wireless networks as untrusted networks, allowing access through protective
devices similar to those used to shield the internal network from the Internet
environment;
Using end-to-end encryption in addition to the encryption provided by the wireless
connection;
Using strong authentication and configuration controls at the access point and on all
clients;
Using an application server and dumb terminals;
Shielding the area in which the wireless LAN operates to protect against stray emissions
and signal interference; and
Monitoring and responding to unauthorized wireless access points and clients.
Why: The threats
Data Interception
• Can be intercepted at distance with directional antennas (Wi-Fi
sniper rifles clocked at > 10 miles)
• WEP can be cracked in seconds
• TKIP vulnerable to a keystream recovery attack which can allow
injection of certain frames, this can enable ARP poisoning and DoS
for example. AES is better.
• WPA/WPA2 vulnerable to dictionary attacks, rainbow tables and
brute forcing.
• Many large organizations adopt a standard 802.11x configuration
using EAP-TLS with user certificates and a RADIUS server for
authentication. Although considered very secure, be aware that it
can still expose username and domain in the clear when
authenticating.
Why: The threats
Denial of Service
• Signal/frequency jamming
• Cheap portable devices from China
• Deauth Attack
• Management frames are sent in the clear for 802.11a/b/g/n which
includes deauth frames. 802.11w protects management frames which
prevents deauth attacks but only adopted by a few vendors
• A small laptop or handheld device can send out deauth requests
continually which drops clients. Can even be targeted at a certain
vendor (e.g. all Apple devices)
• WIDS should detect this
• Channel Reservation
• Attacker can send out repeated frames with a maximum wait duration
and silence the channel, for equipment that follows 802.11 spec
Why: The threats
Rogue Access Points
• Unauthorized APs plugged into the internal LAN.
• Can be detected by some enterprise APs which scan
for nearby rogue APs, and also by scanning the internal
LAN for the management interface of popular wireless
routers.
• Can be detected by regular site surveys using Wi-Fi
scanning equipment and directional antennas.
• Spectrum analyzer capability is useful to catch highly
covert installations and devices tuned off-band so as to
avoid detection from standard equipment.
Why: The threats
Misconfigured APs
• With the vast number of configuration options it requires a great deal of
planning, testing, on-going maintenance and training to operate a large WiFi installation.
Ad Hoc and Software APs
• Can allow for an attacker to connect directly to a corporate laptop inside a
building and route traffic onto the corporate LAN, bypassing network
security.
Client Driver Attacks
• Exploiting bugs in Wi-Fi drivers of clients to remotely execute code on a
victim's device without even needing a Wi-Fi network.
• Defense is to keep client drivers patched, but still exposed to zero days
Why: The threats
Misbehaving Clients and Evil Twin APs
• Clients forming unauthorized connections accidentally or
intentionally
• If corporate SSID is hidden, it will cause the client device to
continually probe for it wherever it goes, leaking information and
providing the ability for devices to be tracked.
• If a client has previously connected to a hidden open network, or
an open network with a common name such as Starbucks,
McDonalds, then an attacker can easily trick the client into
connecting to their AP from where a MITM attack can occur.
• If a user is allowed to connect to any Wi-Fi networks then they
could be enticed to connect to an attacker's AP with the promise of
free Wi-Fi or because it looks like an official corporate one.
Why: In short
• Because it is a scary cyber world out there
• To determine whether wireless technologies are
properly managed and secured, in accordance
with overall enterprise IT governance
What: Wireless components
• WLAN
• IEEE 802.11 Spec
• aka Wi-Fi
• b/a/g/n
•
•
•
•
Router/access point
Wireless clients
Typical range has nearly doubled in 10 years
Anything else?
What: More than WLAN
What: More than WLAN
Identify all use of wireless to evaluate potential risk
•
•
•
•
•
Cellular (3G, LTE)
Bluetooth
Radio-frequency identification / RFID
Near field Communication / NFC
Zigbee
Not all may require security assessment, but each should be
understood and evaluated
What? More than WLAN
When identifying wireless in the enterprise, think
outside the WLAN
•
•
•
•
Warehouse (RFID)
PC & Mobile accessories (Bluetooth)
“Smart Meters” (Wi-Fi, Zigbee)
And most of all…
What? More than WLAN
Mobile devices and more mobile devices
By 2013, mobile phones will overtake PCs as the most
common Web access device worldwide [Gartner].
• Often consumer devices (iOS, Android)
• Cellular + Wi-Fi
• Inexpensive
• Flexible
• Fast evolving
• Easy to secure
• Just kidding
How: Audit Process
• You decided auditing wireless is a good idea
• Risk Assessment
• Identify technology in use
• Threat Profiling: start bottom-up. i.e. Consider all
threats to the tech in use
• STRIDE threats: Spoofing Identity, Tampering with data,
Repudiation (insufficient logging), Information Disclosure, Denial
of Service, Elevation of Privileges
• Try to construct realistic scenarios
• Find pre-constructed scenarios
• Have business stakeholders involved
How: Audit Process
• Evaluate Risk
• Consider industry and company-specific regulatory,
policy and risk factors
• Use DREAD or other rating system
• Damage + Reproducibility + Exploitability + Affected Users +
Discoverability
• Consider potential cost of “worst case scenario”
• Evaluate security countermeasures and controls in
place which can mitigate threats
How: Technical Process
• Perform Security Assessment: Scope
•
•
•
•
Scope Appropriate for Risk
Vulnerability assessment vs. penetration testing
Test active production systems
Plan to trigger detection / countermeasures
How: Technical Process
• Perform Security Assessment: Review
• Design review of Wi-Fi infrastructure
•
•
•
•
Authentication
Defense in depth
Physical AP placement, security
Signal Coverage
• Configuration review of Wi-Fi infrastructure to make
sure it is configured correctly
• Firmware versions
• Review mobile device controls and security
How: Technical Process
• Perform Security Assessment: Scan
• Site survey with directional antenna and some good
scanning software to identify rogue APs. Use a
spectrum analyzer to pick up covert or malfunctioning
wireless devices.
• Test WIDS/WIPS if present by undertaking malicious
activity such as deauth attacks and Evil Twin APs
• Scans for client devices, such as:
• Pineapple Karma attack to see who connects
• Sniffing authentication to corporate Wi-Fi
• Scanning for vulnerable client Wi-Fi drivers (can crash
devices)
How: Technical Process
• Wi-Fi Pineapple and Jasager
– Jasager = “The Yes Man”
– Portable Wi-Fi router built for initiating MITM
position
– Web interface for attacker, showing currently
connected clients with their MAC address, IP
address (if assigned) and the SSID they
associated with
– Run scripts on IP assignment
– Full logging for later review
– Extensible, with additional modules
– Easy to set up phishing attacks
– About $100 from http://hakshop.com/
How: Technical Process
• Perform Security Assessment: Mobile Devices
• Forensic analysis of mobile devices that access
network and store data
• Assess data exposure
• Test efficacy of security controls (e.g. passcode,
remote wipe)
• Examples of issues uncovered:
•
•
•
•
Network username/password easily recoverable
Corporate email in user backups
Passcode enforcement and remote wipe failure
Keychain dump (iOS)
How: Technical Process
• Mobile Risk Study from viaForensics
•
•
•
•
•
•
•
Focused on iOS & Android
Key issues, recommendations
Risk scenarios, risk map
Corporate policy recommendations
Comparison to BlackBerry
Lab tests of MS Exchange ActiveSync policy implementation
Technical review of encryption, passcode protection, malware
vulnerability, etc.
• High-level overview of Mobile Device Management (MDM)
software
• Available this month (online purchase/download)
Who: Internal or External
• Some level of internal assessment capability
should be maintained
• Leverage external specialized expertise for more
complete vulnerability assessment or pen test
• Experienced testers should perform more than
automated scans
• Security certifications good, wireless-specific even
better (e.g. GAWN)
When: And how often
• Depends on enterprise audit program
• At least annual basic assessment
• Identify technologies, infrastructure, devices
• Check configurations, logging
• Level set with overall security policies
• Regular mobile device audits
• Frequency of vulnerability scans, pen tests depends on
corporate risk evaluation
• Ongoing security through active monitoring, such as
WIDS/WIPS
Recommendations
WEP
Recommendations
• Assume all wireless traffic can be intercepted
• Isolate wireless from corporate LAN
• If Wi-Fi on LAN is necessary, use strong authentication,
isolated VLAN and NAC
• Use IDS/IPS for continuous monitoring
• Test security systems such as WIDS
• Implement reliable VPN for mobile workers, use GPO to
require VPN when off LAN
• Assess how mobile devices are being used and where
data is going
• Policy and training for users on wireless security
Resources
• ISACA
•
•
What every IT auditor should know about wireless telecommunication
(2006) http://www.isaca.org/Journal/Past-Issues/2006/Volume4/Pages/What-Every-IT-Auditor-Should-Know-About-WirelessTelecommunication1.aspx
Mobile Computing Security Audit/Assurance Program (2010)
http://www.isaca.org/KnowledgeCenter/Research/ResearchDeliverables/Pages/Mobile-ComputingSecurity-Audit-Assurance-Program.aspx
• viaForensics Mobile Risk Study
• http://viaforensics.com/mobile-risk-study
Resources
• RFID tools (rfidiot, proxclone reader/cloner)
• http://hackaday.com/2007/03/25/rfidiot-rfid-io-tools/
• http://proxclone.com/reader_cloner.html
• Other tools
•
•
•
•
•
Aircrack http://www.aircrack-ng.org/
Kismac / KisMAC http://www.kismetwireless.net/
Wireshark http://www.wireshark.org/
Ettercap http://ettercap.sourceforge.net/
Pineapple http://hakshop.com/products/wifi-pineapple
Questions?
Closing comments (if any)