1 / 43

Deepak Gupta AirTight Networks

Wireless Vulnerabilities in the Wild: View From the Trenches. Deepak Gupta AirTight Networks. Acknowledgement: Based on work presented by K N Gopinath at RSA 2011. Agenda. Why care about Wireless Vulnerabilities? (Motivation). What’s new in this talk and what are its implications?.

Download Presentation

Deepak Gupta AirTight Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Wireless Vulnerabilities in the Wild: View From the Trenches Deepak Gupta AirTight Networks Acknowledgement: Based on work presented by K N Gopinath at RSA 2011

  2. Agenda Why care about Wireless Vulnerabilities? (Motivation) What’s new in this talk and what are its implications? Wireless Vulnerability Analysis (Measurements) Threat/Vulnerability Mitigation

  3. Era of Wireless Consumerization

  4. Marshalls store hacked via wireless • Hackers accessed TJX network & multiple servers for 18+ months • 45.7 million payment credit accounts compromised • Estimated liabilities > 4.5B USD Real Life Breaches due to Insecure Use of Wi-Fi

  5. Are today’s enterprises secure enough to prevent the recurrence of such attacks? 5

  6. Enter War Driving How many of these are actually connected to my network? Not all APs are WPA/WPA2. WPA/WPA2 AP (%) NY London Paris 6

  7. War Driving Insufficient for Enterprise Threat Classification Authorized Our Study External Rogue

  8. Sensor Based Statistical Sampling Data collected over last two years 8

  9. 268,383 APs 80,515 187,868 Enterprises Deal With Lot of Non-Enterprise Devices 70% APs do NOT belong to the studied Organizations! External/ Unmanaged Authorized Similarly, About 87% Clients are Unmanaged/External!

  10. Wireless Threat SpaceAP Based Threats • Rogue APs • AP mis-configurations • Soft/Client Based APs AP

  11. Wireless Threat SpaceClient based threats • Client extrusions Connections to neighbors, evil twins • Adhoc networks Adhoc Network • Client bridging • Banned devices

  12. T3 (T-Cube) Parameters Presence of an instance of a threat (%) Threat Duration Window of opportunity for an attacker Threat Presence Threat Frequency Likelihood of presence of a threat instance

  13. Real-life data & Accurate picture of Threats How does this information help you? Get an idea of Wi-Fi threat scenario in enterprises that may be like yours Which wireless threats you should worry about first? Plan your enterprise mitigation strategy

  14. Simple (Yes/No) metric based on the presence of an instance of a threat (%) Threat Presence Threat Duration Threat Frequency 14

  15. Results From Our Survey Randomly Chosen set of IT Security Professionals % Response Rogue AP Misconf. AP Adhoc Client Extrusion Other

  16. Results Based on Our Data • Key Observations • Prominent Threats • Client extrusions • Rogue APs • AP mis-configurations • Adhoc clients • Key Implications • Organization data is • potentially at risk via Wi-Fi

  17. Let’s Dive Deeper into Nature of Threats Rogue APs Client Extrusions Adhoc Clients

  18. Enterprise Wireless Consumerization: Rogue APs1521 Rogue APs seen in our study 163 Different type of Consumer Grade OUIs seen

  19. Rogue AP Details About 1 in 10 Rogue APs have Default SSIDs About Half of Rogue APs Wide Open

  20. Rogue AP Details An open Rogue AP is Virtually THIS!

  21. Client Consumerization: Client Extrusion Client (Smartphones & laptops both) probes for these SSIDs.

  22. Topic of Hot Discussion Today!

  23. 118,981Clients 12,002 106,979 21,777 (20.4%) 636 (5.3%) Authorized Unmanaged Client Probing For Vulnerable SSIDs Retail/SMB Organizations Power of Accurate threat classification. 5.3% Vs 20.4%

  24. “Known” Vulnerable SSIDs Probed For103 distinct SSIDs recorded Certain (8%) Authorized Clients Probing for 5 or more SSIDs

  25. Adhoc Authorized Clients!565 distinct Adhoc SSIDs found, About half of them Vulnerable 15% of these are default SSIDs. 26,443 (7%) clients in adhoc mode.

  26. So What?Illustrative Exploit via Client Extrusion Smartphone as an Attacker App1: Mobile Hotspot App2: SSLStrip Attack Tool VIDEO DEMO: Smartpot MITM Attack

  27. VIDEO DEMO: Smartpot MITM Attack

  28. How long (time interval) a threat is active before removal? Threat Presence Threat Duration Threat Frequency 29

  29. AP Threats live “longer” than Client Threats15% client threats & 30 % AP threats live for > hr Some AP based threats are active for a day or more! Histogram indicating that AP threats live longer Threat Duration Rogue AP AP Misconf. Client Extrusion Adhoc networks % Threat Instances with Given Threat Duration Data from SMB/Retail (PCI) Segment

  30. Threat instances per Sensor per month Threat Presence Threat Duration Threat Frequency 31

  31. Threat Frequency Large Enterprise Segment: Threats Per Month Per Sensor (Approx. 10,000 sq feet area) Bigger your organization, higher the likelihood of finding the threats Threat Frequency Threat Category

  32. Key Takeaways Summarized • Wireless threats due to unmanaged devices are present • Enterprise wireless environment influenced by consumerization • Certain threats more common than others • Client extrusions • Rogue AP • AP Mis-configurations • Adhoc clients • Common threats affect large enterprise and SMB organizations • Wireless threats persist regardless of sophistication of wired network security

  33. Threat Mitigation 34

  34. Let’s Ban Wi-Fi!

  35. Use WPA2 For Your Authorized WLAN! But, WPA2 does not protect against threats due to unmanaged devices

  36. Threat Mitigation Intrusions (AP Based Threats) • Wire side controls as a first line of defense (e.g., 802.1X port control) • Wireless IPS to automatically detect & block intrusions • Regular wireless scans to understand your security posture • - Cloud based solutions are available to automate wireless scans • Defense-In-Depth Mitigation Extrusions (Client Based Threats) • Educate users: clean up profiles, Use VPNs & connect to secure Wi-Fi • Deploy end point agents to automatically block connections to insecure Wi-Fi • Wireless IPS to automatically detect & block extrusions in enterprise perimeter

  37. Apply Slide: Recommended Best Practices • Self Assessment Test • Scan your network to find out how vulnerable you are • Good chance that you will find a Rogue AP, higher chance that you will find client extrusion • Follow best practices • Educate your users to connect to secure Wi-Fi • Use VPN for remote connections • Clean up the Connection profiles of Wi-Fi clients periodically • Deploy end point agents to automate some of the above • Adopt a “defense in depth” security approach • Employ wire side defenses against Rogue APs (first line of defense) • Regularly scan your wireless perimeter • If risk assessment is high and/or you store super sensitive data • Threat containment via wireless IPS should be considered

  38. Apply Slide: Recommended Best Practices Go Wi-Fi, But, The Safe Way!

  39. Questions? Thank You deepak.gupta@airtightnetworks.com 40

  40. A1: Location/Site Wise Distribution Key Observations Prominent threats are distributed across multiple sites. Key Implications You need an ability to monitor the entire organization, not just 1 or 2 sites

  41. A2: Enterprise Vs PCI (SMB/Retail) Key Observations Similar pattern with respect to prominent threats Some difference w.r.t other threats Increased adhoc connections in PCI

  42. A3: North America, Asia (Overall Threat Occurrence)

More Related