
Auditing Wireless


Presentation Transcript


  1. Auditing Wireless by Chris Gohlke Lead Senior Auditor Florida Auditor General chrisgohlke@aud.state.fl.us 850-487-9328

  2. Introduction • 802.11 (WiFi) -Not Bluetooth or RFID • Technology Review • Standards • Controls • Testing • Reporting

  3. Technology Review

  4. What is Wi-Fi • Wi-Fi (sometimes written Wi-fi, WiFi, Wifi, wifi) is a trademark for sets of product compatibility standards for wireless local area networks (WLANs). Wi-Fi, short for “Wireless Fidelity,” was intended to allow mobile devices, such as laptop computers and personal digital assistants (PDAs) to connect to local area networks, but is now often used for Internet access and wireless VoIP phones. Desktop computers can use Wi-Fi too, allowing offices and homes to be networked without expensive wiring. Most computers and many other consumer electronic devices have Wi-Fi built-in.

  5. Definition - MAC and SSID • A media access control address (MAC address) is a globally unique identifier attached to most forms of networking equipment, allowing each host to be uniquely identified and frames to be marked for specific hosts. (Note: hackers can spoof the MAC address.) • A service set identifier (SSID) is a code attached to all packets on a wireless network to identify each packet as part of that network. A network's SSID is often referred to as the “network name.” The SSID is either broadcast automatically by the AP, or sent upon request (probe) from a user station.

  6. 802.11 is the Standard that defines Wi-Fi

  7. Encryption • WEP (Wired Equivalent Privacy) – very weak encryption, can be broken in minutes. • WPA (Wi-Fi Protected Access) – much better, but uses weak RC4 encryption and can be broken in a few hours. • WPA2 – like WPA, but uses the stronger Advanced Encryption Standard (AES)

  8. Why are we worried about wireless? • Eliminates the network cable. • Network accessible outside of normal physical security.

  9. Standards

  10. Standards • NIST Special Publication 800-97 - Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i http://csrc.nist.gov/publications/nistpubs/800-97/SP800-97.pdf • Information Supplement: PCI DSS Wireless Guideline https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf

  11. Controls

  12. Controls
      If they have official wireless: • Physical Security • MAC Filtering • Changing SSID/password from default • Non-broadcast SSID • Encryption • Firmware up-to-date • Scans for non-approved deployments • Policies
      If they don’t have official wireless: • Scans for non-approved deployments • Policies

  13. Controls – Physical Security If you can physically access the device, you can disable all the security settings. Make sure physically exposed items are only antennas.

  14. Controls – MAC Filtering • Only preapproved MAC addresses are allowed to access the network. However, MAC addresses can be easily captured and spoofed. It also requires a lot of management overhead on a large network.

  15. Controls – Change the SSID/Password from default • If you leave it as the default, you’ve just given away info about your hardware that will make it easier for a hacker. • So change it and make it unique.

  16. Controls – Don’t Broadcast the SSID • To be able to connect, you need to know the SSID. By default, the WAP constantly shouts out its name to make it easy for users to find. Even if they don’t broadcast it, if the network is being used, it is easy to get the SSID passively from the traffic.

  17. Controls - Encryption • WEP (Wired Equivalent Privacy) – very weak encryption, can be broken in minutes. • WPA (Wi-Fi Protected Access) – much better, but uses weak RC4 encryption and can be broken in a few hours. • WPA2 – like WPA, but uses the stronger Advanced Encryption Standard (AES)

  18. Controls - Encryption

  19. Controls – Firmware Up To Date

  20. Controls – Firmware Up To Date

  21. Controls - Scans for unauthorized deployments Whether or not they are running wireless, the auditee should be performing a periodic scan for unauthorized wireless access points. If they are, they should be documenting the scan in some way.

  22. Controls - Policies As with most things, ideally they will have created policies and procedures to support the implementation of the above listed controls.

  23. Testing – Performing a Wireless Scan

  24. Testing – Basic Scanning Tools

  25. Testing – Alternative Basic Scanning Tools

  26. Testing – Advanced Scanning Tools inSSIDer replaced Network Stumbler, which hadn't been actively developed since 2004.

  27. Testing – Advanced Scanning Tools with GPS

  28. Testing – When to use which tool? Start with the basic tools. Most of the time a full map is going to just be overkill and not an efficient use of your audit time. Add in the advanced tools if you have exceptions you aren’t able to locate or resolve any other way.
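An added example (not from the slides) of how the scan results from slides 21 and 24-28 can be reconciled against the auditee's list of approved access points, flagging the exceptions an auditor would write up; the record layout, inventory and default-SSID list are constructed assumptions, not any scanning tool's export format:

```python
from dataclasses import dataclass

# Constructed: what the auditee says is deployed (the BSSID is the AP's MAC).
APPROVED_APS = {
    "00:11:22:33:44:55": {"ssid": "AGENCY-STAFF", "security": "WPA2"},
    "00:11:22:33:44:66": {"ssid": "AGENCY-STAFF", "security": "WPA2"},
}
# Constructed: factory SSIDs whose presence means the default was never changed.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink"}

@dataclass
class ScanRecord:
    ssid: str        # "" when the AP does not broadcast its name
    bssid: str
    security: str    # Open / WEP / WPA / WPA2, as reported by the scanner
    signal_dbm: int

def audit_scan(records, approved=APPROVED_APS):
    """Return (bssid, exception) pairs an auditor would write up."""
    exceptions, seen = [], set()
    for r in records:
        bssid = r.bssid.lower()
        seen.add(bssid)
        if bssid not in approved:
            exceptions.append((bssid, "unauthorized AP: not on the approved list"))
        elif approved[bssid]["security"] != r.security:
            exceptions.append((bssid, f"security differs from inventory: {r.security}"))
        if r.security in ("Open", "WEP"):
            exceptions.append((bssid, f"{r.security} gives no effective protection"))
        elif r.security == "WPA":
            exceptions.append((bssid, "WPA (RC4) in use: move to WPA2 (AES)"))
        if r.ssid.lower() in DEFAULT_SSIDS:
            exceptions.append((bssid, f"default SSID '{r.ssid}' still in use"))
    for bssid in sorted(approved.keys() - seen):
        exceptions.append((bssid, "approved AP not seen: verify it is still deployed"))
    return exceptions

# Constructed scan output: one approved AP, one rogue with defaults, one hidden rogue.
SAMPLE_SCAN = [
    ScanRecord("AGENCY-STAFF", "00:11:22:33:44:55", "WPA2", -48),
    ScanRecord("linksys", "AA:BB:CC:DD:EE:01", "WEP", -70),
    ScanRecord("", "AA:BB:CC:DD:EE:02", "WPA2", -85),
]

if __name__ == "__main__":
    for bssid, why in audit_scan(SAMPLE_SCAN):
        print(bssid, "-", why)
```

A hidden (non-broadcast) SSID shows up here as an empty name, so it still gets checked against the inventory by BSSID rather than being missed.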

  29. Reporting http://www.myflorida.com/audgen/pages/pdf_files/2007-005.pdf (See Finding #3)

  30. Reporting Finding No. 3: Wireless Controls Wireless networking is quickly becoming a more widely used networking solution. Significant risks to security are presented by wireless networks as most wireless networking equipment is configured insecurely in its default configuration, flaws exist in WEP (Wired Equivalent Privacy) authentication, and the range for many wireless devices can extend beyond intended coverage areas, allowing attackers to gain access to a network without setting foot in the building in which the network is located. Good wireless security controls include provisions to change configurations before implementation to provide stronger security settings than those present in default configurations; use of more advanced authentication, such as Wi-Fi Protected Access 2 (WPA2) with Extensible Authentication Protocol (EAP) on 802.1X authentication servers; and planning to minimize how far wireless signals extend beyond coverage areas. NIST guidelines include recommended procedures for assessing the effectiveness of controls over wireless access points. These include war drives or war walks, which involve patrolling an area with portable computing devices, such as laptops, equipped with wireless access cards, attempting to detect unauthorized wireless access points attached to networks. NIST recommends that this procedure be performed weekly to semiannually, depending on the sensitivity of the systems residing on the network.

  31. Reporting Improvements were needed in controls to ensure agency authorized wireless access points were appropriately secured and in agency procedures to detect the presence of unauthorized wireless access points. Our audit disclosed the following: • Inadequate controls were used at an agency to secure authorized wireless access points. • Most agencies did not perform war drives or war walks to detect unauthorized wireless access points nor had any written procedures to do so. • We detected an unauthorized wireless network device on an agency network. • Some agencies did not have policies or procedures in place prohibiting unauthorized wireless access points from being attached to their networks. Without controls to ensure agency authorized wireless access points are appropriately secured and procedures to detect the presence of unauthorized wireless access points, agencies increase the risk of their network security being compromised by an individual with malicious intent or by users installing unauthorized wireless access points. Recommendation: The applicable agencies should implement appropriate controls to secure authorized wireless access points from attacks that can exploit insecure configurations and weak authentication mechanisms. Agencies should also perform periodic war drives or war walks to detect and remediate unauthorized wireless access points that may be present on their networks allowing attackers to bypass normal network security.

  32. Questions

  33. Hard Drive Surplus by Chris Gohlke

  34. Introduction • Technology Review • Standards • Special Legal Considerations • Controls • Testing • Reporting

  35. Technology Review

  36. Technology Review We have been taught to think that when we "delete" files and then empty the Recycle Bin, the selected files are gone. This is not true. What happens is that the Windows disk manager only "deletes" its known reference to the name and to where a file is stored on the hard drive. The files are actually still there and can be very easily recovered with simple software tools.

  37. Technology Review Many people think that formatting a hard drive will permanently erase all the data on the drive. This also is not true. Formatting is only a very low-level hard drive cleaning function. Formatting a hard drive does not completely erase all data as one may think. It only erases the file structure information. This means that your deleted data can be recovered by anyone possessing the right tools, until it is overwritten.

  38. Technology Review Imagine the hard drive of a computer is like a book. Instead of words, the hard drive is made up of binary data (0’s and 1’s). Like a book, the hard drive has a table of contents that catalogs where on the drive the 0’s and 1’s are that make up data files. Deleting and formatting drives is equivalent to removing the table of contents from the book. All of the data is still there. Software tools basically allow the computer to read the book and recreate the table of contents, thereby making all the data accessible again.

  39. Technology Review This leaves three ways to truly destroy your data: • Destroy the Drive • Degauss the drive • Overwrite the drive

  40. Destroy the Drive

  41. Degauss the Drive Make sure the device is rated for hard drives, not just media.

  42. Overwrite the Drive - Killdisk
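An added example (not part of the deck or of KillDisk) of the verification step that should follow an overwrite, and that an auditor can repeat on a surplus drive: sample the wiped device and confirm that every sampled byte holds the wipe pattern, reporting the first offset where old data survived. The image file, block size, fixed sampling seed and the leftover data are constructed assumptions.

```python
import os
import random
import tempfile

def verify_overwrite(path, pattern=b"\x00", sample_blocks=64, block_size=4096, seed=0):
    """Read the first and last blocks plus random blocks in between and return
    (passed, first_bad_offset). Any byte that does not match the wipe pattern
    is leftover data, i.e. the overwrite did not cover the whole device."""
    size = os.path.getsize(path)
    total_blocks = max(1, size // block_size)
    rng = random.Random(seed)  # fixed seed keeps the audit sample reproducible
    offsets = {0, (total_blocks - 1) * block_size, max(0, size - block_size)}
    while len(offsets) < min(sample_blocks, total_blocks):
        offsets.add(rng.randrange(total_blocks) * block_size)
    expected = (pattern * (block_size // len(pattern) + 1))[:block_size]
    with open(path, "rb") as f:
        for off in sorted(offsets):
            f.seek(off)
            block = f.read(block_size)
            if block != expected[:len(block)]:
                bad = next(i for i, (got, want) in enumerate(zip(block, expected)) if got != want)
                return False, off + bad
    return True, None

def demo():
    """Constructed: a 16-block image that was 'wiped' to zeros, then one block
    where stale data survived. Returns the verdict before and after."""
    path = os.path.join(tempfile.mkdtemp(), "disk.img")
    with open(path, "wb") as f:
        f.write(b"\x00" * 4096 * 16)
    clean = verify_overwrite(path)
    with open(path, "r+b") as f:
        f.seek(7 * 4096 + 100)
        f.write(b"SSN 123-45-6789")  # leftover data the wipe missed
    return clean, verify_overwrite(path)

if __name__ == "__main__":
    print(demo())  # ((True, None), (False, 28772))
```

On a real device the path would be the block device itself and `sample_blocks` large enough that the sample is meaningful for the drive's size; a small image like the constructed one is checked block by block.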

  43. Standards

  44. Standards - AEIT AEIT - Information Security Policy – Agency Guidelines – Section 10 • 1.11 Each agency shall document procedures for sanitization of agency-owned computer equipment prior to reassignment or disposal. • 1.12 Equipment sanitization must be performed such that no data remains. File deletion and formatting media are not acceptable or approved methods of sanitization. • 1.13 Acceptable methods of sanitization include: • using software to overwrite data on computer media; • degaussing; or • physically destroying media. • http://www.myflorida.com/myflorida/cabinet/aeit/docs/2007%20Information%20Security%20Policy%20Guidelines.pdf

  45. Standards – F.A.C. Florida Administrative Code - 60DD-7.013 Disposition Phase • It is the sole responsibility of each agency in accordance with Rule 60DD-2.009, F.A.C., to erase all confidential or exempt information contained in all electronic memory components from information technology equipment prior to transfer or final disposition. • Property containing hazardous materials, including,……., that cannot be transferred as set forth in subparagraph 60DD-7.013(2)(d)1., F.A.C., should be disposed of consistent with Section 403.705, F.S., and Rule Chapter 62-730, F.A.C., Dept. of Environmental Protection Rules for Hazardous Waste. • https://www.flrules.org/gateway/RuleNo.asp?ID=60DD-7.013

  46. Standards - NIST NIST Special Publication 800-88 - Guidelines for Media Sanitization • Information systems capture, process, and store information using a wide variety of media. This information is not only located on the intended storage media but also on devices used to create, process, or transmit this information. These media may require special disposition in order to mitigate the risk of unauthorized disclosure of information and to ensure its confidentiality. Efficient and effective management of information that is created, processed, and stored by an information technology (IT) system throughout its life, from inception through disposition, is a primary concern of an information system owner and the custodian of the data. • http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf

  47. Special Legal Considerations

  48. Special Legal Considerations If suspected child pornography or other possibly illegal material is found during your testing, IMMEDIATELY notify your supervisor. Management will then contact FDLE and coordinate with law enforcement.

  49. Special Legal Considerations So, be sure to follow all the documentation procedures, including: • Logs • Chain of custody • Photos • Physical Security

  50. Special Legal Considerations
