
Wireless Vulnerabilities in the Wild:

View From the Trenches

Deepak Gupta

AirTight Networks

Acknowledgement: Based on work presented by K N Gopinath at RSA 2011

Agenda

Why care about Wireless Vulnerabilities? (Motivation)

What’s new in this talk and what are its implications?

Wireless Vulnerability Analysis (Measurements)

Threat/Vulnerability Mitigation

Real Life Breaches due to Insecure Use of Wi-Fi

Marshalls store hacked via wireless

  • Hackers accessed the TJX network and multiple servers for 18+ months
  • 45.7 million payment card accounts compromised
  • Estimated liabilities > 4.5B USD
Enter War Driving

How many of these are actually connected to my network?

Not all APs are WPA/WPA2.

[Chart: WPA/WPA2 APs (%) in war-driving samples from NY, London and Paris]

War Driving Insufficient for Enterprise Threat Classification

War driving lists every AP within radio range, but it cannot tell you which of those APs are actually connected to your wired network. Our study therefore classifies each observed AP as Authorized, External, or Rogue.

[Diagram: observed APs split into Authorized / External / Rogue]

Enterprises Deal With a Lot of Non-Enterprise Devices

268,383 APs observed: 80,515 Authorized, 187,868 External/Unmanaged

70% of APs do NOT belong to the studied organizations!

Similarly, about 87% of clients are Unmanaged/External!

Wireless Threat Space: AP Based Threats
  • Rogue APs
  • AP mis-configurations
  • Soft/Client Based APs

Wireless Threat Space: Client Based Threats
  • Client extrusions (connections to neighbors, evil twins)
  • Adhoc networks
  • Client bridging
  • Banned devices
T3 (T-Cube) Parameters
  • Threat Presence: presence of an instance of a threat (%)
  • Threat Duration: window of opportunity for an attacker
  • Threat Frequency: likelihood of presence of a threat instance
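The three T-Cube metrics are easier to reason about when computed over concrete detections. The Python below is an added example and not AirTight's code: it takes a constructed list of threat instances (category names, sensor names and timestamps are all made up) and derives Threat Presence (yes/no per category), Threat Duration (hours active before removal, with still-active instances clipped at the end of the reporting window) and Threat Frequency (instances per sensor per month). The 30-day month, the record layout and the category names are assumptions.

```python
"""Compute the T-Cube (T3) metrics over constructed threat detections.
Added example, not AirTight's code; all records below are made up."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class ThreatInstance:
    category: str                  # assumption: one of CATEGORIES below
    sensor: str                    # sensor that observed the instance
    first_seen: datetime
    last_seen: Optional[datetime]  # None: still active at the end of the window


CATEGORIES = ("rogue_ap", "ap_misconfig", "client_extrusion", "adhoc")
SENSORS = ("sensor-1", "sensor-2")
WINDOW_START = datetime(2011, 3, 1)
WINDOW_END = datetime(2011, 3, 31)          # 30-day reporting window (assumption)


def d(day, hh, mm=0):
    return datetime(2011, 3, day, hh, mm)


# Constructed detections, the kind of records a WIPS would export.
SAMPLE = [
    ThreatInstance("rogue_ap", "sensor-1", d(2, 9), d(3, 10)),             # 25 h: left in overnight
    ThreatInstance("rogue_ap", "sensor-2", d(10, 12), d(10, 12, 30)),      # 30 min
    ThreatInstance("client_extrusion", "sensor-1", d(5, 8), d(5, 8, 10)),
    ThreatInstance("client_extrusion", "sensor-1", d(6, 8), d(6, 9, 30)),
    ThreatInstance("client_extrusion", "sensor-2", d(7, 13), d(7, 13, 5)),
    ThreatInstance("client_extrusion", "sensor-2", d(8, 13), d(8, 13, 20)),
    ThreatInstance("adhoc", "sensor-1", d(30, 20), None),                  # still active at window end
]


def presence(instances, category):
    """Threat Presence: yes/no, was at least one instance of the category seen."""
    return any(i.category == category for i in instances)


def durations_hours(instances, category, window_end=WINDOW_END):
    """Threat Duration: hours each instance stayed active before removal.
    Still-active instances are clipped at window_end, so their value is a lower bound."""
    out = []
    for i in instances:
        if i.category == category:
            end = i.last_seen or window_end
            out.append((end - i.first_seen).total_seconds() / 3600)
    return out


def pct_longer_than(instances, category, hours, window_end=WINDOW_END):
    """Share of instances (in %) whose duration exceeds `hours`."""
    ds = durations_hours(instances, category, window_end)
    return 100.0 * sum(1 for x in ds if x > hours) / len(ds) if ds else 0.0


def frequency_per_sensor_month(instances, category, sensors=SENSORS,
                               start=WINDOW_START, end=WINDOW_END):
    """Threat Frequency: new instances per sensor per (30-day) month in the window."""
    n = sum(1 for i in instances
            if i.category == category and start <= i.first_seen < end)
    months = (end - start).total_seconds() / (30 * 24 * 3600)
    return n / (len(sensors) * months)


def t3_report(instances=SAMPLE, categories=CATEGORIES):
    """One row per category, including categories that were never seen."""
    return {c: {"presence": presence(instances, c),
                "max_hours": max(durations_hours(instances, c), default=0.0),
                "pct_over_1h": pct_longer_than(instances, c, 1.0),
                "per_sensor_month": frequency_per_sensor_month(instances, c)}
            for c in categories}


if __name__ == "__main__":
    for cat, row in t3_report().items():
        print(cat, row)
```

Keeping still-active instances as a clipped lower bound rather than dropping them matters for the duration metric: the long-lived rogue APs the deck warns about are exactly the ones most likely to still be up when the report is cut.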

Real-life Data & an Accurate Picture of Threats

How does this information help you?

  • Get an idea of the Wi-Fi threat scenario in enterprises like yours
  • Learn which wireless threats you should worry about first
  • Plan your enterprise mitigation strategy

Threat Presence: a simple (Yes/No) metric based on the presence of an instance of a threat (%)

Results From Our Survey: Randomly Chosen Set of IT Security Professionals

[Chart: % response by threat category: Rogue AP, Misconf. AP, Adhoc, Client Extrusion, Other]

Results Based on Our Data
  • Key Observations: prominent threats
    • Client extrusions
    • Rogue APs
    • AP mis-configurations
    • Adhoc clients
  • Key Implications
    • Organization data is potentially at risk via Wi-Fi

Let’s Dive Deeper into Nature of Threats

Rogue APs

Client Extrusions

Adhoc Clients

Enterprise Wireless Consumerization: Rogue APs

1521 Rogue APs seen in our study

163 different consumer-grade OUIs seen

Rogue AP Details

  • About 1 in 10 Rogue APs have default SSIDs
  • About half of Rogue APs are wide open (no encryption)

An open Rogue AP is virtually THIS! [image]
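Putting the Authorized / External / Rogue classification and the rogue-AP details together: the Python below is an added example, not AirTight's product logic. It correlates BSSIDs heard over the air with MAC addresses learned on the wired network (a switch CAM table export, say) and flags rogue APs that are open or use a default SSID. The "wired MAC is the BSSID plus or minus a small offset" rule is a widely used heuristic for consumer APs and is an assumption here, as are the AP list, the wired MAC table, the default-SSID list and the small OUI table.

```python
"""Classify APs seen over the air as Authorized / External / Rogue by
correlating with the wired network, then flag rogue-AP details.
Added example, not AirTight's code; all data below is constructed."""

# Assumption: BSSIDs of the APs the organization manages (from its WLAN controller).
AUTHORIZED_BSSIDS = {"00:11:22:33:44:50", "00:11:22:33:44:60"}

# Assumption: MACs learned on access-switch ports (CAM/ARP table export).
WIRED_MACS = {
    "00:1c:10:aa:bb:c0",   # LAN side of a consumer AP plugged into a floor switch
    "00:18:4d:12:34:56",   # another one
    "3c:97:0e:00:00:01",   # an ordinary laptop
}

# Assumption: common consumer-grade default SSIDs (matched case-insensitively).
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "belkin54g"}

# Illustrative OUI -> vendor table (assumption; use the IEEE registry in practice).
CONSUMER_OUIS = {"00:1c:10": "Cisco-Linksys", "00:18:4d": "Netgear", "00:1b:11": "D-Link"}

# Constructed scan results: what a sensor or a war-drive would report.
SEEN_APS = [
    {"bssid": "00:11:22:33:44:50", "ssid": "corp-wifi",  "security": "WPA2"},
    {"bssid": "00:11:22:33:44:60", "ssid": "corp-wifi",  "security": "WPA2"},
    {"bssid": "00:1c:10:aa:bb:c1", "ssid": "linksys",    "security": "OPEN"},
    {"bssid": "00:18:4d:12:34:57", "ssid": "NETGEAR",    "security": "WPA2"},
    {"bssid": "00:1b:11:99:88:77", "ssid": "CoffeeShop", "security": "OPEN"},
    {"bssid": "00:25:9c:11:22:33", "ssid": "Neighbor5G", "security": "WPA2"},
]


def mac_int(mac):
    return int(mac.replace(":", ""), 16)


def oui(mac):
    return mac[:8].lower()


def on_wire(bssid, wired_macs, tolerance=2):
    """Heuristic (assumption): a consumer AP's wired MAC shares the BSSID's OUI
    and differs from it by a small offset. A wired MAC within `tolerance` of
    the BSSID therefore means the AP is plugged into our network."""
    b = mac_int(bssid)
    return any(oui(m) == oui(bssid) and abs(mac_int(m) - b) <= tolerance
               for m in wired_macs)


def classify(ap, authorized=AUTHORIZED_BSSIDS, wired_macs=WIRED_MACS):
    """Authorized: ours. Rogue: not ours but on our wire. External: everything else."""
    if ap["bssid"].lower() in authorized:
        return "Authorized"
    if on_wire(ap["bssid"], wired_macs):
        return "Rogue"
    return "External"


def rogue_flags(ap):
    """The rogue-AP details the deck measures: open, WEP, default SSID."""
    flags = set()
    if ap["security"] == "OPEN":
        flags.add("open")
    if ap["security"] == "WEP":
        flags.add("wep")
    if ap["ssid"].lower() in DEFAULT_SSIDS:
        flags.add("default_ssid")
    return flags


def survey(aps=SEEN_APS):
    """Counts per class plus a detail record for every rogue AP."""
    counts = {"Authorized": 0, "External": 0, "Rogue": 0}
    rogues = []
    for ap in aps:
        cls = classify(ap)
        counts[cls] += 1
        if cls == "Rogue":
            rogues.append({"bssid": ap["bssid"], "ssid": ap["ssid"],
                           "vendor": CONSUMER_OUIS.get(oui(ap["bssid"]), "unknown"),
                           "flags": rogue_flags(ap)})
    return counts, rogues


if __name__ == "__main__":
    counts, rogues = survey()
    print(counts)
    for r in rogues:
        print(r)
```

The order of checks matters: an authorized AP is also on the wire, so the allowlist must be consulted before the wired-correlation heuristic, or every managed AP would be reported as rogue. The external APs (the coffee shop, the neighbor) are the war-driving noise that the slide says cannot be told apart from rogues without the wired-side correlation.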

Client Consumerization: Client Extrusion

Clients (smartphones and laptops alike) probe for these SSIDs. [image: list of commonly probed SSIDs]

Client Probing For Vulnerable SSIDs: Retail/SMB Organizations

118,981 clients observed: 12,002 Authorized, 106,979 Unmanaged

Clients probing for vulnerable SSIDs: 636 (5.3%) of Authorized clients vs 21,777 (20.4%) of Unmanaged clients

The power of accurate threat classification: 5.3% vs 20.4%. Without separating your own clients from the unmanaged ones around you, the headline number would be dominated by devices you do not own.

"Known" Vulnerable SSIDs Probed For: 103 distinct SSIDs recorded

Some (8%) authorized clients probe for 5 or more SSIDs
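Client extrusion starts with the probe requests the deck describes: a client broadcasts the SSIDs in its saved profile list, and a hotspot advertising one of those names is the evil twin the demo later shows. The Python below, an added example rather than anything from the talk, builds a few constructed probe-request frames, parses the 802.11 management header and tagged parameters to recover the client MAC and requested SSID, and then reproduces the deck's two measurements: the share of authorized versus unmanaged clients probing for a "known vulnerable" SSID, and clients probing for five or more SSIDs. The authorized-client list, the vulnerable-SSID list and the frames are all assumptions.

```python
"""Parse 802.11 probe requests and measure client-extrusion exposure.
Added example, not from the talk; frames and client lists are constructed."""
import struct
from collections import defaultdict

FC_PROBE_REQ = 0x40                      # Frame Control byte 0: type 0 (mgmt), subtype 4
MGMT_HDR = struct.Struct("<HH6s6s6sH")   # FC, duration, addr1 (DA), addr2 (SA), addr3 (BSSID), seq ctl
BROADCAST = b"\xff" * 6
IE_SSID, IE_RATES = 0, 1


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def build_probe_request(src_mac, ssid):
    """Constructed sample input: a minimal probe request (no radiotap, no FCS).
    An empty SSID is the wildcard probe, which does not leak a profile name."""
    body = bytes([IE_SSID, len(ssid)]) + ssid.encode()
    body += bytes([IE_RATES, 4, 0x82, 0x84, 0x8B, 0x96])   # 1, 2, 5.5, 11 Mbps (basic)
    return MGMT_HDR.pack(FC_PROBE_REQ, 0, BROADCAST, mac_bytes(src_mac), BROADCAST, 0) + body


def parse_ies(body):
    """Walk the tagged-parameter list; reject truncated elements instead of guessing."""
    ies, off = [], 0
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated IE header")
        tag, ln = body[off], body[off + 1]
        val = body[off + 2:off + 2 + ln]
        if len(val) != ln:
            raise ValueError("truncated IE body")
        ies.append((tag, val))
        off += 2 + ln
    return ies


def parse_probe_request(frame):
    """Return (client MAC, requested SSID or None for a wildcard probe)."""
    if len(frame) < MGMT_HDR.size:
        raise ValueError("short frame")
    fc, _dur, _da, sa, _bssid, _seq = MGMT_HDR.unpack_from(frame)
    if (fc & 0xFC) != FC_PROBE_REQ:          # ignore protocol-version bits, keep type/subtype
        raise ValueError("not a probe request")
    ssids = [v for t, v in parse_ies(frame[MGMT_HDR.size:]) if t == IE_SSID]
    if not ssids:
        raise ValueError("probe request without SSID element")
    ssid = ssids[0].decode("utf-8", "replace")
    return mac_str(sa), (ssid or None)


def is_malformed(frame):
    try:
        parse_probe_request(frame)
        return False
    except ValueError:
        return True


def probe_table(frames):
    """client MAC -> set of SSIDs it probed for by name (wildcards add nothing)."""
    table = defaultdict(set)
    for f in frames:
        mac, ssid = parse_probe_request(f)
        table[mac]                           # record the client even if it only sends wildcards
        if ssid:
            table[mac].add(ssid)
    return table


def probing_vulnerable(table, clients, vulnerable):
    """(clients probing for at least one vulnerable SSID, clients in the subset)."""
    subset = [m for m in table if m in clients]
    return sum(1 for m in subset if table[m] & vulnerable), len(subset)


def probing_many(table, n=5):
    """Clients whose saved-profile leak is n or more distinct SSIDs."""
    return sorted(m for m, s in table.items() if len(s) >= n)


# Assumptions: which clients we manage, and which SSIDs count as "known vulnerable".
AUTHORIZED = {"00:11:22:aa:00:01", "00:11:22:aa:00:02"}
VULNERABLE_SSIDS = {"linksys", "default", "attwifi", "Free Public WiFi", "tmobile"}

SAMPLE_FRAMES = [
    build_probe_request("00:11:22:aa:00:01", "corp-wifi"),
    build_probe_request("00:11:22:aa:00:01", "linksys"),     # authorized laptop with a home profile
    build_probe_request("00:11:22:aa:00:02", "corp-wifi"),
    *[build_probe_request("00:aa:bb:cc:00:03", s)
      for s in ("attwifi", "Free Public WiFi", "linksys", "default", "tmobile")],
    build_probe_request("00:aa:bb:cc:00:04", ""),            # wildcard only
    build_probe_request("00:aa:bb:cc:00:05", "HomeNet"),
]


def sample_analysis(frames=SAMPLE_FRAMES):
    table = probe_table(frames)
    unmanaged = set(table) - AUTHORIZED
    return {"authorized": probing_vulnerable(table, AUTHORIZED, VULNERABLE_SSIDS),
            "unmanaged": probing_vulnerable(table, unmanaged, VULNERABLE_SSIDS),
            "many": probing_many(table)}


if __name__ == "__main__":
    print(sample_analysis())
```

In a real deployment the frames come from a monitor-mode capture (with radiotap headers stripped first) and the authorized-client list from the endpoint inventory; the analysis is the same. The truncated-IE checks are not cosmetic: a sensor that parses attacker-controlled management frames is itself an attack surface.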

Adhoc Authorized Clients!

565 distinct Adhoc SSIDs found, about half of them vulnerable

15% of these are default SSIDs. 26,443 (7%) clients seen in adhoc mode.

So What? Illustrative Exploit via Client Extrusion

Smartphone as an Attacker

  • App 1: Mobile Hotspot (advertises an SSID the victim client probes for)
  • App 2: SSLStrip attack tool

VIDEO DEMO: Smartphone MITM Attack

Threat Duration: how long (time interval) a threat is active before removal

AP Threats Live "Longer" Than Client Threats

15% of client threats and 30% of AP threats live for > 1 hr

Some AP based threats are active for a day or more!

[Histogram: % of threat instances with a given Threat Duration, per category (Rogue AP, AP Misconf., Client Extrusion, Adhoc networks); AP threats live longer. Data from SMB/Retail (PCI) segment]

Threat Frequency: threat instances per sensor per month

Threat Frequency

Large Enterprise Segment: threats per month per sensor (each sensor covers approx. 10,000 sq feet)

The bigger your organization, the higher the likelihood of finding the threats

[Chart: Threat Frequency by Threat Category]

Key Takeaways Summarized
  • Wireless threats due to unmanaged devices are present
    • Enterprise wireless environment influenced by consumerization
  • Certain threats more common than others
    • Client extrusions
    • Rogue AP
    • AP Mis-configurations
    • Adhoc clients
  • Common threats affect large enterprise and SMB organizations
    • Wireless threats persist regardless of sophistication of wired network security
Use WPA2 For Your Authorized WLAN!

But WPA2 does not protect against threats due to unmanaged devices: a rogue AP, a misconfigured AP, or a client that connects out to a neighbor or an evil twin sits outside the WPA2 domain of your authorized WLAN.

Threat Mitigation

Intrusions (AP Based Threats)

  • Wire side controls as a first line of defense (e.g., 802.1X port control)
  • Wireless IPS to automatically detect & block intrusions
  • Regular wireless scans to understand your security posture
    • Cloud based solutions are available to automate wireless scans
  • Defense-in-depth mitigation: combine the above rather than relying on any one

Extrusions (Client Based Threats)

  • Educate users: clean up profiles, use VPNs & connect to secure Wi-Fi
  • Deploy end point agents to automatically block connections to insecure Wi-Fi
  • Wireless IPS to automatically detect & block extrusions in the enterprise perimeter
Apply Slide: Recommended Best Practices
  • Self Assessment Test
    • Scan your network to find out how vulnerable you are
    • Good chance that you will find a Rogue AP, higher chance that you will find client extrusion
  • Follow best practices
    • Educate your users to connect to secure Wi-Fi
    • Use VPN for remote connections
    • Clean up the Connection profiles of Wi-Fi clients periodically
    • Deploy end point agents to automate some of the above
  • Adopt a “defense in depth” security approach
    • Employ wire side defenses against Rogue APs (first line of defense)
    • Regularly scan your wireless perimeter
    • If risk assessment is high and/or you store super sensitive data
      • Threat containment via wireless IPS should be considered

Go Wi-Fi, But, The Safe Way!


Questions?

Thank You

deepak.gupta@airtightnetworks.com


A1: Location/Site Wise Distribution

Key Observations: prominent threats are distributed across multiple sites.

Key Implications: you need the ability to monitor the entire organization, not just 1 or 2 sites.

A2: Enterprise vs PCI (SMB/Retail)

Key Observations: similar pattern with respect to the prominent threats; some difference w.r.t. other threats, notably increased adhoc connections in the PCI segment.