auditing wireless n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Auditing Wireless PowerPoint Presentation
Download Presentation
Auditing Wireless

Loading in 2 Seconds...

play fullscreen
1 / 71

Auditing Wireless - PowerPoint PPT Presentation


  • 65 Views
  • Uploaded on

Auditing Wireless. by Chris Gohlke Lead Senior Auditor Florida Auditor General chrisgohlke@aud.state.fl.us 850-487-9328. Introduction. 802.11 ( WiFi ) -Not Bluetooth or RFID Technology Review Standards Controls Testing Reporting. Technology Review. What is Wi-Fi.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Auditing Wireless' - media


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
auditing wireless

Auditing Wireless

by

Chris Gohlke

Lead Senior Auditor

Florida Auditor General

chrisgohlke@aud.state.fl.us

850-487-9328

introduction
Introduction
  • 802.11 (WiFi) -Not Bluetooth or RFID
  • Technology Review
  • Standards
  • Controls
  • Testing
  • Reporting
what is wi fi
What is Wi-Fi
  • Wi-Fi (sometimes written Wi-fi, WiFi, Wifi, wifi) is a trademark for sets of product compatibility standards for wireless local area networks (WLANs). Wi-Fi, short for “Wireless Fidelity,” was intended to allow mobile devices, such as laptop computers and personal digital assistants (PDAs) to connect to local area networks, but is now often used for Internet access and wireless VoIP phones. Desktop computers can use Wi-Fi too, allowing offices and homes to be networked without expensive wiring. Most computers and many other consumer electronic devices have Wi-Fi built-in.
definition mac and ssid
Definition - MAC and SSID
  • A media access control address (MAC address) is a globally unique identifier attached to most forms of networking equipment allowing each host to be uniquely identified and allows frames to be marked for specific hosts. (Note, Hackers can spoof the MAC address.)
  • A service set identifier (SSID) is a code attached to all packets on a wireless network to identify each packet as part of that network. A network's SSID is often referred to as the “network name.” The SSID is either broadcast automatically by the AP, or sent upon request (probe) from a user station.
encryption
Encryption
  • WEP (Wired Equivalent Privacy) – very weak encryption, can be broken in minutes.
  • WPA (Wi-Fi Protected Access) – much better, but uses weak RC4 encryption and can be broken in a few hours.
  • WPA2 – like WPA, but uses the stronger Advanced Encryption Standard (AES)
why are we worried about wireless
Why are we worried about wireless?
  • Eliminates the network cable.
  • Network accessible outside of normal physical security.
standards1
Standards
  • NIST Special Publication 800-97 - Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i http://csrc.nist.gov/publications/nistpubs/800-97/SP800-97.pdf
  • Information Supplement: PCI DSS Wireless Guideline https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf
controls1
Controls

If they have official wireless -

If they don’t have official wireless-

Scans for non-approved deployments

Policies

  • Physical Security
  • MAC Filtering
  • Changing SSID/password from default
  • Non-broadcast SSID
  • Encryption
  • Firmware up-to-date
  • Scans for non-approved deployments
  • Policies
controls physical security
Controls – Physical Security

If you can physically access the device, you can disable all the security settings. Make sure physically exposed items are only antennas.

controls mac filtering
Controls – MAC Filtering
  • Only preapproved MAC addresses are allowed to access the network. However, MAC addresses can be easily captured and spoofed. It also requires a lot of management overhead on a large network.
controls change the ssid password from default
Controls – Change the SSID/Password from default
  • If you leave it as the default, you’ve just given away info about your hardware that will make it easier for a hacker.
  • So change it and make it unique.
controls don t broadcast the ssid
Controls – Don’t Broadcast the SSID
  • To be able to connect, you need to know the SSID. By default, the WAP constantly shouts out its name to make it easy for users to find. Even if they don’t broadcast it, if the network is being used, it is easy to get the SSID passively from the traffic.
controls encryption
Controls - Encryption
  • WEP (Wired Equivalent Privacy) – very weak encryption, can be broken in minutes.
  • WPA (Wi-Fi Protected Access) – much better, but uses weak RC4 encryption and can be broken in a few hours.
  • WPA2 – like WPA, but uses the stronger Advanced Encryption Standard (AES)
controls scans for unauthorized deployments
Controls - Scans for unauthorized deployments

Whether or not they are running wireless, the auditee should be performing a periodic scan for unauthorized wireless access points. If they are, they should be documenting the scan in some way.

controls policies
Controls - Policies

As with most things, ideally they will have created policies and procedures to support the implementation of the above listed controls.

testing advanced scanning tools
Testing – Advanced Scanning Tools

Inssiderreplaced Network Stumbler which hadn't been actively developed since 2004.

testing when to use which tool
Testing – When to use which tool?

Start with the basic tools. Most of the time a full map is going to just be overkill and not an efficient use of your audit time. Add in the advanced tools if you have exceptions you aren’t able to locate or resolve any other way.

reporting
Reporting

http://www.myflorida.com/audgen/pages/pdf_files/2007-005.pdf (See Finding #3)

reporting1
Reporting

Finding No. 3: Wireless Controls

Wireless networking is quickly becoming a more widely used networking solution. Significant risks to security are presented by wireless networks as most wireless networking equipment is configured insecurely in its default configuration, flaws exist in WEP (Wired Equivalent Privacy) authentication, and the range for many wireless devices can extend beyond intended coverage areas, allowing attackers to gain access to a network without setting foot in the building in which the network is located. Good wireless security controls include provisions to change configurations before implementation to provide stronger security settings than those present in default configurations; use of more advanced authentication, such as Wi-Fi Protected Access 2 (WPA2) with Extensible Authentication Protocol (EAP) on 802.1X authentication servers; and planning to minimize how far wireless signals extend beyond coverage areas.

NIST guidelines include recommended procedures for assessing the effectiveness of controls over wireless access points. These include war drives or war walks, which involve patrolling an area with portable computing devices, such as laptops, equipped with wireless access cards, attempting to detect unauthorized wireless access points attached to networks. NIST recommends that this procedure be performed weekly to semiannually, depending on the sensitivity of the systems residing on the network.

reporting2
Reporting

Improvements were needed in controls to ensure agency authorized wireless access points were appropriately secured and in agency procedures to detect the presence of unauthorized wireless access points. Our audit disclosed the following:

  • Inadequate controls were used at an agency to secure authorized wireless access points.
  • Most agencies did not perform war drives or war walks to detect unauthorized wireless access points nor had any written procedures to do so.
  • We detected an unauthorized wireless network device on an agency network.
  • Some agencies did not have policies or procedures in place prohibiting unauthorized wireless access points from being attached to their networks.

Without controls to ensure agency authorized wireless access points are appropriately secured and procedures to detect the presence of unauthorized wireless access points, agencies increase the risk of their network security being compromised by an individual with malicious intent or by users installing unauthorized wireless access points.

Recommendation: The applicable agencies should implement appropriate controls to secure authorized wireless access points from attacks that can exploit insecure configurations and weak authentication mechanisms. Agencies should also perform periodic war drives or war walks to detect and remediate unauthorized wireless access points that may be present on their networks allowing attackers to bypass normal network security.

hard drive surplus

Hard Drive Surplus

by

Chris Gohlke

introduction1
Introduction
  • Technology Review
  • Standards
  • Special Legal Considerations
  • Controls
  • Testing
  • Reporting
technology review2
Technology Review

We have been taught to think that when "deleting" files and then emptying the Recycle Bin that the selected files are now gone. This is not true. What happens is that the Windows disk manager only "deletes" its known reference to the name and where a file is being stored on the hard drive. The files are actually still there and can be very easily recovered with simple software tools. 

technology review3
Technology Review

Many people think that formatting a hard drive will permanently erase all the data on the drive. This also is not true. Formatting is only a very low level hard drive cleaning function.

Formatting a hard drive does not completely erase all data as one may think. It only erases the file structure information. This means that your deleted data can be recovered by anyone possessing the right tools, until it is over written.

technology review4
Technology Review

Imagine the hard drive of a computer is like a book. Instead of words, the hard drive is made up of binary data (0’s and 1’s). Like a book, the hard drive has a table of contents that catalogs where on the drive the 0’s and 1’s are that make up data files. Deleting and formatting drives is equivalent to removing the table of contents from the book. All of the data is still there. Software tools basically allow the computer to read the book and recreate the table of contents and thereby making all the data accessible.

technology review5
Technology Review

This leaves three ways to truly destroy your data

  • Destroy the Drive
  • Degauss the drive
  • Overwrite the drive
slide41

Degauss the Drive

Make sure the device is rated for hard drives, not just media.

standards aeit
Standards - AEIT

AEIT - Information Security Policy – Agency Guidelines – Section 10

  • 1.11 Each agency shall document procedures for sanitization of agency-owned computer equipment prior to reassignment or disposal.
  • 1.12 Equipment sanitization must be performed such that no data remains. File deletion and formatting media are not acceptable or approved methods of sanitization.
  • 1.13 Acceptable methods of sanitization include:
    • using software to overwrite data on computer media;
    • degaussing; or
    • physically destroying media.
  • http://www.myflorida.com/myflorida/cabinet/aeit/docs/2007%20Information%20Security%20Policy%20Guidelines.pdf
standards f a c
Standards – F.A.C.

Florida Administrative Code - 60DD-7.013 Disposition Phase

  • It is the sole responsibility of each agency in accordance with Rule 60DD-2.009, F.A.C., to erase all confidential or exempt information contained in all electronic memory components from information technology equipment prior to transfer or final disposition.
  • Property containing hazardous materials, including,……., that cannot be transferred as set forth in subparagraph 60DD-7.013(2)(d)1., F.A.C., should be disposed of consistent with Section 403.705, F.S., and Rule Chapter 62-730, F.A.C., Dept. of Environmental Protection Rules for Hazardous Waste.
  • https://www.flrules.org/gateway/RuleNo.asp?ID=60DD-7.013
standards nist
Standards - NIST

NIST Special Publication 800-88 - Guidelines for Media Sanitization

  • Information systems capture, process, and store information using a wide variety of media. This information is not only located on the intended storage media but also on devices used to create, process, or transmit this information. These media may require special disposition in order to mitigate the risk of unauthorized disclosure of information and to ensure its confidentiality. Efficient and effective management of information that is created, processed, and stored by an information technology (IT) system throughout its life, from inception through disposition, is a primary concern of an information system owner and the custodian of the data.
  • http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf
special legal considerations1
Special Legal Considerations

If suspected child pornography or other possibly illegal material is found during your testing. IMMEDIATELY notify your supervisor. Management will then contact FDLE and coordinate with law enforcement.

special legal considerations2
Special Legal Considerations

So, be sure to follow all the documentation procedures, including:

  • Logs
  • Chain of custody
  • Photos
  • Physical Security
controls3
Controls
  • Procedures
  • Documentation
  • Physical Security
  • Erasure
  • Options for Inoperable Hard Drives
  • Environmental???
  • Licensing???
  • Other Media???
controls physical security1
Controls – Physical Security
  • Prior to being wiped – must limit access just as you would limit access to the data on the drive
  • After being wiped – just protecting against the theft of the value of the item(probably minimal at this point)

So they should be doing the data wipes in a timely manner to shorten the window where the computer could “disappear.”

controls erasure
Controls - Erasure
  • Destroy the Drive
    • Evidence?
    • Observe them doing it
  • Degauss the drive
    • Observe them doing it
    • Inspect the degausser
    • Test for effectiveness
  • Overwrite the drive
    • Observe them doing it
    • Inspect the software/version
    • Test the effectiveness
controls erasure1
Controls - Erasure

Is the auditee testing for effectiveness?

controls inoperative drives
Controls – Inoperative Drives

What do they do if the drive doesn’t work?

Just because they can’t get it to work doesn’t mean it is permanently broken or that the data is gone.

Physical destruction is always a good fallback.

controls environmental optional
Controls – Environmental (Optional)

How are they disposing of their e-waste? Most is somewhat toxic and should not be going to the landfill. They should have specific recycling contracts in place or agreements to donate used computers. Is there documentation to support that the equipment went where it was supposed to and didn’t just get trashed, or go home with employees?

controls licensing optional
Controls – Licensing (Optional)

Are surplus computers being reloaded with an OS before they go out the door?

Are these copies licensed?

Why are they installing these copies?

controls other media optional
Controls – Other Media (Optional)
  • Is the auditee aware of the risks?
  • Have they put procedures in place?
  • Is the copier a rental?
  • Can they access the hard drive?
  • Could we?
  • Is the hardware proprietary?
  • Is it connected to the Internet to call home?
  • Is the only security, security by obscurity?
  • This is probably one of the next can of worms.
testing population
Testing - Population

Ideally (yeah right) they’ve kept all the hardware that they’ve designated as surplus and wiped during your audit period and they’ve got it well-organized in a nice clean, air-conditioned room. If so, pull a sample from the list they give you and have fun.

testing population1
Testing - Population

Worst cast (pretty likely) is that surplus goes out the door pretty quickly. This leaves you a very limited window to test from. Unfortunately you may have to have them specifically hold items for you to test, which does increase the risk that your test items are not representative of the procedures they follow under normal circumstances. WORK WITH YOUR ATL AND SUPERVISOR TO COME UP WITH THE BEST SAMPLING METHODOLOGY FOR YOUR CIRCUMSTANCES.

testing1
Testing

If they physically destroy the drives, beyond observations, there is nothing we need to do to test the effectiveness of their erasure procedure. This makes our life easy, so we like this.

testing2
Testing

If they degauss, we will need to hook up the drives to our testing apparatus, BUT, most likely, if the degauss worked, the chips that control the drive were also damaged and the drive itself is now inoperable, and it won’t function, so we won’t be able to test beyond hooking it up to see if it works. If the drive does work, proceed with testing to see if any data can be recovered. It is possible that the degauss removed the data successfully, but that the drive still functions.

testing caveat1
Testing - Caveat

A write blocker is a handy device to make sure you don’t write to the drive while accessing it. We use one by Tableau

reporting4
Reporting

Last multi-agency surplus audit was in 08.

  • Agency for Workforce Innovation (AWI)
  • Department of Agriculture and Consumer Services (DACS)
  • Department of Health (DOH)
  • Fish and Wildlife Conservation Commission (FWCC)
  • Office of State Courts Administrator (OSCA)

http://www.myflorida.com/audgen/pages/pdf_files/2009-083.pdf

reporting drives not erased
Reporting – Drives Not Erased

During our audit, we noted instances where computer hard drives in some surplus computers were not completely erased. We found some entity-specific IT security system data on some hard drives. Such data is identified in the Florida Statutes as being confidential. In response to audit inquiry, management of the applicable entities stated that the hard drives in question were not completely erased because of either human error or issues with the erasure tools that were employed. We are not disclosing additional specific details of these matters in this report to avoid the possibility of compromising confidential entity information. However, we have notified appropriate entity management of the specific matters. Due to the confidential nature of these findings, we have requested that the selected State entities not provide a written response to this finding and, accordingly, no response to this finding is included in this report.

Details will be Confidential