Auditing Wireless
by Chris Gohlke, Lead Senior Auditor, Florida Auditor General
firstname.lastname@example.org, 850-487-9328

Introduction
802.11 (WiFi); not Bluetooth or RFID
Technology Review, Standards, Controls, Testing, Reporting

Technology Review
What is Wi-Fi?
If they have official wireless -
If they don’t have official wireless -
Scans for non-approved deployments
If you can physically access the device, you can disable all the security settings. Make sure physically exposed items are only antennas.
Whether or not they are running wireless, the auditee should be performing a periodic scan for unauthorized wireless access points. If they are, they should be documenting the scan in some way.
As with most things, ideally they will have created policies and procedures to support the implementation of the above listed controls.
inSSIDer replaced Network Stumbler, which hadn't been actively developed since 2004.
Start with the basic tools. Most of the time a full map is going to just be overkill and not an efficient use of your audit time. Add in the advanced tools if you have exceptions you aren’t able to locate or resolve any other way.
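The periodic scan for unauthorized access points only becomes evidence when its results are compared against the approved inventory and written down. The script below is an added example, not material from the presentation: the approved AP list, the survey rows and the column names are constructed assumptions (a real tool such as inSSIDer exports its own column set), and it shows the comparison an auditor would expect to see documented: configuration drift on known APs, unknown radios broadcasting an agency SSID, and unknown APs strong enough to be inside the building.

```python
"""Compare a wireless survey with the approved AP inventory and write a scan record.

Added example; not code from the original presentation. All data and field
names below are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed: the agency's approved access points, keyed by BSSID (radio MAC).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"ssid": "AGENCY-STAFF", "encryption": "WPA2-Enterprise"},
    "00:11:22:33:44:02": {"ssid": "AGENCY-STAFF", "encryption": "WPA2-Enterprise"},
    "00:11:22:33:44:03": {"ssid": "AGENCY-GUEST", "encryption": "WPA2-PSK"},
}

# Constructed survey export from a war walk: bssid,ssid,channel,signal_dbm,encryption
SURVEY = """\
00:11:22:33:44:01,AGENCY-STAFF,6,-48,WPA2-Enterprise
00:11:22:33:44:02,AGENCY-STAFF,11,-55,WPA2-Enterprise
00:11:22:33:44:03,AGENCY-GUEST,1,-60,OPEN
AA:BB:CC:DD:EE:01,AGENCY-STAFF,6,-42,WPA2-PSK
AA:BB:CC:DD:EE:02,linksys,6,-70,OPEN
AA:BB:CC:DD:EE:03,NEIGHBOR-CAFE,1,-85,WPA2-PSK
"""


@dataclass
class Finding:
    bssid: str
    ssid: str
    reason: str


def parse_survey(text):
    """Turn the CSV-style export into dicts; BSSIDs are normalised to upper case."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, ssid, channel, signal, enc = line.split(",")
        rows.append({"bssid": bssid.upper(), "ssid": ssid, "channel": int(channel),
                     "signal_dbm": int(signal), "encryption": enc})
    return rows


def classify(rows, authorized, on_premises_dbm=-75):
    """Flag drift on authorized APs and unknown APs that need a follow-up."""
    agency_ssids = {a["ssid"] for a in authorized.values()}
    findings = []
    for r in rows:
        known = authorized.get(r["bssid"])
        if known is not None:
            # Authorized radio: check the live settings against the inventory.
            if known["encryption"] != r["encryption"]:
                findings.append(Finding(r["bssid"], r["ssid"],
                    f"authorized AP runs {r['encryption']}, inventory says {known['encryption']}"))
        elif r["ssid"] in agency_ssids:
            # A radio not in the inventory using the agency's own network name.
            findings.append(Finding(r["bssid"], r["ssid"],
                "unknown radio broadcasting an agency SSID"))
        elif r["signal_dbm"] >= on_premises_dbm:
            # Strong unknown signal: likely inside the facility, so locate it.
            findings.append(Finding(r["bssid"], r["ssid"],
                f"unknown AP at {r['signal_dbm']} dBm ({r['encryption']}), strong enough to be on premises"))
        # Weaker unknown APs (neighbours) stay in the record but are not exceptions.
    return findings


def scan_record(when, where, rows, findings, authorized):
    """The written record of one periodic scan that the auditee should retain."""
    lines = [f"Wireless scan {when} at {where}: {len(rows)} APs seen, {len(findings)} exceptions"]
    for r in rows:
        status = "authorized" if r["bssid"] in authorized else "unknown"
        lines.append(f"  {r['bssid']} {r['ssid']:<14} ch{r['channel']:<3} {r['signal_dbm']:>4} dBm "
                     f"{r['encryption']:<16} {status}")
    for f in findings:
        lines.append(f"  EXCEPTION {f.bssid} {f.ssid}: {f.reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parse_survey(SURVEY)
    print(scan_record("2024-01-15 (constructed)", "HQ building, floor 2", rows,
                      classify(rows, AUTHORIZED_APS), AUTHORIZED_APS))
```

The signal threshold is the judgement call: a weak neighbouring network is not an exception, but the scan record should still list it so the next scan can be compared with this one.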
http://www.myflorida.com/audgen/pages/pdf_files/2007-005.pdf (See Finding #3)
Finding No. 3: Wireless Controls
Wireless networking is quickly becoming a more widely used networking solution. Significant risks to security are presented by wireless networks as most wireless networking equipment is configured insecurely in its default configuration, flaws exist in WEP (Wired Equivalent Privacy) authentication, and the range for many wireless devices can extend beyond intended coverage areas, allowing attackers to gain access to a network without setting foot in the building in which the network is located. Good wireless security controls include provisions to change configurations before implementation to provide stronger security settings than those present in default configurations; use of more advanced authentication, such as Wi-Fi Protected Access 2 (WPA2) with Extensible Authentication Protocol (EAP) on 802.1X authentication servers; and planning to minimize how far wireless signals extend beyond coverage areas.
NIST guidelines include recommended procedures for assessing the effectiveness of controls over wireless access points. These include war drives or war walks, which involve patrolling an area with portable computing devices, such as laptops, equipped with wireless access cards, attempting to detect unauthorized wireless access points attached to networks. NIST recommends that this procedure be performed weekly to semiannually, depending on the sensitivity of the systems residing on the network.
Improvements were needed in controls to ensure agency authorized wireless access points were appropriately secured and in agency procedures to detect the presence of unauthorized wireless access points. Our audit disclosed the following:
Without controls to ensure agency authorized wireless access points are appropriately secured and procedures to detect the presence of unauthorized wireless access points, agencies increase the risk of their network security being compromised by an individual with malicious intent or by users installing unauthorized wireless access points.
Recommendation: The applicable agencies should implement appropriate controls to secure authorized wireless access points from attacks that can exploit insecure configurations and weak authentication mechanisms. Agencies should also perform periodic war drives or war walks to detect and remediate unauthorized wireless access points that may be present on their networks allowing attackers to bypass normal network security.
We have been taught to think that when "deleting" files and then emptying the Recycle Bin that the selected files are now gone. This is not true. What happens is that the Windows disk manager only "deletes" its known reference to the name and where a file is being stored on the hard drive. The files are actually still there and can be very easily recovered with simple software tools.
Many people think that formatting a hard drive will permanently erase all the data on the drive. This also is not true. Formatting is only a very low level hard drive cleaning function.
Formatting a hard drive does not completely erase all data as one may think. It only erases the file structure information. This means that your deleted data can be recovered by anyone possessing the right tools, until it is overwritten.
Imagine the hard drive of a computer is like a book. Instead of words, the hard drive is made up of binary data (0’s and 1’s). Like a book, the hard drive has a table of contents that catalogs where on the drive the 0’s and 1’s are that make up data files. Deleting and formatting drives is equivalent to removing the table of contents from the book. All of the data is still there. Software tools basically allow the computer to read the book and recreate the table of contents, thereby making all the data accessible again.
This leaves three ways to truly destroy your data
Make sure the device is rated for hard drives, not just media.
AEIT - Information Security Policy – Agency Guidelines – Section 10
Florida Administrative Code - 60DD-7.013 Disposition Phase
NIST Special Publication 800-88 - Guidelines for Media Sanitization
If suspected child pornography or other possibly illegal material is found during your testing, IMMEDIATELY notify your supervisor. Management will then contact FDLE and coordinate with law enforcement.
So, be sure to follow all the documentation procedures, including:
So they should be doing the data wipes in a timely manner to shorten the window where the computer could “disappear.”
Is the auditee testing for effectiveness?
What do they do if the drive doesn’t work?
Just because they can’t get it to work doesn’t mean it is permanently broken or that the data is gone.
Physical destruction is always a good fallback.
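The book analogy above (data stays on the platters after a delete or format because only the table of contents is removed) and the effectiveness questions just raised (is the auditee testing the wipe, and what does a failed tool leave behind) can both be shown on a simulated drive. The script below is an added example and not material from the presentation; the toy disk layout, the sector size and the sample file contents are constructed, and it is not a real file system format. It deletes and formats a file, carves the bytes back out of the raw sectors, then runs the kind of sector-level verification an auditor would want to see, including the case of a wipe tool that stopped part way through.

```python
"""Simulated drive: why delete/format leaves data behind and how to verify a wipe.

Added example, not from the original presentation. The layout is a constructed
toy (fixed-size sectors plus an in-memory 'table of contents'), not a real
file system.
"""
import re

SECTOR = 64       # bytes per sector (toy size)
N_SECTORS = 32    # a 2 KiB "drive"


class ToyDisk:
    """A bytearray of sectors plus a catalogue mapping file names to sectors."""

    def __init__(self):
        self.data = bytearray(SECTOR * N_SECTORS)   # the pages of the book
        self.toc = {}                                # name -> (first_sector, byte_length)
        self.next_free = 0

    def write_file(self, name, content):
        nsec = -(-len(content) // SECTOR)            # ceiling division
        if self.next_free + nsec > N_SECTORS:
            raise ValueError("disk full")
        off = self.next_free * SECTOR
        self.data[off:off + len(content)] = content
        self.toc[name] = (self.next_free, len(content))
        self.next_free += nsec

    def read_file(self, name):
        first, length = self.toc[name]
        return bytes(self.data[first * SECTOR:first * SECTOR + length])

    def delete(self, name):
        """What emptying the Recycle Bin does: drop the catalogue entry only."""
        del self.toc[name]

    def quick_format(self):
        """What a format does: throw away the whole table of contents."""
        self.toc.clear()
        self.next_free = 0

    def overwrite(self, first_sector=0, last_sector=None):
        """A wipe tool: zero-fill the sectors in [first_sector, last_sector)."""
        stop = N_SECTORS if last_sector is None else last_sector
        for s in range(first_sector, stop):
            self.data[s * SECTOR:(s + 1) * SECTOR] = bytes(SECTOR)
        self.toc.clear()
        self.next_free = 0


def carve(disk, min_len=12):
    """Recovery tool: ignore the catalogue and read printable runs off the raw sectors."""
    pattern = rb"[ -~]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, bytes(disk.data))]


def verify_wiped(disk):
    """Effectiveness test: every sector must be all zeros. Returns (ok, first_dirty_sector)."""
    for s in range(N_SECTORS):
        if any(disk.data[s * SECTOR:(s + 1) * SECTOR]):
            return False, s
    return True, None


# Constructed stand-in for the kind of confidential record a surplus drive might hold.
SECRET = b"CONFIDENTIAL: IT security plan - constructed sample record for this example"


def walk_through():
    """Delete, format, partial wipe, full wipe; report what a reviewer would find."""
    d = ToyDisk()
    d.write_file("readme.txt", b"Hello, surplus reviewer.")
    d.write_file("filler.bin", b"x" * 630)      # sectors 1-10, leaves zero padding after it
    d.write_file("secplan.doc", SECRET)         # sectors 11-12
    found = lambda: any(SECRET.decode() in run for run in carve(d))
    out = {}
    d.delete("secplan.doc")
    out["recoverable_after_delete"] = found()
    d.quick_format()
    out["recoverable_after_format"] = found()
    d.overwrite(0, 9)                           # tool error: wipe stopped at sector 9
    ok, first_dirty = verify_wiped(d)
    out["partial_wipe_passes_check"] = ok
    out["partial_wipe_first_dirty_sector"] = first_dirty
    out["recoverable_after_partial_wipe"] = found()
    d.overwrite()                               # the wipe actually completed
    out["full_wipe_passes_check"] = verify_wiped(d)[0] and not carve(d)
    return out


if __name__ == "__main__":
    for k, v in walk_through().items():
        print(f"{k}: {v}")
```

The point of the partial-wipe step is that "the tool ran" is not the same as "the drive is clean": the catalogue is empty after the wipe, so a normal file listing shows nothing, and only reading the sectors directly (with a write blocker in front of the drive) shows the data the tool never reached.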
How are they disposing of their e-waste? Most is somewhat toxic and should not be going to the landfill. They should have specific recycling contracts in place or agreements to donate used computers. Is there documentation to support that the equipment went where it was supposed to and didn’t just get trashed, or go home with employees?
Are surplus computers being reloaded with an OS before they go out the door?
Are these copies licensed?
Why are they installing these copies?
Ideally (yeah right) they’ve kept all the hardware that they’ve designated as surplus and wiped during your audit period and they’ve got it well-organized in a nice clean, air-conditioned room. If so, pull a sample from the list they give you and have fun.
Worst case (pretty likely) is that surplus goes out the door pretty quickly. This leaves you a very limited window to test from. Unfortunately you may have to have them specifically hold items for you to test, which does increase the risk that your test items are not representative of the procedures they follow under normal circumstances. WORK WITH YOUR ATL AND SUPERVISOR TO COME UP WITH THE BEST SAMPLING METHODOLOGY FOR YOUR CIRCUMSTANCES.
If they physically destroy the drives, beyond observations, there is nothing we need to do to test the effectiveness of their erasure procedure. This makes our life easy, so we like this.
If they degauss, we will need to hook the drives up to our testing apparatus. Most likely, if the degauss worked, the chips that control the drive were also damaged and the drive itself is now inoperable, so we won’t be able to test beyond hooking it up to see if it works. If the drive does work, proceed with testing to see if any data can be recovered: it is possible that the degauss removed the data successfully but the drive still functions.
A write blocker is a handy device to make sure you don’t write to the drive while accessing it. We use one by Tableau.
Last multi-agency surplus audit was in 08.
During our audit, we noted instances where computer hard drives in some surplus computers were not completely erased. We found some entity-specific IT security system data on some hard drives. Such data is identified in the Florida Statutes as being confidential. In response to audit inquiry, management of the applicable entities stated that the hard drives in question were not completely erased because of either human error or issues with the erasure tools that were employed. We are not disclosing additional specific details of these matters in this report to avoid the possibility of compromising confidential entity information. However, we have notified appropriate entity management of the specific matters. Due to the confidential nature of these findings, we have requested that the selected State entities not provide a written response to this finding and, accordingly, no response to this finding is included in this report.
Details will be Confidential