Presentation Slides (pptx)

homuskrat, Networking and Communications

Nov 20, 2013



Security Auditing

Wireless Networks

Ted J. Eull

viaForensics

October 12, 2011

Introductions

viaForensics

Digital security via forensics. Leader in mobile forensics and security assessment

Apply methods used for computer crime investigation and incident response proactively to enhance security.

Based in Oak Park, IL (Chicago suburb)

Ted Eull, VP Technology Services

10+ years in IT consulting, corporate and security

Background in Web app development

GWAPT, CRISC pending

Not a wireless pen test specialist (sorry)

Agenda


Why? Reasons to security audit your wireless devices and network

What? Identifying your wireless network components

How? Wireless audit & technical security assessment process

Who and When? Internal/External, frequency of assessment

Recommendations and Resources

Why: Reasons to audit

CobiT: Linking Business Goals to IT Goals

Many reasons to leverage wireless

Key reasons to security audit

Why: Reasons to audit


Regulations, regulations

Both industry and government

PCI / Payment Card Industry

GLBA / Gramm-Leach-Bliley Act

Federal Financial Institutions Examination Council / FFIEC

Health Information Portability and Accountability Act / HIPAA

Federal Energy Regulatory Commission / FERC

Sarbanes-Oxley / SOX

Why: Duh.

Protect your business / organization

Sensitive and proprietary information

Clients and business partner data

Reputation

The reasons behind the regulations

Why: Wireless Issues

From the FFIEC IT Examination Handbook
http://ithandbook.ffiec.gov/it-booklets/information-security/security-controls-implementation/access-control-/network-access-.aspx

Wireless Issues

Wireless networks are difficult to secure because they do not have a well-defined perimeter or well-defined access points.

Unlike wired networks, unauthorized monitoring and denial of service attacks can be performed without a physical wire connection.

Additionally, unauthorized devices can potentially connect to the network, perform man-in-the-middle attacks, or connect to other wireless devices.

To mitigate those risks, wireless networks rely on extensive use of encryption to authenticate users and devices and to shield communications.













Why: Wireless Issues

Wireless Issues (continued)

If a financial institution uses a wireless network, it should carefully evaluate the risk and implement appropriate additional controls. Examples of additional controls may include one or more of the following:

Treating wireless networks as untrusted networks, allowing access through protective devices similar to those used to shield the internal network from the Internet environment;

Using end-to-end encryption in addition to the encryption provided by the wireless connection;

Using strong authentication and configuration controls at the access point and on all clients;

Using an application server and dumb terminals;

Shielding the area in which the wireless LAN operates to protect against stray emissions and signal interference; and

Monitoring and responding to unauthorized wireless access points and clients.


Why: The threats



Data Interception

Can be intercepted at distance with directional antennas (Wi-Fi sniper rifles clocked at > 10 miles)

WEP can be cracked in seconds

TKIP is vulnerable to a keystream recovery attack which can allow injection of certain frames; this can enable ARP poisoning and DoS, for example. AES is better.

WPA/WPA2 vulnerable to dictionary attacks, rainbow tables and brute forcing.

Many large organizations adopt a standard 802.1X configuration using EAP-TLS with user certificates and a RADIUS server for authentication. Although considered very secure, be aware that it can still expose username and domain in the clear when authenticating.


Why: The threats



Denial of Service

Signal/frequency jamming

Cheap portable devices from China

Deauth Attack

Management frames are sent in the clear for 802.11a/b/g/n, which includes deauth frames. 802.11w protects management frames, which prevents deauth attacks, but it is only adopted by a few vendors.

A small laptop or handheld device can send out deauth requests continually, which drops clients. Can even be targeted at a certain vendor (e.g. all Apple devices).

WIDS should detect this

Channel Reservation

Attacker can send out repeated frames with a maximum wait duration and silence the channel, for equipment that follows the 802.11 spec
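The "WIDS should detect this" point above, as an added example that is not from the slides: a rate-based deauth-flood detector run over a constructed management-frame capture. The threshold, window length and MAC addresses are assumptions; frame type 0 / subtype 12 is the 802.11 deauthentication frame.

```python
"""Deauth-flood detection over a constructed 802.11 management-frame log.
Added example, not from the original slides. Management frames are sent in
the clear (no 802.11w), so a WIDS can count deauthentication frames (type 0,
subtype 12) per transmitter and alert when one address sends more of them in a
sliding window than roaming or idle timeouts explain. Threshold, window and
MAC addresses are constructed assumptions; timestamps are assumed monotonic.
"""
from collections import defaultdict, deque

DEAUTH_THRESHOLD = 20   # deauth frames per window before alerting (assumed)
WINDOW_SECONDS = 5.0    # sliding window length in seconds (assumed)
BROADCAST = "ff:ff:ff:ff:ff:ff"


def detect_deauth_flood(frames, threshold=DEAUTH_THRESHOLD, window=WINDOW_SECONDS):
    """frames: iterable of (timestamp, frame_type, subtype, src_mac, dst_mac).
    Returns {src_mac: {"frames": total deauths, "targets": set of dst_mac,
    "broadcast": bool}} for sources that exceed `threshold` deauths in `window`.
    A deauth tool spoofs the AP's BSSID as src, so the alert names the
    impersonated AP, not the attacker's own hardware address."""
    recent = defaultdict(deque)   # src -> timestamps of deauths inside the window
    total = defaultdict(int)
    targets = defaultdict(set)
    alerts = {}
    for ts, ftype, subtype, src, dst in frames:
        if ftype != 0 or subtype != 12:      # keep only management/deauthentication
            continue
        window_q = recent[src]
        window_q.append(ts)
        while ts - window_q[0] > window:     # drop timestamps that left the window
            window_q.popleft()
        total[src] += 1
        targets[src].add(dst)
        if len(window_q) >= threshold:       # flood: too many deauths, too fast
            alerts[src] = {"frames": total[src], "targets": set(targets[src]),
                           "broadcast": BROADCAST in targets[src]}
    return alerts


def constructed_frames():
    """Constructed capture: two APs behaving normally, then a 30-frame broadcast
    deauth burst spoofing AP1's BSSID over 3 seconds (typical of a deauth tool)."""
    ap1, ap2 = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02"
    frames = [(0.5, 0, 12, ap1, "cc:cc:cc:00:00:09"),   # AP1 drops one idle client
              (1.0, 0, 8, ap1, BROADCAST),               # beacon: not a deauth, ignored
              (2.0, 0, 12, ap2, "cc:cc:cc:00:00:10"),
              (4.0, 0, 12, ap2, "cc:cc:cc:00:00:11")]    # AP2: two deauths, benign rate
    frames += [(10.0 + i * 0.1, 0, 12, ap1, BROADCAST) for i in range(30)]
    return frames
```

A broadcast destination in the alert is the tell-tale of a mass disconnect; a long list of unicast targets sharing one OUI would match the vendor-targeted variant mentioned on the slide.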

Why: The threats



Rogue Access Points

Unauthorized APs plugged into the internal LAN.

Can be detected by some enterprise APs which scan for nearby rogue APs, and also by scanning the internal LAN for the management interface of popular wireless routers.

Can be detected by regular site surveys using Wi-Fi scanning equipment and directional antennas.

Spectrum analyzer capability is useful to catch highly covert installations and devices tuned off-band so as to avoid detection from standard equipment.


Why: The threats



Misconfigured APs

With the vast number of configuration options, it requires a great deal of planning, testing, ongoing maintenance and training to operate a large Wi-Fi installation.

Ad Hoc and Software APs

Can allow an attacker to connect directly to a corporate laptop inside a building and route traffic onto the corporate LAN, bypassing network security.

Client Driver Attacks

Exploiting bugs in Wi-Fi drivers of clients to remotely execute code on a victim's device without even needing a Wi-Fi network.

Defense is to keep client drivers patched, but still exposed to zero days

Why: The threats



Misbehaving Clients and Evil Twin APs

Clients forming unauthorized connections accidentally or intentionally

If the corporate SSID is hidden, it will cause the client device to continually probe for it wherever it goes, leaking information and providing the ability for devices to be tracked.

If a client has previously connected to a hidden open network, or an open network with a common name such as Starbucks or McDonalds, then an attacker can easily trick the client into connecting to their AP, from where a MITM attack can occur.

If a user is allowed to connect to any Wi-Fi network then they could be enticed to connect to an attacker's AP with the promise of free Wi-Fi or because it looks like an official corporate one.
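The evil twin and hidden-SSID probe problems described on this slide, as an added example that is not from the deck: two checks a WIDS or site survey can run on captured beacons and probe requests. The inventory, MACs, SSIDs and the security ranking are constructed assumptions.

```python
"""Evil-twin and probe-leak checks over constructed WIDS observations.
Added example, not from the original slides. Checks two things a WIDS or site
survey can see: a corporate SSID advertised by an unauthorized BSSID or with
weaker security than the baseline (evil twin), and clients probing for the
hidden corporate SSID or for common open SSIDs (the leak that lets a rogue AP
lure them). MACs, SSIDs and the security ranking are constructed assumptions.
"""
SECURITY_RANK = {"open": 0, "wep": 1, "wpa-tkip": 2, "wpa2-psk": 3, "wpa2-eap": 4}


def find_evil_twins(beacons, authorized):
    """beacons: iterable of (bssid, ssid, security).
    authorized: {ssid: {bssid: security}} inventory of the organization's APs.
    Returns [(bssid, ssid, reason)] for beacons that impersonate or weaken a corporate SSID."""
    findings = []
    for bssid, ssid, security in beacons:
        if ssid not in authorized:
            continue                      # neighbours' networks are out of scope here
        known = authorized[ssid]
        if bssid not in known:
            findings.append((bssid, ssid, "unauthorized BSSID advertising corporate SSID"))
        elif SECURITY_RANK[security] < SECURITY_RANK[known[bssid]]:
            # same BSSID but weaker security: a spoofed beacon or a misconfigured AP
            findings.append((bssid, ssid, f"security downgraded to {security}"))
    return findings


def probe_leaks(probes, corporate_ssids, common_open_ssids):
    """probes: iterable of (client_mac, probed_ssid) from probe requests.
    Returns {client_mac: set of leaked SSIDs} for clients that reveal a hidden
    corporate SSID or a remembered open network an attacker could impersonate."""
    leaks = {}
    for mac, ssid in probes:
        if ssid in corporate_ssids or ssid in common_open_ssids:
            leaks.setdefault(mac, set()).add(ssid)
    return leaks


# Constructed inventory and capture for the checks above.
AUTHORIZED = {"corp-wlan": {"00:11:22:33:44:01": "wpa2-eap", "00:11:22:33:44:02": "wpa2-eap"}}
BEACONS = [
    ("00:11:22:33:44:01", "corp-wlan", "wpa2-eap"),   # legitimate AP
    ("de:ad:be:ef:00:01", "corp-wlan", "open"),       # evil twin on an unknown BSSID
    ("00:11:22:33:44:02", "corp-wlan", "wpa2-psk"),   # corporate BSSID seen with weaker security
    ("66:77:88:99:aa:bb", "neighbour-cafe", "wpa2-psk"),
]
PROBES = [
    ("a1:b2:c3:d4:e5:01", "corp-wlan"),    # client probing for the hidden corporate SSID
    ("a1:b2:c3:d4:e5:01", "Starbucks"),    # same client remembers an open hotspot
    ("a1:b2:c3:d4:e5:02", "home-net"),     # nothing of interest
]
```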

Why: In short




Because it is a scary cyber world out there

To determine whether wireless technologies are properly managed and secured, in accordance with overall enterprise IT governance

What: Wireless components


WLAN

IEEE 802.11 Spec

aka Wi-Fi

b/a/g/n

Router/access point

Wireless clients

Typical range has nearly doubled in 10 years

Anything else?




What: More than WLAN

Identify all use of wireless to evaluate potential risk

Cellular (3G, LTE)

Bluetooth

Radio-frequency identification / RFID

Near field Communication / NFC

Zigbee

Not all may require security assessment, but each should be understood and evaluated



What? More than WLAN

When identifying wireless in the enterprise, think outside the WLAN

Warehouse (RFID)

PC & Mobile accessories (Bluetooth)

“Smart Meters” (Wi-Fi, Zigbee)

And most of all…


What? More than WLAN

Mobile devices and more mobile devices

By 2013, mobile phones will overtake PCs as the most common Web access device worldwide [Gartner].

Often consumer devices (iOS, Android)

Cellular + Wi-Fi

Inexpensive

Flexible

Fast evolving

Easy to secure

Just kidding

How: Audit Process


You decided auditing wireless is a good idea


Risk Assessment


Identify technology in use


Threat Profiling: start bottom-up, i.e. consider all threats to the tech in use

STRIDE threats: Spoofing Identity, Tampering with data, Repudiation (insufficient logging), Information Disclosure, Denial of Service, Elevation of Privileges

Try to construct realistic scenarios

Find pre-constructed scenarios


Have business stakeholders involved



How: Audit Process


Evaluate Risk


Consider industry and company-specific regulatory, policy and risk factors

Use DREAD or other rating system

Damage + Reproducibility + Exploitability + Affected Users + Discoverability


Consider potential cost of “worst case scenario”


Evaluate security countermeasures and controls in
place which can mitigate threats



How: Technical Process


Perform Security Assessment: Scope


Scope Appropriate for Risk


Vulnerability assessment vs. penetration testing


Test active production systems


Plan to trigger detection / countermeasures


How: Technical Process


Perform Security Assessment: Review


Design review of Wi-Fi infrastructure

Authentication

Defense in depth

Physical AP placement, security

Signal Coverage

Configuration review of Wi-Fi infrastructure to make sure it is configured correctly


Firmware versions


Review mobile device controls and security

How: Technical Process


Perform Security Assessment: Scan


Site survey with directional antenna and some good scanning software to identify rogue APs. Use a spectrum analyzer to pick up covert or malfunctioning wireless devices.

Test WIDS/WIPS if present by undertaking malicious activity such as deauth attacks and Evil Twin APs

Scans for client devices, such as:

Pineapple Karma attack to see who connects

Sniffing authentication to corporate Wi-Fi

Scanning for vulnerable client Wi-Fi drivers (can crash devices)


How: Technical Process


Wi-Fi Pineapple and Jasager

Jasager = “The Yes Man”

Portable Wi-Fi router built for initiating MITM position

Web interface for attacker, showing currently connected clients with their MAC address, IP address (if assigned) and the SSID they associated with

Run scripts on IP assignment

Full logging for later review

Extensible, with additional modules

Easy to set up phishing attacks

About $100 from http://hakshop.com/

How: Technical Process


Perform Security Assessment: Mobile Devices


Forensic analysis of mobile devices that access the network and store data

Assess data exposure

Test efficacy of security controls (e.g. passcode, remote wipe)


Examples of issues uncovered:


Network username/password easily recoverable


Corporate email in user backups


Passcode enforcement and remote wipe failure


Keychain dump (iOS)


How: Technical Process


Mobile Risk Study from viaForensics


Focused on iOS & Android


Key issues, recommendations


Risk scenarios, risk map


Corporate policy recommendations


Comparison to BlackBerry


Lab tests of MS Exchange ActiveSync policy implementation


Technical review of encryption, passcode protection, malware
vulnerability, etc.


High-level overview of Mobile Device Management (MDM) software


Available this month (online purchase/download)


Who: Internal or External


Some level of internal assessment capability
should be maintained


Leverage external specialized expertise for more
complete vulnerability assessment or pen test


Experienced testers should perform more than
automated scans


Security certifications good, wireless-specific even better (e.g. GAWN)

When: And how often


Depends on enterprise audit program


At least annual basic assessment


Identify technologies, infrastructure, devices


Check configurations, logging


Level set with overall security policies


Regular mobile device audits


Frequency of vulnerability scans, pen tests depends on
corporate risk evaluation


Ongoing security through active monitoring, such as
WIDS/WIPS

Recommendations

WEP



Assume all wireless traffic can be intercepted


Isolate wireless from corporate LAN


If Wi-Fi on LAN is necessary, use strong authentication, isolated VLAN and NAC


Use IDS/IPS for continuous monitoring


Test security systems such as WIDS


Implement reliable VPN for mobile workers, use GPO to
require VPN when off LAN


Assess how mobile devices are being used and where data is going

Policy and training for users on wireless security




Resources


ISACA


What every IT auditor should know about wireless telecommunication (2006)
http://www.isaca.org/Journal/Past-Issues/2006/Volume-4/Pages/What-Every-IT-Auditor-Should-Know-About-Wireless-Telecommunication1.aspx

Mobile Computing Security Audit/Assurance Program (2010)
http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Mobile-Computing-Security-Audit-Assurance-Program.aspx

viaForensics Mobile Risk Study
http://viaforensics.com/mobile-risk-study

Resources


RFID tools (rfidiot, proxclone reader/cloner)
http://hackaday.com/2007/03/25/rfidiot-rfid-io-tools/
http://proxclone.com/reader_cloner.html

Other tools

Aircrack http://www.aircrack-ng.org/

Kismac / KisMAC http://www.kismetwireless.net/

Wireshark http://www.wireshark.org/

Ettercap http://ettercap.sourceforge.net/

Pineapple http://hakshop.com/products/wifi-pineapple


Questions?

Closing comments (if any)