Hi, I was looking for a bit of advice. I have just recently carried out an audit on a wireless network. One of my findings was the guest SSID (which has no passcode so you can just connect) is able to route to some of their main production networks. I raised this as high risk. I should state this was an implementation issue due to limitations of the wireless kit and lack of knowledge from the company who implemented this. The client is disputing the high grade stating "any potential security breach would require high level networking skills to firstly identify the devices and usernames and passwords to these specific devices, which is seen as highly unlikely and therefore not high risk." I have high level knowledge of wireless networks and in my opinion you should not be able to route to production networks from an unprotected wireless network. Does anyone have any opinions on this?
The comment is a drop dead People and Process red light: DANGER WILL ROBINSON.
"any potential security breach would require high level networking skills to firstly identify the devices and usernames and passwords to these specific devices, which is seen as highly unlikely and therefore not high risk."
1) Any network access beyond a network segment authorized for unrestricted guest access is dangerous simply because it violates fundamental access controls.
2) Any risk reduction based on need for user ID and password after network access must show that all such systems are flawless and without vulnerability to attack that would circumvent user ID and password Logical Access controls.
The very idea that a team imagines that Logical Access control is a compensating control for violated Network Access Control, when there is not even working Network Access Control, would make it fair to ask, is there even working Logical Access control? Do you have proof of this too?
The "highly unlikely and therefore there is no risk" claim must have proof. Example: it is highly unlikely that Target stores would allow hostile software to install on its credit card readers. But that breach was 110 million identities and 61 million credit cards. (No, the bad guys did not have a valid user ID or password.)
More to the point, it was highly unlikely that TJ Maxx would allow rogue wireless to be installed to enable thieves to defraud their credit card network with wireless access from the parking lot. (Initially, the bad guys did not have a valid user ID or password. But as TJ Maxx staff began to wrongly see them as authorized IT staff, they were wrongly given valid user IDs and passwords.)
A) Have an attack and pen test done on the scope of networks that can be reached by the guest wireless. If the test shows that no system reachable from that context can be exploited from a black box testing position without any valid user ID or password, then the risk reduction is valid. If systems can be exploited, have the fact-based meeting about genuine risk management rather than under-baked thought experiments.
For fun, I include the following likelihood analysis:
There are 3 billion Java installations on the Internet. If 1/1000 persons are potential felons, then there are 3 million potential felons with Java on the Internet. If there are 7.1 billion people in this world, then the odds that any customer, employee or Internet visitor is a potential felon with Java on the Internet is 0.04%.
Let us look at the felony IT implications of 0.04% by computing the odds that no staff will have felony intent at this time:
Staff Count: Cherry Picking Odds of no felony Risk:
Consider now the number of customers per staff member a firm needs to process to make money. Is this 20 to 1, 2000 to 1?
Consider now the number of Internet systems that staff contact by Web Access during their lunch break per day?
Consider now the number of persons in the corporate parking lot that are either staff, customers, visitors, associates of the firm next-door, maintenance support, UPS, FedEx, Sparklets Water, Break Room Vending Machine support or Staples Office Supply delivery staff.
Ever notice how many Staples staff actually know their IT stuff? Ever notice how effective the UPS guy is at entering your building without a key, badge or access rights? 99.9% of them could be wonderful human beings.
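Worked through as an added illustration (not part of the reply above), using the reply's own figures: with $p = 0.04\% = 0.0004$ and $n$ people considered independently, the probability that none of them is a potential felon with Java is $(1-p)^n$, so the probability that at least one is becomes

\[
P(\text{at least one}) = 1 - (1-p)^n \approx 1 - e^{-pn}.
\]

\[
\begin{array}{r@{\qquad}c@{\qquad}c}
n & (1-p)^n \;\text{(no felon)} & 1-(1-p)^n \;\text{(at least one)} \\
10 & 0.9960 & 0.4\% \\
100 & 0.9608 & 3.9\% \\
1\,000 & 0.6703 & 33.0\% \\
10\,000 & 0.0183 & 98.2\% \\
\end{array}
\]

At 2 000 customers per staff member, a 100-person firm processes $n = 200\,000$ people, and the "no felon" probability is $e^{-80} \approx 10^{-35}$, i.e. zero for practical purposes. The assumption of independence is the reply's own; it is what turns a small per-person rate into near certainty at scale.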
For extra points:
I include links to Internet freeware that would enable the average person to identify systems and wireless networks with ease. Anyone can find YouTube videos on how to use these tools for free should they wish.
Enumerating Systems in a network: Nmap:
Identifying Wireless Networks: Kismet:
The IT organization that does not know these tools are freely available to the public might be either naive, off its game or knowingly lying to Governance, Risk and Compliance.
Danger Will Robinson.
Thank you very much for your response, which is helping me explain in better words why I graded this a high risk. In particular the "for fun" reply is where I am directing my manager to assure him I am correct (to be fair he never doubted me). So this is now back with the client; we briefly described why we believe it is graded high and that this should remain. We also explained we do not believe that advanced networking skills are required, just someone with an interest and access to Google could try attacking this network, especially considering the nature of the environment in which this network is installed. Hopefully they see sense and accept the High recommendation; if not I may need to quote some of your fun analysis!
Response much appreciated. If this escalates any further I will keep this post updated with the goings on.
http://www.nowiressecurity.com/articles/things_wi-fi_hackers_hope_y... The important part is the "Cracking the wireless encryption" paragraph...
http://unlimitedhacks.com/wifi-hacker This is a tool that requires knowledge of the SSID and it resolves the password. It is currently recommended to keep passwords at least 14 characters, big + small + numbers, simply a strong password; more is better according to current knowledge of attackers.
I have to emphasize that also when the SSID is HIDDEN it is possible to find it in network relatively quickly
USE ALL THESE links, if possible, from a computer that is very strongly secured please...
I hope it will help you; however, I will still discuss this with my son, who is trained as an ethical hacker, in this relation as well.
Yet I have to add following:
Absolutely the best practice is not to use WIFI in corporate networks, if possible. From time to time (because people are really lazy) it is necessary to use WIFI.
In that case we have to use network segmenting accordingly. Separate the part of the network where WIFI is connected into its own segment, and properly define route tables at the router in such a way that only those TCP/UDP connections that are really necessary can pass through the router.
Also it is necessary to have network monitoring implemented, and from time to time to arrange penetration testing accordingly.
You know, this is not a place where all the aspects could be mentioned, but at the beginning it might help you. Anyhow, you can freely look for me on LinkedIn; I am open to new connections.
Best regards
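One way to implement the segmentation and monitoring just described, as an added example that is not from the thread: an nftables ruleset for the router that sits between the guest Wi-Fi VLAN and everything else. Interface names (guest0, prod0, wan0) and the address ranges are assumptions; guests get DHCP, DNS and the Internet and nothing more, and every guest-to-production attempt is logged before it is dropped.

```nftables
# Assumed topology (not from the thread):
#   guest0 = guest SSID VLAN (10.99.0.0/24, gateway 10.99.0.1)
#   prod0  = production VLAN(s), 10.10.0.0/16
#   wan0   = Internet uplink
table inet guest_isolation {
    set production {
        type ipv4_addr
        flags interval
        elements = { 10.10.0.0/16, 192.168.0.0/16 }   # assumed production ranges
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Guest clients may use the gateway only for DHCP and DNS.
        iif "guest0" udp dport { 67, 53 } accept
        iif "guest0" tcp dport 53 accept
        # Anything else from guests aimed at the router itself: log, then drop.
        iif "guest0" limit rate 10/minute log prefix "guest->gateway denied: "
        iif "guest0" drop
        # Management from the wired side (tighten to a management VLAN in practice).
        iif "prod0" accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # The finding in this thread: guest -> production. Log attempts (rate-limited
        # so a scan cannot flood the log), then drop them unconditionally.
        iif "guest0" ip daddr @production limit rate 10/minute log prefix "guest->prod denied: "
        iif "guest0" ip daddr @production drop
        # Guests reach the Internet only; nothing else is forwarded for them.
        iif "guest0" oif "wan0" accept
        # Production reaches the Internet as usual; it never needs to initiate toward guests.
        iif "prod0" oif "wan0" accept
    }
}
```

The log lines ("guest->prod denied:") are the monitoring hook: forward them to the SIEM and alert on any burst, since a legitimate guest has no reason to touch production addresses at all.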
Thank you very much for the information and knowledge. It is certainly pointing me in the direction if the client still disagrees to keep this as a high recommendation. My next step was to direct them to some links to back up what I am recommending so the likes from Don and yourself along with what I found will certainly help. After sitting in on a network penetration seminar earlier this year it really opened my eyes to how insecure networks can be. We are not changing the recommendation regardless of the feedback so it is really down to them to resolve this a lot quicker than they are planning to.
Will be sure to look you up on LinkedIn
Thanks for your time
You are most welcome.
Utilities like Metasploit have made it easy for someone with average technical ability to launch sophisticated attacks. There are so many potential vulnerabilities that a defense-in-depth strategy is crucial toward protecting these systems. Without solid Network Access Control, there is one less layer of protection available.
Simple use of a vulnerability scanner results can provide lists of known vulnerabilities. These can include a brief on the risk and occasionally proof of concept exploit code.
Since I specialize in freeware tools, both BackTrack and Kali Linux implementations of Metasploit are available, but on the whole, it is not closing lists of known vulnerabilities served up by a vulnerability scanner that is the greater risk and closer to the root cause of avoidable risk management.
Rather, please think of Metasploit as a non-destructive proof of concept tool used by friend-of-the-business pen-testers. Just as I would not identify the abundance of fire extinguishers as proof of fire threat, but a handy solution for early management of risk and early suppression of a materialized fire hazard. Metasploit is not the fire risk; it is a handy proof of concept tool to manage unmitigated risk earlier in the defect identification and resolution process. Why wait for a raging fire of open attack by a non-friend of the business to identify materialized hazards, rather than risk before it is hazard? If one does not believe the risk is real, then benignly test it.
As an actuarial matter, Metasploit is not really used by determined attackers directly. They tend only to use Metasploit to benignly prove out their test bed environment for attacking systems, then build custom code in a QA environment fully capable of modeling general vulnerability or even target firm environments. Rather, Metasploit still tends to be used by friend-of-the-business testers and tends to have default tests built in for the direct purpose of motivating firms to avoid known vulnerabilities.
A proof of concept exploit is educational for IT staff that simply cannot wrap their head around known vulnerability inventories presented by vulnerability scanning results. Metasploit can help with the "Show Me" -- Missouri state of mind.
Consider that potentially 97% of firms subject to the popularized Heartbleed vulnerability have not patched all their vulnerable systems. Metasploit is moving to put a benign exploit for Heartbleed into its inventory. Not because it wants harm, but to show the true harm of the unresolved known vulnerability that has been identifiable and fixable for more than six months now, but somehow underappreciated in the true risk it represents.
Consider that 4.5 million healthcare records were lost due to abuse of the Heartbleed vulnerability already, in this case due to an unpatched Juniper SSL-VPN. The notification of risk was given and time to evade the risk was possible, but the medical institution did not appreciate this risk and was later harmed. Unpatched, known vulnerabilities like this are proven to be damaging but remain under-addressed. Read more on the avoidable harm of the unpatched, known Heartbleed vulnerability and the quantifiable damage caused. http://www.healthcareitnews.com/news/breach-alert-hackers-swipe-dat...