Deepak Gupta, AirTight Networks
Wireless Vulnerabilities in the Wild: View From the Trenches
Acknowledgement: Based on work presented by K N Gopinath at RSA 2011
Agenda
Why care about Wireless Vulnerabilities? (Motivation)
What’s new in this talk and what are its implications?
Wireless Vulnerability Analysis (Measurements)
Threat/Vulnerability Mitigation
Real Life Breaches due to Insecure Use of Wi-Fi
Marshalls store hacked via wireless
Hackers accessed TJX network & multiple servers for 18+ months
45.7 million payment credit accounts compromised
Estimated liabilities > 4.5B USD
Enter War Driving
[Chart: percentage of APs running WPA/WPA2 in NY, London and Paris, war-driving samples from RSA '07 and RSA '08; y-axis "WPA/WPA2 AP (%)", 0 to 80]
Not all APs are WPA/WPA2.
How many of these are actually connected to my network?
Sensor Based Statistical Sampling
Data collected over the last two years

Total Number of              Count
Sites/Locations              2,155
Organizations                  156
Sensors                      4,501
Total Access Points        268,383
Enterprise Clients         427,308
Threat Instances Analyzed   82,681
Enterprises Deal With a Lot of Non-Enterprise Devices
268,383 APs: 80,515 authorized, 187,868 external/unmanaged
70% of APs do NOT belong to the studied organizations!
Similarly, about 87% of clients are unmanaged/external!
Wireless Threat Space
Client based threats:
- Client extrusions: connections to neighbors, evil twins
- Adhoc networks
- Client bridging
- Banned devices
T3 (T-Cube) Parameters
- Threat Presence: presence of an instance of a threat (%)
- Threat Duration: window of opportunity for an attacker
- Threat Frequency: likelihood of presence of a threat instance
Real-life data and an accurate picture of threats
How does this information help you?
- Get an idea of the Wi-Fi threat scenario in enterprises that may be like yours
- Which wireless threats should you worry about first?
- Plan your enterprise mitigation strategy
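Added example, not from the AirTight deck: the three T3 parameters computed from a constructed threat-instance log, using the definitions the deck gives for them (presence as the percentage of organizations with at least one instance, duration bucketed into the histogram's 10 Min / 30 Min / 1 Hr / 6 Hr / 12 Hr / 12 Hr+ bins, frequency as instances per sensor per month). The log rows, the organization and sensor inventory and the category names are all made up for the example; a real WIPS export will have its own schema.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample (hypothetical, not survey data): one row per threat instance as a
# WIPS might export it: (organization, sensor, threat category, first seen, cleared).
THREAT_LOG = [
    ("org-A", "s1", "rogue_ap",         "2011-03-01 09:00", "2011-03-02 10:00"),
    ("org-A", "s1", "client_extrusion", "2011-03-01 12:00", "2011-03-01 12:05"),
    ("org-A", "s2", "client_extrusion", "2011-03-03 08:00", "2011-03-03 08:20"),
    ("org-B", "s3", "misconfigured_ap", "2011-03-05 10:00", "2011-03-05 18:00"),
    ("org-B", "s3", "client_extrusion", "2011-03-06 11:00", "2011-03-06 11:45"),
    ("org-C", "s4", "client_extrusion", "2011-03-07 09:00", "2011-03-07 09:08"),
    ("org-C", "s4", "adhoc",            "2011-03-07 14:00", "2011-03-07 17:00"),
    ("org-C", "s5", "client_extrusion", "2011-03-09 09:00", "2011-03-09 14:00"),
]
# Monitoring inventory (also constructed). Sensor s6 saw nothing, but it still counts
# in the frequency denominator: a quiet sensor is data, not a missing sensor.
ORGS = {"org-A", "org-B", "org-C"}
SENSORS = {"s1", "s2", "s3", "s4", "s5", "s6"}
MONTHS_MONITORED = 1

AP_THREATS = {"rogue_ap", "misconfigured_ap"}
CLIENT_THREATS = {"client_extrusion", "adhoc"}

# Duration buckets of the deck's histogram: (label, upper bound in minutes), None = open-ended.
DURATION_BUCKETS = [("10 Min", 10), ("30 Min", 30), ("1 Hr", 60),
                    ("6 Hr", 360), ("12 Hr", 720), ("12 Hr+", None)]


def parse_log(rows):
    """Turn raw rows into dicts carrying the time the threat stayed active, in minutes."""
    fmt = "%Y-%m-%d %H:%M"
    out = []
    for org, sensor, category, start, end in rows:
        active = datetime.strptime(end, fmt) - datetime.strptime(start, fmt)
        out.append({"org": org, "sensor": sensor, "category": category,
                    "minutes": active.total_seconds() / 60})
    return out


def threat_presence(instances, orgs):
    """Presence: percent of organizations that saw at least one instance of each category."""
    seen = defaultdict(set)
    for inst in instances:
        seen[inst["category"]].add(inst["org"])
    return {cat: round(100.0 * len(o) / len(orgs), 1) for cat, o in seen.items()}


def bucket_for(minutes):
    """First bucket whose upper bound covers the duration; the last bucket is unbounded."""
    for label, limit in DURATION_BUCKETS:
        if limit is None or minutes <= limit:
            return label


def threat_duration_histogram(instances, category):
    """Duration: percent of a category's instances falling into each bucket (all buckets listed)."""
    counts = Counter(bucket_for(i["minutes"]) for i in instances if i["category"] == category)
    total = sum(counts.values())
    return {label: (round(100.0 * counts[label] / total, 1) if total else 0.0)
            for label, _ in DURATION_BUCKETS}


def share_longer_than(instances, categories, minutes=60):
    """Percent of instances in the given categories that outlived `minutes` (the deck's '> 1 hr' cut)."""
    sel = [i for i in instances if i["category"] in categories]
    if not sel:
        return 0.0
    return round(100.0 * sum(i["minutes"] > minutes for i in sel) / len(sel), 1)


def threat_frequency(instances, sensors, months):
    """Frequency: instances per sensor per month for each category."""
    counts = Counter(i["category"] for i in instances)
    return {cat: round(n / (len(sensors) * months), 2) for cat, n in counts.items()}


if __name__ == "__main__":
    inst = parse_log(THREAT_LOG)
    print("presence (% orgs):", threat_presence(inst, ORGS))
    print("client extrusion durations:", threat_duration_histogram(inst, "client_extrusion"))
    print("AP threats > 1 hr:", share_longer_than(inst, AP_THREATS), "%")
    print("client threats > 1 hr:", share_longer_than(inst, CLIENT_THREATS), "%")
    print("per sensor per month:", threat_frequency(inst, SENSORS, MONTHS_MONITORED))
```

The duration cut-off matters more than it looks: a bucket boundary placed at the sensor's own polling interval will report every short-lived extrusion as "10 Min" regardless of how long it really lasted, so match the buckets to how often the sensors actually sweep.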
Threat Presence
Simple (Yes/No) metric based on the presence of an instance of a threat (%)
Results From Our Survey: Randomly Chosen Set of IT Security Professionals
[Chart: % of responses naming Rogue AP, Misconfigured AP, Adhoc, Client Extrusion or Other as the wireless threat of concern]
Overall Threat Scenario
[Chart: threat occurrence as % of organizations, 0 to 100%, for Adhoc, Banned Devices, DoS, Rogue APs, Client Extrusions, Misconf. APs, Client Bridging and Soft APs]
Results Based on Our Data
Key Observations
- Prominent threats: client extrusions, Rogue APs, AP mis-configurations, adhoc clients
Key Implications
- Organization data is potentially at risk via Wi-Fi
Enterprise Wireless Consumerization: Rogue APs
1,521 Rogue APs seen in our study
163 different consumer grade OUIs seen
Rogue AP Details
- Security: Open 49%, WEP 21%, WPA(2)/PSK 29%, Unknown 1%
- SSID: Non-default 89%, Default SSIDs 9%, Unknown/Blank 2%
About 1 in 10 Rogue APs have default SSIDs. About half of Rogue APs are wide open.
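Added example, not from the AirTight deck: the kind of self-assessment scan the deck recommends, parsing `iw dev wlan0 scan` output and binning each BSS into the security classes of the Rogue AP breakdown above (Open, WEP, WPA(2)/PSK, plus 802.1X, which the deck folds into WPA(2)). The scan text is constructed, not a real capture; the default-SSID list and the managed-OUI set are my assumptions standing in for your own AP inventory. Note what the scan cannot tell you: an unmanaged AP is only a rogue if it is plugged into your wired network, which is the deck's own "how many are actually connected to my network?" question, and needs wire-side correlation to answer.

```python
import re
from collections import Counter

# Constructed sample of `iw dev wlan0 scan` output (hypothetical BSSes; indentation
# collapsed to spaces, the parser strips leading whitespace so real tab output parses too).
SCAN_OUTPUT = """\
BSS 00:1a:70:11:22:33(on wlan0)
    freq: 2437
    signal: -52.00 dBm
    SSID: linksys
    capability: ESS ShortSlotTime (0x0401)
BSS 00:24:b2:aa:bb:cc(on wlan0)
    freq: 2412
    signal: -60.00 dBm
    SSID: corp-guest
    capability: ESS Privacy ShortSlotTime (0x0411)
    RSN:     * Version: 1
             * Group cipher: CCMP
             * Pairwise ciphers: CCMP
             * Authentication suites: PSK
BSS 00:1a:70:44:55:66(on wlan0)
    freq: 2462
    signal: -70.00 dBm
    SSID: NETGEAR
    capability: ESS Privacy ShortSlotTime (0x0411)
BSS 00:24:b2:dd:ee:ff(on wlan0)
    freq: 5180
    signal: -48.00 dBm
    SSID: corp
    capability: ESS Privacy (0x0011)
    RSN:     * Version: 1
             * Group cipher: CCMP
             * Pairwise ciphers: CCMP
             * Authentication suites: IEEE 802.1X
BSS c0:3f:0e:12:34:56(on wlan0)
    freq: 2412
    signal: -75.00 dBm
    SSID: home-net
    capability: ESS Privacy ShortSlotTime (0x0411)
    WPA:     * Version: 1
             * Group cipher: TKIP
             * Pairwise ciphers: TKIP
             * Authentication suites: PSK
BSS 00:1a:70:77:88:99(on wlan0)
    freq: 2437
    signal: -66.00 dBm
    SSID: coffee
    capability: ESS (0x0001)
"""

DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default"}   # assumed factory-default names
MANAGED_OUIS = {"00:24:b2"}   # hypothetical: OUI of the enterprise's own managed APs

BSS_RE = re.compile(r"BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})")


def parse_iw_scan(text):
    """Split iw scan output into one record per BSS with the fields needed to classify it."""
    bsses, cur = [], None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:
            cur = {"bssid": m.group(1), "ssid": "", "privacy": False,
                   "rsn": False, "wpa": False, "auth": ""}
            bsses.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("SSID:"):
            cur["ssid"] = s[5:].strip()
        elif s.startswith("capability:"):
            cur["privacy"] = "Privacy" in s.split()     # privacy bit set in the capability field
        elif s.startswith("RSN:"):
            cur["rsn"] = True                           # WPA2 information element present
        elif s.startswith("WPA:"):
            cur["wpa"] = True                           # WPA1 vendor information element present
        elif s.startswith("* Authentication suites:"):
            cur["auth"] = s.split(":", 1)[1].strip()
    return bsses


def classify(bss):
    """Map a BSS to the deck's categories. Privacy bit without an RSN/WPA element is WEP."""
    if bss["rsn"] or bss["wpa"]:
        if "802.1X" in bss["auth"]:
            return "WPA(2)/802.1X"
        return "WPA(2)/PSK" if "PSK" in bss["auth"] else "WPA(2)/Unknown"
    return "WEP" if bss["privacy"] else "Open"


def assess(bsses):
    """Annotate each BSS: security class, default SSID, and whether its OUI is one we manage."""
    return [{"bssid": b["bssid"], "ssid": b["ssid"], "security": classify(b),
             "default_ssid": b["ssid"].lower() in DEFAULT_SSIDS,
             "managed": b["bssid"][:8] in MANAGED_OUIS} for b in bsses]


def summarize(rows):
    """The slide's breakdown plus the candidates worth a wire-side check before calling them rogue."""
    n = len(rows)
    sec = Counter(r["security"] for r in rows)
    return {"security_pct": {k: round(100.0 * v / n, 1) for k, v in sec.items()},
            "unmanaged": sum(not r["managed"] for r in rows),
            "unmanaged_open_or_wep": sum(not r["managed"] and r["security"] in ("Open", "WEP")
                                         for r in rows),
            "default_ssid": sum(r["default_ssid"] for r in rows)}


if __name__ == "__main__":
    for r in assess(parse_iw_scan(SCAN_OUTPUT)):
        print(r)
    print(summarize(assess(parse_iw_scan(SCAN_OUTPUT))))
```

OUI matching only catches APs that advertise a vendor prefix you do not own; an attacker who clones one of your managed BSSIDs will look managed, which is why the deck treats the wired side (802.1X on switch ports) rather than the scan as the first line of defense against rogue APs.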
Client Consumerization: Client Extrusion
Clients (smartphones and laptops both) probe for these SSIDs.
Client Probing For Vulnerable SSIDs (Retail/SMB Organizations)
118,981 clients: 12,002 authorized, 106,979 unmanaged
Probing for known vulnerable SSIDs: 636 authorized clients (5.3%) vs 21,777 unmanaged clients (20.4%)
Power of accurate threat classification: 5.3% vs 20.4%. Counting your neighbors' unmanaged clients as your own would inflate the extrusion rate you report for authorized devices.
"Known" vulnerable SSIDs probed for: 103 distinct SSIDs recorded
Certain (8%) authorized clients are probing for 5 or more SSIDs
Adhoc Authorized Clients! 565 distinct adhoc SSIDs found, about half of them vulnerable; 15% of these are default SSIDs. 26,443 (7%) clients in adhoc mode.
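Added example, not from the AirTight deck: the probe-request analysis behind the 5.3% vs 20.4% comparison above, run over a constructed capture in the shape of `tshark -T fields -e wlan.sa -e wlan.ssid` output (one line per probe request: source MAC, tab, SSID; an empty SSID is a wildcard probe). The MAC addresses, the authorized-client list and the "known vulnerable" SSID list are all assumptions; the deck does not publish its 103 SSIDs. The block separates authorized from unmanaged clients before computing rates, reports what the rate would look like if it did not, and picks out authorized clients advertising 5 or more saved networks, which is the profile-cleanup case the deck's mitigation section raises.

```python
from collections import defaultdict

# Constructed probe-request observations (hypothetical), tab-separated: client MAC, probed SSID.
PROBE_LOG = """\
00:aa:00:00:00:01\tcorp
00:aa:00:00:00:01\thome-5g
00:aa:00:00:00:02\tcorp
00:aa:00:00:00:02\tlinksys
00:aa:00:00:00:02\thotel-wifi
00:aa:00:00:00:02\tairport
00:aa:00:00:00:02\tcafe
00:aa:00:00:00:03\tcorp
00:aa:00:00:00:04\tcorp
00:aa:00:00:00:04\t
00:bb:00:00:00:01\tattwifi
00:bb:00:00:00:02\tdefault
00:bb:00:00:00:03\tmynet
00:bb:00:00:00:04\tlinksys
00:bb:00:00:00:05\tsomeone-home
00:bb:00:00:00:06\txfinitywifi
"""

# Hypothetical: MACs of the enterprise's own laptops and phones (from the asset inventory).
AUTHORIZED_MACS = {f"00:aa:00:00:00:0{i}" for i in range(1, 5)}
# Assumed list of SSIDs an attacker can trivially impersonate (open or default-named networks).
VULNERABLE_SSIDS = {"linksys", "netgear", "default", "attwifi"}


def parse_probes(text):
    """Map each client MAC to the set of named SSIDs it probed for.

    Wildcard (empty-SSID) probes still register the client, so a device that only
    sends broadcast probes is counted in the population but not as an extrusion risk.
    """
    probed = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        mac, _, ssid = line.partition("\t")
        client = probed[mac.strip().lower()]
        if ssid.strip():
            client.add(ssid.strip())
    return probed


def extrusion_rates(probed, authorized, vulnerable):
    """Share of clients probing for at least one vulnerable SSID, split by classification.

    The "all" figure is what you would report if you could not tell your own clients
    from the unmanaged ones around you.
    """
    def rate(macs):
        hits = sum(bool(probed[m] & vulnerable) for m in macs)
        return {"clients": len(macs), "probing_vulnerable": hits,
                "pct": round(100.0 * hits / len(macs), 1) if macs else 0.0}

    auth = {m for m in probed if m in authorized}
    unmanaged = set(probed) - auth
    return {"authorized": rate(auth), "unmanaged": rate(unmanaged), "all": rate(set(probed))}


def heavy_probers(probed, authorized, min_ssids=5):
    """Authorized clients advertising min_ssids or more saved networks: each extra
    profile is one more name an evil twin can answer to, so these go on the cleanup list."""
    return sorted(m for m in probed if m in authorized and len(probed[m]) >= min_ssids)


if __name__ == "__main__":
    probed = parse_probes(PROBE_LOG)
    print(extrusion_rates(probed, AUTHORIZED_MACS, VULNERABLE_SSIDS))
    print("profile cleanup candidates:", heavy_probers(probed, AUTHORIZED_MACS))
```

Randomized MAC addresses on newer clients break the authorized/unmanaged split used here; for those, classification has to come from the endpoint agent or the 802.1X identity rather than from the over-the-air source address.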
VIDEO DEMO: Smartphone MITM Attack
So What? Illustrative Exploit via Client Extrusion
Smartphone as an attacker:
- App 1: Mobile Hotspot
- App 2: SSLStrip attack tool
Threat Duration
How long (time interval) is a threat active before removal?
AP threats live "longer" than client threats: 15% of client threats and 30% of AP threats live for more than 1 hour.
[Histogram: % of threat instances with a given duration (10 Min, 30 Min, 1 Hr, 6 Hr, 12 Hr, 12 Hr+; x-axis 0 to 70%) for AP Misconf., Rogue AP, Client Extrusion and Adhoc networks, indicating that AP threats live longer]
Some AP based threats are active for a day or more!
Data from SMB/Retail (PCI) Segment
Threat Frequency
Threat instances per sensor per month
[Chart: Large Enterprise Segment, threats per month per sensor (one sensor covers approx. 10,000 sq ft area); data labels of approximately 1 for Rogue AP, 8 for Misconfigured AP and 13 for Client Extrusion]
The bigger your organization, the higher the likelihood of finding the threats.
Key Takeaways Summarized
- Wireless threats due to unmanaged devices are present; the enterprise wireless environment is influenced by consumerization
- Certain threats are more common than others: client extrusions, Rogue APs, AP mis-configurations, adhoc clients
- Common threats affect large enterprise and SMB organizations alike
- Wireless threats persist regardless of the sophistication of wired network security
- Use WPA2 for your authorized WLAN! But WPA2 does not protect against threats due to unmanaged devices
Threat Mitigation
Intrusions (AP based threats):
- Wire-side controls as a first line of defense (e.g., 802.1X port control)
- Wireless IPS to automatically detect and block intrusions
Extrusions (client based threats):
- Educate users: clean up profiles, use VPNs and connect to secure Wi-Fi
- Deploy endpoint agents to automatically block connections to insecure Wi-Fi
- Wireless IPS to automatically detect and block extrusions in the enterprise perimeter
Regular wireless scans to understand your security posture; cloud based solutions are available to automate wireless scans.
Defense-In-Depth Mitigation

Apply Slide: Recommended Best Practices
Self Assessment Test: scan your network to find out how vulnerable you are. There is a good chance that you will find a Rogue AP, and a higher chance that you will find client extrusion.
Follow best practices: educate your users to connect to secure Wi-Fi; use VPN for remote connections; clean up the connection profiles of Wi-Fi clients periodically; deploy endpoint agents to automate some of the above.
Adopt a "defense in depth" security approach: employ wire-side defenses against Rogue APs (first line of defense); regularly scan your wireless perimeter; if the risk assessment is high and/or you store super sensitive data, threat containment via wireless IPS should be considered.
A1: Location/Site Wise Distribution
Key Observations
- Prominent threats are distributed across multiple sites.
Key Implications
- You need an ability to monitor the entire organization, not just 1 or 2 sites.
[Chart: Location Wise Distribution, threat occurrence as % of locations (0 to 50%) for Rogue APs, Adhoc, Soft APs, Banned Devices, Client Extrusions, Client Bridging, DoS and Misconf. APs]
A2: Enterprise Vs PCI (SMB/Retail)
[Chart, Enterprise: threat occurrence as % of organizations for Rogue APs, DoS, Client Extrusions, Adhoc, Misconf. APs, Banned Devices, Client Bridging and Soft APs]
[Chart, PCI (SMB/Retail): threat occurrence as % of organizations for Rogue APs, Misconf. APs, Soft APs, Adhoc, Banned Devices, Client Bridging, Client Extrusions and DoS]
Key Observations
- Similar pattern with respect to prominent threats
- Some difference with respect to other threats: increased adhoc connections in PCI
A3: North America, Asia (Overall Threat Occurrence)
[Chart, North America: threat occurrence as % of organizations for Adhoc, DoS, Soft APs, Banned Devices, Client Bridging, Misconf. APs, Rogue APs and Client Extrusions]
[Chart, Asia: threat occurrence as % of organizations for Adhoc, DoS, Soft APs, Banned Devices, Client Bridging, Misconf. APs, Rogue APs and Client Extrusions]