Wireless Vulnerabilities in the Wild: View From the Trenches
Deepak Gupta, AirTight Networks
Acknowledgement: Based on work presented by K N Gopinath at RSA 2011

Agenda
- Why care about wireless vulnerabilities? (Motivation)
- What's new in this talk and what are its implications?
- Wireless vulnerability analysis (Measurements)
- Threat/vulnerability mitigation

Era of Wireless Consumerization

Real-Life Breaches due to Insecure Use of Wi-Fi
- Marshalls store hacked via wireless
- Hackers accessed the TJX network and multiple servers for 18+ months
- 45.7 million payment card accounts compromised
- Estimated liabilities > 4.5B USD
Are today's enterprises secure enough to prevent the recurrence of such attacks?

Enter War Driving
- How many of these APs are actually connected to my network?
- Not all APs are WPA/WPA2.
[Chart: WPA/WPA2 APs (%) seen while war driving in NY, London and Paris, RSA '07 vs RSA '08]

War Driving Is Insufficient for Enterprise Threat Classification
War driving shows every AP in range, but not which of them are Authorized (managed by the enterprise), External (a neighbor's, not on the enterprise wire) or Rogue (unauthorized but connected to the enterprise network). Telling these apart needs visibility from inside the enterprise.

Our Study
- Sensor-based statistical sampling
- Data collected over the last two years

Total Number of             Count
Sites/Locations             2,155
Organizations               156
Sensors                     4,501
Total Access Points         268,383
Enterprise Clients          427,308
Threat Instances Analyzed   82,681

Enterprises Deal With a Lot of Non-Enterprise Devices
- 268,383 APs seen in total: 80,515 Authorized, 187,868 External/Unmanaged
- 70% of APs do NOT belong to the studied organizations!
- Similarly, about 87% of clients are unmanaged/external!

Wireless Threat Space
AP-based threats
- Rogue APs
- AP misconfigurations
- Soft/client-based APs
Client-based threats
- Client extrusions (connections to neighbors, evil twins)
- Adhoc networks
- Client bridging
- Banned devices

T3 (T-Cube) Parameters
- Threat Presence: presence of an instance of a threat (% of organizations)
- Threat Duration: how long a threat instance stays active, i.e. the window of opportunity for an attacker
- Threat Frequency: likelihood of presence of a threat instance (threat instances per sensor per month)

Real-life data and an accurate picture of threats. How does this information help you?
- Get an idea of the Wi-Fi threat scenario in enterprises that may be like yours
- Decide which wireless threats you should worry about first
- Plan your enterprise mitigation strategy
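The three T3 parameters above are simple to compute once sensor alerts are kept as threat-instance records. The block below is an added example for this page, not AirTight's code or the study's actual pipeline: the record layout (threat type, organization, sensor, first-seen and last-seen timestamps), the duration buckets, the AP/client grouping and the sample records are all constructed assumptions for illustration. It also computes the "share of instances alive longer than an hour" comparison the talk makes later, split into AP-based and client-based threats.

```python
"""T3 (T-Cube) metrics from threat-instance records.

Added example for this page, not AirTight's code or the study's pipeline.
Assumed record layout: (threat, org, sensor, first_seen, last_seen);
the sample records, organization and sensor inventories are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Duration buckets as on the talk's histogram: (label, upper bound in minutes).
DURATION_BUCKETS = [("10 min", 10), ("30 min", 30), ("1 hr", 60),
                    ("6 hr", 360), ("12 hr", 720), ("12 hr+", float("inf"))]
AP_THREATS = {"rogue_ap", "misconfigured_ap", "soft_ap"}   # everything else is client-based

# Constructed sample (not real sensor data): threat, org, sensor, first seen, last seen
THREAT_INSTANCES = [
    ("rogue_ap",         "orgA", "s1", "2011-03-01 09:00", "2011-03-02 10:00"),  # alive > 1 day
    ("rogue_ap",         "orgA", "s1", "2011-03-10 14:00", "2011-03-10 14:25"),
    ("misconfigured_ap", "orgA", "s2", "2011-03-05 08:00", "2011-03-05 11:00"),
    ("client_extrusion", "orgA", "s1", "2011-03-03 12:00", "2011-03-03 12:05"),
    ("client_extrusion", "orgB", "s3", "2011-03-04 12:00", "2011-03-04 12:50"),
    ("client_extrusion", "orgB", "s3", "2011-03-06 12:00", "2011-03-06 12:08"),
    ("adhoc",            "orgC", "s4", "2011-03-07 12:00", "2011-03-07 19:00"),
]
ALL_ORGS = {"orgA", "orgB", "orgC", "orgD"}      # orgD had no instance at all
ALL_SENSORS = {"s1", "s2", "s3", "s4", "s5"}     # s5 saw nothing
MONTHS_OBSERVED = 1


def _minutes(first_seen, last_seen):
    fmt = "%Y-%m-%d %H:%M"
    delta = datetime.strptime(last_seen, fmt) - datetime.strptime(first_seen, fmt)
    return delta.total_seconds() / 60


def threat_presence(instances, all_orgs):
    """Presence: % of organizations with at least one instance of each threat.
    It is a Yes/No metric per organization, so repeat instances do not inflate it."""
    orgs_with = defaultdict(set)
    for threat, org, *_ in instances:
        orgs_with[threat].add(org)
    return {t: round(100 * len(o) / len(all_orgs), 1) for t, o in orgs_with.items()}


def threat_duration(instances):
    """Duration: % of each threat's instances falling in each bucket (attacker's window)."""
    counts = defaultdict(lambda: defaultdict(int))
    for threat, _org, _sensor, first, last in instances:
        mins = _minutes(first, last)
        label = next(lbl for lbl, upper in DURATION_BUCKETS if mins <= upper)
        counts[threat][label] += 1
    result = {}
    for threat, c in counts.items():
        total = sum(c.values())
        result[threat] = {lbl: round(100 * c.get(lbl, 0) / total, 1) for lbl, _ in DURATION_BUCKETS}
    return result


def threat_frequency(instances, all_sensors, months):
    """Frequency: instances per sensor per month; sensors that saw nothing still count."""
    n = defaultdict(int)
    for threat, *_ in instances:
        n[threat] += 1
    return {t: round(c / (len(all_sensors) * months), 3) for t, c in n.items()}


def long_lived_share(instances, threshold_min=60):
    """% of AP-based vs client-based instances that stayed alive longer than threshold_min."""
    alive = {"ap": [], "client": []}
    for threat, _org, _sensor, first, last in instances:
        group = "ap" if threat in AP_THREATS else "client"
        alive[group].append(_minutes(first, last) > threshold_min)
    return {g: round(100 * sum(v) / len(v), 1) for g, v in alive.items() if v}


if __name__ == "__main__":
    print("presence  ", threat_presence(THREAT_INSTANCES, ALL_ORGS))
    print("duration  ", threat_duration(THREAT_INSTANCES))
    print("frequency ", threat_frequency(THREAT_INSTANCES, ALL_SENSORS, MONTHS_OBSERVED))
    print("> 1 hr    ", long_lived_share(THREAT_INSTANCES))
```

Presence is deliberately computed per organization rather than per instance, and frequency is normalized by every deployed sensor, not only those that raised an alert; otherwise a single noisy site dominates both numbers.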

Threat Presence
Simple (Yes/No) metric based on the presence of an instance of a threat (%)

Results From Our Survey
A randomly chosen set of IT security professionals were asked which wireless threats they see.
[Chart: % response for Rogue AP, Misconfigured AP, Adhoc, Client Extrusion, Other]

Results Based on Our Data: Overall Threat Scenario
[Chart: Occurrence (% organizations), 0% to 100%, for Client Extrusions, Misconfigured APs, Rogue APs, Adhoc, Soft APs, Banned Devices, DoS, Client Bridging]
Key Observations
- Prominent threats: client extrusions, rogue APs, AP misconfigurations, adhoc clients
Key Implications
- Organization data is potentially at risk via Wi-Fi

Let's Dive Deeper into the Nature of Threats: Rogue APs, Client Extrusions, Adhoc Clients

Enterprise Wireless Consumerization: Rogue APs
- 1,521 rogue APs seen in our study
- 163 different consumer-grade OUIs seen

Rogue AP Details
Security of rogue APs (about half of rogue APs are wide open):
- Open: 49%
- WEP: 21%
- WPA(2)/PSK: 29%
- Unknown: 1%
SSIDs of rogue APs (about 1 in 10 rogue APs have default SSIDs):
- Default SSIDs: 9%
- Non-default: 89%
- Unknown/blank: 2%
An open rogue AP is virtually THIS! [image]

Client Consumerization: Client Extrusion
[Image: list of SSIDs] Clients (smartphones and laptops both) probe for these SSIDs. A topic of hot discussion today!

Client Probing for Vulnerable SSIDs (Retail/SMB Organizations)
- 118,981 clients seen
- Authorized: 12,002, of which 636 (5.3%) probe for known vulnerable SSIDs
- Unmanaged: 106,979, of which 21,777 (20.4%) probe for known vulnerable SSIDs
- The power of accurate threat classification: 5.3% vs 20.4%
- Known vulnerable SSIDs probed for: 103 distinct SSIDs recorded
- Certain (8%) authorized clients probe for 5 or more SSIDs

Adhoc Authorized Clients!
- 565 distinct adhoc SSIDs found, about half of them vulnerable
- 15% of these are default SSIDs
- 26,443 (7%) clients seen in adhoc mode

So What? Illustrative Exploit via Client Extrusion
Smartphone as an attacker:
- App 1: Mobile hotspot
- App 2: SSLStrip attack tool
VIDEO DEMO: Smartpot MITM Attack
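Both the AP split used throughout the deck (Authorized / Rogue / External, which war driving alone cannot produce) and the 5.3% vs 20.4% client comparison above rest on first classifying what a sensor sees against the organization's own inventory. The block below is an added example for this page, not AirTight's code: the inventories, the observed APs and the probe requests are constructed, and the wired-side correlation test (treating a BSSID that sits within a few addresses of a MAC in the switch's forwarding table as wired-connected, since consumer APs usually derive their radio and LAN MACs from one block) is one assumed heuristic among the several a real WIPS would combine.

```python
"""Classify sensor observations into the talk's categories.

Added example, not AirTight's code. Inventories, observed APs, probe
requests and the BSSID-to-wired-MAC proximity heuristic are assumptions
constructed for illustration.
"""
from collections import defaultdict


def mac_int(mac):
    return int(mac.replace(":", ""), 16)


# --- AP side (all constructed) ---------------------------------------------
AUTHORIZED_BSSIDS = {"00:1a:1e:aa:bb:c0", "00:1a:1e:aa:bb:d0"}   # managed WLAN radios
WIRED_MACS = {                                                   # switch MAC table
    "00:1a:1e:aa:bb:cf",   # uplink of the managed AP
    "00:1d:7e:11:22:31",   # LAN side of a consumer AP plugged into a wall jack
    "00:25:9c:de:ad:b0",   # LAN side of another consumer AP
    "f8:1e:df:01:02:03",   # an ordinary wired workstation
}
SEEN_APS = [  # (BSSID, SSID, security) as seen over the air
    ("00:1a:1e:aa:bb:c0", "corp",       "WPA2-Enterprise"),
    ("00:1d:7e:11:22:33", "linksys",    "Open"),   # 2 addresses from a wired MAC
    ("00:25:9c:de:ad:b1", "homeoffice", "WEP"),    # 1 address from a wired MAC
    ("00:22:6b:55:66:77", "CoffeeShop", "Open"),   # neighbor, no wired counterpart
]
DEFAULT_SSIDS = {"linksys", "default", "NETGEAR", "dlink"}


def classify_aps(seen, authorized, wired, window=8):
    """Authorized if the BSSID is ours; rogue if it is near a MAC on our wire;
    external otherwise. The authorized check must come first, because a managed
    AP's radio is also 'near' its own wired uplink."""
    wired_ints = {mac_int(m) for m in wired}
    out = []
    for bssid, ssid, sec in seen:
        if bssid in authorized:
            cls = "authorized"
        elif any(abs(mac_int(bssid) - w) <= window for w in wired_ints):
            cls = "rogue"
        else:
            cls = "external"
        out.append({"bssid": bssid, "ssid": ssid, "security": sec, "class": cls,
                    "open_rogue": cls == "rogue" and sec == "Open",
                    "default_ssid": ssid in DEFAULT_SSIDS})
    return out


# --- Client side (all constructed) -----------------------------------------
MANAGED_CLIENTS = {"c1", "c2", "c3", "c4"}
VULNERABLE_SSIDS = {"linksys", "Free Public WiFi", "attwifi", "default"}  # watch list
PROBES = [  # (client, SSID) taken from probe requests the sensor captured
    ("c1", "corp"), ("c2", "corp"), ("c4", "corp"),
    ("c3", "corp"), ("c3", "attwifi"), ("c3", "homeoffice"), ("c3", "hotel"), ("c3", "airport"),
    ("u1", "Free Public WiFi"), ("u2", "CoffeeShop"), ("u3", "default"), ("u4", "linksys"),
]


def client_probe_stats(probes, managed, vulnerable, many=5):
    """Per class (authorized vs unmanaged): how many probing clients were seen,
    how many probed for a known-vulnerable SSID, and which probed for >= many SSIDs."""
    per_client = defaultdict(set)
    for client, ssid in probes:
        per_client[client].add(ssid)
    stats = {}
    for cls, members in (("authorized", [c for c in per_client if c in managed]),
                         ("unmanaged", [c for c in per_client if c not in managed])):
        vuln = [c for c in members if per_client[c] & vulnerable]
        stats[cls] = {"clients": len(members),
                      "probing_vulnerable": len(vuln),
                      "pct": round(100 * len(vuln) / len(members), 1) if members else 0.0,
                      "probing_many": [c for c in members if len(per_client[c]) >= many]}
    return stats


if __name__ == "__main__":
    for ap in classify_aps(SEEN_APS, AUTHORIZED_BSSIDS, WIRED_MACS):
        print(ap)
    print(client_probe_stats(PROBES, MANAGED_CLIENTS, VULNERABLE_SSIDS))
```

Two points the classification makes visible: an AP that lands in the external class is not the enterprise's rogue-AP problem, but it is still a client-extrusion target if authorized clients connect to it; and the same probing behaviour yields very different rates once unmanaged clients (the 87% that are not yours) are separated out, which is the 5.3% vs 20.4% gap the slide is about.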

Threat Duration
How long (time interval) is a threat active before removal?

AP Threats Live Longer than Client Threats
- 15% of client threats and 30% of AP threats live for more than 1 hour
- The histogram indicates that AP threats live longer
- Some AP-based threats are active for a day or more!
[Histogram: % of threat instances with a given threat duration (10 min, 30 min, 1 hr, 6 hr, 12 hr, 12 hr+) for Rogue AP, AP Misconfiguration, Client Extrusion and Adhoc networks; x-axis 0% to 70%]
Data from the SMB/Retail (PCI) segment

Threat Frequency
Threat instances per sensor per month

Large Enterprise Segment: Threats per Month per Sensor (approx. 10,000 sq ft area)
[Chart: threats per month per sensor by threat category (Rogue AP, Misconfigured AP, Client Extrusion); y-axis 0 to 14]
The bigger your organization, the higher the likelihood of finding these threats.

Key Takeaways Summarized
- Wireless threats due to unmanaged devices are present
- The enterprise wireless environment is influenced by consumerization
- Certain threats are more common than others: client extrusions, rogue APs, AP misconfigurations, adhoc clients
- The common threats affect both large enterprise and SMB organizations
- Wireless threats persist regardless of the sophistication of wired network security

Threat Mitigation
Let's ban Wi-Fi? Use WPA2 for your authorized WLAN! But WPA2 does not protect against threats due to unmanaged devices: a rogue AP or an extruding client is never part of the authorized WLAN, so its security settings do not apply to them.
- Regular wireless scans to understand your security posture (cloud-based solutions are available to automate wireless scans)

Defense-in-Depth Mitigation
Intrusions (AP-based threats)
- Wire-side controls as a first line of defense (e.g., 802.1X port control)
- Wireless IPS to automatically detect and block intrusions
Extrusions (client-based threats)
- Educate users: clean up profiles, use VPNs and connect to secure Wi-Fi
- Deploy endpoint agents to automatically block connections to insecure Wi-Fi
- Wireless IPS to automatically detect and block extrusions in the enterprise perimeter

Apply Slide: Recommended Best Practices
Self-assessment test
- Scan your network to find out how vulnerable you are
- Good chance that you will find a rogue AP, higher chance that you will find a client extrusion
Follow best practices
- Educate your users to connect to secure Wi-Fi
- Use VPN for remote connections
- Clean up the connection profiles of Wi-Fi clients periodically
- Deploy endpoint agents to automate some of the above
Adopt a defense-in-depth security approach
- Employ wire-side defenses against rogue APs (first line of defense)
- Regularly scan your wireless perimeter
- If the risk assessment is high and/or you store super sensitive data, threat containment via wireless IPS should be considered

Go Wi-Fi, but the safe way!

Questions? Thank you. [email protected]

A1: Location/Site-Wise Distribution
[Chart: Occurrence (% locations), 0% to 50%, for Client Extrusions, Rogue APs, Misconfigured APs, Banned Devices, Client Bridging, Soft APs, Adhoc, DoS]
Key Observations
- Prominent threats are distributed across multiple sites
Key Implications
- You need the ability to monitor the entire organization, not just 1 or 2 sites

A2: Enterprise vs PCI (SMB/Retail)
[Chart, Enterprise: Occurrence (% organizations), 0 to 120, for Client Extrusions, Rogue APs, Misconfigured APs, Banned Devices, Soft APs, Client Bridging, DoS, Adhoc]
[Chart, PCI (SMB/Retail): Occurrence (% organizations), 0 to 120, for Client Extrusions, Misconfigured APs, Adhoc, Rogue APs, Banned Devices, Client Bridging, Soft APs, DoS]
Key Observations
- Similar pattern with respect to the prominent threats
- Some difference with respect to the other threats: increased adhoc connections in PCI

A3: North America, Asia (Overall Threat Occurrence)
[Chart, North America: Occurrence (% organizations), 0 to 120, for Client Extrusions, Rogue APs, Misconfigured APs, Banned Devices, Client Bridging, DoS, Soft APs, Adhoc]
[Chart, Asia: Occurrence (% organizations), 0 to 120, for Client Extrusions, Rogue APs, Misconfigured APs, Client Bridging, Banned Devices, Soft APs, Adhoc, DoS]
