According to recent analysis by AirTight Networks, there is a very high incidence of wireless vulnerabilities among organizations that are subject to the Payment Card Industry Data Security Standard (PCI DSS), highlighting the need for wireless scanning as outlined in the PCI DSS Wireless Guideline issued in July 2009.
In its analysis of 200-plus cardholder data environments (CDEs), AirTight found many locations with open WiFi access points using vendor default settings, which violates PCI DSS wireless Guideline 2.1.1. These open access points also have the potential to provide a backdoor between an untrusted network and the cardholder data environment (violates requirement 1.2.3) and lack strong encryption (violates requirement 4.1.1).
Other significant findings from the data include: 24 percent of enterprises had rogue access points in their environments; one in three enterprises continue to deploy unsecured access points (at times misconfigured), often still using Wired Equivalent Privacy (WEP) on authorized access points; and 68 percent of enterprises were exposed to vulnerable clients such as wireless POS, smartphones, and laptops.
Clearly, the consumerization of WiFi devices and the vulnerability of client devices continues to be the top wireless threat, yet this is something that enterprises often overlook in their security assessment. In AirTight’s sample, only 24 percent of enterprises were completely clean in this assessment.
Go Beyond the Checkmark
The PCI DSS definition of unauthorized WiFi is too narrow. The requirement has been scoped inaccurately for true wireless security, now that any WiFi-enabled device can allow rogue WiFi connections to your network.
The PCI DSS standard mentions four methods for scanning your environment to meet compliance, but it is important to consider the limitations of each. Will the methods help you truly protect your data, or merely get you a checkmark upon examination?
The first method is visual inspection. This was an odd addition to the standard this year because it provides no practical value in securing your network. Unauthorized WiFi connections cannot be seen by the naked eye. Because every WiFi device can be a potential rogue access point, the only way manual inspection works is if you physically inspect every port on every device in your network. Indeed, the PCI DSS intended visual inspection to address the needs of a small merchant, not a large distributed infrastructure.
The second method is handheld scanning. This manual approach of achieving PCI wireless compliance is slow and tedious, and can be error-prone compared to an automated approach. Handheld analyzers are carried around the merchant’s site to collect data, which is then interpreted manually or fed to an engine to dig out relevant data. Using mobile analyzers on a quarterly basis will provide a report that shows WiFi devices present during the 30 minutes the auditor was on site, but offers no data security. This is one step above visual inspection because it can at least see the wireless connections in your airspace, but the expense associated with sending people to remote locations to provide this service can be prohibitively expensive.
The third method, Network Access Control (NAC), can certainly provide some value, but is very expensive, especially at the device level. It has not been widely adopted and, therefore, would require the purchase of expensive equipment and licenses. Once a device is authorized on the network, NAC cannot prevent those resources from establishing unauthorized WiFi connections to rogue or external WiFi.
Finally, a Wireless Intrusion Prevention System, the fourth method recommended by PCI DSS, is an automated solution that consists of wireless sensors deployed at a merchant’s site. The sensors continuously sniff the surrounding airspace for available wireless information and send it to a central server over the network. The central server, in turn, has an engine to correlate and mine the obtained information to dig out relevant data required for PCI compliance and, more importantly, security policy enforcement. It is especially useful for geographically distributed organizations, because manual wireless scanning does not scale and can prove costly.
Eight Things to Consider When Choosing a Scanning Solution
Reporting capabilities. Does the solution provide a clear and detailed PCI compliance report for any given site and across multiple sites? A comprehensive report also helps to speed the audit process, as all the required information will be readily available in report.
Configuration and management. Many retail chains often lack dedicated IT support at remote sites, which means the PCI wireless solution should be easy to configure and maintain, even without trained IT staff. Also, from a management point of view, the solution should accurately detect wireless threats because false alarms—false positives or, more importantly, false negatives—can add unnecessary work. The solution should ideally be automated and require minimal human intervention for day-to-day operation.
Scalability. A scalable tool can be easily deployed at multiple sites and be easily extended to new sites. If you plan to deploy WiFi for CDE operations in the future, consider a solution that can scale to a version suitable for wireless requirements applicable to the case where WiFi is deployed as part of the CDE.
Cover the common vulnerabilities and threats. A compliance solution should cover all of the most common wireless vulnerabilities, such as Rogue AP, HoneyPot AP, Misconfigured AP, Misassociations, Unauthorized Associations, and so on, as well as all variations of that threat. The solution should be easily upgradeable to cover newly discovered vulnerabilities and threats.
Robust device classification. PCI wireless solutions that have comprehensive classification engines require fewer inputs about the device inventory. Classification policies should automatically classify various devices scanned over the air into specific categories, such as Rogue Devices or External Devices, thus providing complete visibility of wireless devices using the air space.
Automatic prevention. Response to a wireless security incident is one of the requirements in the PCI DSS, and having sound automatic prevention enables merchants to quickly and easily respond to detected threats and prevent damage.
Location tracking. Location tracking of capabilities helps identify the location of wireless devices, facilitates removal, and tracks inventory of wireless devices.
Cost and SaaS options. Prices of the tools vary greatly. An on-demand or cloud-based solution is typically lower in cost and can be purchased with an operating expenditures budget. This approach can be helpful for merchants looking for cost-effective solutions or shops that don’t have dedicated IT support.