Lesson 10: Installing and Configuring Wireless and Physical Access Security & Lesson 11: Deploying Secure Host, Mobile, and Embedded Systems Flashcards
Wireless networking
uses electromagnetic radio waves to carry data signals over the air. Wireless transmission methods are also referred to as “unguided media.” From a security perspective, the problem with wireless is that signals are usually relatively simple to eavesdrop on. The way some wireless standards were originally implemented also opened numerous security vulnerabilities, most of which have been addressed in recent years.
Wireless networks can be configured in one of two modes:
- Ad hoc—the wireless adapter allows connections to and from other devices (a peer-to-peer WLAN). In 802.11 documentation, this is referred to as an independent basic service set (IBSS).
- Infrastructure—the adapter is configured to connect through an access point (AP) to other wireless and wired devices. In 802.11 documentation, this is referred to as a basic service set (BSS). The MAC address of the AP is used as the basic service set identifier (BSSID). More than one BSS can be grouped in an extended service set (ESS).
WLAN wireless devices
All wireless devices operating on a WLAN must be configured with the same network name, referred to as the service set identifier (SSID). When multiple access points are grouped into an extended service set, this is more properly called the extended SSID (ESSID). This just means that all the APs are configured with the same SSID.
enterprise network
An enterprise network might require the use of tens or hundreds of access points, wireless bridges, and antennas. If access points are individually managed, this can lead to configuration errors on specific access points and can make it difficult to gain an overall view of the wireless deployment, including which clients are connected to which access points and which clients or access points are handling the most traffic.
Rather than configure each device individually, enterprise wireless solutions, such as those manufactured by Cisco®, Ruckus™, or Ubiquiti, allow for centralized management and monitoring of the access points on the network. This may be achieved through use of a dedicated hardware device (a wireless controller), which typically implements the required functionality through additional firmware in a network switch.
fat AP
An access point whose firmware contains enough processing logic to be able to function autonomously and handle clients without the use of a wireless controller is known as a fat AP, while one that requires a wireless controller in order to function is known as a thin AP.
lightweight access point protocol (LWAPP)
Cisco wireless controllers usually communicate with the access points using the lightweight access point protocol (LWAPP). LWAPP allows an AP configured to work in lightweight mode to download an appropriate SSID, standards mode, channel, and security configuration.
control and provisioning of wireless access points (CAPWAP)
Alternatives to LWAPP include the derivative control and provisioning of wireless access points (CAPWAP) protocol or a proprietary protocol.
VLAN pooling
As well as autoconfiguring the appliances, a wireless controller can aggregate client traffic and provide a central switching and routing point between the WLAN and wired LAN. It can also assign clients to separate VLANs. Automated VLAN pooling ensures that the total number of stations per VLAN is kept within specified limits, reducing excessive broadcast traffic. Another function of a hardware controller is to supply power to wired access points, using Power over Ethernet (PoE).
Wi-Fi products work in either the 2.4 GHz band or the 5 GHz band, or both. While band selection does not have a direct effect on the confidentiality or integrity of the network, it can affect availability and performance:
- 802.11a—legacy products working in the 5 GHz band only.
- 802.11bg—legacy products working in the 2.4 GHz band only.
- 802.11n—products can be either dual band (supporting both 2.4 GHz and 5 GHz operation) or 2.4 GHz only. Most access points are dual band but many early 802.11n client adapters were single band only.
- 802.11ac—5 GHz only. Most access points supporting 802.11ac are dual band but use the 2.4 GHz band for legacy clients (802.11bgn) only. Note that better performance will be obtained by disabling support for legacy standards (especially 802.11b).
rubber ducky antennas
Most wireless devices have simple omnidirectional vertical rod-type antennas, which can receive and send a signal in all directions. The plastic-coated variants often used on access points are referred to as rubber ducky antennas. To extend the signal range, you can use a directional antenna focused at a particular point. Examples of directional antennas include the Yagi (a bar with fins) and parabolic (dish or grid) antennas. These are useful for point-to-point connections (a wireless bridge). A directional antenna may also be useful to an eavesdropper, allowing them to snoop on a network from a greater distance than might be expected. The increase in signal strength obtained by focusing the signal is referred to as the gain and is measured in dBi (decibel isotropic).
access point and antenna placement
When considering access point and antenna placement, a device supporting the Wi-Fi standard should have a maximum indoor range of up to about 30m (100 feet), though the weaker the signal, the lower the data transfer rate. Radio signals pass through solid objects, such as ordinary brick or drywall walls, but can be weakened or blocked by particularly dense or thick material and metal. Electromagnetic interference from a variety of sources can also affect signal reception and strength. Other radio-based devices can cause interference, as can devices as varied as fluorescent lighting, microwave ovens, cordless phones, and (in an industrial environment) power motors and heavy machinery. Bluetooth® uses the same frequency range as 2.4 GHz Wi-Fi but a different modulation technique, so interference is possible but not common.
Coverage
means that the WLAN delivers acceptable data rates to the supported number of devices in all the physical locations expected. To maximize coverage and minimize interference, position the AP as high as possible and set the channels of other nearby APs to different settings. At least 25 MHz spacing should be allowed between channels to operate without co-channel interference (CCI). In practice, therefore, in the 2.4 GHz band no more than three nearby 802.11b/g access points can have non-overlapping channels. This could be implemented, for example, by selecting channel 1 for AP1, channel 6 for AP2, and channel 11 for AP3.
channel bonding
802.11n/ac can obtain more bandwidth with the option to use two adjacent 20 MHz channels as a single 40 MHz channel (channel bonding). Channel bonding is only a practical option in the 5 GHz band, where there are 23 non-overlapping 20 MHz channels and 11 40 MHz channels. When using the 5 GHz band for 802.11a or 802.11n/ac, the best option is usually to allow the AP to auto-detect the best channel.
site survey
A site survey is the process of selecting the optimum positions for access points and antennas by analyzing the building infrastructure and testing signal strength at different locations. From a security perspective, an additional step would be to use the plan of WLAN zones to identify areas where there is leakage of signals.
shielding
Depending on the level of security required, you may then want to install shielding at strategic locations to contain the WLAN zones. For example, you might install shielding on external walls to prevent signals from escaping the building. Of course, this will block incoming signals too (including cell phone calls).
Signal strength
the amount of power used by the radio in an access point or station. Simply increasing power output is not always reliable. As you increase power, you also increase the chance of the signal bouncing, causing more interference, especially if there are multiple APs. Also, the client radio power levels should match those of the AP or they may be able to receive signals but not transmit back.
received signal strength indicator (RSSI)
shows the strength of the signal from the transmitter. RSSI is a relative indicator, usually expressed as a percentage of a nominal “perfect” signal. RSSI can be calculated differently depending on the chipset vendor’s implementation. Survey tools measure signal strength in dBm, which is the ratio of the measured signal to one milliwatt. When measuring signal strength, dBm will be a negative value with values closer to zero representing better performance. A value around -65 dBm represents a good signal, while anything weaker than -80 dBm is likely to suffer packet loss or be dropped. The received signal strength must also exceed the noise level by a decent margin. Noise is also measured in dBm, but here values closer to zero are less welcome as they represent higher noise levels. For example, if a signal is -65 dBm and noise is -90 dBm, the Signal to Noise Ratio (SNR) is 25 dB; if noise is -80 dBm, the SNR is 15 dB and the connection will be much, much worse.
war driving
Power levels are best set to auto-negotiate. You should also be aware of legal restrictions on power output—these vary from country to country. You may want to turn the power output on an AP down and ensure strategic AP device placement to prevent war driving. The main problem with this approach is that it requires careful configuration to ensure that there is acceptable coverage for legitimate users. You also expose yourself slightly to “evil twin” attacks, as users may expect to find the network at a given location and assume that the rogue AP is legitimate.
MAC filtering
As with a switch, MAC filtering means specifying which MAC addresses are allowed to connect to the AP. This can be done by specifying a list of valid MAC addresses, but this “static” method is difficult to keep up to date and is relatively error-prone. It is also easy for a wireless sniffer to discover valid MAC addresses and spoof them. Enterprise-class APs allow you to specify a limit to the number of permitted addresses and automatically learn a set number of valid MAC addresses.
A more practical option is to put a firewall/IDS behind the AP in order to filter traffic passing between the wired LAN and WLAN.
data emanation
As unguided media, wireless networks are subject to data emanation or signal “leakage.” A WLAN is a broadcast medium, like hub-based Ethernet.
packet sniffing
Consider how much simpler packet sniffing is on hub-based compared to switched Ethernet. Similarly, on a WLAN, there is no simple way to “limit” the signal within defined boundaries. It will propagate to the extent of the antenna’s broadcast range, unless blocked by some sort of shielding or natural barrier. Data emanation means that packet sniffing a WLAN is easy if you can get within range.
Because it is so easy to eavesdrop on communications, for Wi-Fi networks to offer confidentiality and integrity, hosts must authenticate to join the network and the transmissions must be encrypted.
Wired Equivalent Privacy (WEP)
the original encryption scheme and still supported on old and new devices. However, the encryption system, based on the RC4 cipher, is flawed and WEP should no longer be used, if at all possible. Under WEP version 1, you can select from different key sizes (64-bit or 128-bit). WEP version 2 enforces use of the 128-bit key and even allows a 256-bit key, but is still not considered secure. The main problem with WEP is the 24-bit initialization vector (IV).
The initialization vector (IV) is supposed to change the key stream each time it is used. Problems with the WEP encryption scheme are as follows:
- The IV is not sufficiently large, meaning it will be reused within the same keystream under load. This makes the encryption subject to statistical analysis to discover the encryption key and decrypt the confidential data.
- The IV is often not generated using a sufficiently random algorithm; again, assisting brute force or statistical analysis attacks.
- Packets use a checksum to verify integrity, but this is also easy to compute. This allows the attacker to “bit flip” the ciphertext and observe a corresponding bit in the plaintext.
The flaws in WEP allow attackers using WEP cracking tools, such as Aircrack-NG (https://aircrack-ng.org) or AirSnort (https://airsnort.soft112.com), to decrypt and eavesdrop traffic. These tools work by obtaining many examples of IVs. To crack WEP, a type of replay attack is used to make the access point generate lots of packets, usually by replaying ARP packets at it, and cycle through IV values quickly.
WEP is not safe to use. If devices only support WEP, the best alternative is to enhance the connection security with another security application, such as L2TP/IPSec.
first version of Wi-Fi Protected Access (WPA)
The first version of Wi-Fi Protected Access (WPA) was designed to fix the security problems with WEP. Version 1 of WPA still uses the RC4 cipher but adds a mechanism called the Temporal Key Integrity Protocol (TKIP) to make it stronger. TKIP fixes the checksum problem in WEP (Message Integrity Check), uses a larger IV (48-bit) to ensure a unique keystream, transmits it as an encrypted hash rather than in plaintext, and adds a sequence counter to resist replay attacks.
WPA2
fully compliant with the 802.11i WLAN security standard. The main difference from the original iteration of WPA is the use of Advanced Encryption Standard (AES) for encryption. AES is stronger than RC4/TKIP. AES is deployed within the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). AES replaces RC4 and CCMP replaces TKIP. The only reason not to use WPA2 is if it is not supported by adapters, APs, or operating systems on the network. In many cases, devices will be compatible with a firmware or driver upgrade.
WPA and WPA2 are both much more secure than WEP, though a serious vulnerability was discovered in 2017 (https://www.krackattacks.com) so you should continue to ensure that device firmware is patched against exploits such as this. Also, when used in pre-shared key mode, an attacker can obtain the encrypted key by associating with the access point and then subject the key to brute force or dictionary-based password attacks. These may succeed if a weak password was used to generate the key. When enterprise authentication is deployed, there are no known attacks that would enable an attacker to recover the key.
Pre-Shared Key (PSK)
means using a passphrase to generate the key that is used to encrypt communications. It is also referred to as group authentication because a group of users share the same secret. A PSK is generated from a passphrase, which is like a long password. In WPA-PSK, the user enters a passphrase of between 8 and 63 ASCII characters. This is converted to a 256-bit HMAC (expressed as a 64-character hex value) using the PBKDF2 key stretching algorithm.
The main problem is that distribution of the key or passphrase cannot be secured properly, and users may choose unsecure phrases. It also fails to provide accounting, as all users share the same key. The advantage is that it is simple to set up. Conversely, changing the key periodically, as would be good security practice, is difficult.
PSK is the only type of authentication available for WEP and is suitable for SOHO networks and workgroups using WPA.
Extensible Authentication Protocol (EAP) authentication
WPA can also implement 802.1X, which uses Extensible Authentication Protocol (EAP) authentication. The AP passes authentication information to a RADIUS server on the wired network for validation. The authentication information could be a username and password or could employ smart cards or tokens. This allows WLAN authentication to be integrated with the wired LAN authentication scheme. This type of authentication is suitable for enterprise networks.
open authentication
Selecting open authentication means that the client is not required to authenticate. This mode would be used on a public AP (or “hotspot”). This also means that data sent over the link is unencrypted. Open authentication may be combined with a secondary authentication mechanism managed via a browser. When the client associates with the open hotspot and launches the browser, the client is redirected to a captive portal or splash page. This will allow the client to authenticate to the hotspot provider’s network (over HTTPS, so the login is secure). The portal may also be designed to enforce terms and conditions and/or take payment to access the Wi-Fi service.
Virtual Private Network (VPN)
When using open wireless, users must ensure they send confidential web data only over HTTPS connections and only use email, VoIP, IM, and file transfer services with SSL/TLS enabled. Another option is for the user to join a Virtual Private Network (VPN). The user would associate with the open hotspot then start the VPN connection. This creates an encrypted “tunnel” between the user’s computer and the VPN server. This allows the user to browse the web or connect to email services without anyone eavesdropping on the open Wi-Fi network being able to intercept those communications. The VPN could be provided by the user’s company or they could use a third-party VPN service provider. Of course, if using a third-party, the user needs to be able to trust them implicitly. The VPN must use certificate-based tunneling to set up the “inner” authentication method.
Wi-Fi Protected Setup (WPS)
As setting up an access point securely is relatively complex for residential consumers, vendors have developed a system to automate the process called Wi-Fi Protected Setup (WPS). To use WPS, both the access point and wireless station (client device) must be WPS-capable. Typically, the devices will have a pushbutton. Activating this on the access point and the adapter simultaneously will associate the devices using a PIN, then associate the adapter with the access point using WPA2. The system generates a random SSID and PSK. If the devices do not support the push-button method, the PIN (printed on the AP) can be entered manually.
Unfortunately, WPS is vulnerable to a brute force attack. While the PIN is eight characters, one digit is a checksum and the rest is verified as two separate PINs of four and three characters. These separate PINs are many orders of magnitude simpler to brute force, typically requiring just hours to crack. On some models, disabling WPS through the admin interface does not actually disable the protocol, or there is no option to disable it. Some APs can lock out an intruder if a brute force attack is detected, but in some cases the attack can just be resumed when the lockout period expires. To counter this, the lockout period can be increased. However, this can leave APs vulnerable to a Denial of Service attack. When provisioning an AP, it is essential to verify what steps the vendor has taken to make their WPS implementation secure and the firmware level required to assure security.
Extensible Authentication Protocol (EAP)
The Extensible Authentication Protocol (EAP) is designed to support different types of authentication within the same overall topology of devices. It defines a framework for negotiating authentication mechanisms rather than the details of the mechanisms themselves. Widely adopted now, vendors can write extensions to the protocol to support third-party security devices. EAP implementations can include smart cards, one-time passwords, biometric scanning, or simpler username and password combinations.
The EAP framework involves three components:
- Supplicant—this is the client requesting authentication.
- Authenticator—this is the device that receives the authentication request (such as a remote access server or wireless access point). The authenticator establishes a channel for the supplicant and authentication server to exchange credentials using the EAP over LAN (EAPoL) protocol. It blocks any other traffic.
- Authentication Server—the server that performs the authentication (typically an AAA server).
EAP-TLS
currently considered the strongest type of authentication and is very widely supported. An encrypted Transport Layer Security (TLS) tunnel is established between the supplicant and authentication server using public key certificates on the authentication server and supplicant. As both supplicant and server are configured with certificates, this provides mutual authentication. The supplicant will typically provide a certificate using a smart card or a certificate could be installed on the client PC, possibly in a Trusted Platform Module (TPM).
Protected Extensible Authentication Protocol (PEAP)
In Protected Extensible Authentication Protocol (PEAP), as with EAP-TLS, an encrypted tunnel is established between the supplicant and authentication server, but PEAP only requires a server-side public key certificate. The supplicant does not require a certificate. With the server authenticated to the supplicant, user authentication can then take place through the secure tunnel with protection against sniffing, password-guessing/dictionary, and Man-in-the-Middle attacks.
There are two versions of PEAP, each specifying a different user authentication method (also referred to as the “inner” method):
- PEAPv0 (EAP-MSCHAPv2)—uses MS-CHAPv2 for authentication. This is by far the most popular implementation.
- PEAPv1 (EAP-GTC)—Cisco’s implementation.
PEAP is supported by Microsoft® as an alternative to EAP-TLS. It is simpler and cheaper to deploy than EAP-TLS because you only need a certificate for the authentication server.
EAP-Tunneled TLS (EAP-TTLS)
similar to PEAP. It uses a server-side certificate to establish a protected tunnel through which the user’s authentication credentials can be transmitted to the authentication server. The main distinction from PEAP is that EAP-TTLS can use any inner authentication protocol (PAP or CHAP, for instance), while PEAP must use EAP-MSCHAP or EAP-GTC.
Lightweight EAP (LEAP)
developed by Cisco in 2000 to try to resolve weaknesses in Wired Equivalent Privacy (WEP) and represents a very early implementation of EAP. When a client connects to an access point (the authenticator), it enables EAPoL and the client authenticates to the server and the server to the client. The server and client then calculate a transport encryption session key, which the server sends to the access point. This key is used to encrypt the rest of the session. LEAP relies on MS-CHAP to transmit authentication credentials. This means that LEAP is vulnerable to password cracking, as demonstrated by the ASLEAP cracking tool.
Flexible Authentication via Secure Tunneling (EAP-FAST)
Cisco’s replacement for LEAP. EAP-FAST is similar to PEAP, but instead of using a certificate to set up the tunnel, it uses a Protected Access Credential (PAC), which is generated for each user from the authentication server’s master key. The problem with EAP-FAST is in distributing (provisioning) the PAC securely to each user requiring access. The PAC can either be distributed via an out-of-band method or via a server with a digital certificate (but in the latter case, EAP-FAST does not offer much advantage over using PEAP). Alternatively, the PAC can be delivered via anonymous Diffie-Hellman key exchange. The problem here is that there is nothing to authenticate the access point to the user. A rogue access point could obtain enough of the user credential to perform an ASLEAP password cracking attack.
EAP-MD5
This is simply a secure hash of a user password. This method cannot provide mutual authentication (that is, the authenticator cannot authenticate itself to the supplicant). Therefore, this method is not suitable for use over unsecure networks, as it is vulnerable to Man-in-the-Middle, session hijacking, and password cracking attacks.
RADIUS federation
Most implementations of EAP use a RADIUS server to validate the authentication credentials for each user (supplicant). RADIUS federation means that multiple organizations allow access to one another’s users by joining their RADIUS servers into a RADIUS hierarchy or mesh. For example, when Bob from widget.com needs to log on to grommet.com’s network, the RADIUS server at grommet.com recognizes that Bob is not a local user but has been granted access rights and routes the request to widget.com’s RADIUS server.
One example of RADIUS federation is the eduroam network (https://www.eduroam.org), which allows students of universities from several different countries to log on to the networks of any of the participating institutions using the credentials stored by their “home” university.
As well as knowing the protocols and settings to configure a single access point securely, in a complex site you may need to consider additional issues to provide secure wireless access and resist wireless Denial of Service attacks. As with other security troubleshooting, there are two general kinds of issues with access point configuration: those where legitimate users cannot connect and those where unauthorized users are able to connect. In the first case, make the following checks:
- Ensure that wireless access points are implementing WPA/WPA2 with a strong passphrase or enterprise authentication.
- Check that clients are configured with the correct passphrase or that access points can communicate with RADIUS servers and that they are operational and functioning as expected.
- Ensure that no other wireless signals are interfering with the access point’s transmission.
rogue AP
If scans or network logs show that unauthorized devices are connecting, determine whether the problem is an access point with misconfigured or weak security or whether there is some sort of rogue AP. A rogue AP is one that has been installed on the network without authorization, whether with malicious intent or not. It is vital to periodically survey the site to detect rogue APs. A malicious user can set up such an access point with something as basic as a smartphone with tethering capabilities, and a non-malicious user could enable such an access point by accident. If connected to a LAN without security, an unauthorized AP creates a very welcoming backdoor through which to attack the network. A rogue AP could also be used to capture user logon attempts, allow Man-in-the-Middle attacks, and allow access to private information.
evil twin or wiphishing
A rogue AP masquerading as a legitimate one is called an evil twin or sometimes wiphishing. An evil twin might just have a similar name (SSID) to the legitimate one, or the attacker might use some DoS technique to overcome the legitimate AP. This attack will not succeed if authentication security is enabled on the AP, unless the attacker also knows the details of the authentication method. However, the evil twin might be able to harvest authentication information from users entering their credentials by mistake.
One solution is to use EAP-TLS security so that the authentication server and clients perform mutual authentication. There are also various scanners and monitoring systems that can detect rogue APs, including AirMagnet (https://www.enterprise.netscout.com/products/airmagnet-survey), inSSIDer (https://www.metageek.com/products/inssider), Kismet (https://www.kismetwireless.net), and Xirrus Wi-Fi Inspector (https://www.xirrus.com). Another option is a wireless intrusion detection system (WIDS) or wireless intrusion prevention system (WIPS). As well as rogue access points, WIPS can detect and prevent attacks against WLAN security, such as MAC spoofing and DoS.
deauthentication
The use of a rogue AP may be coupled with a deauthentication attack. This sends a stream of spoofed deauth frames to cause a client to deauthenticate from an AP. This might allow the attacker to interpose the rogue AP or to sniff information about the authentication process (such as a non-broadcast ESSID).
disassociation
A similar attack hits the target with disassociation packets, rather than fully deauthenticating the station. A disassociated station is not completely disconnected, but neither can it communicate on the network until it reassociates. Both attacks may also be used to perform a Denial of Service (DoS) attack against the wireless infrastructure. These attacks work against both WEP and WPA. The attacks can be mitigated if the wireless infrastructure supports Management Frame Protection (MFP/802.11w). Both the AP and clients must be configured to support MFP.
Wi-Fi jamming attack
A wireless network can be disrupted by interference from other radio sources. These are often unintentional, but it is also possible for an attacker to purposefully jam an access point. This might be done simply to disrupt services or to position an evil twin AP on the network with the hope of stealing data. A Wi-Fi jamming attack can be performed by setting up an AP with a stronger signal. Wi-Fi jamming devices are also widely available, though they are often illegal to use and sometimes to sell. Such devices can be very small, but the attacker still needs to gain fairly close physical proximity to the wireless network.
spectrum analyzer
The only ways to defeat a jamming attack are either to locate the offending radio source and disable it, or to boost the signal from the legitimate equipment. APs for home and small business use are not often configurable, but the more advanced wireless access points, such as Cisco’s Aironet series, support configurable power level controls. The source of interference can be detected using a spectrum analyzer. Unlike a Wi-Fi analyzer, a spectrum analyzer must use a special radio receiver (Wi-Fi adapters filter out anything that isn’t a Wi-Fi signal). They are usually supplied as handheld units with a directional antenna, so that the exact location of the interference can be pinpointed.
Personal Area Networks (PANs)
Wireless technologies are also important in establishing so-called Personal Area Networks (PANs). A PAN usually provides connectivity between a host and peripheral devices but can also be used for data sharing between hosts.
Bluetooth
a short-range (up to about 10m) radio link, working at a nominal rate of up to about 3 Mbps (for v2.0 + EDR).
Bluetooth devices have a few known security issues, summarized here:
- Device discovery—a device can be put into discoverable mode meaning that it will connect to any other Bluetooth devices nearby. Unfortunately, even a device in non-discoverable mode is quite easy to detect.
- Authentication and authorization—devices authenticate (“pair”) using a simple passkey configured on both devices. This should always be changed to some secure phrase and never left as the default. Also, check the device’s pairing list regularly to confirm that the devices listed are valid.
- Malware—there are proof-of-concept Bluetooth worms and application exploits, most notably the BlueBorne exploit (http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf), which can compromise any active and unpatched system regardless of whether discovery is enabled and without requiring any user intervention. There are also vulnerabilities in the authentication schemes of many devices. Keep devices updated with the latest firmware.
bluejacking
Unless some sort of authentication is configured, a discoverable device is vulnerable to bluejacking, a sort of spam where someone sends you an unsolicited text (or picture/video) message or vCard (contact details). This can also be a vector for malware, as demonstrated by the Obad Android Trojan malware (https://securelist.com/the-most-sophisticated-android-trojan/35929/).
Bluesnarfing
Bluesnarfing refers to using an exploit in Bluetooth to steal information from someone else’s phone. The exploit (now patched) allows attackers to circumvent the authentication mechanism. Even without an exploit, a short (4-digit) PIN code is vulnerable to brute force password guessing.
Radio Frequency ID (RFID)
a means of encoding information into passive tags, which can be easily attached to devices, structures, clothing, or almost anything else. When a reader is within range of the tag (typically either up to 10cm or up to 1m), it produces an electromagnetic wave that powers up the tag and allows the reader to collect information from it or to change the values encoded in the tag. There are also battery-powered active tags that can be read at much greater distances (hundreds of meters). One type of RFID attack is skimming, which is where an attacker uses a fraudulent RFID reader to read the signals from a contactless bank card. Any reader can access any data stored on any RFID tag, so sensitive information must be protected using cryptography. It is also possible (in theory) to design RFID tags to inject malicious code to try to exploit a vulnerability in a reader.
Near Field Communications (NFC)
a very short-range radio link based on RFID. NFC works at up to 4cm at data rates of 106, 212, and 424 Kbps. NFC sensors and functionality are now commonly incorporated into smartphones. NFC is mostly used for contactless payment readers. It can also be used to configure other types of connections (pairing Bluetooth devices for instance) and for exchanging information, such as contact cards. An NFC transaction is sometimes known as a bump, after an early mobile sharing app that used NFC and was later redeveloped as Android Beam.
As well as powered sensors, an NFC function can be programmed into an unpowered chip that can be delivered as a sticker (an NFC tag). When the phone’s sensor is brought close to the tag, the radio field activates it and triggers some action that has been pre-programmed into the phone.
As a relatively new technology, there are few proven attacks or exploits relating to NFC. It is possible to envisage how such attacks may develop, however. NFC does not provide encryption, so eavesdropping and Man-in-the-Middle attacks are possible if the attacker can find some way of intercepting the communication and the software services are not encrypting the data. Vulnerabilities and exploits are also likely to be found in the software services that use NFC. It is also possible to jam NFC signals, creating a Denial of Service attack.
Some software, such as Google’s Beam, allows NFC transfers to occur without user intervention. It is possible that there may be some way to exploit this by crafting tags to direct the device browser to a malicious web page where the attacker could try to exploit any vulnerabilities in the browser.
Follow these guidelines when securing wireless traffic:
- Select access points and supplementary directional antennas that adequately meet your bandwidth and signal range requirements.
- Select the appropriate frequency band and configure the signal strength to meet your needs.
- Consider using thin APs in a controller-based architecture to centralize wireless network operations.
- Conduct a site survey to determine the best possible ways to position your wireless infrastructure with respect to confidentiality, integrity, and availability.
- Configure your Wi-Fi networks with WPA2 encryption and an appropriate authentication method:
  - Consider using WPA2-Enterprise in a large corporate environment to take advantage of 802.1X/RADIUS authentication.
  - Use a long passphrase to generate a more secure PSK.
  - Avoid using the PIN feature of WPS.
- Implement a captive portal requiring login credentials to protect against unauthorized users accessing your Wi-Fi hotspot.
- Patch and update firmware on all types of wireless systems (Wi-Fi, Bluetooth, RFID, and NFC) regularly and monitor security bulletins for news of emerging attack vectors.
physical access controls
Physical security controls, or physical access controls, are security measures that restrict, detect, and monitor access to specific physical areas or assets. They can control access to a building, to equipment, or to specific areas, such as server rooms, finance or legal areas, data centers, network cable runs, or any other area that has hardware or information that is considered to have important value and sensitivity. Determining where to use physical access controls requires a cost–benefit analysis and must consider any regulations or other compliance requirements for the specific types of data that are being safeguarded.
Physical access controls depend on the same access control fundamentals as network or operating system security:
- Authentication—create access lists and identification mechanisms to allow approved persons through the barriers.
- Authorization—create barriers around a resource so that access can be controlled through defined entry and exit points.
- Accounting—keep a record of when entry/exit points are used and detect security breaches.
Physical security can be thought of in terms of zones. Each zone should be separated by its own barrier(s). Entry and exit points through the barriers need to be controlled by one or more security mechanisms. Access should become progressively more restricted with each successive zone.
In existing premises, there will not be much scope to influence site layout. However, given constraints of cost and existing infrastructure, try to plan the site using the following principles:
- Locate secure zones, such as equipment rooms, as deep within the building as possible, avoiding external walls, doors, and windows.
- Position public access areas so that guests do not pass near secure zones. Security mechanisms in public areas should be high visibility, to increase deterrence. Use signs and warnings to enforce the idea that security is tightly controlled. Beyond basic no trespassing signs, some homes and offices also display signs from the security companies whose services they are currently using. These may convince intruders to stay away. Conversely, entry points to secure zones should be discreet. Do not allow an intruder the opportunity to inspect security mechanisms protecting such zones (or even to know where they are).
- Try to minimize traffic having to pass between zones. The flow of people should be “in and out” rather than “across and between.”
- Make high traffic public areas high visibility, so that covert use of gateways, network access ports, and computer equipment is hindered, and surveillance is simplified.
- In secure zones, do not position display screens or input devices facing toward pathways or windows. Alternatively, use one-way glass so that no one can look in through windows.
barricade
A barricade is something that prevents access. As with any security system, no barricade is completely effective; a wall may be climbed or a lock may be picked, for instance. The purpose of barricades is to channel people through defined entry and exit points. Each entry point should have an authentication mechanism so that only authorized persons are allowed through. Effective surveillance mechanisms ensure that attempts to penetrate a barricade by other means are detected.
fencing
The exterior of a building may be protected by fencing. Security fencing needs to be transparent (so that guards can see any attempt to penetrate it), robust (so that it is difficult to cut), and secure against climbing (which is generally achieved by making it tall and possibly by using razor wire). Fencing is generally effective, but the drawback is that it gives a building an intimidating appearance. Buildings that are used by companies to welcome customers or the public may use more discreet security methods.
Security lighting
Security lighting is enormously important in contributing to the perception that a building is safe and secure at night. Well-designed lighting helps to make people feel safe, especially in public areas or enclosed spaces, such as parking garages. Security lighting also acts as a deterrent by making intrusion more difficult and surveillance (whether by camera or guard) easier. The lighting design needs to account for overall light levels (illuminance), the lighting of particular surfaces or areas (allowing cameras to perform facial recognition, for instance), and avoiding areas of shadow and glare.
gateway
One of the oldest types of security is a wall with a door in it (or a fence with a gate). In order to secure such a gateway, it must be fitted with a lock (or door access system). A secure gateway will normally be self-closing and self-locking, rather than depending on the user to close and lock it.
Lock types can be categorized as follows:
- Conventional—a conventional lock prevents the door handle from being operated without the use of a key. More expensive types offer greater resistance against lock picking.
- Deadbolt—this is a bolt on the frame of the door, separate to the handle mechanism.
- Electronic—rather than a key, the lock is operated by entering a PIN on an electronic keypad. This type of lock is also referred to as cipher, combination, or keyless.
- Token-based—a smart lock may be opened using a magnetic swipe card, or it may feature a proximity reader that detects the presence of a wireless key fob, a one-time password generator (physical tokens), or a smart card.
- Biometric—a lock may be integrated with a biometric scanner.
- Multifactor—a lock may combine different methods (for example, smart card with PIN).
Locks using a physical key are only as secure as the key management process used to protect the keys. The more physical copies of each key that are made, the less secure the gateway becomes. It is important to track who is holding a key at any one time and to ensure that a key cannot be removed from the site (to prevent a copy being made). Locks using smart cards will require the management of the cryptographic keys issued to the lock mechanism and the smart cards.
turnstile
Apart from being vulnerable to lock picking, the main problem with a simple door or gate as an entry mechanism is that it cannot accurately record who has entered or left an area. Multiple people may pass through the gateway at the same time; a user may hold a door open for the next person; an unauthorized user may “tailgate” behind an authorized user. This risk may be mitigated by installing a turnstile (a type of gateway that only allows one person through at a time).
mantrap
The other option is to add some sort of surveillance on the gateway. Where security is critical and cost is no object, a mantrap could be employed. A mantrap is where one gateway leads to an enclosed space protected by another barrier.
As well as authorized gateways (such as gates and doors), consider the security of entry points that could be misused, such as emergency exits, windows, hatches, grilles, and so on. These may be fitted with bars, locks, or alarms to prevent intrusion. Also consider pathways above and below, such as false ceilings and ducting. There are three main types of alarm:
- Circuit—a circuit-based alarm sounds when the circuit is opened or closed, depending on the type of alarm. This could be caused by a door or window opening or by a fence being cut. A closed-circuit alarm is more secure because an open circuit alarm can be defeated by cutting the circuit.
- Motion detection—a motion-based alarm is linked to a detector triggered by any movement within an area (defined by the sensitivity and range of the detector), such as a room. The sensors in these detectors use either microwave radio reflection (similar to radar) or Passive Infrared (PIR), which detects moving heat sources.
- Duress—this type of alarm is triggered manually by staff if they come under threat. There are many ways of implementing this type of alarm, including wireless pendants, concealed sensors or triggers, and DECT handsets or smartphones. Some electronic entry locks can also be programmed with a duress code that is different from the ordinary access code. This will open the gateway but also alert security personnel that the lock has been operated under duress.
Circuit-based alarms are typically suited for use at the perimeter and on windows and doors. These may register when a gateway is opened without using the lock mechanism properly or when a gateway is held open for longer than a defined period. Motion detectors are useful for controlling access to spaces that are not normally used. Duress alarms are useful for exposed staff in public areas. An alarm might simply sound an alert or it may be linked to a monitoring system. Many alarms are linked directly to local law enforcement or to third-party security companies. A silent alarm alerts security personnel rather than sounding an audible alarm.
Surveillance
typically a second layer of security designed to improve the resilience of perimeter gateways. Surveillance may be focused on perimeter areas or within security zones themselves. Human security guards, armed or unarmed, can be placed in front of and around a location to protect it. They can monitor critical checkpoints and verify identification, allow or disallow access, and log physical entry events. They also provide a visual deterrent and can apply their own knowledge and intuition to potential security breaches. The visible presence of guards is a very effective intrusion detection and deterrence mechanism, but is correspondingly expensive. It also may not be possible to place security guards within certain zones because they cannot be granted an appropriate security clearance. Training and screening of security guards is imperative.
CCTV (closed circuit television)
a cheaper means of providing surveillance than maintaining separate guards at each gateway or zone, though still not cheap to set up if the infrastructure is not already in place on the premises. It is also quite an effective deterrent. The other big advantage is that movement and access can be recorded. The main drawback compared to the presence of security guards is that response times are longer, and security may be compromised if not enough staff are in place to monitor the camera feeds.
The cameras in a CCTV network are typically connected to a multiplexer using coaxial cabling. The multiplexer can then display images from the cameras on one or more screens, allow the operator to control camera functions, and record the images to tape or hard drive. Newer camera systems may be linked in an IP network, using regular data cabling.
access list
An access list held at each secure gateway records who is allowed to enter. An electronic lock may be able to log access attempts, or a security guard can manually log movement. At the lowest end, a sign-in and sign-out sheet can be used to record authorized access. Visitor logging requirements will vary depending on the organization, but should include at least the visitor’s name and the company being represented, the date, time of entry and time of departure, the reason for visiting, and the contact within the organization.
ID badge
A photographic ID badge showing name and (perhaps) access details is one of the cornerstones of building security. Anyone moving through secure areas of a building should be wearing an ID badge; anyone without an ID badge should be challenged. Color-coding could be used to make it obvious to which zones a badge is granted access.
challenge
The cheapest form of surveillance is to leverage ordinary employees to provide it. Security policies should explain staff responsibilities and define reporting mechanisms. One of the most important parts of surveillance is the challenge policy. This sets out what type of response is appropriate in given situations and helps to defeat social engineering attacks. This must be communicated to and understood by staff.
Challenges represent a whole range of different contact situations. For example:
- Challenging visitors who do not have ID badges or are moving about unaccompanied.
- Insisting that proper authentication is completed at gateways, even if this means inconveniencing staff members (no matter their seniority).
- Intruders and/or security guards may be armed. The safety of staff and compliance with local laws have to be balanced against the imperative to protect the company’s other resources.
It is much easier for employees to use secure behavior in these situations if they know that their actions are conforming to a standard of behavior that has been agreed upon and is expected of them.
secure cabinets/enclosures
As well as access to the site, physical security can be used for network appliances and cabling. The most vulnerable point of the network infrastructure will be the communications room. This should be subject to the most stringent access and surveillance controls that can be afforded. Another layer of security can be provided by installing equipment within secure cabinets/enclosures. These can be supplied with key-operated or electronic locks.
Some data centers may contain racks with equipment owned by different companies (colocation). These racks can be installed inside cages so that technicians can only physically access the racks housing their own company’s servers and appliances.
If installing equipment within a cabinet is not an option, it is also possible to obtain cable hardware locks for use with portable devices such as laptops.
Portable devices and media (backup tapes or USB media storing encryption keys, for instance) may be stored in a safe. Safes can feature key-operated or combination locks but are more likely to come with electronic locking mechanisms. Safes can be rated to a particular cash value for the contents against various international grading schemes.
There are also fire safes that give a certain level of protection against exposure to smoke and flame and to water penetration (from fire extinguishing efforts).
A privacy filter or screen filter prevents anyone but the user from reading the screen (shoulder surfing). Modern TFTs are designed to be viewed from wide angles. This is fine for home entertainment use but raises the risk that someone would be able to observe confidential information shown on a user’s monitor. A privacy filter restricts the viewing angle to the person directly in front of the screen.
As well as the switches, routers, and servers housed in equipment cabinets, thought needs to be given to cabling. A physically secure cabled network is referred to as a protected distribution system (PDS). There are two principal risks:
- An intruder could attach eavesdropping equipment to the cable (a tap).
- An intruder could cut the cable (Denial of Service).
A hardened PDS is one where all cabling is routed through sealed metal conduit and subject to periodic visual inspection. Lower grade options are to use different materials for the conduit (plastic, for instance). Another option is to install an alarm system within the cable conduit, so that intrusions can be detected automatically.