Today, I will be going over Control 15 from version 7 of the top 20 CIS Controls – Wireless Access Control. I will go through the ten requirements and offer my thoughts on what I’ve found.
Key Takeaways for Control 15
- Reduce your attack surface. So much of control 15 is about limiting your usage of wireless technologies. Where you are using wireless, utilize best practices with encryption to prevent attacks on wireless data.
- Search out for more tools. Using a vulnerability scanner or wireless intrusion detection system for detecting rogue access points is overkill for these tools. If you already have them at your disposal, then reuse them without having to spend more money. If you don’t have them and you need to address control 15 immediately, there are plenty of other tools that can do the same job at a fraction of the price.
Requirement Listing for Control 15
1. Maintain an Inventory of Authorized Wireless Access Points
Description: Maintain an inventory of authorized wireless access points connected to the wired network.
Notes: Creating a baseline is the starting point in securing any part of the enterprise network. Even if this is done in an Excel spreadsheet, getting data down on paper to reference later should be done.
2. Detect Wireless Access Points Connected to the Wired Network
Description: Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
Notes: This may also be the starting point for requirement one, as well. In fact, this may even be part of Control 1 as you are deploying tools to detect devices on the network. However, don’t think that you are limited to just network vulnerability scanning tools to find wireless access points. There are plenty of other tools out there as well that can do the same job.
3. Use a Wireless Intrusion Detection System
Description: Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points.
Notes: A WIDS can be used for so much more than detecting access points. If you have the budget to deploy WIDS, utilize it for more than a network scanning tool. Public networks are a great candidate for WIDS, which monitor protocol-level attacks, for a typical IDS would be blind to this type of attack.
4. Disable Wireless Access on Devices if it is Not Required
Description: Configure wireless access on devices that do not have a business purpose for wireless access.
Notes: Reduce your attack surface. This goes with the same thought process of disabling ports and services that are not critical for that specific machine. Most servers and desktops have no need for a wireless connection. A potential data exfiltration tactic you may need to worry about is a mobile hotspot plugged into a computer to send data through a cell phone carrier rather than the enterprise network.
5. Limit Wireless Access on Client Devices
Description: Configure wireless access on client machines that do not have an essential wireless business purpose to allow access only to authorized wireless networks and to restrict access to other wireless networks.
Notes: This one can be tougher to control, as devices such as laptops and cell phones are mobile in nature. If employees are traveling for business, limiting their wireless networks to just the business is going to limit their productivity. I see this as being a requirement only for wireless devices that do not leave the physical premises.
6. Disable Peer-to-peer Wireless Network Capabilities on Wireless Clients
Description: Disable peer-to-peer (adhoc) wireless network capabilities on wireless clients.
Notes: Consumer-grade devices may need this functionality, but very few enterprise devices will. Typically, this is not used by a remote attacker; this would be classified as an insider threat. Again, as with the previous requirement, this if for those who are trying to exfiltrate data on non-business networks.
7. Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data
Description: Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
Notes: Encrypt early, encrypt often. AES is the de-facto standard for wireless communications. While naming specific protocols or tools can be frowned upon in a standard, I don’t see AES being overtaken by something else before another version of CIS comes out.
8. Use Wireless Authentication Protocols that Require Mutual, Multi-Factor Authentication
Description: Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol – Transport Layer Security (EAP/TLS) that requires mutual, multi-factor authentication.
Notes: See the notes for requirement 7. Unless a client device is required for business purposes to not have the highest-grade security, then use the strongest tools and technologies to your advantage.
9. Disable Wireless Peripheral Access to Devices
Description: Disable wireless peripheral access of devices (such as Bluetooth and NFC) unless such access is required for a business purpose.
Notes: See requirement 5. However, this is more focused towards closer range technologies rather than WiFi. There are some risks associated with running Bluetooth and NFC, so if you don’t need it, turn it off.
10. Create Separate Wireless Network for Personal and Untrusted Devices
Description: Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.
Notes: I see this one as probably one of the more critical requirements for this control. Guest networks have no business communicating with the corporate network. I have yet to see a business case where they would even need to be allowed in and audited, as is recommended by the requirement here. I would put guests on a completely different network that has no pathway into the corporate network, especially if the guest network is open to customers in a public setting.
See how simple and effective security controls can create a framework that helps you protect your organization and data from known cyber attack vectors by downloading this guide here.
Read more about the 20 CIS Controls here:
Control 20 – Penetration Tests and Red Team Exercises
Control 19 – Incident Response and Management
Control 18 – Application Software Security
Control 17 – Implement a Security Awareness and Training Program
Control 16 – Account Monitoring and Control
Control 15 – Wireless Access Control
Control 14 – Controlled Access Based on the Need to Know
Control 13 – Data Protection
Control 12 – Boundary Defense
Control 11 – Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
Control 10 – Data Recovery Capabilities
Control 9 – Limitation and Control of Network Ports, Protocols, and Services
Control 8 – Malware Defenses
Control 7 – Email and Web Browser Protections
Control 6 – Maintenance, Monitoring, and Analysis of Audit Logs
Control 5 – Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Control 4 – Controlled Use of Administrative Privileges
Control 3 – Continuous Vulnerability Management
Control 2 – Inventory and Control of Software Assets
Control 1 – Inventory and Control of Hardware Assets
You can also learn more about the CIS controls here.