Deepak Gupta AirTight Networks
Transcript of Deepak Gupta AirTight Networks
![Page 1: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/1.jpg)
Deepak Gupta, AirTight Networks
Wireless Vulnerabilities in the Wild: View From the Trenches
Acknowledgement: Based on work presented by K N Gopinath at RSA 2011
![Page 2: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/2.jpg)
Agenda
Why care about Wireless Vulnerabilities? (Motivation)
What’s new in this talk and what are its implications?
Wireless Vulnerability Analysis (Measurements)
Threat/Vulnerability Mitigation
![Page 3: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/3.jpg)
Era of Wireless Consumerization
![Page 4: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/4.jpg)
Real Life Breaches due to Insecure Use of Wi-Fi
Marshalls store hacked via wireless
Hackers accessed TJX network & multiple servers for 18+ months
45.7 million payment credit accounts compromised
Estimated liabilities > 4.5B USD
![Page 5: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/5.jpg)
Are today’s enterprises secure enough to prevent the recurrence of such attacks?
![Page 6: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/6.jpg)
Enter War Driving
[Chart: WPA/WPA2 APs (%) found by war driving in NY, London and Paris, RSA '07 vs RSA '08]
Not all APs are WPA/WPA2.
How many of these are actually connected to my network?
![Page 7: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/7.jpg)
War Driving Insufficient for Enterprise Threat Classification
Our Study: APs classified as Authorized, External, or Rogue
![Page 8: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/8.jpg)
Sensor Based Statistical Sampling Data collected over last two years
| Total Number of | Count |
|---|---|
| Sites/Locations | 2,155 |
| Organizations | 156 |
| Sensors | 4,501 |
| Total Access Points | 268,383 |
| Enterprise Clients | 427,308 |
| Threat Instances Analyzed | 82,681 |
![Page 9: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/9.jpg)
Enterprises Deal With Lot of Non-Enterprise Devices
[Chart: 268,383 APs: 80,515 Authorized, 187,868 External/Unmanaged]
70% of APs do NOT belong to the studied organizations!
Similarly, about 87% of clients are unmanaged/external!
![Page 10: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/10.jpg)
Wireless Threat Space: AP Based Threats
Rogue APs
AP mis-configurations
Soft/Client Based APs
![Page 11: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/11.jpg)
Wireless Threat Space: Client Based Threats
Client extrusions: connections to neighbors, evil twins
Adhoc networks
Client bridging
Banned devices
![Page 12: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/12.jpg)
T3 (T-Cube) Parameters
Threat Presence: presence of an instance of a threat (%)
Threat Duration: window of opportunity for an attacker
Threat Frequency: likelihood of presence of a threat instance
![Page 13: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/13.jpg)
Real-life data & Accurate picture of Threats
How does this information help you?
Get an idea of the Wi-Fi threat scenario in enterprises that may be like yours
Which wireless threats should you worry about first?
Plan your enterprise mitigation strategy
![Page 14: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/14.jpg)
Threat Presence: Simple (Yes/No) metric based on the presence of an instance of a threat (%)
![Page 15: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/15.jpg)
Results From Our Survey: Randomly Chosen Set of IT Security Professionals
[Chart: % response by threat: Rogue AP, Misconf. AP, Adhoc, Client Extrusion, Other]
![Page 16: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/16.jpg)
Overall Threat Scenario
[Chart: threat occurrence (% organizations, 0% to 100%) for Adhoc, Banned Devices, DoS, Rogue APs, Client Extrusions, Misconf. APs, Client Bridging, Soft APs; results based on our data]
Key Observations
Prominent Threats: Client extrusions, Rogue APs, AP mis-configurations, Adhoc clients
Key Implications
Organization data is potentially at risk via Wi-Fi
![Page 17: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/17.jpg)
Let’s Dive Deeper into Nature of Threats
Rogue APs
Client Extrusions
Adhoc Clients
![Page 18: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/18.jpg)
Enterprise Wireless Consumerization: Rogue APs
1,521 Rogue APs seen in our study
163 different types of consumer-grade OUIs seen
![Page 19: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/19.jpg)
Rogue AP Details
Security: Open 49%, WEP 21%, WPA(2)/PSK 29%, Unknown 1%
SSID: Non-Default 89%, Default SSIDs 9%, Unknown/Blank 2%
About 1 in 10 Rogue APs have Default SSIDs
About Half of Rogue APs are Wide Open
![Page 20: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/20.jpg)
Rogue AP Details
An open Rogue AP is virtually THIS!
![Page 21: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/21.jpg)
Client Consumerization: Client Extrusion
Clients (smartphones & laptops both) probe for these SSIDs.
![Page 22: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/22.jpg)
Topic of Hot Discussion Today!
![Page 23: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/23.jpg)
![Page 24: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/24.jpg)
Client Probing For Vulnerable SSIDs: Retail/SMB Organizations
[Chart: 118,981 clients: 12,002 Authorized, 106,979 Unmanaged; probing for vulnerable SSIDs: 636 (5.3%) of authorized, 21,777 (20.4%) of unmanaged]
Power of accurate threat classification: 5.3% vs 20.4%
![Page 25: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/25.jpg)
“Known” Vulnerable SSIDs Probed For
103 distinct SSIDs recorded
Certain (8%) authorized clients probe for 5 or more SSIDs
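As an added example (not code from the talk or from AirTight), the following Python reproduces the two measurements above on a constructed probe-request sample: the share of authorized versus unmanaged clients probing for at least one known vulnerable SSID, and the authorized clients probing for five or more distinct SSIDs. The MAC addresses, the authorized inventory and the "known vulnerable" SSID list are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample (not the talk's data): probe requests seen by sensors, as (client_mac, ssid).
PROBES = [
    ("00:11:22:aa:00:01", "linksys"), ("00:11:22:aa:00:01", "CorpWLAN"),
    ("00:11:22:aa:00:02", "CorpWLAN"),
    ("00:11:22:aa:00:03", "linksys"), ("00:11:22:aa:00:03", "default"),
    ("00:11:22:aa:00:03", "Free Public WiFi"), ("00:11:22:aa:00:03", "attwifi"),
    ("00:11:22:aa:00:03", "hotel_guest"),
    ("66:77:88:bb:00:01", "Free Public WiFi"), ("66:77:88:bb:00:02", "CafeNet"),
    ("66:77:88:bb:00:03", "CorpWLAN"), ("66:77:88:bb:00:04", "CorpWLAN"),
]
# Constructed inventory of managed (authorized) client MACs; everything else is unmanaged/external.
AUTHORIZED = {"00:11:22:aa:00:01", "00:11:22:aa:00:02", "00:11:22:aa:00:03"}
# Hypothetical "known vulnerable" SSID list: open/default names a client may auto-join.
VULNERABLE_SSIDS = {"linksys", "default", "Free Public WiFi", "attwifi", "hotel_guest", "CafeNet"}


def probe_profiles(probes):
    """Map each client MAC to the set of distinct SSIDs it probed for."""
    profiles = defaultdict(set)
    for mac, ssid in probes:
        profiles[mac].add(ssid)
    return profiles


def extrusion_exposure(probes, authorized, vulnerable):
    """Per client class (authorized vs unmanaged): clients probing for at least one
    known-vulnerable SSID, as a count and as a share of that class."""
    profiles = probe_profiles(probes)
    classes = (("authorized", [m for m in profiles if m in authorized]),
               ("unmanaged", [m for m in profiles if m not in authorized]))
    result = {}
    for label, macs in classes:
        exposed = [m for m in macs if profiles[m] & vulnerable]
        result[label] = {"clients": len(macs), "probing_vulnerable": len(exposed),
                         "percent": round(100.0 * len(exposed) / len(macs), 1) if macs else 0.0}
    return result


def heavy_probers(probes, authorized, min_ssids=5):
    """Authorized clients whose saved profiles make them probe for min_ssids or more distinct names."""
    profiles = probe_profiles(probes)
    return sorted(m for m in authorized if len(profiles.get(m, ())) >= min_ssids)


if __name__ == "__main__":
    print(extrusion_exposure(PROBES, AUTHORIZED, VULNERABLE_SSIDS))
    print(heavy_probers(PROBES, AUTHORIZED))
```

Clients returned by `heavy_probers` are the ones whose connection profiles most need cleaning up, which is the first mitigation step the talk recommends.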
![Page 26: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/26.jpg)
Adhoc Authorized Clients!
565 distinct Adhoc SSIDs found, about half of them vulnerable
15% of these are default SSIDs. 26,443 (7%) clients in adhoc mode.
![Page 27: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/27.jpg)
So What? Illustrative Exploit via Client Extrusion
Smartphone as an Attacker
App1: Mobile Hotspot
App2: SSLStrip Attack Tool
![Page 28: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/28.jpg)
VIDEO DEMO: Smartpot MITM Attack
![Page 29: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/29.jpg)
Threat Duration: How long (time interval) is a threat active before removal?
![Page 30: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/30.jpg)
AP Threats Live “Longer” Than Client Threats: 15% of client threats & 30% of AP threats live for > 1 hr
[Chart: histogram of % threat instances with given threat duration (10 Min, 30 Min, 1 Hr, 6 Hr, 12 Hr, 12 Hr+) for AP Misconf., Rogue AP, Client Extrusion and Adhoc networks, indicating that AP threats live longer]
Some AP based threats are active for a day or more!
Data from SMB/Retail (PCI) Segment
![Page 31: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/31.jpg)
Threat Frequency: Threat instances per sensor per month
![Page 32: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/32.jpg)
Threat Frequency
Large Enterprise Segment: Threats Per Month Per Sensor (Approx. 10,000 sq feet area)
[Chart: threat frequency by threat category; bars labelled 1, 8 and 13 across Rogue AP, Misconfigured AP and Client Extrusion]
The bigger your organization, the higher the likelihood of finding the threats
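The three T3 parameters (presence, duration, frequency) are easy to compute once threat instances are recorded with an organization, a sensor and first/last-seen times. The Python below is an added example, not code from the talk or from AirTight; the threat records, organization list and sensor count are constructed, and the duration buckets follow the talk's histogram.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of threat instances (not the talk's data): each record is
# (threat_type, organization, sensor_id, first_seen, last_seen).
T0 = datetime(2011, 1, 1, 9, 0)
INSTANCES = [
    ("Rogue AP", "orgA", "s1", T0, T0 + timedelta(hours=13)),
    ("Rogue AP", "orgB", "s3", T0, T0 + timedelta(minutes=20)),
    ("Client Extrusion", "orgA", "s1", T0, T0 + timedelta(minutes=5)),
    ("Client Extrusion", "orgA", "s2", T0, T0 + timedelta(minutes=45)),
    ("Client Extrusion", "orgC", "s4", T0, T0 + timedelta(hours=2)),
    ("Misconfigured AP", "orgB", "s3", T0, T0 + timedelta(hours=7)),
]
ORGANIZATIONS = ["orgA", "orgB", "orgC", "orgD"]  # orgD had no instances (constructed)
# Duration buckets (upper bound in minutes) matching the talk's histogram; "12 Hr+" is open-ended.
BINS = [("10 Min", 10), ("30 Min", 30), ("1 Hr", 60), ("6 Hr", 360), ("12 Hr", 720), ("12 Hr+", None)]


def threat_presence(instances, organizations):
    """Yes/No metric: % of organizations in which at least one instance of each threat type was seen."""
    seen = defaultdict(set)
    for ttype, org, *_ in instances:
        seen[ttype].add(org)
    return {t: round(100.0 * len(orgs) / len(organizations), 1) for t, orgs in seen.items()}


def threat_duration(instances, bins=BINS):
    """Window of opportunity: % of each threat type's instances per bucket of time active before removal."""
    counts = defaultdict(lambda: defaultdict(int))
    for ttype, _, _, start, end in instances:
        minutes = (end - start).total_seconds() / 60
        label = next(lbl for lbl, limit in bins if limit is None or minutes <= limit)
        counts[ttype][label] += 1
    return {t: {lbl: round(100.0 * n / sum(c.values()), 1) for lbl, n in c.items()}
            for t, c in counts.items()}


def threat_frequency(instances, sensor_count, months):
    """Instances per sensor per month for each threat type (the talk's frequency metric)."""
    per_type = defaultdict(int)
    for ttype, *_ in instances:
        per_type[ttype] += 1
    return {t: round(n / (sensor_count * months), 3) for t, n in per_type.items()}


if __name__ == "__main__":
    print(threat_presence(INSTANCES, ORGANIZATIONS))
    print(threat_duration(INSTANCES))
    print(threat_frequency(INSTANCES, sensor_count=4, months=1))
```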
![Page 33: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/33.jpg)
Key Takeaways Summarized
Wireless threats due to unmanaged devices are present; the enterprise wireless environment is influenced by consumerization
Certain threats are more common than others: Client extrusions, Rogue APs, AP mis-configurations, Adhoc clients
Common threats affect large enterprise and SMB organizations
Wireless threats persist regardless of the sophistication of wired network security
![Page 34: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/34.jpg)
Threat Mitigation
![Page 35: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/35.jpg)
Let’s Ban Wi-Fi!
![Page 36: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/36.jpg)
Use WPA2 For Your Authorized WLAN!
But, WPA2 does not protect against threats due to unmanaged devices
![Page 37: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/37.jpg)
Threat Mitigation
Intrusions (AP Based Threats)
Wire side controls as a first line of defense (e.g., 802.1X port control)
Wireless IPS to automatically detect & block intrusions
Extrusions (Client Based Threats)
Educate users: clean up profiles, use VPNs & connect to secure Wi-Fi
Deploy end point agents to automatically block connections to insecure Wi-Fi
Wireless IPS to automatically detect & block extrusions in enterprise perimeter
Regular wireless scans to understand your security posture
Cloud based solutions are available to automate wireless scans
Defense-In-Depth Mitigation
![Page 38: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/38.jpg)
Apply Slide: Recommended Best Practices
Self Assessment Test: Scan your network to find out how vulnerable you are. Good chance that you will find a Rogue AP, higher chance that you will find client extrusion
Follow best practices: Educate your users to connect to secure Wi-Fi. Use VPN for remote connections. Clean up the connection profiles of Wi-Fi clients periodically. Deploy end point agents to automate some of the above
Adopt a “defense in depth” security approach: Employ wire side defenses against Rogue APs (first line of defense). Regularly scan your wireless perimeter. If risk assessment is high and/or you store super sensitive data, threat containment via wireless IPS should be considered
![Page 39: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/39.jpg)
Apply Slide: Recommended Best Practices
Go Wi-Fi, But, The Safe Way!
![Page 41: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/41.jpg)
A1: Location/Site Wise Distribution
Key Observations
Prominent threats are distributed across multiple sites.
Key Implications
You need an ability to monitor the entire organization, not just 1 or 2 sites
[Chart: Location Wise Distribution, threat occurrence (% locations, 0% to 50%) for Rogue APs, Adhoc, Soft APs, Banned Devices, Client Extrusions, Client Bridging, DoS, Misconf. APs]
![Page 42: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/42.jpg)
A2: Enterprise Vs PCI (SMB/Retail)
[Chart: Enterprise, threat occurrence (% organizations) for Rogue APs, DoS, Client Extrusions, Adhoc, Misconf. APs, Banned Devices, Client Bridging, Soft APs]
[Chart: PCI (SMB/Retail), threat occurrence (% organizations) for Rogue APs, Misconf. APs, Soft APs, Adhoc, Banned Devices, Client Bridging, Client Extrusions, DoS]
Key Observations
Similar pattern with respect to prominent threats
Some difference w.r.t. other threats: increased adhoc connections in PCI
![Page 43: Deepak Gupta AirTight Networks](https://reader036.fdocuments.us/reader036/viewer/2022062314/5681471f550346895db453a6/html5/thumbnails/43.jpg)
A3: North America, Asia (Overall Threat Occurrence)
[Chart: North America, threat occurrence (% organizations) for Adhoc, DoS, Soft APs, Banned Devices, Client Bridging, Misconf. APs, Rogue APs, Client Extrusions]
[Chart: Asia, threat occurrence (% organizations) for Adhoc, DoS, Soft APs, Banned Devices, Client Bridging, Misconf. APs, Rogue APs, Client Extrusions]