port associated with a common service, such as Secure Shell (TCP 22), HTTP (TCP 80), or SMB (TCP 445). Such tools are configured merely to listen and then respond when they see a connection request, without providing any useful function or service on the sampled machine, minimizing the exposure to this machine during the test. With this benign listener in place, the automated scanning functionality can be verified to ensure that it discovers the change with the new port listening in the environment.
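A benign listener of the kind described above, as an added example that is not part of the original document. The class name, the loopback address and the OS-assigned port are assumptions for illustration; in an actual test it would bind to the sampled machine's address on a common service port.

```python
import socket
import threading
from datetime import datetime, timezone


class BenignListener:
    """Accepts TCP connections and closes them at once; offers no service."""

    def __init__(self, host="127.0.0.1", port=0):
        # Assumed defaults: loopback and port 0 (the OS picks a free port).
        # Binding to a common service port such as 22, 80 or 445 needs privileges.
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))
        self._sock.listen(5)
        self._sock.settimeout(0.2)  # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]
        self.seen = []  # (UTC timestamp, peer address) for each connection
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            # Complete the handshake, record who connected, send nothing.
            self.seen.append((datetime.now(timezone.utc).isoformat(), peer[0]))
            conn.close()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()


if __name__ == "__main__":
    listener = BenignListener().start()
    print(f"listening on 127.0.0.1:{listener.port}; run the scan, then press Enter")
    input()
    listener.stop()
    for when, peer in listener.seen:
        print(when, peer)
```

The recorded timestamps and peer addresses can be compared with the scanner's report to confirm that the new port was probed and flagged.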
Critical Control 14: Wireless Device Control
How do attackers exploit the lack of this control?
One of the largest data thefts in history was initiated by an attacker sitting in a car in a parking lot and breaking through the organization’s security perimeter by connecting wirelessly to an access point inside the organization. Other wireless devices accompanying travelling officials are being infected every day through remote exploitation during air travel or in a cyber café. Such exploited systems are then used as back doors when they are reconnected to the network of a target organization. Still other organizations have reported the discovery of unauthorized wireless access points on their networks, planted and sometimes hidden to provide unrestricted access to an internal network. Because they do not require direct physical connections, wireless devices are a convenient attack vector.
How can this control be implemented, automated, and its effectiveness measured?
QW: Ensure that each wireless device that is connected to the network matches an authorized configuration and security profile. Deny access to those wireless devices that do not.
QW: Ensure that all wireless access points are manageable using enterprise management tools. Access points designed for home use often lack such enterprise management capabilities, and should therefore not be used.
Vis/Attrib: Use wireless intrusion detection systems (WIDS) to identify rogue wireless devices and detect attack attempts and successful compromise. In addition to WIDS, all wireless traffic should be monitored by a wireline IDS as traffic passes into the wireline network.