Config/Hygiene: Configure wireless access on client machines to allow access only to authorized wireless networks. For devices that do not have an essential wireless business purpose, disable wireless access in the hardware configuration (BIOS or EFI), with password protections to lower the possibility that the user will override such configurations.
Config/Hygiene: Regularly scan for unauthorized or misconfigured wireless infrastructure devices, using techniques such as “war driving” to identify access points and clients accepting peer-to-peer connections. Such unauthorized or misconfigured devices should be removed from the network, or have their configurations altered so that they comply with the security requirements of the organization.
Config/Hygiene: Ensure all wireless traffic uses at least AES encryption with at least WPA2 protection.
Config/Hygiene: Ensure wireless networks use authentication protocols such as EAP/TLS or PEAP, which provide credential protection and mutual authentication.
Config/Hygiene: Ensure wireless clients use strong, multi-factor authentication credentials to mitigate the risk of unauthorized access from compromised credentials.
Config/Hygiene: Disable peer-to-peer wireless network capabilities on wireless clients, unless such functionality meets a documented business need.
Config/Hygiene: Disable Bluetooth wireless access of devices, unless such access is required for a documented business need.
Advanced: Configure all wireless clients used to access agency networks or handle organization data so that they cannot be used to connect to public wireless networks or any other networks beyond those specifically allowed by the agency.
Procedures and tools for implementing this control:
Effective organizations run commercial wireless scanning, detection, and discovery tools as well as commercial wireless intrusion detection systems (WIDS). To evaluate the effectiveness of such tools, security personnel could periodically activate an isolated wireless access point, which has no physical or wireless connectivity to a production network, from within a building monitored by a WIDS device. The team should determine whether the alerting system is triggered by the test access point, and record the amount of time such detection required.
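As an added example (not part of the control text or of any particular scanning product), the following script applies the sub-controls above to the output of a periodic wireless scan: it compares observed access points against an authorized BSSID inventory, flags ad hoc (peer-to-peer) networks, and flags networks that fall short of WPA2 with AES (CCMP) or that do not use EAP authentication. The CSV scan export and the authorized inventory are constructed for illustration; a real survey tool's export format will differ.

```python
import csv
import io
from dataclasses import dataclass
from typing import List, Set

# Constructed sample scan export (bssid, ssid, mode, security); not real data.
SCAN_CSV = """bssid,ssid,mode,security
00:11:22:33:44:01,corp-wifi,infrastructure,WPA2-EAP/CCMP
00:11:22:33:44:02,corp-wifi,infrastructure,WPA2-EAP/CCMP
00:11:22:33:44:03,corp-wifi,infrastructure,WPA2-PSK/CCMP
00:11:22:33:44:99,corp-wifi,infrastructure,WPA2-PSK/TKIP
de:ad:be:ef:00:01,free-wifi,infrastructure,OPEN
aa:bb:cc:dd:ee:01,laptop-share,adhoc,WPA2-PSK/CCMP
"""

# Constructed authorized inventory: BSSIDs the organization deployed itself.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}
AUTHORIZED_SSIDS = {"corp-wifi"}


@dataclass
class Finding:
    bssid: str
    ssid: str
    reason: str


def audit_scan(scan_csv: str, authorized_bssids: Set[str],
               authorized_ssids: Set[str]) -> List[Finding]:
    """Return one Finding per policy violation seen in the scan export."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        bssid, ssid = row["bssid"].lower(), row["ssid"]
        sec = row["security"].upper()
        # Peer-to-peer networks are disallowed outright (client-side control).
        if row["mode"].lower() == "adhoc":
            findings.append(Finding(bssid, ssid, "peer-to-peer (ad hoc) network"))
            continue
        # Unknown BSSID: either a stray AP, or an unknown device using our SSID.
        if bssid not in authorized_bssids:
            reason = ("unknown device advertising an authorized SSID"
                      if ssid in authorized_ssids else "unauthorized access point")
            findings.append(Finding(bssid, ssid, reason))
        # Encryption/authentication checks: WPA2 (or newer) + AES-CCMP + EAP.
        if "WPA2" not in sec and "WPA3" not in sec:
            findings.append(Finding(bssid, ssid, f"weak protection: {sec}"))
        elif "CCMP" not in sec:
            findings.append(Finding(bssid, ssid, f"non-AES cipher: {sec}"))
        elif "EAP" not in sec:
            findings.append(Finding(bssid, ssid, f"no EAP (802.1X) authentication: {sec}"))
    return findings


if __name__ == "__main__":
    for f in audit_scan(SCAN_CSV, AUTHORIZED_BSSIDS, AUTHORIZED_SSIDS):
        print(f"{f.bssid}  {f.ssid:<14} {f.reason}")
```

Findings that recur across scans of the same site should feed the removal or reconfiguration step the control describes, and the same audit can be run against the isolated test access point to confirm that the scanning tooling actually sees it.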