Identify and mitigate risk associated with unidentified wireless access points connected to the network.
This practice can be implemented in a variety of ways. One approach is to use a Wireless Intrusion Detection System (WIDS), a network device that monitors the radio spectrum for the presence of unauthorized access points. Other approaches are those used to detect and/or block any rogue network device. On the physical security side, unused RJ45 jacks in a facility can be turned off; however, this does not account for repurposing an authorized jack. A more robust solution is to identify authorized devices and create access controls limiting connections to those devices. Each device that is allowed to connect has a profile, including its expected physical location, that is maintained by the system administrators. This, in turn, facilitates the creation of a device whitelist which can be used with a port monitoring tool to control connections. Another approach is the use of device detection software: the system administrator establishes a device baseline and periodically compares it against new scans made with the same software to identify changes, specifically unauthorized additions relative to the scan result of authorized connected devices.

Example 1
You are a security engineer and the organization has implemented a WIDS. The WIDS detects signals from an unauthorized access point and sends an alert. You investigate and verify the unauthorized access point exists on the network. You work with the network team to block all traffic on the network (both into and out of the access point) until the device can be located and removed.

Example 2
You are a network engineer at your organization. You have noticed that there is a new device on the network that has not been profiled. You use the information from your network diagrams and your tools to identify the office where the port terminates. Using this information, you look in your database and learn that it is normally a printer that plugs into that port. Your network tools do not show the printer on the network. You disable the network port and visit the office. When you arrive, you find that a network printer has been unplugged and an unapproved access point has been plugged into its port. The employee in the office says that they needed better wireless access in the office so they brought in the access point from home and plugged it in. You explain that this is against company policy, unplug their access point, and plug the printer back into the port. Returning to your desk,
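The baseline-comparison approach and the Example 2 scenario above, as an added example that is not part of the CMMC document: a script compares a profiled inventory of authorized devices (MAC, switch port, expected location) against a fresh scan and flags unauthorized additions, missing authorized devices, and devices that moved ports. The device names, ports and MAC addresses are constructed sample data.

```python
# Added example (not from the CMMC document): compare a baseline of profiled,
# authorized devices against a new scan. Sample inventory and scan are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    mac: str       # normalized lowercase MAC address
    port: str      # switch/port where the device terminates
    location: str  # expected physical location from the device profile

def normalize_mac(mac: str) -> str:
    """Normalize AA:BB..., aa-bb..., aabb.ccdd... forms to aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"invalid MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def compare_scan(baseline: list, scan: list) -> dict:
    """baseline: profiled authorized Devices; scan: (mac, port) pairs from a new scan.
    Returns MACs not in the profile (with the device they displaced, if any),
    profiled devices no longer seen, and profiled devices seen on another port."""
    by_mac = {d.mac: d for d in baseline}
    by_port = {d.port: d for d in baseline}
    seen = {(normalize_mac(m), p) for m, p in scan}
    seen_macs = {m for m, _ in seen}
    report = {"unauthorized": [], "missing": [], "port_changed": []}
    for mac, port in sorted(seen):
        if mac not in by_mac:
            expected = by_port.get(port)  # who is profiled on that port?
            report["unauthorized"].append({
                "mac": mac, "port": port,
                "location": expected.location if expected else "unknown",
                "displaced": expected.mac if expected else None})
        elif by_mac[mac].port != port:
            report["port_changed"].append(
                {"mac": mac, "expected_port": by_mac[mac].port, "seen_port": port})
    for d in baseline:
        if d.mac not in seen_macs:
            report["missing"].append({"mac": d.mac, "port": d.port, "location": d.location})
    return report

# Constructed sample: the profiled printer in office 214 is gone and an
# unknown MAC now sits on its port, mirroring Example 2.
BASELINE = [
    Device("00:11:22:33:44:55", "sw1/Gi1/0/14", "Office 214 (printer)"),
    Device("00:11:22:33:44:66", "sw1/Gi1/0/15", "Office 215 (workstation)"),
]
SCAN = [("00-11-22-33-44-66", "sw1/Gi1/0/15"), ("AA:BB:CC:DD:EE:FF", "sw1/Gi1/0/14")]

if __name__ == "__main__":
    print(compare_scan(BASELINE, SCAN))
```

An unauthorized entry whose "displaced" field names a profiled device is the case to investigate first, since a known device has been swapped for an unknown one on the same port.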
CMMC: Unidentified and unauthorized wireless access points can be connected to a network by authorized users trying to extend the network or by malicious users. They may allow unauthorized users direct access to an organization’s network. In either case they represent a cybersecurity vulnerability. Organizations must mitigate this vulnerability.
CIS Controls v7.1 15.3
NIST SP 800-53 Rev 4 SI-4(14)
NIST CSF v1.1 PR.DS-5, DE.AE-1, DE.CM-7