NETW 05A: APPLIED WIRELESS SECURITY Functional Policy: Monitoring

1
NETW 05A APPLIED WIRELESS SECURITY Functional
Policy Monitoring Response

• By Mohammad Shanehsaz
• Spring 2005

2
Objectives

• Security management
• Explain the necessary criteria for regular
  wireless LAN security reporting and documentation
• Implement and conduct timely and consistent
  reporting procedures
• Implement maintain wireless LAN security
  checklist

3
Objectives

• Explain how to identify and prevent social
  engineering
• Educate staff and security personnel
• Implementation and enforcement of corporate
  policy regarding social engineering
• Security marketing and propaganda campaigns to
  heighten awareness

4
This lecture covers

• Physical Security
• Social Engineering
• Reporting
• Response Procedures

5
Physical Security

• Physical security begins with allowing only
  authorized personnel into and out of the
  organizations premises, by implementing security
  and educating staff about the risks prevent
• placement of Rogue access points and Ad Hoc
  networks on the wired network, and
• data flooding.
• RF jamming is more difficult to prevent, detect,
  or block, but it can be done by putting up high
  fences that block RF transmissions around
  facility, or using mesh substances in the wall

6
Physical Security

• Security policy must include documentation on
  physical security,
• procedures for authorizing visitors or
  technicians who show up to repair and upgrade
  systems,
• how rogues will be found,
• how often the area will be scanned and
• what to do when rogues are found

7
Social Engineering

• By training employees and help desk staff we can
  raise their awareness to recognize and prevent
  social engineering.
• Social engineering attacks come in many forms
  such as
• Dumpster diving - searching through the trash
• Phone calls - attackers try to locate willing and
  helpful people from whom to obtain information
  such as usernames and password
• Email and IM (instant messaging ) - a social
  engineer gathers a phone directory and
  information on the standard naming conventions
  for IM, and then masquerades as a legitimate
  employee

8
Social Engineering Prevention

• Some of the procedures support and administrative
  personnel should adhere to are
• Positively identify the person that is calling or
  requesting help
• Use established, secure channels for passing
  security information
• Report suspicious activity or phone calls
• Establish procedures that eliminate password
  exchanges
• Shred company documents before throwing them in
  the trash

9
Social Engineering Prevention

• A well-educated employee is the best defense
  against social engineering attempts, they must
  become familiar with what types of attacks may
  occur, what to look for, and how to respond to
  incident
• An organizations security policy should dictate
  proper response procedures for social engineering
  threat

10
Social Engineering Audits

• To reduce the threat of social engineering have
  defenses tested for weaknesses by penetration
  tests, including social engineering attacks
  against organizational staff, performed by
  security professionals

11
Reporting

• Reports that are generated as part of security
  monitoring procedures can provide valuable
  information on how the network is being utilized
  as well as where attacks are occurring.
• A proper reporting policy will include
  information on who is accountable for generating
  the reports and who is responsible for reading
  the reports in a timely manner
• Training should also be required for the
  reviewers
• System logs and IDS logs can be used to detect
  anomalies and attacks on a network
• Traffic baselining of data flow establishes which
  users or devices are utilizing the most WLAN
  bandwidth

12
Response Procedures

• Response procedures endeavor to detect and
  properly react to intrusions
• A security policy should define the steps to take
  after an intrusion has been recognized, to
  prevent the attack from occurring again

13
Recommended steps for response procedures

• Positive identification
• Administrator must be properly trained to
  distinguish between an attack and false positives
• Confirmed attack
• After an attack has taken place, damage must be
  assessed and confirmed, and appropriate managers
  should be notified

14
Recommended steps for response procedures

• Immediate action
• If an attack has taken place follow the
  documented security policy to implement the
  appropriate procedures for each type of attack
  scenario
• Documentation
• Document all attack findings in a standard form
  generated by the organization and add to the
  security policy
• Reporting
• Notify the appropriate authorities, Corporate
  legal counsel, police and even IT forensics
  experts

15
Resources

• CWSP certified wireless security professional,
  from McGraw-Hill