Penetration testing is a cyclical process that applies a methodical approach to identifying and exploiting vulnerabilities. It focuses on weaknesses and, where appropriate, attempts to leverage them to gain additional access. Where such access is obtained, or a vulnerability reveals additional information about the target, the process begins again.
The path of a wireless penetration test will vary depending on the nature of the targets and the vulnerabilities that are identified; however, there are some common areas of wireless security on which all tests will focus:
Protection against unauthorised access
Sopra Steria Penetration Testing Consultants will attempt to gain ‘unauthorised’ access to the target wireless networks. Consultants will assess the authentication mechanisms in place (for example, whether the network uses a static pre-shared key or requires presentation of a valid client certificate) and attempt either to bypass them or to leverage any weak configuration discovered. Where pre-shared keys are used, our Consultants will assess their complexity (a captured handshake can be attacked offline, so a weak key is recoverable by an attacker) and seek to understand what processes are in place for managing and changing them. Captive portals, such as those typically used to provide authentication in hotels or on organisations’ ‘Guest’ networks, will be assessed to ascertain whether they adequately protect the networks from unauthorised access.
Network isolation and protection
Sopra Steria Penetration Testing Consultants will look for the presence of other networks connected to, or accessible from, the in-scope wireless network. This stage helps to ensure, for example, that ‘Guest’ and BYOD networks are not connected directly to business-critical networks or to those which might contain or process sensitive data. It also allows our Consultants to identify the corporate networks’ exposure in the event that an unauthorised client connects to a corporate wireless network.
This is an essential test if an organisation maintains PCI-DSS compliance, to ensure that wireless networks do not facilitate access to the Cardholder Data Environment (CDE).
Client isolation and protection
Sopra Steria Penetration Testing Consultants will review the measures in place to segregate wireless clients once they are connected to the network, and to protect clients from attacks launched against them by other connected clients. This is particularly important in ‘Guest’ or BYOD networks where the clients themselves may not be subject to the same strict security controls and patching regimes as corporate end-user devices.
Unauthorised (‘rogue’) wireless access points
Sopra Steria Penetration Testing Consultants will review the wireless access points which are broadcasting within the organisation’s location during the assessment. The list of access points will be reviewed with the customer to identify any which are either a) simply unauthorised within the location (for example, a personal hotspot on a mobile device, or an unauthorised incoming Internet connection being broadcast wirelessly), or b) unauthorised and impersonating a legitimate corporately deployed wireless access point (an ‘evil twin’, typically broadcasting the corporate SSID from an unknown radio or with a weaker security type).
Where necessary, our Consultants will attempt to triangulate the position of any identified rogue access point in coordination with the customer’s technical team.
Sopra Steria Penetration Testing Consultants will also deploy their own rogue access point during the course of the test and check that corporate assets, which are often pre-configured to automatically connect to corporately deployed wireless networks, cannot be forced to connect to the rogue access point in preference to the authorised ones.
Testing for the presence of any rogue access points is a crucial part of any PCI-DSS assessment; unauthorised access points connected to a Cardholder Data Environment network could be used to provide insecure and unauthorised access to PCI data.
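The rogue access point review described above comes down to comparing what is heard on the air against the customer's authorised inventory. The following is an added example of that triage logic and is not Sopra Steria's tooling: it takes a list of observed access points (constructed here; in practice taken from a wireless scanner) and an authorised inventory mapping each corporate SSID to its known BSSIDs and security type, then flags a) SSIDs not authorised at the location and b) corporate SSIDs broadcast from an unknown BSSID or with a security type that does not match the inventory. Field names, the inventory and the scan records are assumptions for illustration.

```python
"""Rogue / evil-twin access point triage from a wireless scan (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    """One access point heard during the site walk (constructed format)."""
    ssid: str
    bssid: str       # MAC address as reported by the scanner, any case
    channel: int
    security: str    # e.g. "WPA2-EAP", "WPA2-PSK", "OPEN"
    rssi: int        # dBm; stronger signal means closer to the walk path


# Constructed authorised inventory: SSID -> {bssid (lower-case): security type}.
AUTHORISED = {
    "CorpWiFi":  {"aa:bb:cc:00:00:01": "WPA2-EAP", "aa:bb:cc:00:00:02": "WPA2-EAP"},
    "CorpGuest": {"aa:bb:cc:00:00:11": "WPA2-PSK"},
}

# Constructed scan results for the example run.
SCAN = [
    ObservedAP("CorpWiFi",  "AA:BB:CC:00:00:01", 36, "WPA2-EAP", -48),  # legitimate
    ObservedAP("CorpWiFi",  "de:ad:be:ef:00:01",  6, "OPEN",     -40),  # open evil twin
    ObservedAP("CorpGuest", "aa:bb:cc:00:00:11", 11, "WPA2-PSK", -60),  # legitimate
    ObservedAP("iPhone",    "02:11:22:33:44:55",  1, "WPA2-PSK", -55),  # personal hotspot
    ObservedAP("CorpWiFi",  "aa:bb:cc:00:00:02", 44, "OPEN",     -70),  # cloned BSSID, wrong security
]


def triage(scan, inventory):
    """Return [(ObservedAP, reason)] for every AP that needs review, strongest signal first."""
    findings = []
    for ap in scan:
        bssid = ap.bssid.lower()
        if ap.ssid not in inventory:
            # a) Not part of the corporate deployment at all (hotspot, unauthorised line).
            findings.append((ap, "unauthorised-ssid"))
            continue
        expected = inventory[ap.ssid]
        if bssid not in expected:
            # b) Corporate SSID from a radio we do not own: evil-twin candidate.
            findings.append((ap, "evil-twin-candidate"))
        elif expected[bssid] != ap.security:
            # Known BSSID but wrong security type: a spoof that cloned the BSSID,
            # or a misconfigured legitimate AP; either way it needs a look.
            findings.append((ap, "security-mismatch"))
    # Highest RSSI first: these are nearest the walk path and easiest to triangulate.
    findings.sort(key=lambda f: f[0].rssi, reverse=True)
    return findings


def report(findings):
    """Render findings as one line each for review with the customer."""
    return [
        f"{reason:<22} ssid={ap.ssid!r} bssid={ap.bssid.lower()} ch={ap.channel} "
        f"sec={ap.security} rssi={ap.rssi}dBm"
        for ap, reason in findings
    ]


if __name__ == "__main__":
    for line in report(triage(SCAN, AUTHORISED)):
        print(line)
```

Legitimate access points produce no output, so the list handed to the customer contains only what needs a decision. Anything flagged as an evil-twin candidate with a strong signal is the first target for triangulation.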
Optional site survey
Sopra Steria Penetration Testing Consultants can conduct a wireless survey of the customer’s premises to determine to what extent the signal broadcast by wireless access points extends beyond the physical boundaries of the location.
Optional end user device assessment
Our Consultants will take a ‘standard’ end user device, such as a laptop, which is in use by the business and assess the attack surface it exposes to other hosts on the wireless network. Using techniques typically employed during a network penetration test, our Consultants will test the end user device remotely across the wireless network to identify any vulnerabilities that could be leveraged by an attacker sharing the same network as the device. This will allow the business to have confidence that the devices are secure from attacks directed against them whilst connected to public wireless networks, such as those found in hotels and coffee shops.