The clock is ticking! June 30, 2010 is the deadline for companies required to comply with the Payment Card Industry Data Security Standard (PCI DSS) to eliminate any use of Wired Equivalent Privacy (WEP) on their networks. This outdated standard uses insecure cryptography and hackers have clearly demonstrated the ability to penetrate WEP networks in a matter of seconds. With the release of PCI DSS 1.2 in late 2008, the PCI Security Standards Council set forth three new requirements for organizations using wireless networks:
- Use strong encryption and authentication for all wireless networks.
- Do not deploy any new WEP networks.
- Decommission any existing WEP networks by June 30, 2010.
Have you met these requirements yet? If not, time is running out to convert your network to the more secure Wi-Fi Protected Access (WPA) encryption standard. In this tip, we'll detail how to change from WEP to WPA in order to meet PCI DSS compliance requirements.
What's the fuss?
The push to WPA is definitely more than a bureaucratic move: It's a critical security priority that should be fixed already, even for companies not required to comply with PCI DSS. I won't belabor a point I've made time and time again, but it's irresponsible to use WEP encryption in this day and age. Tools like AirCrack make breaking WEP security child's play for any knowledgeable attacker. The only thing you're providing your organization by running WEP is a false sense of security.
Moving from WEP to WPA
In the early days of WPA, hardware compatibility was the biggest barrier to converting networks from WEP to WPA. Older wireless hardware (both access points and wireless adapters) simply couldn't support the newer standard. However, this excuse no longer holds water; the WPA standard has been on the market for more than six years and any older equipment that doesn't support WPA should soon reach the end of its serviceable life anyway. It's time to bite the bullet and replace WEP-only equipment with newer gear.
When upgrading the network, remember that there are two pieces to the equation: the wireless access points used throughout the physical campus and the wireless adapters in client systems. The access points will likely need to be removed from service and disposed of, but Wi-Fi-reliant client devices don't have to be. Extend the life of laptops and other devices with built-in wireless adapters by purchasing USB wireless adapters for around $50 at any electronics retailer or less through a wholesaler.
Are you sure you're covered?
For those thinking: "We upgraded the corporate wireless network years ago when these problems were first discovered; there's nothing for us to worry about," think again. Many times organizations that undergo wireless security surveys are shocked to discover both WEP-encrypted and unencrypted networks running within their buildings. It's far too easy for any employee to purchase a wireless router, plug it into the corporate network and stand up a "temporary" wireless network. And for busy IT departments, it's much easier to simply disable those pesky security features than to properly secure the network.
PCI DSS anticipates this scenario and requires that organizations not only run WPA on networks, but also that they regularly check for "rogue" wireless networks in buildings. PCI DSS requirement 11.1 states:
"Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use"
There are two options to satisfy this requirement. Small physical plants can likely cope with using a wireless analyzer to scan the network periodically for rogue and/or non-WPA wireless networks, then simply take them offline as they're discovered. I'd strongly recommend exceeding the requirement here by doing these scans on at least a monthly basis (if not more often). After all, nobody really wants to go three months without noticing a rogue network.
For organizations with a large physical footprint, wireless surveys are probably not a practical or effective use of IT staff. Leverage an existing wireless infrastructure to act as a sensor in a rogue wireless detection system by using a wireless IDS/IPS. If budgets are tight, scrape together an adequate solution using open source tools like Kismet or, for those with some spending power, consider packaged commercial solutions such as the ones available from AirMagnet or AirTight Networks.
For companies thinking about delaying the upgrade to WPA, I would strongly recommend thinking twice. Merchant banks do not look kindly on such an arrangement in the event of a security incident, especially because the first warning of this transition came almost two years ago. It's in everyone's best interest to immediately upgrade all wireless equipment. If you're worried about the impact of a sudden transition on your card-processing equipment, consider running both WEP and WPA networks simultaneously for a few weeks and transition devices to the WPA network one at a time.
Securing wireless networks should be a crucial part of any enterprise security program. For companies still running WEP, now is the time to both upgrade any existing networks to the secure WPA standard and deploy a wireless intrusion infrastructure that will highlight any new unprotected networks that appear in a wireless environment. These steps will not only lead down the path of PCI compliance, but will also ensure a more secure IT environment.
About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.