I am working on a series of posts related to the Center for Internet Security (CIS) Critical Security Controls (CSCs). See the full listing here.
The processes and tools used to track/control/prevent/correct the security use of wireless local area networks (WLANs), access points, and wireless client systems.
This control includes ten (10) sub-controls. For those of you reviewing the CIS Controls with the Implementation Groups in mind, there are two (2) IG1 controls and seven (7) IG2 controls. This means that, at a minimum, we want to:
- Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
- Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.
We’ve touched on data encryption a few times thus far, and CIS CSC #15 is another control where encryption comes into play. In this case, we want to ensure that data being transmitted by a wireless network is encrypted in transit. You have less control over who can “see” the traffic, so any cleartext data is at a greater risk of unauthorized exposure.
The second control looks to isolate the corporate devices (and data) from any untrusted devices. You will have less control over the security posture of a BYOD device, such as patch status, endpoint security products, etc. Since you cannot be sure the device is safe, a separate network will reduce the exposure of your corporate assets. This is fairly commonplace now – most businesses will have a “guest” network for use by both customers and employees with non-corporate devices.
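The two IG1 requirements above are easy to check against an inventory of SSIDs once that inventory exists. The following is an added example, not code from the original post or from any of the tools listed below: it audits a constructed list of SSID records (the dict format, field names such as `filtered_to_corp`, and all VLAN and SSID values are assumptions for illustration, not any vendor's export format) and flags any SSID whose cipher is not AES-based, and any guest SSID that shares a VLAN with a corporate SSID or whose traffic toward the enterprise is not filtered.

```python
"""Audit a WLAN (SSID) inventory against the two IG1 sub-controls of CIS
CSC #15: AES encryption of wireless data in transit, and a separate,
filtered network for personal or untrusted devices.

Added example. The inventory format below (a list of dicts) is an
assumption for illustration; it is not any vendor's export format or API.
"""

# AES-based 802.11 ciphers: CCMP (WPA2/AES) and GCMP (WPA3).
AES_CIPHERS = {"CCMP", "CCMP-256", "GCMP", "GCMP-256"}

# Constructed sample inventory; SSIDs, VLANs and settings are made up.
SAMPLE_INVENTORY = [
    {"ssid": "Corp-Secure",  "auth": "WPA2-Enterprise", "cipher": "CCMP",
     "vlan": 10,  "role": "corporate", "filtered_to_corp": True},
    {"ssid": "Corp-Legacy",  "auth": "WPA2-PSK",        "cipher": "TKIP",
     "vlan": 10,  "role": "corporate", "filtered_to_corp": True},
    {"ssid": "Guest-Shared", "auth": "Open",            "cipher": "NONE",
     "vlan": 10,  "role": "guest",     "filtered_to_corp": False},
    {"ssid": "Guest",        "auth": "WPA3-SAE",        "cipher": "GCMP",
     "vlan": 200, "role": "guest",     "filtered_to_corp": True},
]


def corporate_vlans(inventory):
    """VLANs carrying any corporate SSID; guest SSIDs must not share them."""
    return {e["vlan"] for e in inventory if e["role"] == "corporate"}


def audit_ssid(entry, corp_vlans):
    """Return a list of finding strings for one SSID (empty means compliant)."""
    findings = []
    cipher = entry["cipher"].upper()

    # Requirement 1: wireless data in transit must be AES-encrypted.
    # Open networks (no cipher), WEP and TKIP all fail this test.
    if cipher not in AES_CIPHERS:
        findings.append(
            f"{entry['ssid']}: cipher {cipher!r} is not AES (expected CCMP/GCMP)"
        )

    # Requirement 2: personal/untrusted devices get their own network, and
    # their access to the enterprise is treated as untrusted and filtered.
    if entry["role"] == "guest":
        if entry["vlan"] in corp_vlans:
            findings.append(
                f"{entry['ssid']}: guest SSID shares VLAN {entry['vlan']} "
                "with a corporate SSID"
            )
        if not entry["filtered_to_corp"]:
            findings.append(
                f"{entry['ssid']}: guest traffic toward the enterprise is not filtered"
            )
    return findings


def audit_inventory(inventory):
    """Audit every SSID; returns {ssid: [findings]} for non-compliant SSIDs only."""
    corp = corporate_vlans(inventory)
    report = {}
    for entry in inventory:
        findings = audit_ssid(entry, corp)
        if findings:
            report[entry["ssid"]] = findings
    return report


if __name__ == "__main__":
    for ssid, findings in audit_inventory(SAMPLE_INVENTORY).items():
        for finding in findings:
            print("FAIL", finding)
```

Against the sample data, `Corp-Secure` and `Guest` pass, `Corp-Legacy` is flagged for TKIP, and `Guest-Shared` is flagged three times (no encryption, shared VLAN, unfiltered enterprise access). In practice you would replace `SAMPLE_INVENTORY` with records pulled from your controller's export and treat any non-empty report as a finding to remediate.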
Relevant News Stories
Relevant Tools
| Commercial | Open-Source & “Freemium” |
| --- | --- |
| Meraki (Cisco) | OpenWRT |
| RF Protect (HP Aruba) | InSSIDer |
| | Nmap |
| | OpenVAS |
| | Kismet |
The CIS Controls are in version 7.1 at the time of this writing. For more information on this control check out the CIS Control #15 page here.