When planning a wireless security audit, use the approach that best meets the customer's needs, focusing the audit on the infrastructure requirements.
Types of analysis
Each approach has its advantages and disadvantages, and each gives a different perspective on security. Therefore, depending on customer needs, there are several approaches to testing. These approaches are:
|Type of analysis||Details of each type of analysis|
|Black box||This analysis starts from a complete lack of knowledge, on the auditor's part, of the networks, devices and security mechanisms deployed. It is the right approach to get an overview of the security status of the organization, especially if it is the first work of its kind, and to simulate an attack by a third party.|
|White box||In a white box analysis, the scope of the review (ESSIDs, BSSIDs, ...) has been clearly identified, as well as the deployed security mechanisms. It is the right approach when you want to evaluate the security of specific devices or to analyze the evolution in security after applying technical changes.|
|Gray box||The gray box analysis is a mixed approach between the two previous approaches. Its main goal is to reduce the time required for the process of gathering information or to guide the security analyst on how to approach the analysis tests.|
It is important to clarify whether the audit of a Wi-Fi infrastructure is restricted in scope. Test restrictions can be defined in several areas:
|Restrictions||Description of the established restrictions|
|Geographic area||The scope can be defined for those networks and devices located in a specific geographical area, such as an office. In this scenario it is very important to ensure that the devices to be analyzed (clients, access points, ...) actually belong to the organization, and to verify their physical location before starting the tests.|
|ESSID||One or more Wi-Fi networks are identified based on their name. Special attention should be paid when the scope is defined using generic SSID network names, especially where third-party networks coexist in the same area.|
|BSSID||Identifying the MAC addresses of the devices and networks to test makes it possible to focus the tests on client devices, disregarding other network noise.|
|Bruteforce tests||It must be defined whether the auditor is allowed to perform mass user and password verification testing against authentication mechanisms (RADIUS, captive portal, ...) and under what conditions, to avoid blocking user accounts or causing a collateral denial of service.|
|Denial of service attacks||Identification of what tests are allowed in this area and what devices should be excluded to avoid affecting service.|
|Time window||It may be necessary to run the tests within a specific time frame, such as office hours, or after working hours to avoid impact on daily operations.|
|Active analysis||A wireless security review is considered active when the auditor is authorized to interact with the devices included in the scope. A passive analysis focuses on identifying and inventorying devices, generating wireless coverage maps and identifying the location of the devices.|
|Analysis of the perimeter||It may be necessary to consider performing analysis tests and attacks from outside the perimeter of the organization.|
|Visibility of the tests||The tests can be arranged so that they go unnoticed by the staff of the company. In this scenario, the use of embedded devices, phones or tablets may be advisable to avoid using bulky devices.|
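The restrictions above can be encoded as a gate that every test passes through before it runs, so nothing touches a device outside the signed scope. The Python sketch below is an added example, not part of the original page; the `Scope` fields, the test names and all ESSIDs, MAC addresses and times are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

@dataclass
class Scope:
    """Rules of engagement from the signed work order (hypothetical field names)."""
    essids: set
    bssids: set                       # authorized AP MAC addresses, lowercase
    window: tuple                     # (start, end) local time in which tests may run
    active: bool = False              # False = passive inventory only
    allowed_tests: set = field(default_factory=set)    # e.g. {"bruteforce"}
    excluded_bssids: set = field(default_factory=set)  # devices that must not be touched

def in_window(scope, now):
    start, end = scope.window
    t = now.time()
    # A window such as 20:00-06:00 wraps past midnight.
    return start <= t < end if start <= end else (t >= start or t < end)

def decide(scope, essid, bssid, test, now):
    """Return (allowed, reason) for running `test` against one observed network."""
    bssid = bssid.lower()
    if bssid in scope.excluded_bssids:
        return False, "excluded device"
    if bssid not in scope.bssids:
        if essid in scope.essids:
            # Same name, unknown radio: possibly a third-party network with a generic ESSID.
            return False, "ESSID matches but BSSID not authorized"
        return False, "out of scope"
    if essid not in scope.essids:
        return False, "authorized BSSID advertising unexpected ESSID"
    if not in_window(scope, now):
        return False, "outside time window"
    if test == "passive":
        return True, "passive inventory"
    if not scope.active:
        return False, "active analysis not authorized"
    if test not in scope.allowed_tests:
        return False, f"{test} not authorized"
    return True, "in scope"

# Constructed sample scope and timestamps (not real networks).
SCOPE = Scope(essids={"CORP-WIFI", "Guest"},
              bssids={"02:00:00:aa:00:01", "02:00:00:aa:00:02", "02:00:00:aa:00:03"},
              window=(time(20, 0), time(6, 0)), active=True,
              allowed_tests={"bruteforce"}, excluded_bssids={"02:00:00:aa:00:03"})
NIGHT, DAY = datetime(2024, 1, 10, 22, 0), datetime(2024, 1, 10, 14, 0)
```

Logging the returned reason for each observed network gives the audit report a record of why a device was or was not tested.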
Considerations at the beginning of the audit
Before starting a wireless security analysis, it is necessary to have an accreditation or work order signed by the company for which the work is being done. This document must clearly and concisely identify the following:
- Name of the company (client).
- Contact phone.
- Person or company doing the analysis.
- Duration.
- Time window.
In certain scenarios, such as security reviews in office buildings, shopping centers or in security areas where sensitive organizations are located (government agencies, airports, ...), it may be necessary to request permission from third parties before carrying out the analysis.