12

In an effort to be PCI DSS compliant, I took a trustkeeper.net questionnaire. I failed the question that asks:

Is the presence of wireless access points tested for by using a wireless analyzer at least quarterly or by deploying a wireless IDS/IPS to identify all wireless devices in use? (SAQ #11.1)

My only wireless access point is outside my firewall, so even if you cracked my wireless you couldn't get inside my domain running on Windows 2000 (unless you crack that too). My firewall is a Sonicwall Pro 2040 and doesn't have IPS - I couldn't tell if it had IDS. The router is an 8-port D-Link.

I looked around for a wireless analyzer, but what I found was $500, which is a little pricey for my size business. Even if I got it, I'm not sure I would understand what it tells me. Surely there are smaller/less sophisticated businesses that take credit cards and have solved this?

What are the risks if someone were to crack my wireless? (Could they read all internet traffic? Just wireless traffic? Just use my internet connection?) And what is the best/cheapest way to test my connection point quarterly? Should I buy the $500 analyzer?

Update: My credit card processor says I can fulfill this requirement by walking around the building and visually searching for unauthorized wireless devices.

kalina
  • Reading your update, it seems that a step up from that would be something that just surveys for wireless APs. Does your phone have WiFi? Most WiFi capable phones have wireless scanner apps you can download, e.g. this one for Android http://www.androlib.com/android.application.com-farproc-wifi-analyzer-jFCm.aspx –  Nov 30 '10 at 11:39
  • How small is your facility that you really can look everywhere an AP would be? – Bill Weiss Jan 03 '11 at 19:39
  • @Bill, that shouldn't matter, nowadays they can be incredibly small and disguised. No way you're gonna visually spot one that somebody was trying to hide... – AviD Jan 03 '11 at 22:08
  • That was kinda my point, yeah. – Bill Weiss Jan 06 '11 at 20:13

4 Answers

4

To answer your questions:

If someone could breach your wireless security, they may be able to sniff everything going across your wireless network. You may think this is only a small risk, however, if this traffic includes any usernames or passwords which are not further encrypted, then those might be at risk - which would weaken security further.

If they could gain access to an account on the wireless access point itself, there is potentially a wider risk of compromise of the connection into your network.

I wouldn't necessarily buy an analyser if you have an iPhone, laptop or other mobile device as you can get free applications to do exactly this :-)

In terms of the question itself - it is arguable how much security a quarterly scan will give you; it really will only spot permanent wireless devices or ones that happen to be on at the time you are scanning. However, to get your PCI-DSS checkbox you had best do it anyway. As @AviD says:

PCI compliance reduces the risk of the penalties of non-compliance

Rory Alsop
2

The risk isn't necessarily of someone cracking your wireless. The risk is of an unauthorised wireless device being plugged in to your network. That's what you're supposed to be scanning for (I think).

  • I agree with that. But wouldn't they have to know the password to my access point to be able to plug into the network? –  May 12 '10 at 15:48
  • @dkusleika - It's more along the lines of an employee plugging in a cheap unsecured wireless access point at their desk that would give potential attackers access to your network *without* having to route through the access point that you know about at all. – Xander Jan 03 '11 at 18:45
2

An alternate tip not yet discussed: With a card that supports it, use Wireshark with the card in promiscuous mode. You should be able to pick up on the existence of any wifi traffic that way, including units that aren't broadcasting their SSID.

Jeff Ferland
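As an added example of what the quarterly check discussed in these answers can look like on a Linux laptop with a wireless card (example code, not from any of the answerers): a small Python script that parses the output of `iw dev wlan0 scan` (which must be run as root; the sample text and the authorized-BSSID list below are constructed, not real captures) and flags every access point whose BSSID is not on a maintained list of authorized APs, noting hidden SSIDs, open networks and strong signals that suggest the device is on the premises.

```python
import re

# Constructed sample in the shape of `iw dev wlan0 scan` output (not a real capture;
# tab indentation replaced with spaces). A hidden SSID appears as an empty "SSID:" line.
SAMPLE_SCAN = """\
BSS 00:11:22:aa:bb:cc(on wlan0)
    freq: 2437
    capability: ESS Privacy ShortSlotTime (0x0411)
    signal: -41.00 dBm
    SSID: ShopOffice
BSS 66:55:44:33:22:11(on wlan0)
    freq: 2462
    capability: ESS ShortSlotTime (0x0401)
    signal: -58.00 dBm
    SSID:
BSS de:ad:be:ef:00:01(on wlan0)
    freq: 5180
    capability: ESS Privacy (0x0011)
    signal: -70.00 dBm
    SSID: linksys
"""

# Authorized access points, keyed by BSSID (MAC address). Constructed for the example;
# in practice this is the inventory you keep for the one AP you know about.
AUTHORIZED_BSSIDS = {"00:11:22:aa:bb:cc"}


def parse_iw_scan(text):
    """Parse `iw dev <iface> scan` output into one dict per BSS seen."""
    aps = []
    for raw in text.splitlines():
        m = re.match(r"BSS ([0-9a-f:]{17})", raw)
        if m:  # a new BSS record starts at column 0
            aps.append({"bssid": m.group(1).lower(), "ssid": "", "encrypted": False,
                        "signal": None, "freq": None})
            continue
        if not aps:
            continue
        line = raw.strip()
        if line.startswith("SSID:"):
            aps[-1]["ssid"] = line[5:].strip()
        elif line.startswith("capability:"):
            aps[-1]["encrypted"] = "Privacy" in line  # no Privacy bit = open network
        elif line.startswith("signal:"):
            aps[-1]["signal"] = float(line.split()[1])  # dBm
        elif line.startswith("freq:"):
            aps[-1]["freq"] = int(line.split()[1])  # MHz
    return aps


def find_rogue_aps(aps, authorized):
    """Return (bssid, ssid, reason) for every AP not on the authorized list."""
    findings = []
    for ap in aps:
        if ap["bssid"] in authorized:
            continue
        reasons = []
        if not ap["ssid"]:
            reasons.append("hidden SSID")
        if not ap["encrypted"]:
            reasons.append("open network")
        if ap["signal"] is not None and ap["signal"] > -60:
            reasons.append("strong signal, likely on premises")
        findings.append((ap["bssid"], ap["ssid"] or "<hidden>", ", ".join(reasons) or "unknown BSSID"))
    return findings


if __name__ == "__main__":
    for bssid, ssid, reason in find_rogue_aps(parse_iw_scan(SAMPLE_SCAN), AUTHORIZED_BSSIDS):
        print(f"{bssid}  {ssid:<12} {reason}")
```

Record the scan output and the findings each quarter; an unknown BSSID with a strong signal is the case that deserves a walk-around to locate the device.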
-1

You scanning with your phone to become PCI DSS compliant is not really an option. The scan needs to be done by an Approved Scan Vendor (ASV) to make you compliant. Don't spend the 500 bucks. An ASV will do that for a fraction of the cost. I do agree that this is just a snapshot each quarter and looking for vulnerabilities and any unsecured credit card data you may be storing. So, if you can track down the free app that will look for wireless intrusions you should probably do that as well. The free app alone (or the $500 app) will not qualify for PCI DSS.

Greg