Requirement text: AC.5.024: Identify and mitigate risk associated with unidentified wireless access
points connected to the network.
DISCUSSION FROM SOURCE: CMMC
Unidentified and unauthorized wireless access points can be connected to a network by
authorized users trying to extend the network or by malicious users. They may allow
unauthorized users direct access to an organization’s network. In either case they represent
a cybersecurity vulnerability. Organizations must mitigate this vulnerability.
CMMC CLARIFICATION
This practice can be implemented in a variety of ways. One approach would be to use a
Wireless Intrusion Detection System (WIDS), a network device that monitors the radio
spectrum for the presence of unauthorized access points. Other approaches are those used
to detect and/or block any rogue network device. On the physical security side, unused RJ45
jacks in a facility can be turned off; however, this does not account for repurposing an
authorized jack. A more robust solution is to identify authorized devices and create access
controls limiting connections to those devices. Each device that is allowed to connect has a
profile to include expected physical location that is maintained by the system administrators.
This, in turn, facilitates the creation of a device white list, which can be used with a port
monitoring tool to control connections. Another approach would be the utilization of device
detection software that the system administrator uses to establish a device baseline which
is periodically compared to new scans using the same software to identify changes,
specifically unauthorized additions when compared to the scan result of authorized
connected devices.
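As an added illustration of the baseline-comparison approach described above (example code written for this page, not part of the CMMC source), the script below diffs a current device scan against a maintained baseline of authorized devices, each profiled with its expected switch port, and flags unprofiled additions, devices seen away from their profiled location, and profiled devices that have gone missing. The baseline, the scan, the MAC addresses and the port names are all constructed sample data; the scan mirrors the situation in Example 2 below, where a printer disappears and an unknown device shows up on its port.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    mac: str
    port: str              # switch port (physical location) where the device was profiled or observed
    description: str = ""

def normalize_mac(mac: str) -> str:
    """Canonicalize aa-bb-cc-dd-ee-ff / AABB.CCDD.EEFF / aa:bb:.. forms to lowercase colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def compare_scan(baseline, scan):
    """Diff a current scan against the authorized-device baseline.

    Returns a list of (finding, device, note) tuples:
      unauthorized - MAC seen that has no profile (note names the device profiled for that port)
      moved        - profiled MAC seen on a port other than the one in its profile
      missing      - profiled MAC not seen anywhere in the scan
    """
    base = {normalize_mac(d.mac): d for d in baseline}
    by_port = {d.port: d for d in baseline}
    seen = {normalize_mac(d.mac): d for d in scan}
    findings = []
    for mac, dev in seen.items():
        if mac not in base:
            expected = by_port.get(dev.port)
            note = f"port profiled for {expected.description}" if expected else "port has no profile"
            findings.append(("unauthorized", dev, note))
        elif dev.port != base[mac].port:
            findings.append(("moved", dev, f"profiled on {base[mac].port}"))
    for mac, dev in base.items():
        if mac not in seen:
            findings.append(("missing", dev, "not seen in scan"))
    return findings

# Constructed sample data (not real inventory): the Office 12 printer is gone and an
# unknown device appears on its port, as in Example 2.
BASELINE = [
    Device("00:11:22:33:44:01", "sw1/Gi1/0/7", "Office 12 printer"),
    Device("00:11:22:33:44:02", "sw1/Gi1/0/8", "Office 12 workstation"),
]
SCAN = [
    Device("0011.2233.4402", "sw1/Gi1/0/8"),    # workstation, MAC as a switch table prints it
    Device("0C-9D-92-AA-BB-CC", "sw1/Gi1/0/7"),  # unknown device on the printer's port
]

if __name__ == "__main__":
    for kind, dev, note in compare_scan(BASELINE, SCAN):
        print(f"{kind.upper():12} {normalize_mac(dev.mac)} on {dev.port}: {note}")
```

In practice the scan list would be built from a switch MAC address table or the device detection software's export, and a "missing" finding paired with an "unauthorized" finding on the same port is the pattern worth investigating first.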
Example 1
You are a security engineer and the organization has implemented a WIDS. The WIDS detects
signals from an unauthorized access point and sends an alert. You investigate and verify the
unauthorized access point exists on the network. You work with the network team to block
all traffic on the network (both into and out of the access point) until the device can be
located and removed.
Example 2
You are a network engineer at your organization. You have noticed that there is a new device
on the network that has not been profiled. You use the information from your network
diagrams and your tools to identify the office where the port terminates. Using this
information, you look in your database and learn that it is normally a printer that plugs into
that port. Your network tools do not show the printer on the network. You disable the
network port and visit the office. When you arrive, you find that a network printer has been
unplugged and an unapproved access point has been plugged into its port. The employee in
the office says that they needed better wireless access in the office so they brought in the
access point from home and plugged it in. You explain that this is against company policy,
unplug their access point, and plug the printer back into the port. Returning to your desk,
you follow the security incident process for reporting the policy violation before reactivating
the network port.
References
• CMMC
• CIS Controls v7.1 15.3
• NIST CSF v1.1 PR.DS-5, DE.AE-1, DE.CM-7
• NIST SP 800-53 Rev 4 SI-4(14)