CIS Control 15: Wireless Access Control
The processes and tools used to track, control, prevent, and correct the secure use of wireless local area networks (WLANs), access points, and wireless client systems.
Why is this CIS Control Critical?
Major thefts of data have been initiated by attackers who have gained wireless access to organizations from outside the physical building, bypassing organizations’ security perimeters by connecting wirelessly to access points inside the organization. Wireless clients accompanying travelers are infected on a regular basis through remote exploitation while on public wireless networks found in airports and cafes. Such exploited systems are then used as backdoors when they are reconnected to the network of a target organization. Other organizations have reported the discovery of unauthorized wireless access points on their networks, planted and sometimes hidden for unrestricted access to an internal network. Because they do not require direct physical connections, wireless devices are a convenient vector for attackers to maintain long-term access into a target environment.
- 15.1: Maintain an Inventory of Authorized Wireless Access Points
- 15.2: Detect Wireless Access Points Connected to the Wired Network
- 15.3: Use a Wireless Intrusion Detection System
- 15.4: Disable Wireless Access on Devices if Not Required
- 15.5: Limit Wireless Access on Client Devices
- 15.6: Disable Peer-to-Peer Wireless Network Capabilities on Wireless Clients
- 15.7: Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data
- 15.8: Use Wireless Authentication Protocols That Require Mutual, Multi-Factor Authentication
- 15.9: Disable Wireless Peripheral Access to Devices
- 15.10: Create Separate Wireless Network for Personal and Untrusted Devices