3.1.16 has a weight of -5 points
(Access Control Family) 16/22
Authorize wireless access prior to allowing such connections
Video
Example of Sysytem Security Plan (SSP):
System Security Plan (SSP) for ABC Company
I. Introduction
This System Security Plan outlines the policies, procedures, and technical controls implemented at ABC Company to ensure secure wireless networking. The plan aligns with recognized standards such as FIPS 140-2, ensuring that the wireless infrastructure of the organization complies with regulatory requirements and security best practices.
II. Wireless Network Security
-
Encryption Standards:
- WPA2/WPA3 Implementation: All wireless networks within ABC Company are secured using WPA2 or WPA3 encryption protocols. This ensures secure transmission of data and prevents unauthorized access.
- FIPS 140-2 Compliance: The encryption methods utilized meet the Federal Information Processing Standards (FIPS) 140-2, ensuring robust cryptographic security.
-
Access Control:
- Password Requirement: Strong passwords are enforced within the secure network. Password management policies detail the complexity and rotation requirements.
- No Open Wireless Networks: ABC Company does not operate any open or unprotected wireless networks, ensuring that all connections require proper authentication and authorization.
- Unauthorized Access Prevention: Measures are implemented to detect and prevent unauthorized devices from connecting to the network.
-
Monitoring and Audit:
- Continuous monitoring and periodic auditing ensure that security controls are functioning correctly and that any suspicious activities are promptly detected and addressed.
Example of Plan of Action and Milestones ( POA & M):
Plan of Actions & Milestones (POA&M) for ABC Company’s Wireless Network Security
I. Introduction
This POA&M outlines the actions required to ensure the secure implementation and maintenance of wireless networking at ABC Company, aligned with the controls specified in the System Security Plan (SSP).
II. Actions & Milestones
-
Implement WPA3 Encryption across All Wireless Networks
- Status: In Progress
- Milestone Dates: Start: MM/DD/YYYY, Completion: MM/DD/YYYY
- Resources: Network Security Team
- Dependencies: Acquisition of compatible hardware/software
- Remarks: Transition from WPA2 to WPA3 to enhance encryption standards
-
Enhance Password Security
- Status: Planned
- Milestone Dates: Start: MM/DD/YYYY, Completion: MM/DD/YYYY
- Resources: IT Support, Security Team
- Dependencies: Development of new password policies
- Remarks: Ensure password complexity and rotation requirements
-
Eliminate Unauthorized Access
- Status: In Progress
- Milestone Dates: Start: MM/DD/YYYY, Completion: MM/DD/YYYY
- Resources: Security Team, Network Administrators
- Dependencies: Implementation of network monitoring tools
- Remarks: Prevent unauthorized devices from accessing the network
-
Conduct Security Awareness Training
- Status: Ongoing
- Milestone Dates: Quarterly
- Resources: HR, Security Training Vendor
- Dependencies: Development of training material
- Remarks: Regular training on WPA2/WPA3, FIPS 140-2, and related regulations
-
Regular Security Auditing and Monitoring
- Status: Ongoing
- Milestone Dates: Bi-annually
- Resources: Internal Audit Team, Third-Party Auditors
- Dependencies: Implementation of audit tools and procedures
- Remarks: Continuous monitoring and periodic audits to ensure compliance
WPA2 VS WPA3:
WPA2 vs WPA3 Alignment with NIST SP 800-171:
WPA3 introduces a significant enhancement in encryption by focusing on individualized encryption for each device on the network. Unlike WPA2, which encrypts the network as a whole using a shared key, WPA3 employs Simultaneous Authentication of Equals (SAE) to create a unique encryption key for each device. This means that even if one device’s encryption is compromised, the rest of the network remains secure, as each device has its unique encryption parameters. In contrast, WPA2’s encryption method treats the network as a single entity, sharing the same encryption key among all devices. If that shared key were to be compromised in a WPA2 network, an attacker could potentially access all devices on the network. This fundamental shift from network-wide encryption to device-specific encryption represents a significant advancement in security, making WPA3 more resilient against potential breaches.
- Secure Transmission: WPA2 provides secure transmission, aligning with the requirements of NIST SP 800-171 for protecting Controlled Unclassified Information (CUI).
- Potential Vulnerabilities: Some vulnerabilities, like the KRACK attack, have been discovered in WPA2, potentially causing non-compliance with NIST’s robust security controls.
WPA3: A Step Forward in Wireless Security
WPA3, introduced in 2018, is designed to overcome the shortcomings of WPA2, providing more robust security features:
- Enhanced Encryption: WPA3 employs stronger encryption methods, including Simultaneous Authentication of Equals (SAE), enhancing security.
- Forward Secrecy: Even if a password is compromised, WPA3’s forward secrecy ensures that historical data remains secure.
- Easier Connection to Devices: WPA3 supports Wi-Fi Easy Connect, making it easier to connect devices without a display.
Alignment with NIST SP 800-171:
- Stronger Security Controls: WPA3’s improved security features align more closely with the rigorous controls set by NIST SP 800-171.
- Compliance with FIPS: WPA3’s encryption standards are often in compliance with Federal Information Processing Standards (FIPS), an essential consideration for adherence to NIST guidelines.
Which One to Choose?
Organizations striving to comply with NIST SP 800-171 should consider the following:
- Current Infrastructure: Older devices may not support WPA3, so a gradual transition may be necessary.
- Compliance Needs: WPA3’s stronger security controls align more closely with NIST SP 800-171, providing an additional layer of assurance.
- Risk Assessment: A thorough risk assessment considering the specific needs and regulatory environment will guide the appropriate choice between WPA2 and WPA3.
Conclusion
WPA2 and WPA3 both offer robust wireless security but with notable differences. Organizations looking to align with NIST SP 800-171 must carefully consider their specific needs, risk profile, and compliance requirements when selecting between these two standards. The move towards WPA3 represents a step forward in wireless security and may provide an enhanced alignment with the stringent controls required by NIST.
Determine Your Wi-Fi Security Protocol on Windows:
Determine the Wi-Fi Security Protocol on macOS:
Determine the Wi-Fi Security Protocol on macOS:
- Hold down the “Option” (⌥) key on your keyboard.
- While keeping the “Option” key pressed, click the Wi-Fi symbol located in the toolbar at the top of your screen.
- A detailed menu will appear, displaying information about your network connection, including the specific Wi-Fi security type being used.
These quick steps will provide you with the information you need regarding the security protocol of your Wi-Fi connection on a macOS system.
RELEVANT INFORMATION:
Establishing usage restrictions and configuration/connection requirements for wireless access to the system provides criteria for organizations to support wireless access authorization decisions. Such restrictions and requirements reduce the susceptibility to unauthorized access to the system through wireless technologies. Wireless networks use authentication protocols which provide credential protection and mutual authentication. [SP 800-97] provides guidance on secure wireless networks.
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.