Your technical sales support person is the most knowledgeable person in your company about WiFi. She discovers that problems with connections may be caused by two WiFi access points that have the same name. There should only be one… Here’s what should happen next:

First, your written Incident Response Plan should contain the names and contact information of who to call. The sales support person is obviously not the right person. Since you don’t have a dedicated IT person, you will probably be calling your virtual Chief Information Security Officer (vCISO). A vCISO is a cybersecurity expert who provides organizations with information security guidance and management on an as-needed basis. They will activate the Containment, Eradication, and Recovery portion of your Incident Response Plan.

Given that two access points are advertising the same network name, it appears that someone has set up a rogue wireless access point (WAP) and physically connected it to the network. Why? Perhaps the culprit was looking for an easier way to connect an unapproved device or, more likely, to transfer data outside of the organization without being detected.

Your Incident Response Plan will probably call for these steps:

1) Immediate Containment: Identify the physical location of the rogue WAP and disconnect it from the network to prevent further unauthorized access.

2) Detailed Investigation: Review network logs to identify any unauthorized connections that may have occurred through the WAP.

3) Forensic Analysis: Analyze the access point to determine its source—whether it’s a deliberate attack or an unintended setup by an insider. It’s important to identify who could have made the connection and why. Employees? Unescorted visitors?

4) Eradication and Recovery: Remove any malicious configurations or software introduced through the WAP. Ensure the wireless environment is secured by updating configurations and applying stronger access controls.

5) Post-Incident Review: The company has a lot of work to do. Network security diagrams and policies need to be updated. Why didn’t the SIEM identify this device—or, perhaps, it did but no one looked at the alerts? Does physical security need to be revisited? Employee training plans may need to be updated or enforced. Were employees properly screened before they were hired? Are visitors escorted? Are unauthorized devices attempting to connect to the network denied by default? Wireless security policies and procedures need to be updated to prevent similar issues from happening again. Does the company even need WiFi, or can wired connections work?
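As an added illustration of the "denied by default" check the review asks about, the following Python example (not code from the original post) compares a wireless survey against an inventory of authorized access points and flags any radio advertising a corporate SSID that is not in that inventory; the inventory and the scan lines are constructed sample data.

```python
# Added example: detect a rogue access point by comparing observed beacons
# against the authorized AP inventory. All values below are constructed.
from dataclasses import dataclass

# Constructed inventory of authorized APs: SSID -> set of authorized BSSIDs
# (the radio MAC each legitimate AP beacons with).
AUTHORIZED = {
    "CorpWiFi": {"aa:bb:cc:11:22:33", "aa:bb:cc:11:22:44"},
    "CorpGuest": {"aa:bb:cc:11:22:55"},
}

# Constructed survey output, one beacon per line: SSID,BSSID,channel,signal_dbm
SCAN_LINES = """\
CorpWiFi,aa:bb:cc:11:22:33,6,-41
CorpGuest,aa:bb:cc:11:22:55,11,-60
CorpWiFi,DE:AD:BE:EF:00:01,1,-38
NeighborNet,12:34:56:78:9a:bc,1,-80
"""


@dataclass(frozen=True)
class Finding:
    ssid: str
    bssid: str
    channel: int
    reason: str


def parse_scan(text):
    """Parse survey lines into (ssid, bssid, channel, signal) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, channel, signal = line.split(",")
        rows.append((ssid, bssid.strip().lower(), int(channel), int(signal)))
    return rows


def find_rogue_aps(scan_rows, authorized):
    """Flag every BSSID that advertises one of our SSIDs but is not in inventory."""
    findings = []
    for ssid, bssid, channel, _signal in scan_rows:
        if ssid not in authorized:
            continue  # neighbouring networks are not ours to police
        if bssid not in authorized[ssid]:
            findings.append(Finding(ssid, bssid, channel,
                                    "unknown BSSID advertising corporate SSID"))
    return findings


if __name__ == "__main__":
    for f in find_rogue_aps(parse_scan(SCAN_LINES), AUTHORIZED):
        print(f"ALERT: {f.ssid} from {f.bssid} on ch{f.channel}: {f.reason}")
```

Feeding the same comparison into the SIEM on every scheduled survey turns the "two access points with the same name" observation into an alert that fires before a salesperson has to notice it.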

These response strategies should be part of the organization’s Incident Response Plan, especially if the organization is aligning with frameworks like CMMC, HIPAA, and ISO 27001.

But that is just the beginning. I help companies in situations like this. An overall information security and compliance review is desperately needed.
