since they do not have a well-defined perimeter or well-defined access points. It includes all wireless data communication devices like personal computers, cellular phones, PDAs, etc. connected to a bank's internal networks.
Detailed | Activities √ √ × × × × × | DSS05 02
p. 49 | IS292.1
ii. Unlike wired networks, unauthorized monitoring and denial of service attacks can be performed without a physical wire connection. Additionally, unauthorized devices can potentially connect to the network, perform man-in-the-middle attacks, or connect to other wireless devices. To mitigate those risks, wireless networks rely on extensive use of encryption to authenticate users and devices and to shield communications. If a bank uses a wireless network, it should carefully evaluate the risk and implement appropriate additional controls. Examples of additional controls may include one or more of the following:
• Treating wireless networks as untrusted networks, allowing access through protective devices similar to those used to shield the internal network from the Internet environment
• Using end-to-end encryption in addition to the encryption provided by the wireless connection
• Using strong authentication and configuration controls at the access points and on all clients
• Using an application server and dumb terminals
• Shielding the area in which the wireless LAN operates to protect against stray emissions and signal interference
• Monitoring and responding to unauthorized wireless access points and clients
Detailed
p. 49 | IS292.2
iii. All wireless Access Points / Base Stations connected to the corporate network must be registered and approved by the Information Security function of a bank. These Access Points / Base Stations need to be subjected to periodic penetration tests and audits. An updated inventory of all wireless Network Interface Cards used in corporate laptop or desktop computers must be available. Access points / wireless NICs should not be installed or enabled on a bank's network without the approval of the information security function.
Detailed | Activities × √ × × × √ × | DSS05 02
p. 49 | IS292.3
iv. Banks should ensure that each wireless device connected to the network matches an authorized configuration and security profile, with a documented owner of the connection and a defined business need. Organizations should deny access to those wireless devices that do not have such a configuration and profile.
Detailed | Activities × √ × × × √ × | DSS05 04
p. 49 | IS292.4
v. Banks should ensure that all wireless access points are manageable using enterprise management tools.
Detailed | Activities × √ × × × √ × | DSS05 02
p. 49 | IS292.5
vi. Network vulnerability scanning tools should be configured to detect wireless access points connected to the wired network. Identified devices should be reconciled against a list of authorized wireless access points. Unauthorized (i.e., rogue) access points should be deactivated.
Detailed | Activities × √ × × × √ × | DSS05 02 2, 6
p. 49 | IS292.6
vii. Banks should use wireless intrusion detection systems (WIDS) to identify rogue wireless devices and detect attack attempts and successful compromise. In addition to WIDS, all wireless traffic should be monitored by a wired IDS as traffic passes into the wired network.
Detailed | Activities × √ × × × √ × | DSS05 02 3
p. 49 | IS292.7
viii. Where a specific business need for wireless access has been identified, banks should configure wireless access on client machines to allow access only to authorized wireless networks.
Detailed
p. 49 | IS292.8
ix. For devices that do not have an essential wireless business purpose, organizations should consider disabling wireless access in the hardware configuration (BIOS or EFI), with password protection to lower the possibility that the user will override such configurations.
Detailed | Activities × √ × × × √ × | DSS05 02 2
p. 49 | IS292.9
x. Banks should regularly scan for unauthorized or misconfigured wireless infrastructure devices, using techniques such as "war driving" to identify access points and clients accepting peer-to-peer connections. Such unauthorized or misconfigured devices should be removed from the network, or have their configurations altered so that they comply with the security requirements of the organization.
Detailed | Activities × √ × × × √ × | DSS05 02 7
p. 50 | IS292.10
xi. Banks should ensure that all wireless traffic uses at least AES encryption with at least WPA2 protection. Banks should ensure that wireless networks use authentication protocols such as EAP/TLS or PEAP, which provide credential protection and mutual authentication.
Detailed | Activities × √ × × × √ × | DSS05 02 5
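The reconciliation step of control vi (scan results checked against the register of approved access points, rogues flagged) and the encryption/authentication baseline of control xi can be combined into one automated check. The following is an added illustration, not part of the guideline and not any vendor's tool; the BSSIDs, SSIDs and the one-line-per-AP scanner format are constructed for the example, and the profile strings are a hypothetical summary of what a real scanner would report.

```python
# Constructed register of approved access points (control iii), keyed by BSSID;
# every BSSID, SSID and the scanner line format below is hypothetical.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "BANK-CORP",
    "00:11:22:33:44:02": "BANK-CORP",
    "00:11:22:33:44:03": "BANK-CORP",  # registered, but absent from this scan
}
CORPORATE_SSIDS = {"BANK-CORP"}

# Constructed scanner output, one AP per line: "bssid ssid security".
SCAN_OUTPUT = """\
00:11:22:33:44:01 BANK-CORP WPA2-EAP/AES
00:11:22:33:44:02 BANK-CORP WPA2-EAP/TKIP
AA:BB:CC:DD:EE:FF BANK-CORP WPA2-PSK/AES
DE:AD:BE:EF:00:01 Cafe-Free OPEN
"""

def parse_scan(text):
    """Parse scanner lines into (bssid, ssid, security) tuples; skip malformed lines."""
    aps = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            aps.append((parts[0].lower(), parts[1], parts[2].upper()))
    return aps

def profile_issues(security):
    """Control xi baseline: at least WPA2, AES cipher, EAP-based (mutual) authentication."""
    issues = []
    if not security.startswith(("WPA2", "WPA3")):
        issues.append("protection below WPA2")
    if not security.endswith("/AES"):
        issues.append("cipher is not AES")
    if "EAP" not in security:
        issues.append("no EAP-based authentication")
    return issues

def reconcile(aps, authorized=AUTHORIZED_APS, corp_ssids=CORPORATE_SSIDS):
    """Return (issues keyed by seen BSSID, registered BSSIDs missing from the scan)."""
    findings, seen = {}, set()
    for bssid, ssid, security in aps:
        seen.add(bssid)
        if bssid not in authorized:
            # An unknown AP beaconing a corporate SSID is the classic rogue / evil-twin sign.
            issues = ["rogue: unregistered AP advertising a corporate SSID" if ssid in corp_ssids
                      else "unregistered AP in range: confirm it is not attached to the bank network"]
        else:
            issues = profile_issues(security)
            if authorized[bssid] != ssid:
                issues.append("SSID differs from the registered configuration")
        if issues:
            findings[bssid] = issues
    missing = sorted(b for b in authorized if b not in seen)
    return findings, missing
```

A registered AP that is missing from the scan is reported as well, since a silently removed or relocated device is as much an inventory discrepancy as a rogue one.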
p. 50 | IS292.11
xii. Banks should ensure wireless clients use strong, multi-factor authentication credentials to mitigate the risk of unauthorized access from compromised credentials.
Detailed | Activities × √ × × × √ × | DSS05 04 3
p. 50 | IS292.12
xiii. Banks should disable peer-to-peer wireless network capabilities on wireless clients, unless such functionality meets a documented business need.
Detailed | Activities × √ × × × √ × | DSS05 02 1
p. 50 | IS292.13
xiv. Banks should disable wireless peripheral access of devices (such as Bluetooth), unless such access is required for a documented business need.
Detailed | Activities × √ × × × √ × | DSS05 02 1
p. 50 | IS292.14
xv. Banks may consider configuring all wireless clients used to access other critical networks or handle organization data in a manner so that they cannot be used to connect to public wireless networks or any other networks beyond those specifically allowed by the bank.
Detailed
p. 50 | IS292.15
xvi. Some requirements relating to VPN that may be considered:
• Access should be provided only if there is a genuine business case
• All computers with wireless LAN devices must utilize a Virtual Private Network (VPN) that is configured to drop all unauthenticated and unencrypted traffic
• Wireless implementations must maintain point-to-point hardware encryption of at least 128 bits
• Supporting a hardware address, like a MAC address, that can be registered and tracked, and supporting strong user authentication which checks against an external database such as TACACS+, RADIUS, etc.
• Implementation of mutual authentication of user and authentication server; a survey needs to be done before locating access points to ensure that signals are confined within the premises as much as possible
• Communication between the workstations and access points should be encrypted using dynamic session keys
Detailed
p. 50 | IS293