Networks are digital worlds, but they are also cables, ports, servers, and endpoints. As a consequence, not all cyber attacks exist in cyberspace alone. These too can have a real-world component — and rogue access points are one example of that.
Looking to understand how to protect against rogue access points? This article will review what a rogue access point is, explain the difference between a rogue access point and an evil twin, and provide a complete set of current best practices for prevention.
Wondering where the concept of Zero Trust fits in with all of this? It may not be the singular fix you've heard advertised. Watch our on-demand webinar to learn more:
Jump to a section…
What Are Rogue Access Points?
A rogue access point — or rogue AP — is a wireless access point plugged into an organization’s network that the security team does not know exists. While rogue access points can be used as part of a coordinated attack, employees unaware of proper cybersecurity protocol often install them. Most of the time, a rogue access point is a personal router that an employee connected to the network for work purposes, but they could look like anything from a wireless card jutting out of a server to a small device attached to a company firewall.
Whether installed maliciously or not, rogue access points add to the attack surface. They do not have the same security features as the rest of the network, are not monitored by the security team, and grant easy access to the greater network. If taken advantage of by cybercriminals, rogue access points can lead to enormous organizational damage.
One particularly effective method for preventing rogue access points is adopting a comprehensive Zero Trust strategy. Zero Trust is not a solution for any one security risk, but rather a collection of company-wide procedures and attitudes that minimize risk vectors. For a deeper understanding of the topic, watch our webinar, Zero Trust: The Most Overused, Misused & Abused Cybersecurity Phrase Today.
Rogue Access Points vs. Evil Twin
While they are conceptually similar, rogue access points and evil twins have very different threat profiles. A rogue access point is physically plugged into the network and grants users access to the secured network. An evil twin can also be within the network’s physical parameters, but it is not part of the network. Unlike rogue access points, evil twins don’t inflict damage by directly compromising a network’s security. Instead, they lure unsuspecting users to connect to the access point and go about their business, on what they thought was the corporate network, leaking sensitive information directly to an attacker.
How to Protect Against Rogue Access Points
There are several layers to comprehensive rogue access point prevention: physically securing your network, isolating endpoints, utilizing security software, and educating employees. Let’s start our review of how to prevent rogue access points by exploring the vital role physical security measures have to play.
Physically secure your network: Cybersecurity is not just deskwork. To neutralize the threat of rogue access points, your team needs to put on their detective hats. Do regular sweeps of the physical space, keeping a close eye out for unfamiliar devices or suspicious equipment. Apply particular attention to low-tech zones like warehouses or loading areas as they are easy to overlook — and consequently more vulnerable.
You also need to identify, tag, and secure all your network equipment. Attach clear labels on everything from cables to ports so you can readily know if anything is amiss during a sweep. To ensure only authorized personnel can physically access equipment, keep as much of it as you can under lock and key.
Prevent endpoints from connecting directly to the Rogue AP: In addition to checking the network for unauthorized APs these two steps, there are solutions to prevent your endpoints from connecting to rogue access points that can significantly increase your organization’s security profile. Oftentimes, it’s too easy for employees to connect to Rogue Access Points - they look the same as the real network and are not detectable by the human eye at first glance.
So how can we protect endpoints from connecting to these networks without interfering with an employee’s workflow? Hardware-based microsegmentation isolates endpoints onto their own protected micro-segments, strengthening defenses against lateral movement and increasing granular control over the network. Rapidly gaining traction in the industry, this novel approach to the network security aspect of Zero Trust is now available through the Byos μGateway. Ready to learn more? Reach out.
Use network-wide intrusion detection and prevention systems (IDS/IPS): IDS and IPS technologies can also help protect the network from malicious rogue access points. In particular, wireless intrusion prevention systems can be used to identify the presence of unregistered access points plugged into your network. These systems can scan the area to discover all active network connections. During this process, IDS/IPS perform the following analysis:
- Determine the validity of the access points in the area: If an access point is an authorized network component, then it should show up on the list of managed access points overseen by an organization’s security team. The system compares every access point’s MAC address to the set of approved MAC addresses on the official list to make this determination.
- Determine the connection status of the access point: To understand an access point’s relationship to the network, an intrusion detection system performs a delicate balance. From routers to encrypted wireless links, the system needs to comprehensively and quickly scan the network’s devices without overlooking anything. For Intrusion Prevention Systems, when traffic originating from malicious access points is flagged, the IPS will proactively block the connections. The challenge here is it may be too late as the infection coming from the rogue AP may have already spread laterally through the network.
Educate your employees and create a security policy: Because many rogue access points are installed by legitimate employemies for benign reasons, educating your staff on the risks can mitigate the likelihood of this threat. As we have mentioned before, the continual education of the entire staff on cyber threats and security etiquette applies a powerful multiplier to the effectiveness of your security team.
In addition to general best practices, it is good to put specific policies in place to ensure employee compliance. This policy has a couple of components:
- Create a no-exceptions policy forbidding the installation of any wireless access point independent of the participation of the security team. Employees can still set up a network connection; they just need to work with your department to ensure that it has all the required security coverage when they do.
- Establish a time-boxed amnesty program that encourages staff to tell you about unauthorized access points they already installed. Use language carefully here. You do not need to browbeat your employees or make them feel incompetent for creating this security risk. Instead, let them know that everyone makes these errors, and it is no problem as long as they let you know. As for the length of the period, one month should be sufficient time for your staff to report back.
Finally, make sure to consistently re-educate your staff on cybersecurity generally and the organization’s rogue access point policy in particular. Like many things, repetition is a key to creating a cyber-literate workforce.
Next Steps in Rogue Access Point Prevention
This article has reviewed several examples of how to protect against rogue access points, from staff education to intrusion detection and prevention systems. Although not always the work of malicious actors, rogue access points do always represent a significant threat to the security of your network. To ensure you minimize the risk of such security holes, it is often a good idea to have a comprehensive approach to rogue access point prevention.
Above all else, hardware-enforced microsegmentation is integral to preventing endpoints from connecting to rogue access points before the attackers have a chance to get a foothold. . Combining physical and cybersecurity measures, the Byos μGateway is a microsegmentation solution that makes your endpoints invisible to attackers. Ready to learn more? Get started here.