
Distrust relying solely on Wired Equivalent Privacy encryption for Wireless Local Area Networks.


CONTROL ID
01647
CONTROL TYPE
Technical Security
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Wireless Local Area Network Configuration Management program., CC ID: 01646

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Has the organization enabled 128-bit Wired Equivalent Privacy encryption? (Table Row XIII.23, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Wireless networks that do not use any encryption, or are only able to use 40-bit WEP (often mistakenly labeled 64-bit) should not be used. Such protections can be compromised in real-time by unskilled attackers using inexpensive hardware and open source attack tools. Networks able to operate with 1… (§ 3-1, MasterCard Wireless LANs - Security Risks and Guidelines, December 2004)
  • Wired Equivalent Privacy is prohibited from being used as a security control. (PCI DSS Requirements § 4.1.1 Note:, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • § 4.4.1.E The use of Wired Equivalent Privacy (WEP) in the Cardholder Data Environment (CDE) is prohibited for all deployments after June 30, 2010. § 4.5.1.B When possible, 256-bit encryption is preferred. (§ 4.4.1.E, § 4.5.1.B, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline)
  • Verify when WEP is used by the organization a minimum 104-bit encryption key and 24-bit initialization value is used, shared keys are rotated at least quarterly and when personnel change, it is used in combination with WPA, WPA2, VPN, or SSL/TLS, and access is restricted. (§ 6.2, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • Is wireless networking technology encrypted using strong encryption (Wireless Fidelity Protected Access v2 or higher)? (§ G.12.4, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Additional encryption methodologies beyond WEP, such as SSL, SSH, or encrypted VPN, must be used. (§ 4.1.5, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • The agency shall enable Wired Equivalent Privacy and Wi-Fi Protected Access for wireless implementations and when Wired Equivalent Privacy and Wi-Fi Protected Access security features are used for wireless security in conjunction with the criminal justice information services required minimum encryp… (§ 5.5.7.2 ¶ 2(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • WEP and TKIP should be disabled on all access points. (Table 8-4 Item 39, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007)
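As an added example (not part of this Control or of any authority document cited above), the following Python script audits a hostapd access-point configuration against the requirements listed: it flags any configured WEP key, WEP keys shorter than the 104-bit minimum, shared-key authentication, open networks, WPA/TKIP, and missing management-frame protection. The hostapd option names (wpa, wpa_key_mgmt, rsn_pairwise, wep_keyN, auth_algs, ieee80211w) are real; the two configurations are constructed samples, and the finding text that references a specific document paraphrases the citations above.

```python
"""Audit a hostapd configuration for WEP/TKIP settings that the cited
authority documents prohibit or restrict.  Added example; the two
configurations below are constructed samples, not real deployments."""
import re

# Constructed sample: a legacy access point still running shared-key WEP
# with a 104-bit key (26 hex digits) and no WPA at all.
WEAK_CONF = """\
interface=wlan0
ssid=legacy-pos
hw_mode=g
channel=6
auth_algs=3
wep_default_key=0
wep_key0=0123456789ABCDEF0123456789
"""

# Constructed sample: the corrected configuration, WPA2-PSK with CCMP
# only and management frame protection required (ieee80211w=2).
HARDENED_CONF = """\
interface=wlan0
ssid=pos-secure
hw_mode=g
channel=6
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
ieee80211w=2
wpa_passphrase=correct horse battery staple 2024
"""


def parse_hostapd(text):
    """Parse hostapd key=value lines, ignoring comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def wep_key_bits(value):
    """Key length in bits of a hostapd wep_keyN value.

    hostapd accepts either a hex string (10 digits = 40-bit, 26 = 104-bit)
    or a double-quoted ASCII string.  Returns None for anything else.
    """
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        return (len(value) - 2) * 8
    if re.fullmatch(r"[0-9a-fA-F]+", value):
        return len(value) * 4
    return None


def audit_hostapd(text):
    """Return a list of findings; an empty list means the config passes."""
    conf = parse_hostapd(text)
    findings = []
    wep_keys = {k: v for k, v in conf.items() if re.fullmatch(r"wep_key[0-3]", k)}
    wpa = int(conf.get("wpa", "0"))

    if wep_keys:
        findings.append("WEP keys configured (WEP is prohibited as a security control)")
        for name, key in wep_keys.items():
            bits = wep_key_bits(key)
            if bits is not None and bits < 104:
                findings.append(f"{name}: {bits}-bit WEP key, below the 104-bit minimum")
    # auth_algs is a bitmask: 1 = open system, 2 = shared key (WEP challenge)
    if int(conf.get("auth_algs", "1")) & 2:
        findings.append("auth_algs enables shared-key (WEP) authentication")
    if not wep_keys and wpa == 0:
        findings.append("no encryption configured (open network)")
    if wpa == 1:
        findings.append("wpa=1: WPA/TKIP only; TKIP should be disabled")
    for opt in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(opt, "").upper().split():
            findings.append(f"{opt} permits TKIP")
    if wpa and conf.get("ieee80211w", "0") != "2":
        findings.append("ieee80211w is not 2: management frame protection not required")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_hostapd(conf) or ["OK"])
```

Run it against a real /etc/hostapd/hostapd.conf by passing the file contents to audit_hostapd(); the same parser works for any key=value hostapd file, and adding a check for wpa_key_mgmt (for example requiring SAE or WPA-EAP) is a one-line extension of the same pattern.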