SOURCE: AirTight Networks, Inc.

September 21, 2010 08:00 ET

Wi-Fi Vulnerabilities Still Present in Violation of PCI DSS Wireless Guideline, AirTight Data Reveals

Data Suggests Many Retailers Still Have Work to Do on PCI DSS Wireless Requirements 1.2.3, 2.1.1, 2.2 and 4.1.1

ORLANDO, FL--(Marketwire - September 21, 2010) - According to recent analysis by AirTight® Networks, which provides wireless intrusion prevention and vulnerability scanning products and services, there appears to be a very high incidence of wireless vulnerabilities and poor wireless security practices among organizations that are subject to the PCI DSS. The wireless vulnerability scanning data, released today as the PCI SSC 2010 U.S. Community Meeting began in Orlando, was collected by AirTight using its SpectraGuard® Online PCI wireless compliance scanning service during a six-month period in over 200 cardholder data environments (CDEs). It suggests that many enterprises are still exposed to vulnerabilities that violate multiple PCI DSS wireless requirements. The wireless scanning requirements were outlined in the PCI DSS Wireless Guideline issued in July 2009.

For example, AirTight found locations with open Wi-Fi access points using vendor default settings (violates PCI DSS wireless Guideline 2.1.1). These open APs also have the potential to provide a backdoor between an untrusted network and the cardholder data environment (violates requirement 1.2.3) and lack strong encryption (violates requirement 4.1.1).

Other significant findings from AirTight were:

  • 24 percent of enterprises had rogue access points (APs) in their environments
    • The likelihood of occurrence of rogue APs is higher at 32%, or one in every three, because multiple occurrences were observed in some enterprises
  • One in three enterprises continue to deploy unsecured APs (at times misconfigured), often still using WEP on authorized APs
    • The likelihood of occurrence is higher -- a total of 46 vulnerable APs were found, which makes it almost two vulnerable APs for every enterprise
  • 68 percent of enterprises were exposed to vulnerable clients such as wireless POS, smartphones and laptops (including clients probing for vulnerable SSIDs, in ad-hoc mode or connecting to external APs)
    • The likelihood of occurrence is much higher -- nine vulnerable Wi-Fi clients for every enterprise
    • Clearly, vulnerability of client devices continues to be the top wireless threat, yet something that enterprises often overlook in their security assessment
  • Only 24% of enterprises were completely clean in this assessment

"Back in 2001, an article in The Register (UK) cited a Gartner estimate that, '20 percent of organizations already have rogue WLANs attached to their corporate networks, installed by users looking for the convenience of wireless and unwilling to wait for the sysadmins to take the lead.' What we found is that the percentage of vulnerable organizations has not changed despite the enormous growth and penetration of wireless in the enterprise and the flood of Wi-Fi enabled devices entering organizations through consumer use, which indicates that the absolute numbers are much higher than 9 years ago," said Pravin Bhagwat, CTO of AirTight.

"These findings demonstrate that the enterprise still has a long way to go to understand the risks wireless vulnerabilities pose to their networks and customers' credit card data, and the impact the growth of Wi-Fi enabled devices is having on network security as these consumer devices are brought into the business environment," continued Bhagwat. "This is precisely why the PCI SSC correctly mandated regular wireless scanning of CDEs regardless of whether or not Wi-Fi is officially deployed."

This follows the same patterns of wireless vulnerabilities that AirTight found in its Airport Scanning Reports and its Financial Districts Wi-Fi Security Survey.

About AirTight SpectraGuard Online and PCI Scanning Services

SpectraGuard Online is a true 'hands off' solution. The customer installs pre-configured wireless sensors (plug-and-play), responds to a few wireless setup questions and, within 72 hours, begins to receive actionable wireless vulnerability reports by email. Customer data is hosted in a SAS70 certified co-location facility designed for security and high availability.

Using SpectraGuard Online, customers:

  • Incur no capital expenditures
  • Pay only for the wireless security features needed
  • Have an affordable and predictable total cost of ownership
  • Do not need to be concerned with hardware or software obsolescence

SpectraGuard Online meets the needs of both Level one merchants, who want full WIPS capabilities but prefer a SaaS model with no upfront capital expense, and smaller merchants down to Level four, who must meet the PCI DSS standard for wireless but need a low-cost solution with no overhead costs.

AirTight offers four options of PCI scanning:

  • PCI Quarterly Scan Service: PCI report delivered monthly
  • PCI Quarterly Scan + Alerts: PCI report delivered monthly plus real-time alerts via email for PCI compliance related wireless threats
  • 24x7 Wireless Monitoring Service: 24x7 monitoring, console access (security dashboard & forensics), real-time alerts via email, and unlimited reports
  • 24x7 Wireless Remediation Service: Monitoring service plus automatic or manual prevention, RF heat maps and location tracking

These unique AirTight wireless security and scanning services allow customers to choose what they need and to easily add capabilities as their needs expand or their business grows.

If you would like more information on AirTight's PCI scanning solutions, please contact sales@airtightnetworks.com or +1 (877) 424 7844.

About AirTight
AirTight Networks is the global leader in wireless security and compliance solutions providing customers best-of-breed technology to automatically detect, classify, locate and block all current and emerging wireless threats. AirTight offers both the industry's leading wireless intrusion prevention system (WIPS) and the world's first wireless vulnerability management (WVM) security-as-a-service (SaaS). AirTight's award-winning solutions are used by customers globally in the financial, government, retail, manufacturing, transportation, education, health care, telecom, and technology industries. AirTight owns the seminal patents for wireless intrusion prevention technology with 16 U.S. patents and two international patents granted (UK and Australia), and more than 20 additional patents pending. AirTight Networks is a privately held company based in Mountain View, CA. For more information please visit www.airtightnetworks.com

AirTight Networks and the AirTight Networks logo are trademarks; AirTight and SpectraGuard are registered trademarks of AirTight Networks, Inc. All other trademarks are the property of their respective owners.
