Chapter 6: Security & Risks

Wireless threat landscape, risk assessment, attack vectors, and mitigation controls for enterprise Wi-Fi deployments


Wireless networks present a fundamentally different threat surface compared to wired networks: the transmission medium is shared and physically accessible to anyone within RF range, including adversaries outside the building perimeter. Understanding the wireless threat landscape and implementing appropriate countermeasures is essential to maintaining the security posture of the overall enterprise network. This chapter catalogs the primary wireless attack vectors, assesses their risk level, and maps each threat to specific technical controls.

6.1 Wireless Threat Landscape

CRITICAL — Evil Twin / Rogue AP Attack

Description: An adversary deploys a rogue access point with the same SSID and BSSID as a legitimate enterprise AP, often with higher signal strength, to lure clients into connecting to the attacker-controlled network. Once connected, all client traffic passes through the attacker, enabling credential theft, session hijacking, and malware injection.

Mitigation: WPA3-Enterprise with mutual authentication (EAP-TLS) prevents clients from connecting to APs that cannot present a valid server certificate. WIPS continuously monitors for SSIDs matching the enterprise namespace with unauthorized BSSIDs. PMF (802.11w) prevents deauthentication flood attacks used to force clients to reconnect to the evil twin.

CVSS: 9.1 (Critical) | Likelihood: High | Impact: Data Breach | Control: WPA3 + EAP-TLS + WIPS + PMF

CRITICAL — KRACK / Protocol-Level Attack

Description: Key Reinstallation Attacks (KRACK) exploit vulnerabilities in the WPA2 four-way handshake to force nonce reuse, enabling decryption of encrypted wireless traffic. Similar protocol-level attacks target PMKID, TKIP, and other legacy cryptographic mechanisms.

Mitigation: Mandate WPA3-Enterprise with SAE (Simultaneous Authentication of Equals), which provides forward secrecy and is immune to KRACK-class attacks. Disable all WPA2/WPA1/WEP SSIDs. Enforce firmware updates on all APs to patch known protocol vulnerabilities. Monitor for anomalous handshake patterns in WIPS.

CVSS: 8.8 (High) | Likelihood: Medium | Impact: Traffic Decryption | Control: WPA3-SAE, Firmware Patching

HIGH — Deauthentication / Denial-of-Service Flood

Description: An attacker sends spoofed 802.11 deauthentication or disassociation frames to force clients to disconnect from legitimate APs. This can be used as a standalone DoS attack or as a precursor to an evil twin attack. Without PMF, management frames are unauthenticated and trivially spoofable.

Mitigation: Enable PMF (802.11w) in mandatory mode on all enterprise SSIDs. PMF cryptographically protects management frames, making deauth flood attacks ineffective. WIPS detects abnormal deauthentication frame rates and triggers alerts. Rate limiting on management frames at the AP level provides an additional layer of protection.

CVSS: 7.5 (High) | Likelihood: High | Impact: Service Disruption | Control: PMF Mandatory, WIPS Detection

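The two WIPS detections named in the evil twin and deauthentication flood sections above (an enterprise SSID advertised from an unauthorized BSSID, and an abnormal deauthentication frame rate) can be illustrated with a small analyzer over a management-frame log. This is an added example written for this chapter, not WIPS vendor code; the authorized AP inventory, the frame records and the rate threshold are constructed values, and a real WIPS would take frames from monitor-mode sensors rather than from a list.

```python
"""Hypothetical WIPS detection logic (added example, not part of the original chapter).

Two detectors run over a constructed log of 802.11 management frames:
  * rogue / evil twin: a beacon advertising an enterprise SSID from a BSSID that is
    not in the authorized inventory, or an authorized BSSID seen with the wrong
    SSID or channel (a cloned BSSID);
  * deauthentication flood: more than DEAUTH_THRESHOLD deauth frames attributed to
    one BSSID inside a DEAUTH_WINDOW-second sliding window.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed inventory of authorized APs: BSSID -> (SSID, channel)
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("CorpWiFi", 36),
    "00:11:22:33:44:02": ("CorpWiFi", 44),
}
ENTERPRISE_SSIDS = {ssid for ssid, _ in AUTHORIZED_APS.values()}

DEAUTH_THRESHOLD = 20   # frames per window; assumed tuning value
DEAUTH_WINDOW = 5.0     # seconds


@dataclass
class Frame:
    ts: float
    subtype: str        # "beacon" or "deauth"
    bssid: str
    ssid: str = ""
    channel: int = 0


def detect_rogue_aps(frames):
    """Return one alert per distinct (bssid, ssid, channel) that violates the inventory."""
    alerts = []
    seen = set()
    for f in frames:
        if f.subtype != "beacon":
            continue
        key = (f.bssid, f.ssid, f.channel)
        if key in seen:
            continue
        seen.add(key)
        if f.bssid in AUTHORIZED_APS:
            exp_ssid, exp_chan = AUTHORIZED_APS[f.bssid]
            if f.ssid != exp_ssid or f.channel != exp_chan:
                alerts.append(("BSSID_SPOOF", f.bssid, f.ssid, f.channel))
        elif f.ssid in ENTERPRISE_SSIDS:
            alerts.append(("ROGUE_SSID", f.bssid, f.ssid, f.channel))
    return alerts


def detect_deauth_flood(frames):
    """Alert once per BSSID when the deauth rate exceeds the threshold in the window."""
    alerts = []
    windows = defaultdict(deque)
    alerted = set()
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype != "deauth":
            continue
        q = windows[f.bssid]
        q.append(f.ts)
        while q and f.ts - q[0] > DEAUTH_WINDOW:   # drop timestamps outside the window
            q.popleft()
        if len(q) > DEAUTH_THRESHOLD and f.bssid not in alerted:
            alerted.add(f.bssid)
            alerts.append(("DEAUTH_FLOOD", f.bssid, len(q), f.ts))
    return alerts


def constructed_capture():
    """Constructed frame log: two legitimate APs, one rogue, one clone, one burst of deauths."""
    frames = [
        Frame(0.0, "beacon", "00:11:22:33:44:01", "CorpWiFi", 36),
        Frame(0.1, "beacon", "00:11:22:33:44:02", "CorpWiFi", 44),
        Frame(0.2, "beacon", "aa:bb:cc:dd:ee:ff", "CorpWiFi", 6),   # enterprise SSID, unknown BSSID
        Frame(0.3, "beacon", "00:11:22:33:44:01", "CorpWiFi", 6),   # authorized BSSID cloned on channel 6
        Frame(0.4, "beacon", "de:ad:be:ef:00:01", "GuestNet", 1),   # unrelated SSID, no alert
    ]
    # 25 spoofed deauth frames within one second, "from" an authorized AP
    frames += [Frame(1.0 + i * 0.04, "deauth", "00:11:22:33:44:01") for i in range(25)]
    # background: 3 legitimate deauths from the other AP spread over a minute
    frames += [Frame(10.0 + i * 20.0, "deauth", "00:11:22:33:44:02") for i in range(3)]
    return frames


def run():
    frames = constructed_capture()
    return detect_rogue_aps(frames) + detect_deauth_flood(frames)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The clone on channel 6 is the evil twin case from the first section: same SSID and BSSID as a legitimate AP, so only the channel (or, on a real sensor, signal strength and capability fields) gives it away. With PMF enforced, the deauth burst would not disconnect clients, but the detector still fires, since the spoofed frames are on the air regardless.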
HIGH — Unauthorized Device / BYOD Threat

Description: Unmanaged personal devices connecting to the corporate SSID may introduce malware, bypass DLP controls, exfiltrate data, or serve as pivot points for lateral movement. Without NAC enforcement, any device with valid credentials can access corporate resources regardless of its security posture.

Mitigation: Implement NAC with device posture assessment before granting network access. MDM enrollment verification ensures only managed devices access the Corp VLAN. BYOD devices are redirected to a restricted BYOD VLAN with limited access. Certificate-based authentication (EAP-TLS) with MDM-issued certificates prevents non-enrolled devices from authenticating.

CVSS: 7.2 (High) | Likelihood: High | Impact: Data Exfiltration | Control: NAC, MDM, EAP-TLS Cert

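The NAC decision described above (MDM-issued certificate plus posture check before the Corp VLAN, personal devices into a restricted BYOD VLAN, everything else rejected) can be expressed as a small authorization policy that produces the RFC 3580 tunnel attributes a RADIUS server returns for dynamic VLAN assignment. This is an added example, not the NAC product's or the chapter's own code; the issuer names, VLAN IDs and MDM inventory are assumptions, and a real deployment would take the certificate fields and posture record from the RADIUS server and MDM API.

```python
"""Hypothetical NAC authorization policy for dynamic VLAN assignment
(added example, not part of the original chapter).

Combines the EAP-TLS result (issuer of the presented client certificate) with an
MDM posture lookup and returns what the RADIUS server should send: Access-Reject,
or Access-Accept carrying the RFC 3580 attributes that place the session in the
Corp or BYOD VLAN.
"""
from dataclasses import dataclass

# Assumed issuer DNs and VLAN IDs (not from the chapter)
MDM_ISSUING_CA = "CN=Corp MDM Device CA"    # device certs pushed by MDM enrollment
BYOD_ISSUING_CA = "CN=Corp BYOD User CA"    # user certs for personal devices
CORP_VLAN = "100"
BYOD_VLAN = "200"

# Constructed MDM inventory: device serial -> posture record
MDM_INVENTORY = {
    "SN-LAPTOP-001": {"enrolled": True, "compliant": True},
    "SN-LAPTOP-002": {"enrolled": True, "compliant": False},   # e.g. disk encryption disabled
}


@dataclass
class AuthContext:
    cert_valid: bool       # chain validated against the enterprise CA by the RADIUS server
    cert_issuer: str       # issuer DN of the client certificate
    device_serial: str     # taken from the certificate subject / SAN by the RADIUS server


def vlan_attributes(vlan_id):
    """RFC 3580 VLAN assignment: Tunnel-Type VLAN (13), Tunnel-Medium-Type IEEE-802 (6),
    Tunnel-Private-Group-ID carrying the VLAN ID."""
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": vlan_id}


def authorize(ctx):
    """Return (radius_code, attributes, reason) for one authentication attempt."""
    if not ctx.cert_valid:
        return ("Access-Reject", {}, "client certificate failed validation")
    if ctx.cert_issuer == MDM_ISSUING_CA:
        posture = MDM_INVENTORY.get(ctx.device_serial)
        if not posture or not posture["enrolled"]:
            # certificate looks MDM-issued but the device is no longer managed
            return ("Access-Reject", {}, "device not in MDM inventory")
        if not posture["compliant"]:
            return ("Access-Reject", {}, "posture check failed")
        return ("Access-Accept", vlan_attributes(CORP_VLAN), "managed, compliant device")
    if ctx.cert_issuer == BYOD_ISSUING_CA:
        return ("Access-Accept", vlan_attributes(BYOD_VLAN), "personal device, restricted VLAN")
    return ("Access-Reject", {}, "untrusted certificate issuer")


if __name__ == "__main__":
    for ctx in (
        AuthContext(True, MDM_ISSUING_CA, "SN-LAPTOP-001"),
        AuthContext(True, MDM_ISSUING_CA, "SN-LAPTOP-002"),
        AuthContext(True, BYOD_ISSUING_CA, "SN-PHONE-777"),
        AuthContext(True, MDM_ISSUING_CA, "SN-UNKNOWN"),
        AuthContext(False, MDM_ISSUING_CA, "SN-LAPTOP-001"),
    ):
        print(ctx.device_serial, authorize(ctx))
```

The inventory lookup matters even when the certificate validates: a device that was unenrolled or wiped after its certificate was issued should lose Corp VLAN access without waiting for the certificate to expire or be revoked.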
MEDIUM — Credential Theft via PEAP/EAP-TTLS

Description: When EAP-TTLS or PEAP is used with password-based inner authentication, an adversary operating an evil twin AP can capture the outer TLS handshake and attempt offline dictionary attacks against the captured credentials if the client does not validate the server certificate.

Mitigation: Enforce strict server certificate validation on all 802.1X supplicants — clients must verify the RADIUS server certificate against the enterprise CA. Migrate to EAP-TLS (certificate-based) to eliminate password-based attack surface. Use MDM to push correct supplicant configuration to all managed devices, preventing users from accepting invalid server certificates.

CVSS: 6.5 (Medium) | Likelihood: Medium | Impact: Credential Compromise | Control: Server Cert Validation, EAP-TLS Migration

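The supplicant settings that the mitigation above depends on (a pinned CA certificate, a server name match, and ideally EAP-TLS instead of a password inner method) can be checked mechanically. The following is an added example, not part of the chapter: it parses wpa_supplicant-style network blocks and reports the weak settings, using the real wpa_supplicant option names (ca_cert, domain_match, domain_suffix_match, altsubject_match, subject_match, ieee80211w). The two sample blocks, one weak PEAP profile and one hardened EAP-TLS profile, are constructed, as are the file paths and names in them.

```python
"""Hypothetical supplicant configuration audit (added example, not part of the original chapter).

Parses wpa_supplicant-style network={...} blocks and reports the settings that leave
a PEAP/EAP-TTLS client open to an evil twin RADIUS server: no CA certificate pinned,
no server name match (so any certificate from that CA is accepted), a password inner
method still in use, and PMF not required.
"""
import re

# Constructed sample: a weak PEAP block followed by a hardened EAP-TLS block
SAMPLE_CONFIG = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    ieee80211w=2
    eap=TLS
    identity="jdoe@corp.example"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    client_cert="/etc/wpa/jdoe.crt"
    private_key="/etc/wpa/jdoe.key"
    domain_match="radius.corp.example"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
SERVER_NAME_KEYS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")


def parse_networks(text):
    """Return a list of dicts, one per network={...} block, with quotes stripped from values."""
    networks = []
    for body in BLOCK_RE.findall(text):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks


def audit_network(net):
    """Return (severity, finding) tuples for one 802.1X network block."""
    findings = []
    if not net.get("key_mgmt", "").startswith("WPA-EAP"):
        return findings   # PSK/SAE/open profiles are out of scope here
    eap = net.get("eap", "").upper()
    if not net.get("ca_cert"):
        findings.append(("HIGH", "no ca_cert: the RADIUS server certificate is not validated"))
    if not any(k in net for k in SERVER_NAME_KEYS):
        findings.append(("HIGH", "no server name match: any certificate from the CA is accepted"))
    if eap in ("PEAP", "TTLS"):
        findings.append(("MEDIUM", f"{eap} with password inner method; migrate to EAP-TLS"))
    if net.get("ieee80211w") != "2":
        findings.append(("LOW", "PMF not required (set ieee80211w=2)"))
    return findings


def audit_config(text):
    """Audit every block; returns (ssid, eap, findings) per block."""
    return [(n.get("ssid", "?"), n.get("eap", "?"), audit_network(n)) for n in parse_networks(text)]


if __name__ == "__main__":
    for ssid, eap, findings in audit_config(SAMPLE_CONFIG):
        print(f"{ssid} ({eap}):", findings or "OK")
```

The server name match is the finding most often missed: pinning the CA alone is not enough when that CA also issues certificates for other servers, because an adversary holding any such certificate would still pass the check. Pushing the hardened block from MDM, as the mitigation suggests, is what keeps users from clearing these settings by accepting an unknown certificate prompt.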
MEDIUM — IoT Device Compromise and Lateral Movement

Description: IoT devices typically have limited security capabilities, infrequent firmware updates, and default credentials. A compromised IoT device on the same network segment as corporate systems can be used as a pivot point for lateral movement, reconnaissance, and further compromise.

Mitigation: Isolate all IoT devices in a dedicated VLAN with strict ACLs permitting only necessary communication with specific servers. Implement micro-segmentation to prevent IoT-to-IoT lateral movement. Use PPSK or DPPSK with per-device keys to limit the blast radius of a single device compromise. Monitor IoT device behavior with anomaly detection — flag unusual traffic patterns or new connection destinations.

CVSS: 6.3 (Medium) | Likelihood: Medium | Impact: Lateral Movement | Control: IoT VLAN, ACL, PPSK, Anomaly Detection
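
The anomaly-detection control in the mitigation above (flag new connection destinations and unusual traffic) is shown here as a per-device baseline over flow records. This is an added example, not part of the chapter: the IoT VLAN prefix, the device addresses and the flow records are constructed, and a real deployment would read NetFlow/IPFIX or firewall logs instead of the inline lists.

```python
"""Hypothetical IoT behaviour-baseline detector (added example, not part of the original chapter).

Phase 1 learns, per IoT device, the (destination, port) pairs it contacts during a
clean baseline period. Phase 2 flags two things in later flow records: a device
talking to a destination it has never used, and any IoT-to-IoT flow, which the
IoT VLAN ACLs and micro-segmentation should not allow at all.
"""
from collections import defaultdict

IOT_VLAN_PREFIX = "10.50."   # assumed IoT VLAN addressing

# Constructed flow records: (timestamp, src, dst, dst_port)
BASELINE_FLOWS = [
    (100, "10.50.0.11", "10.10.1.5", 443),    # camera -> video recorder
    (101, "10.50.0.11", "10.10.1.2", 123),    # camera -> NTP
    (102, "10.50.0.12", "10.10.1.5", 443),    # thermostat -> building management server
    (103, "10.50.0.12", "10.10.1.2", 123),    # thermostat -> NTP
]

LIVE_FLOWS = [
    (500, "10.50.0.11", "10.10.1.5", 443),    # normal
    (501, "10.50.0.11", "10.10.1.2", 123),    # normal
    (502, "10.50.0.11", "10.10.2.20", 445),   # camera -> corporate file server (SMB): new destination
    (503, "10.50.0.11", "10.50.0.12", 22),    # camera -> thermostat: IoT-to-IoT
    (504, "10.50.0.12", "203.0.113.9", 443),  # thermostat -> unknown Internet host: new destination
    (505, "10.10.3.4", "10.50.0.11", 443),    # corp workstation viewing the camera: not an IoT source
]


def is_iot(addr):
    return addr.startswith(IOT_VLAN_PREFIX)


def build_baseline(flows):
    """Map each IoT source to the set of (dst, port) pairs seen in the baseline period."""
    baseline = defaultdict(set)
    for _, src, dst, port in flows:
        if is_iot(src):
            baseline[src].add((dst, port))
    return baseline


def detect_anomalies(baseline, flows):
    """Return alert tuples (kind, ts, src, dst, port) for flows that deviate from the baseline."""
    alerts = []
    for ts, src, dst, port in flows:
        if not is_iot(src):
            continue
        if is_iot(dst):
            alerts.append(("IOT_TO_IOT", ts, src, dst, port))
        elif (dst, port) not in baseline.get(src, set()):
            # a device absent from the baseline has an empty set, so every flow it makes alerts
            alerts.append(("NEW_DESTINATION", ts, src, dst, port))
    return alerts


def run():
    return detect_anomalies(build_baseline(BASELINE_FLOWS), LIVE_FLOWS)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

IoT devices are a good fit for this approach precisely because their legitimate destination set is small and stable; the same baseline on a user workstation would alert constantly. The IoT-to-IoT rule is a control check as much as a detection: if those flows appear at all, the VLAN ACL or micro-segmentation policy is not doing what the design says.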

6.2 Wireless Security Risk Assessment Matrix

The following risk matrix maps all identified wireless threats against their likelihood and impact, enabling prioritization of security controls and resource allocation.

| Threat | Likelihood | Impact | Risk Level | Primary Control | Secondary Control |
|---|---|---|---|---|---|
| Evil Twin / Rogue AP | High | Critical | Critical | WPA3-Enterprise + EAP-TLS | WIPS + PMF |
| KRACK / Protocol Attack | Medium | High | Critical | WPA3-SAE | Firmware Patching |
| Deauth DoS Flood | High | Medium | High | PMF Mandatory | WIPS Detection |
| Unauthorized BYOD | High | High | High | NAC + MDM | EAP-TLS Cert Auth |
| PEAP Credential Theft | Medium | Medium | Medium | Server Cert Validation | EAP-TLS Migration |
| IoT Lateral Movement | Medium | High | High | IoT VLAN + ACL | Anomaly Detection |
| RF Eavesdropping | Low | High | Medium | WPA3 Encryption | OWE for Open SSIDs |
| AP Physical Tampering | Low | High | Medium | Tamper-Proof Enclosure | Physical Security Audit |
| Management Plane Attack | Low | Critical | High | OOB Management + MFA | RBAC + Audit Logging |

6.3 Security Controls Summary

| Control Layer | Control | Standard/Protocol | Threats Mitigated |
|---|---|---|---|
| Air Interface | WPA3-Enterprise mandatory | IEEE 802.11i / WPA3 | KRACK, eavesdropping, credential theft |
| Air Interface | PMF (Protected Management Frames) | IEEE 802.11w | Deauth flood, disassoc flood |
| Authentication | EAP-TLS with mutual cert validation | RFC 5216 | Evil twin, PEAP attack, unauthorized access |
| Authorization | Dynamic VLAN + NAC posture check | RFC 3580, 802.1X | BYOD threat, IoT lateral movement |
| Monitoring | WIPS continuous RF monitoring | IEEE 802.11 / Vendor | Rogue AP, evil twin, deauth flood |
| Monitoring | SIEM event correlation | Syslog / CEF | All threats (detection and response) |
| Physical | Tamper-resistant AP enclosures | Physical security | AP tampering, hardware implant |
| Management | OOB management + MFA + RBAC | SSH, RADIUS, TACACS+ | Management plane attack |