Scenario $5$: Unknown Wireless Access Point

On a Monday morning, the organization$$s help desk receives calls from three users on the same floor

of a building who state that they are having problems with their wireless access. A network

administrator who is asked to assist in resolving the problem brings a laptop with wireless access to

the users$$ floor. As he views his wireless networking configuration, he notices that there is a new access

point listed as being available. He checks with his teammates and determines that this access point

was not deployed by his team, so that it is most likely a rogue access point that was established without

permission.

The following are additional questions for this scenario:

$5\mathrm{.}1.$ What should be the first major step in handling this incident $($e$.$g$.,$ physically finding the rogue

access point, logically attaching to the access point$)?$

Response: $($e$.$g$.,$ Physically locating the device, Network Access Control $($NAC$)$ logs will be reviewed.

Change logs for enable$/$disable ports will be reviewed to identify rogue location$)$

$5\mathrm{.}2.$ What is the fastest way to locate the access point? What is the most covert way to locate the

access point?

Response: $($Scan network for rogue devices$)$

$5\mathrm{.}3.$ How would the handling of this incident differ if the access point had been deployed by an external

party $($e$.$g$.,$ contractor$)$ temporarily working at the organization$$s office?

Response: $($e$.$g$.,$ Contact contract owner and vendor$($s$).$ Review approval documents for installation of

wireless device, Review SOW from contractor., Identify gaps in vendor management process$)$

$5\mathrm{.}4.$ How would the handling of this incident differ if an intrusion detection analyst reported signs of

suspicious activity involving some of the workstations on the same floor of the building?

Response: $($e$.$g$.,$ Scope of incident response will be expanded to include scanning of workstations on

the same floor as well as servers$/$application accessible from the workstations$)$

$5\mathrm{.}5.$ How would the handling of this incident differ if the access point had been removed while the

team was still attempting to physically locate it$?$

Response: $($e$.$g$.,$ Forensic evidence $($logs will be reviewed$/$preserved to identify point of entry$)$