# TOP Mission SPH-H01: Wireless Security Assessment
Assessing and hardening wireless network security including rogue AP detection, encryption standards, and guest network isolation.
Wireless networks represent one of the most consistently mismanaged attack surfaces in enterprise environments. Unlike wired infrastructure, wireless signals extend beyond physical perimeters, creating exposure that is invisible to the naked eye but measurable and exploitable by any attacker within range. Mission SPH-H01 exists to close that gap through structured assessment of wireless infrastructure: identifying rogue access points, auditing encryption standards, verifying guest network isolation, and confirming that organizational wireless policy maps to deployed reality. This mission is part of CDA's Theater of Operations Playbook (TOP), which organizes security work into executable, repeatable missions with defined objectives, measurable outcomes, and direct alignment to the Planetary Defense Model (PDM).
---
A wireless security assessment is a structured technical evaluation of an organization's Wi-Fi infrastructure and associated controls. It covers the full lifecycle of wireless exposure: deployed access points and their configuration, the protocols and encryption standards in use, network segmentation between corporate and guest zones, authentication mechanisms, and the presence of unauthorized or rogue devices broadcasting within or near the organization's physical space.
This mission is distinct from a general network vulnerability scan. It is not a penetration test, though findings from this mission frequently inform penetration testing scope. It is not a compliance audit, though its outputs directly support compliance frameworks including PCI DSS, HIPAA, and SOC 2. It is not a one-time event. Wireless environments change continuously as new devices connect, access points are reconfigured, and shadow IT introduces unauthorized infrastructure.
Scope boundaries matter here. This mission covers: corporate SSID configurations and encryption settings, guest network isolation and segmentation verification, rogue AP detection within the organization's RF environment, wireless client authentication methods (PSK versus 802.1X), and WLAN controller or access point firmware currency. It does not cover cellular or Bluetooth unless those are explicitly defined in the mission charter.
Subtypes within this mission include passive RF surveys (listening without transmitting), active enumeration (probing discovered networks with controlled tooling), and policy-versus-reality gap analysis (comparing documented wireless policy to what is actually deployed). Organizations at different maturity levels may begin with the passive survey and expand scope in subsequent cycles.
---
## Phase 1: Inventory and Discovery
The assessment begins with building a complete inventory of wireless infrastructure. This means collecting data from the WLAN controller or cloud management platform (Cisco Meraki, Aruba Central, Ubiquiti UniFi, or equivalent) and cross-referencing it against a physical site survey. Every access point should be accounted for. MAC addresses, SSIDs, operating channels, transmit power, and firmware versions are all recorded at this stage.
Simultaneously, passive RF scanning is conducted using tools such as Kismet or a commercial wireless assessment platform. The scanner captures beacon frames broadcast by every access point within range, including devices not registered in the organization's inventory. This step frequently surfaces rogue access points, misconfigured equipment, and neighboring networks that may share channel space or, in some cases, intentionally mimic organizational SSIDs (evil twin attacks).
## Phase 2: Encryption and Protocol Audit
With the full RF picture captured, each SSID is evaluated for encryption standard. WEP (Wired Equivalent Privacy) has been cryptographically broken for over two decades and must be flagged as a critical finding if present. WPA (Wi-Fi Protected Access, first generation) is similarly inadequate. WPA2 with AES-CCMP encryption is the acceptable minimum for most environments, with WPA3 now required in high-security contexts or where the device ecosystem supports it.
TKIP (Temporal Key Integrity Protocol), the cipher of first-generation WPA that early WPA2 deployments often kept enabled for compatibility, has known vulnerabilities and should be disabled in favor of AES-only configurations. Mixed-mode configurations that allow both TKIP and AES create downgrade attack opportunities and are a common misconfiguration finding in this mission.
For enterprise networks, the authentication method is examined. Pre-shared key (PSK) authentication is appropriate for small environments but introduces credential management problems at scale. Every person who knows the PSK can, given that key and a capture of another client's association handshake, decrypt that client's traffic on the same network. 802.1X authentication with a RADIUS backend eliminates this problem: each client's EAP exchange produces its own master key, so session keys cannot be derived from any shared secret. The assessment verifies whether 802.1X is configured, whether the RADIUS server certificate is properly validated by clients (preventing RADIUS impersonation attacks), and whether clients are configured to reject untrusted certificates.
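The encryption and authentication audit above can be automated directly from captured beacon frames. The following is an added example, not tooling from the page or from CDA: it parses the RSN information element (WPA2/WPA3) and the legacy WPA vendor element from a beacon's tagged parameters, falls back on the Privacy capability bit to detect WEP, and grades each SSID on the severity scale this mission uses. The beacon bytes are constructed inline with small builder helpers (the SSID names and the builders are assumptions for the example, not captures from any network); a real run would feed it frames exported from Kismet or a packet capture.

```python
import struct
from dataclasses import dataclass, field

# Suite selectors: IEEE 802.11 RSN (WPA2/WPA3) uses OUI 00-0F-AC; legacy WPA rides in a vendor IE with OUI 00-50-F2.
RSN_OUI, WPA_OUI = b"\x00\x0f\xac", b"\x00\x50\xf2"
IE_SSID, IE_RSN, IE_VENDOR = 0, 48, 221
CAP_PRIVACY = 0x0010  # Privacy bit of the Capability Information field; set without an RSN/WPA IE means WEP
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104", 8: "GCMP-128", 9: "GCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE"}


@dataclass
class SsidSecurity:
    ssid: str
    standard: str  # OPEN, WEP, WPA, WPA2 or WPA3
    group_cipher: str = ""
    pairwise: list[str] = field(default_factory=list)
    akms: list[str] = field(default_factory=list)


def iter_ies(tagged: bytes):
    """Walk the beacon's tagged parameters: 1-byte element ID, 1-byte length, body."""
    off = 0
    while off + 2 <= len(tagged):
        eid, length = tagged[off], tagged[off + 1]
        yield eid, tagged[off + 2:off + 2 + length]
        off += 2 + length


def _suites(body: bytes, off: int, names: dict) -> tuple[list[str], int]:
    """2-byte little-endian count, then that many 4-byte selectors (3-byte OUI + 1-byte type)."""
    count = struct.unpack_from("<H", body, off)[0]
    off += 2
    return [names.get(body[off + 4 * i + 3], "unknown") for i in range(count)], off + 4 * count


def parse_suite_body(body: bytes) -> tuple[str, list[str], list[str]]:
    """Layout shared by the RSN IE body and the WPA IE body (after its OUI/type header):
    version(2) | group suite(4) | pairwise count(2) + list | AKM count(2) + list | ..."""
    group = CIPHERS.get(body[5], "unknown")  # byte 5 is the type byte of the group suite selector
    pairwise, off = _suites(body, 6, CIPHERS)
    akms, _ = _suites(body, off, AKMS)
    return group, pairwise, akms


def classify_beacon(capability: int, tagged: bytes) -> SsidSecurity:
    """Derive the SSID's security standard, ciphers and AKMs from one beacon frame."""
    ssid, rsn, wpa = "<hidden>", None, None
    for eid, body in iter_ies(tagged):
        if eid == IE_SSID and body:
            ssid = body.decode("utf-8", "replace")
        elif eid == IE_RSN:
            rsn = body
        elif eid == IE_VENDOR and body[:4] == WPA_OUI + b"\x01":
            wpa = body[4:]
    if rsn is not None:
        group, pairwise, akms = parse_suite_body(rsn)
        # Simplification: SAE marks WPA3-Personal; WPA3-Enterprise (802.1X + PMF required) reads as WPA2 here.
        return SsidSecurity(ssid, "WPA3" if "SAE" in akms else "WPA2", group, pairwise, akms)
    if wpa is not None:
        return SsidSecurity(ssid, "WPA", *parse_suite_body(wpa))
    return SsidSecurity(ssid, "WEP" if capability & CAP_PRIVACY else "OPEN")


def grade(sec: SsidSecurity, corporate: bool = True) -> list[tuple[str, str]]:
    """Map an SSID's observed configuration onto the mission's severity scale."""
    if sec.standard in ("WEP", "WPA") or (sec.standard == "OPEN" and corporate):
        return [("critical", f"{sec.standard}: broken or absent encryption; migrate to WPA2-AES or WPA3")]
    findings = []
    if "TKIP" in sec.pairwise or sec.group_cipher == "TKIP":
        findings.append(("medium", "TKIP allowed (mixed mode, downgrade risk); restrict to AES-CCMP only"))
    if corporate and any(a.startswith("PSK") for a in sec.akms):
        findings.append(("high", "PSK on a corporate network; move to 802.1X with a RADIUS backend"))
    if any(a.startswith("802.1X") for a in sec.akms):
        findings.append(("info", "802.1X in use; verify clients validate the RADIUS server certificate"))
    return findings


def build_ie(legacy_wpa: bool, group: int, pairwise: list[int], akms: list[int]) -> bytes:
    """Constructed RSN IE (WPA2/WPA3) or legacy WPA vendor IE, used only to build the sample beacons below."""
    oui = WPA_OUI if legacy_wpa else RSN_OUI
    body = (WPA_OUI + b"\x01" if legacy_wpa else b"") + struct.pack("<H", 1) + oui + bytes([group])
    for suites in (pairwise, akms):
        body += struct.pack("<H", len(suites)) + b"".join(oui + bytes([s]) for s in suites)
    if not legacy_wpa:
        body += struct.pack("<H", 0)  # RSN capabilities field
    return bytes([IE_VENDOR if legacy_wpa else IE_RSN, len(body)]) + body


def ssid_ie(name: str) -> bytes:
    return bytes([IE_SSID, len(name)]) + name.encode()


# Constructed sample beacons as (capability field, tagged parameters); not captured from any real network.
SAMPLE_BEACONS = [
    (0x0411, ssid_ie("CORP-WEP")),                                      # privacy bit set, no RSN/WPA IE
    (0x0411, ssid_ie("CORP-WPA1") + build_ie(True, 2, [2], [2])),       # first-generation WPA, TKIP, PSK
    (0x0411, ssid_ie("CORP-MIXED") + build_ie(False, 2, [4, 2], [2])),  # WPA2 mixed mode: CCMP + TKIP, PSK
    (0x0411, ssid_ie("CORP-ENT") + build_ie(False, 4, [4], [1])),       # WPA2, CCMP only, 802.1X
    (0x0411, ssid_ie("CORP-WPA3") + build_ie(False, 4, [4], [8])),      # WPA3-Personal, CCMP, SAE
    (0x0401, ssid_ie("Guest")),                                         # open guest network
]
CORPORATE_SSIDS = {"CORP-WEP", "CORP-WPA1", "CORP-MIXED", "CORP-ENT", "CORP-WPA3"}


def audit(beacons, corporate_ssids) -> dict[str, list[tuple[str, str]]]:
    """Return {ssid: [(severity, message), ...]} for every observed beacon."""
    report = {}
    for capability, tagged in beacons:
        sec = classify_beacon(capability, tagged)
        report[sec.ssid] = grade(sec, corporate=sec.ssid in corporate_ssids)
    return report
```

Calling `audit(SAMPLE_BEACONS, CORPORATE_SSIDS)` yields one critical finding each for the WEP and WPA networks, a medium (TKIP) plus a high (PSK) for the mixed-mode corporate SSID, an informational reminder to check certificate validation for the 802.1X network, and nothing for the WPA3 and open guest SSIDs. Open guest networks are not graded here because their isolation is the Phase 3 question, not an encryption one.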
## Phase 3: Segmentation Verification
Guest networks require particular scrutiny. A guest SSID that appears isolated at the access point level may still have Layer 2 adjacency to corporate systems if VLAN tagging is misconfigured or if the wired uplink does not enforce VLAN separation at the switch port. This phase uses both passive observation and controlled probing to verify that a device connected to the guest SSID cannot reach internal RFC 1918 address space, access management interfaces, or communicate with corporate SSID clients.
A concrete scenario: during a SPH-H01 mission engagement at a regional healthcare organization, the guest SSID was confirmed as a separate VLAN in the WLAN controller configuration. However, the uplink switch port was configured as an access port rather than a trunk, causing all guest traffic to be carried on the default VLAN alongside clinical workstations. A device on the guest network could reach nurse station computers directly. The misconfiguration had existed for 14 months without detection because no structured wireless assessment had been conducted since the access points were installed.
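The scenario above is a policy-versus-reality gap that can be caught by checking the switch configuration against the controller's SSID-to-VLAN mapping, before anyone probes from a guest client. The following is an added example, not code from the page or from CDA: it parses the switchport settings of IOS-style `interface` blocks and verifies that every VLAN the controller assigns to an SSID is actually carried on the access point's uplink. The interface names, VLAN numbers and SSID mapping are constructed for the example; the "as found" configuration reproduces the access-port mistake described above, and the "remediated" one is the trunk that fixes it.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PortConfig:
    name: str
    mode: str = "access"
    access_vlan: int = 1
    native_vlan: int = 1
    allowed: Optional[set] = None  # None on a trunk means every VLAN is carried


def expand_vlan_list(spec: str) -> set:
    """Expand an IOS VLAN list such as '10,50,100-102' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_interfaces(config: str) -> dict:
    """Collect the switchport settings of every 'interface' block in IOS-style running-config text.
    Only the plain 'switchport trunk allowed vlan <list>' form is handled, not the add/remove variants."""
    ports, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = PortConfig(name=line.split(None, 1)[1])
            ports[cur.name] = cur
        elif cur is None:
            continue
        elif line == "!":
            cur = None
        elif line.startswith("switchport mode "):
            cur.mode = line.split()[-1]
        elif line.startswith("switchport access vlan "):
            cur.access_vlan = int(line.split()[-1])
        elif line.startswith("switchport trunk native vlan "):
            cur.native_vlan = int(line.split()[-1])
        elif line.startswith("switchport trunk allowed vlan "):
            cur.allowed = expand_vlan_list(line.split()[-1])
    return ports


def verify_uplink(port: PortConfig, ssid_vlans: dict) -> list:
    """Check that each SSID's VLAN from the WLAN controller is actually carried on the AP uplink port."""
    wanted = set(ssid_vlans.values())
    findings = []
    if port.mode != "trunk":
        # An access port delivers exactly one untagged VLAN. Per-SSID tags from the AP are not honoured,
        # so every SSID lands on the access VLAN and the controller's separation is lost at the switch.
        if len(wanted) > 1:
            findings.append(("critical", f"{port.name}: access port on VLAN {port.access_vlan} cannot separate "
                                         f"SSID VLANs {sorted(wanted)}; all SSIDs share VLAN {port.access_vlan}"))
        elif wanted != {port.access_vlan}:
            findings.append(("high", f"{port.name}: access VLAN {port.access_vlan} differs from SSID VLAN {wanted}"))
        return findings
    if port.allowed is None:
        findings.append(("medium", f"{port.name}: trunk allows every VLAN; prune to {sorted(wanted | {port.native_vlan})}"))
    for ssid, vlan in ssid_vlans.items():
        if port.allowed is not None and vlan not in port.allowed:
            findings.append(("high", f"{port.name}: VLAN {vlan} for SSID '{ssid}' is not in the trunk allowed list"))
        if vlan == port.native_vlan:
            findings.append(("medium", f"{port.name}: SSID '{ssid}' rides the untagged native VLAN {vlan}; use a tagged VLAN"))
    return findings


# Constructed controller mapping and switch configurations (hypothetical names and VLAN numbers).
SSID_VLANS = {"CORP-CLINICAL": 10, "Guest": 50}

AS_FOUND = """\
interface GigabitEthernet1/0/12
 description AP-FLOOR2-EAST uplink
 switchport mode access
 switchport access vlan 1
!
"""
REMEDIATED = """\
interface GigabitEthernet1/0/12
 description AP-FLOOR2-EAST uplink
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,50,999
!
"""
PARTIAL = """\
interface GigabitEthernet1/0/13
 switchport mode trunk
 switchport trunk allowed vlan 10
!
"""
```

Run against `AS_FOUND`, `verify_uplink` reports the critical collapse of both SSIDs onto VLAN 1; against `REMEDIATED` it reports nothing; against `PARTIAL` it reports that the guest VLAN is missing from the trunk, which would manifest as guest clients losing connectivity rather than as an isolation failure. A configuration check of this kind complements, and does not replace, the live probing from a guest client that the phase calls for, because it cannot see upstream devices that bridge the VLANs.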
## Phase 4: Rogue AP Detection and Response
Any SSID captured during passive scanning that does not appear in the authorized inventory is treated as a rogue device until proven otherwise. Sources include: unauthorized access points installed by employees for convenience, access points from neighboring tenants in shared office buildings, or intentionally malicious devices. Each candidate rogue is investigated through MAC address lookup, physical location triangulation (using signal strength from multiple scanning positions), and interview with facilities and IT staff.
Confirmed rogues are removed or blocked at the network layer. The root cause is documented: was this an employee convenience install, a forgotten device from a prior configuration, or something more concerning?
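The inventory cross-reference, MAC lookup and signal-strength triangulation of this phase reduce to a few rules over aggregated scan data. The following is an added example, not code from the page or from CDA: it groups passive-scan observations by BSSID, compares each radio against the controller's authorized list, flags an unknown radio that advertises a corporate SSID as an evil-twin suspect, separates on-premises rogue candidates from weak neighboring networks by the strongest signal heard, and records the scanning position where each radio was loudest as a coarse location estimate. It also emits the JSON alert lines that a continuous, SIEM-integrated version of this check would forward. The inventory, OUI table and scan records are constructed for the example; the MAC prefixes are locally administered placeholders, not real vendor assignments.

```python
import json
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """One beacon capture (Kismet-style fields) taken from a known scanning position."""
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int
    position: str


# Constructed controller inventory and OUI table (hypothetical values).
AUTHORIZED = {
    "02:aa:00:00:01:01": {"ssid": "CORP-ENT", "location": "Floor2-East"},
    "02:aa:00:00:01:02": {"ssid": "Guest", "location": "Floor2-East"},
    "02:aa:00:00:02:01": {"ssid": "CORP-ENT", "location": "Floor3-West"},
}
CORPORATE_SSIDS = {"CORP-ENT"}
OUI_TABLE = {"02:aa:00": "ExampleAPVendor", "02:bb:00": "ConsumerRouterCo"}
ON_PREMISES_RSSI_DBM = -65  # heard this strongly at some position, the radio is almost certainly inside the building

# Constructed passive-scan results from three scanning positions.
SCAN = [
    Observation("02:aa:00:00:01:01", "CORP-ENT", 36, -48, "Floor2-East"),
    Observation("02:aa:00:00:01:01", "CORP-ENT", 36, -71, "Floor3-West"),
    Observation("02:aa:00:00:01:02", "Guest", 1, -50, "Floor2-East"),
    Observation("02:aa:00:00:02:01", "CORP-ENT", 44, -47, "Floor3-West"),
    Observation("02:bb:00:00:09:0c", "CORP-ENT", 6, -52, "Floor2-East"),  # unknown radio using the corporate SSID
    Observation("02:bb:00:00:09:0c", "CORP-ENT", 6, -78, "Floor3-West"),
    Observation("02:bb:00:00:3e:21", "PrinterSetup", 11, -59, "Lobby"),   # unknown radio, strong, not a corporate SSID
    Observation("06:cc:00:00:77:10", "NeighborCafe", 1, -84, "Lobby"),    # unknown radio, weak at every position
]


def classify_bssids(scan, authorized, corporate_ssids, oui_table, threshold=ON_PREMISES_RSSI_DBM):
    """Aggregate observations per BSSID and decide whether each radio is authorized, rogue, or a neighbor."""
    by_bssid = defaultdict(list)
    for obs in scan:
        by_bssid[obs.bssid].append(obs)
    results = []
    for bssid, observations in by_bssid.items():
        strongest = max(observations, key=lambda o: o.rssi_dbm)  # coarse location: where it was heard loudest
        ssids = {o.ssid for o in observations}
        record = {
            "bssid": bssid,
            "ssids": sorted(ssids),
            "vendor": oui_table.get(bssid[:8], "unknown"),
            "nearest_position": strongest.position,
            "max_rssi_dbm": strongest.rssi_dbm,
        }
        if bssid in authorized:
            if ssids == {authorized[bssid]["ssid"]}:
                record.update(verdict="authorized", severity="none")
            else:  # inventory says one SSID, the air says another: investigate the AP's configuration
                record.update(verdict="authorized-misconfigured", severity="medium")
        elif ssids & corporate_ssids:  # corporate SSID from a radio the controller does not know
            record.update(verdict="evil-twin-suspect", severity="critical")
        elif strongest.rssi_dbm >= threshold:  # unknown radio that is clearly on the premises
            record.update(verdict="rogue-candidate", severity="critical")
        else:  # weak everywhere: most likely another tenant; note it and move on
            record.update(verdict="probable-neighbor", severity="info")
        results.append(record)
    return results


def siem_alerts(results) -> list:
    """Actionable verdicts as JSON lines, the shape a continuous rogue-AP control would forward to the SIEM."""
    return [json.dumps({"event": "wireless.rogue_ap", **r}, sort_keys=True)
            for r in results if r["severity"] in ("critical", "high")]
```

On the constructed scan, `classify_bssids` marks the three inventoried radios authorized, the unknown radio broadcasting `CORP-ENT` as an evil-twin suspect nearest Floor2-East, the strong unknown radio in the lobby as a rogue candidate, and the weak cafe network as a probable neighbor; `siem_alerts` returns two alert lines. The verdicts are the starting point for the MAC lookup, physical walk-down and staff interviews the phase describes, not a replacement for them.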
## Phase 5: Reporting and Remediation Planning
All findings are organized by severity: critical (broken encryption, active rogue APs), high (PSK on large networks, no certificate validation), medium (WPA2 mixed mode, aging firmware), and informational (channel overlap, suboptimal transmit power). Each finding includes a specific remediation action, not a general recommendation.
---
Wireless misconfigurations are a reliable entry point for attackers. The 2020 Marriott International breach investigation, which ultimately traced to compromised credentials, highlighted how lateral movement through poorly segmented networks compounds initial access. While that breach originated through a franchise network acquisition, the underlying principle applies directly to wireless environments: a single misconfigured segment with insufficient isolation can provide an attacker who gained initial access through a low-privilege path (a guest network, an IoT device, a personal laptop) with a route to critical systems.
The 2019 Capital One breach, executed by a former cloud service provider employee, involved exploitation of a misconfigured firewall. Wireless environments carry analogous risk: configuration mistakes that look benign in isolation create exploitable conditions when combined with attacker capabilities. An organization that deploys WPA2-PSK across 200 access points and never rotates the passphrase has effectively issued a permanent credential to every contractor, visitor, and former employee who ever connected.
A common misconception is that wireless risk is primarily about outsiders war-driving in parking lots. That threat exists but is not the dominant concern. The more frequent and damaging scenarios involve insiders, supply chain personnel, or contractors who already have physical presence and use wireless access to move laterally or exfiltrate data in ways that bypass perimeter controls. A guest network that reaches internal file servers does not require an external attacker to be a problem.
Organizations that skip this mission often do so because wireless "works fine" and no incident has occurred. This reasoning confuses absence of detected incidents with absence of risk. Rogue access points can operate for months without triggering alerts. Weak encryption is exploitable without generating any log entries. The assessment exists precisely because passive exposure does not announce itself.
---
CDA approaches Mission SPH-H01 through the SPH domain of the Planetary Defense Model, which covers the organization's security posture as a hardened, continuously maintained structure. SPH represents the shield layer: the configurations, controls, and hygiene practices that determine how much attack surface an adversary actually encounters. Wireless infrastructure sits squarely within SPH because it is both perimeter-adjacent and posture-dependent. A strong perimeter with a misconfigured guest SSID is not a strong perimeter.
CDA's execution of this mission is governed by the Autonomous Posture Command (APC) methodology, operating under the principle: "Your posture adapts. Your hygiene never sleeps." In practice, this means the wireless assessment is not treated as an annual checkbox. CDA implements continuous rogue AP detection as a persistent control, integrated with the SIEM, so that new unauthorized SSIDs generate alerts within minutes rather than being discovered during a scheduled review cycle months later.
What CDA does differently is close the gap between policy documentation and deployed reality. Many organizations have wireless security policies. Few have verified that their deployed infrastructure matches those policies. CDA's SPH-H01 execution includes explicit policy-versus-reality mapping: every control stated in policy is tested against what is actually running. If policy says WPA3, the assessment confirms WPA3 is enforced, not just available. If policy says guest isolation, the assessment confirms isolation holds at Layer 2 and Layer 3, not just at the SSID configuration level.
CDA also applies SPH-H01 findings directly to adjacent missions. Rogue AP findings feed into the threat intelligence pipeline. Segmentation failures are cross-referenced with the organization's incident response playbooks. Firmware currency gaps are tracked in the vulnerability management cycle. No finding from this mission is treated in isolation. Each one connects to a broader posture picture that APC continuously maintains and updates.
---
Written by CDA Wiki Team