Organizations that are located in busy areas with close proximity to other organizations and/or the public SHALL restrict the transmission power of their Wi-Fi to a level that is not accessible by entities outside the organizational facility.
Control Type: Technical
Control Function: Preventive
Description: Oftentimes, wireless networks broadcast their Service Set Identifier (SSID) over a much larger range than is needed. This is especially noticeable if your business is located in a busy, crowded area with lots of neighboring storefronts and offices. It also presents a major security risk. Since the SSID is broadcast to a wide area outside your facility, threat actors can locate and potentially compromise your wireless network without needing to breach the physical premises of your business. Wardriving is a specific reconnaissance method in which threat actors drive along streets with a large number of businesses, carrying a laptop or other device to scan for Wi-Fi networks as potential targets. Warflying is another method in which threat actors use drones to scout for Wi-Fi networks from the air, potentially gathering more targets than one would in a car. To lower the risk of wireless attacks stemming from an overextended SSID, configure the Transmission Power settings on your router or wireless access point controller. This often involves testing different settings to strike the right balance: you do not want to deny wireless coverage to valid users inside your facilities. Implementation of this control can be enhanced by using Wi-Fi mapping software that displays a heat map of wireless coverage in and around your facilities.
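
Added example (not part of the original control text): one way to turn walk-survey readings into a transmit power setting, using the fact that received signal strength moves dB-for-dB with transmit power. The survey readings, location names and both thresholds are constructed assumptions; substitute your own measurements and policy values.

```python
# Pick the lowest AP transmit power that keeps indoor coverage
# while staying under a signal ceiling outside the perimeter.
# All readings, names and thresholds below are constructed assumptions.

SURVEY_TX_DBM = 20      # AP transmit power when the survey was taken
INSIDE_MIN_DBM = -67    # assumed floor for usable coverage indoors
OUTSIDE_MAX_DBM = -80   # assumed ceiling tolerated outside the facility

# (location, zone, RSSI in dBm measured at SURVEY_TX_DBM)
SURVEY = [
    ("reception",      "inside",  -48),
    ("open office",    "inside",  -55),
    ("back storeroom", "inside",  -60),
    ("sidewalk",       "outside", -74),
    ("cafe next door", "outside", -76),
    ("parking lot",    "outside", -79),
]

def predict(rssi_dbm, tx_dbm):
    """Shift a surveyed reading by the change in transmit power (dB-for-dB)."""
    return rssi_dbm + (tx_dbm - SURVEY_TX_DBM)

def evaluate(tx_dbm, survey=SURVEY):
    """Return (coverage_gaps, leaks) predicted at tx_dbm."""
    gaps, leaks = [], []
    for name, zone, rssi in survey:
        p = predict(rssi, tx_dbm)
        if zone == "inside" and p < INSIDE_MIN_DBM:
            gaps.append((name, p))      # valid users would lose coverage
        elif zone == "outside" and p > OUTSIDE_MAX_DBM:
            leaks.append((name, p))     # signal still usable off-premises
    return gaps, leaks

def recommend(candidates, survey=SURVEY):
    """Lowest candidate power with no indoor gaps and no outdoor leaks.

    Returns None when no power level satisfies both thresholds; power
    tuning alone cannot meet the policy for that AP placement.
    """
    ok = [tx for tx in candidates if evaluate(tx, survey) == ([], [])]
    return min(ok) if ok else None

if __name__ == "__main__":
    for tx in range(20, 4, -3):
        gaps, leaks = evaluate(tx)
        print(f"{tx:>2} dBm  gaps={gaps}  leaks={leaks}")
    print("recommended:", recommend(range(5, 21)), "dBm")
```

The outside ceiling is a policy choice: a receiver with a high-gain antenna can pick up weaker signals than a phone or laptop, so re-survey after applying the setting rather than relying on the prediction.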
