
Detect Rogue Devices and Unauthorized Network Changes Fast

When it comes to your edge network, what you don't know can most certainly hurt you. Here, "hurt" means exposure of your critical infrastructure, intellectual property, and sensitive PII to attackers. Once a rogue device (such as an unsanctioned AP) is connected, or an unauthorized network configuration change is made, bad actors may have an open door to your entire network.

What are Rogue Devices and Unauthorized Network Changes?

A rogue device is any device connected to the network without permission to access or use it. The safe assumption is that such devices are malicious: either placed on the network intentionally by a bad actor (for example, an AP used to bypass existing security controls), or connected by someone unaware of the security implications, a case discussed further below.

The sheer number and rapid growth of endpoints, many of them headless IoT/OT/ICS or otherwise unmanaged devices, further exacerbates the problem, making it ever more challenging to inventory everything on the network and confirm that none of it is operating illicitly.

Yet another area of concern is unauthorized network changes, whether to infrastructure or to endpoints. The list here is long; examples include:

  • Unauthorized Software Installation – malware or ransomware; alternatively, unapproved applications that have not been vetted can introduce vulnerabilities or interfere with existing security measures.
  • Configuration Changes – modifications to firewall rules can create holes that allow unauthorized access; network changes such as new IP addresses, DNS settings, or routes can redirect traffic to malicious sites or intercept communications.
  • Privilege Escalation – granting administrative privileges to unauthorized users or applications can allow extensive system changes and data access.
  • Operating System Changes – unauthorized installation of patches, or the lack of patching, can introduce vulnerabilities or leave known issues unaddressed.
  • Network Protocols and Services – enabling insecure protocols such as Telnet or FTP, which transmit data unencrypted, can expose sensitive information; running services not intended for use on the network can create new attack vectors.

The escalating threat of rogue devices is (at least) partially driven by the enormous growth in IoT and non-IoT connections. According to Statista¹, "The total installed base of Internet of Things (IoT) connected devices worldwide is projected to amount to 30.9 billion units by 2025, a sharp jump from the 13.8 billion units that are expected in 2021." The report goes on to highlight "…In comparison, non-IoT connections include smartphones, laptops, and computers, with connections of these types of devices set to amount to just over 10 billion units by 2025…"

Finally, there can be changes at the "physical" (RF) layer of devices, in particular APs, that may have negative security implications (and degrade user performance). Examples include:

  • Excessive AP Channel Changes – today's smart APs are designed to optimize performance by occasionally changing the channels on which they operate. Frequent and ongoing channel changes, however, suggest interference. It may simply be adjacent networks (typically harmless), but it could be intentional interference meant to disrupt network services, or a symptom of a wireless man-in-the-middle attack in which a bad actor forces clients off the legitimate AP and advertises a rogue AP with an identical SSID (an "evil twin").
  • Modifications to Wireless Security Type – changes here, particularly a downgrade from the sanctioned security type to a weaker one (for example, pre-shared-key WPA2 where WPA2/WPA3-Enterprise is the policy, or an open network), can point to suspicious activity.
  • Rogue (Benign) Devices – endpoints added with no malicious intent that nevertheless open the environment to attackers. Examples include an individual who attaches a home WiFi router to "improve" office wireless coverage, or someone who brings in a home printer to make printing more convenient. In these and many similar cases the unauthorized devices are not designed, or at least not properly configured, for use on an organization's network, resulting in possible exposure of IT resources.
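The three RF-layer indicators above (channel churn, a security-type change on a known AP, and your SSID advertised by a BSSID you do not own) can all be derived from periodic scan observations. The following is an added example, not code from Link-Live, CyberScope or the original post: the observation layout (timestamp, SSID, BSSID, channel, security type), the list of sanctioned BSSIDs, and the churn threshold are assumptions chosen for illustration, and the scan data is constructed.

```python
"""Flag suspicious wireless-layer activity from periodic AP scan observations.

Added example; not Link-Live or CyberScope code. The observation layout,
the sanctioned-BSSID list and the churn threshold are assumptions.
"""
from collections import defaultdict

# Constructed sample scan data: sweeps 60 s apart of one office SSID.
# (timestamp_s, ssid, bssid, channel, security_type)
OBSERVATIONS = [
    (0,   "Corp-WiFi", "aa:bb:cc:00:00:01", 36, "WPA2-Enterprise"),
    (0,   "Corp-WiFi", "aa:bb:cc:00:00:02", 44, "WPA2-Enterprise"),
    (60,  "Corp-WiFi", "aa:bb:cc:00:00:01", 40, "WPA2-Enterprise"),
    (60,  "Corp-WiFi", "aa:bb:cc:00:00:02", 44, "WPA2-Enterprise"),
    (120, "Corp-WiFi", "aa:bb:cc:00:00:01", 36, "WPA2-Enterprise"),
    (120, "Corp-WiFi", "aa:bb:cc:00:00:02", 44, "WPA2-Personal"),   # downgraded
    (180, "Corp-WiFi", "aa:bb:cc:00:00:01", 48, "WPA2-Enterprise"),
    (180, "Corp-WiFi", "de:ad:be:ef:00:01", 36, "Open"),            # not our AP
    (240, "Corp-WiFi", "aa:bb:cc:00:00:01", 36, "WPA2-Enterprise"),
]

# Assumed: BSSIDs of the APs the organization actually owns.
KNOWN_BSSIDS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
CHANNEL_CHANGE_LIMIT = 3   # assumed: more than this per window is churn
WINDOW_SECONDS = 300


def analyze(observations, known_bssids, limit=CHANNEL_CHANGE_LIMIT, window=WINDOW_SECONDS):
    """Return a list of (timestamp, bssid, reason) alerts, in time order."""
    alerts = []
    last_channel = {}
    last_security = {}
    change_times = defaultdict(list)   # bssid -> timestamps of channel changes

    for t, ssid, bssid, channel, security in sorted(observations):
        # Evil-twin indicator: our SSID advertised by a BSSID we do not own.
        if bssid not in known_bssids:
            alerts.append((t, bssid, f"unknown BSSID advertising {ssid!r} ({security})"))

        # Security-type change on an AP we have seen before.
        if bssid in last_security and last_security[bssid] != security:
            alerts.append((t, bssid, f"security changed {last_security[bssid]} -> {security}"))
        last_security[bssid] = security

        # Channel churn: count changes inside a sliding window per BSSID.
        if bssid in last_channel and last_channel[bssid] != channel:
            recent = [x for x in change_times[bssid] if t - x <= window] + [t]
            change_times[bssid] = recent
            if len(recent) > limit:
                alerts.append((t, bssid, f"{len(recent)} channel changes in {window}s"))
        last_channel[bssid] = channel

    return alerts


if __name__ == "__main__":
    for t, bssid, reason in analyze(OBSERVATIONS, KNOWN_BSSIDS):
        print(f"t={t:>4}s  {bssid}  {reason}")
```

On the constructed data this raises three alerts: the WPA2-Enterprise to WPA2-Personal downgrade on the second AP, the unknown open BSSID advertising the corporate SSID, and four channel changes on the first AP inside the five-minute window. In practice the sanctioned BSSID list should come from the WLAN controller, and the churn threshold should be tuned to what the controller's own channel optimization normally produces.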

This is not an all-inclusive list, but it conveys the many ways rogue devices and unsanctioned configuration or endpoint changes increase the attack surface and create security headaches.

How do you Protect Against Rogue Devices?

There are many ways organizations can protect against rogue devices, though each of the common techniques has weaknesses that can be circumvented. In addition, many of these methods may be out of reach of resource-constrained organizations, leaving visibility gaps and weakened cybersecurity defenses.

Link-Live, in conjunction with discovery data gathered by the CyberScope® edge network vulnerability scanner, is designed to simplify the detection of rogue devices and network changes without burdensome and costly agents. By automating the upload of network discovery data to the secure cloud-based Link-Live solution (private, on-premises versions are also available), IT teams responsible for perimeter security can quickly find deviations on their edge network. The workflow is straightforward:

  • Step 1 – Configure the CyberScope automated discovery monitoring upload (user-defined schedule, as often as daily).
  • Step 2 – Generate a baseline, then collect ongoing snapshots, which are easily viewed in the Link-Live timeline graph. Select a day in question and drill into the details.
  • Step 3 – Navigate to the Link-Live Discovery Table, where new, missing, and transitory devices as well as changes to existing devices are displayed in a color-coded manner. Sorting, filtering, and free-string searches make finding suspicious devices simple.
  • Step 4 – Though beyond the scope of this blog, Link-Live can also use Nmap command and script data from CyberScope Discovery to alert IT teams to possible vulnerabilities in clients and network infrastructure, such as outdated OS versions and insecure open ports, among many other concerns.
  • Step 5 – Discovery monitoring data can also be viewed in analysis dashboards.
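The baseline-and-snapshot comparison in Steps 2 and 3, and the detection of unauthorized changes such as a newly enabled insecure service from the earlier list, reduce to a diff over device inventories. The following is an added example, not Link-Live or CyberScope code: the inventory layout (devices keyed by MAC with IP, name, vendor and a set of open TCP ports) and the insecure-port policy list are assumptions for the example, and the baseline and snapshots are constructed.

```python
"""Classify devices across discovery snapshots: new, missing, transitory, changed.

Added example illustrating a baseline-and-snapshot workflow; it is not
Link-Live or CyberScope code. The record layout and the insecure-port
policy list are assumptions for the example.
"""

# Constructed sample inventory data.
BASELINE = {
    "00:11:22:33:44:01": {"ip": "10.0.1.1",  "name": "fw-edge-01", "vendor": "Fortinet", "ports": {22, 443}},
    "00:11:22:33:44:02": {"ip": "10.0.1.2",  "name": "sw-core-01", "vendor": "Cisco",    "ports": {22, 443}},
    "00:11:22:33:44:03": {"ip": "10.0.1.50", "name": "prn-floor2", "vendor": "HP",       "ports": {631, 9100}},
    "00:11:22:33:44:04": {"ip": "10.0.1.77", "name": "lt-jdoe",    "vendor": "Dell",     "ports": set()},
}

# Day 1: Telnet opened on the core switch, an unknown Raspberry Pi appears,
# the laptop is absent. Day 2: the Pi is gone again and the laptop is back.
SNAPSHOTS = [
    {
        "00:11:22:33:44:01": {"ip": "10.0.1.1",  "name": "fw-edge-01", "vendor": "Fortinet",     "ports": {22, 443}},
        "00:11:22:33:44:02": {"ip": "10.0.1.2",  "name": "sw-core-01", "vendor": "Cisco",        "ports": {22, 23, 443}},
        "00:11:22:33:44:03": {"ip": "10.0.1.50", "name": "prn-floor2", "vendor": "HP",           "ports": {631, 9100}},
        "b8:27:eb:aa:bb:cc": {"ip": "10.0.1.99", "name": "",           "vendor": "Raspberry Pi", "ports": {22}},
    },
    {
        "00:11:22:33:44:01": {"ip": "10.0.1.1",  "name": "fw-edge-01", "vendor": "Fortinet", "ports": {22, 443}},
        "00:11:22:33:44:02": {"ip": "10.0.1.2",  "name": "sw-core-01", "vendor": "Cisco",    "ports": {22, 23, 443}},
        "00:11:22:33:44:03": {"ip": "10.0.1.50", "name": "prn-floor2", "vendor": "HP",       "ports": {631, 9100}},
        "00:11:22:33:44:04": {"ip": "10.0.1.77", "name": "lt-jdoe",    "vendor": "Dell",     "ports": set()},
    },
]

# Assumed policy: services that should never be exposed on the edge network.
INSECURE_PORTS = {21: "ftp", 23: "telnet", 69: "tftp", 445: "smb"}


def diff_snapshot(baseline, snapshot):
    """Compare one snapshot to the baseline.

    Returns new and missing MACs plus, for devices present in both,
    the fields that differ and the ports that were opened or closed.
    """
    new = sorted(set(snapshot) - set(baseline))
    missing = sorted(set(baseline) - set(snapshot))
    changed = {}
    for mac in set(baseline) & set(snapshot):
        before, after = baseline[mac], snapshot[mac]
        deltas = {}
        for field in ("ip", "name", "vendor"):
            if before[field] != after[field]:
                deltas[field] = (before[field], after[field])
        opened = sorted(after["ports"] - before["ports"])
        closed = sorted(before["ports"] - after["ports"])
        if opened or closed:
            deltas["ports"] = {"opened": opened, "closed": closed}
        if deltas:
            changed[mac] = deltas
    return {"new": new, "missing": missing, "changed": changed}


def transitory_devices(baseline, snapshots):
    """MACs not in the baseline that showed up in an earlier snapshot but are
    absent from the latest one (e.g. a device plugged in overnight)."""
    seen_in = {}
    for i, snap in enumerate(snapshots):
        for mac in snap:
            if mac not in baseline:
                seen_in.setdefault(mac, set()).add(i)
    latest = len(snapshots) - 1
    return sorted(mac for mac, idxs in seen_in.items() if latest not in idxs)


def findings(baseline, snapshot):
    """Turn a diff into reviewable alert strings, tagging policy violations."""
    d = diff_snapshot(baseline, snapshot)
    out = []
    for mac in d["new"]:
        dev = snapshot[mac]
        out.append(f"NEW {mac} {dev['ip']} vendor={dev['vendor'] or '?'} ports={sorted(dev['ports'])}")
    for mac in d["missing"]:
        out.append(f"MISSING {mac} {baseline[mac]['name']}")
    for mac, deltas in d["changed"].items():
        for field, (old, new) in ((f, v) for f, v in deltas.items() if f != "ports"):
            out.append(f"CHANGED {mac} {field}: {old} -> {new}")
        for port in deltas.get("ports", {}).get("opened", []):
            tag = INSECURE_PORTS.get(port)
            label = f"POLICY-VIOLATION ({tag})" if tag else "OPENED"
            out.append(f"{label} {mac} {snapshot[mac]['name']} port {port}")
    return out


if __name__ == "__main__":
    for i, snap in enumerate(SNAPSHOTS, 1):
        print(f"--- snapshot {i} vs baseline ---")
        for line in findings(BASELINE, snap):
            print(line)
    print("transitory:", transitory_devices(BASELINE, SNAPSHOTS))
```

Day 1 yields a NEW entry for the Raspberry Pi, a MISSING entry for the laptop, and a POLICY-VIOLATION for Telnet on the core switch; day 2 shows the Telnet port still open, and the Pi is reported as transitory because it appeared once and then vanished. Keying on MAC rather than IP is deliberate: DHCP churn would otherwise turn every lease renewal into a false "new" device, while a MAC that keeps its address but changes vendor or hostname is exactly the kind of spoofing worth a second look.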

Link-Live and CyberScope offer a unique "inside-the-edge" view that can strengthen existing security solutions or, where budgets are limited, help smaller organizations gain a comprehensive view of the security posture of the perimeter.

In Summary

Rogue devices and unauthorized network changes are a prime source of vulnerabilities and a common way bad actors gain access to a network and move laterally within it. Detecting them quickly, before they can be exploited and IT resources compromised, is critical. Given limited resources and visibility gaps at the network edge, organizations of all sizes can benefit from the situational awareness offered by Link-Live and CyberScope.

  1. Statista, "Internet of Things (IoT) and non-IoT active device connections worldwide from 2010 to 2025," Lionel Sujay Vailshery, Sep 6, 2022.

Author Bio – Product Manager – Wired

As a Product Manager at NetAlly, Brad Reinboldt is responsible for wired and cybersecurity solutions. He has more than 30 years of experience in the computing, networking, and storage sectors in various development and technical management roles. He holds a master's degree in electrical engineering as well as an MBA in management.
