Rogue AP detection enabled
Demonstrate that the organization has deployed and enabled automated rogue access point detection capabilities that continuously monitor wireless spectrum, maintain an authoritative inventory of legitimate APs, and generate alerts when unauthorized wireless infrastructure is identified.
Description
What this control does
Rogue Access Point (AP) detection is a wireless security control that continuously monitors the radio frequency spectrum to identify unauthorized wireless access points operating within or near the organization's facilities. The system compares each detected AP against an inventory of known, authorized wireless infrastructure using its BSSID (radio MAC address), advertised SSID, channel, signal strength as seen by each sensor, and other identifying characteristics, and where possible correlates the radio sighting with the wired side (for example, a matching or adjacent MAC address in a switch forwarding table) to tell a rogue plugged into the corporate LAN from a harmless neighboring network. Detection mechanisms typically include wireless intrusion detection/prevention systems (WIDS/WIPS), controller-based off-channel scanning by the production APs themselves, or dedicated spectrum sensors; these alert security teams when rogue devices are discovered, enabling prompt investigation and remediation before attackers can use them for man-in-the-middle attacks or unauthorized network access.
Control objective
What auditing this proves
Demonstrate that the organization has deployed and enabled automated rogue access point detection capabilities that continuously monitor wireless spectrum, maintain an authoritative inventory of legitimate APs, and generate alerts when unauthorized wireless infrastructure is identified.
Associated risks
Risks this control addresses
- Attackers deploy rogue access points with legitimate-appearing SSIDs to capture employee credentials through evil twin attacks
- Employees install unauthorized consumer-grade wireless routers that bypass network security controls and create unmonitored entry points
- Attackers position rogue APs in proximity to the facility to conduct man-in-the-middle attacks that intercept authentication tokens and sensitive data transmissions
- Malicious insiders establish covert wireless bridges to exfiltrate data outside monitored network perimeters
- Third-party contractors or visitors introduce personal hotspots that interfere with authorized wireless services or create shadow IT risks
- Compromised IoT devices with AP functionality enabled create persistent backdoors into the corporate network
- Undetected rogue APs remain operational for extended periods, allowing adversaries to establish persistence and conduct long-term reconnaissance
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's wireless infrastructure inventory documenting all authorized access points, including MAC addresses, SSIDs, locations, and authorized channels.
- Identify the rogue AP detection technology in use (WIDS/WIPS appliances, wireless controller features, cloud-based monitoring) and document the deployment architecture including sensor locations and coverage areas.
- Examine wireless controller or WIDS/WIPS system configuration to verify that rogue AP detection features are enabled and scanning intervals are configured appropriately (typically continuous or every 1-5 minutes).
- Review detection policies and classification rules to confirm that the system distinguishes between authorized APs, neighboring APs (outside organizational control but non-threatening), and rogue APs (unauthorized devices on premises or connecting to the wired network).
- Request alert logs from the past 90 days showing rogue AP detections, including timestamps, device identifiers, signal strength, and classification outcomes.
- Select a sample of rogue AP alerts and review corresponding incident tickets or investigation records to verify that security teams responded, investigated root causes, and documented remediation actions.
- If feasible and approved, coordinate with technical staff to simulate a rogue AP event using a test device, then verify that the detection system generates an alert within the expected timeframe and triggers the defined response workflow.
- Interview wireless network administrators to confirm ongoing processes for updating the authorized AP inventory when infrastructure changes occur and for tuning detection thresholds to minimize false positives.
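The three-way classification the auditor reviews in the fourth step, applied to the identifying characteristics listed under "What this control does", as an added Python example; this is not code from this page or from any WIDS/WIPS or wireless-controller product. Every BSSID, SSID, switch CAM-table entry and RSSI reading below is constructed sample data, and both the MAC-adjacency on-wire heuristic and the -50 dBm on-premises threshold are assumptions chosen for illustration (a real deployment tunes them per site, as the last step above notes).

```python
"""Rogue AP classification against an authorized inventory.

Added example for this control page; not vendor WIDS/WIPS code. All
addresses, SSIDs and readings are constructed, and the on-wire heuristic and
RSSI threshold are assumptions (see comments).
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Observation:
    """One BSSID sighting reported by a scanning sensor or production AP."""
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int
    sensor: str


@dataclass(frozen=True)
class Verdict:
    bssid: str
    kind: str      # "authorized" | "neighbor" | "rogue"
    reason: str


# Constructed authorized inventory (the artifact requested in the first step).
AUTHORIZED_APS = {
    "00:11:22:33:44:50": {"ssid": "CorpWiFi", "location": "HQ-2F-East", "channel": 36},
    "00:11:22:33:44:60": {"ssid": "CorpWiFi", "location": "HQ-2F-West", "channel": 44},
    "00:11:22:33:44:70": {"ssid": "CorpGuest", "location": "HQ-Lobby", "channel": 6},
}
AUTHORIZED_SSIDS = frozenset(ap["ssid"] for ap in AUTHORIZED_APS.values())


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def seen_on_wire(bssid: str, wired_macs, window: int = 8) -> bool:
    """Assumed heuristic: many APs derive BSSIDs from their wired MAC plus a
    small offset, so a CAM-table MAC within `window` of the BSSID (same OUI)
    suggests the unknown AP is plugged into our switches."""
    b = mac_to_int(bssid)
    for m in wired_macs:
        w = mac_to_int(m)
        if (w >> 24) == (b >> 24) and abs(w - b) <= window:
            return True
    return False


def classify(obs: Observation, wired_macs=(), on_premises_rssi: int = -50) -> Verdict:
    """Authorized / neighbor / rogue policy; the RSSI floor is an assumption."""
    bssid = obs.bssid.lower()
    if bssid in AUTHORIZED_APS:
        if obs.ssid != AUTHORIZED_APS[bssid]["ssid"]:
            return Verdict(bssid, "rogue", f"inventoried BSSID advertising unexpected SSID {obs.ssid!r}")
        return Verdict(bssid, "authorized", "BSSID in inventory")
    if obs.ssid in AUTHORIZED_SSIDS:
        return Verdict(bssid, "rogue", f"evil twin: corporate SSID {obs.ssid!r} from unknown BSSID")
    if seen_on_wire(bssid, wired_macs):
        return Verdict(bssid, "rogue", "unknown BSSID with adjacent MAC in wired CAM table")
    if obs.rssi_dbm >= on_premises_rssi:
        return Verdict(bssid, "rogue", f"unknown BSSID at {obs.rssi_dbm} dBm on {obs.sensor}: likely on premises")
    return Verdict(bssid, "neighbor", "foreign SSID, weak signal, not seen on wire")


def strongest_sighting(observations):
    """Collapse multi-sensor sightings to the strongest per BSSID so the RSSI
    rule uses the nearest sensor, not whichever reported first."""
    best = {}
    for o in observations:
        key = o.bssid.lower()
        if key not in best or o.rssi_dbm > best[key].rssi_dbm:
            best[key] = o
    return list(best.values())


def build_alerts(observations, wired_macs=(), now=None):
    """Alert records carrying the fields an auditor asks for in the log review."""
    now = now or datetime.now(timezone.utc)
    alerts = []
    for o in strongest_sighting(observations):
        v = classify(o, wired_macs)
        if v.kind == "rogue":
            alerts.append({
                "timestamp": now.isoformat(), "bssid": v.bssid, "ssid": o.ssid,
                "channel": o.channel, "rssi_dbm": o.rssi_dbm, "sensor": o.sensor,
                "classification": v.kind, "reason": v.reason,
            })
    return alerts


# Constructed scan results and switch CAM table for a demonstration run.
SAMPLE_SCAN = [
    Observation("00:11:22:33:44:50", "CorpWiFi", 36, -41, "sensor-2F"),      # authorized
    Observation("aa:bb:cc:00:00:10", "CorpWiFi", 1, -55, "sensor-2F"),       # evil twin
    Observation("de:ad:be:ef:00:11", "LinksysSetup", 11, -70, "sensor-1F"),  # consumer router on wire
    Observation("12:34:56:78:9a:bc", "Cafe_Free", 6, -78, "sensor-Lobby"),   # neighbor
    Observation("12:34:56:78:9a:bc", "Cafe_Free", 6, -82, "sensor-1F"),      # same neighbor, other sensor
    Observation("fe:ed:fa:ce:00:01", "MyPhone-Hotspot", 6, -38, "sensor-3F"),  # personal hotspot
]
SAMPLE_CAM_TABLE = ["de:ad:be:ef:00:10", "00:50:56:aa:bb:cc"]

if __name__ == "__main__":
    for a in build_alerts(SAMPLE_SCAN, SAMPLE_CAM_TABLE):
        print(a["bssid"], a["classification"], a["reason"])
```

Running the block prints three alerts: the evil twin, the consumer router (rogue only because its BSSID sits next to a CAM-table entry; without the wired correlation it would be a weak-signal neighbor), and the strong-signal personal hotspot. The cafe network stays a neighbor on both sensors, which is the false-positive class the tuning step exists to keep out of the ticket queue.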
Where this control is tested