Defined Approach Requirements
2.3.1 For wireless environments connected to the CDE or transmitting account data, all wireless vendor defaults are changed at installation or are confirmed to be secure, including but not limited to:
- Default wireless encryption keys.
- Passwords on wireless access points.
- SNMP defaults.
- Any other security-related wireless vendor defaults.
Customized Approach Objective
Wireless networks cannot be accessed using vendor default settings.
Defined Approach Testing Procedures
2.3.1 Examine policies and procedures and interview responsible personnel to verify that for wireless environments connected to the CDE or transmitting account data, wireless vendor defaults are changed at installation or are confirmed to be secure in accordance with all elements specified in this requirement.
Purpose
Malicious individuals will often use vendor default settings for wireless access points and other wireless devices, such as the default SSID (service set identifier) and default encryption keys, to assist them in gaining access to the wireless network. They will also use vendor documentation to determine other default settings, including passwords and SNMP strings, to assist them in gaining access to the wireless device itself.
Good Practice
Changing all wireless vendor defaults at installation time, including encryption keys, passwords, SNMP community strings, and any other security-related wireless vendor defaults, helps to ensure that the wireless device cannot be accessed using the default settings.
Vendor documentation will often illustrate how malicious individuals can access wireless devices if defaults are not changed.
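The practice above is easiest to sustain when "confirmed to be secure" is a repeatable check rather than a one-off review. The script below is an added example, not part of the PCI DSS text or any vendor's tooling: it parses a constructed key=value export from a hypothetical access point and flags settings that still look like vendor defaults (SNMP community strings, administrative and WPA passphrases, SSID naming, encryption mode). The config format, the key names and the SSID patterns are assumptions chosen for illustration; an assessor would replace them with the real export format and the defaults documented for the deployed hardware.

```python
"""Audit a wireless access-point configuration export for unchanged vendor defaults.

Added example for PCI DSS Requirement 2.3.1. The key=value export format, the key
names and the default-indicator lists below are assumptions, not any vendor's
actual format or defaults.
"""
import re

# Constructed sample export from a hypothetical access point (not a real device).
SAMPLE_CONFIG = """\
# hypothetical AP export
ssid=SETUP-AP-1234
admin_user=admin
admin_password=admin
wpa_passphrase=12345678
snmp_enabled=true
snmp_ro_community=public
snmp_rw_community=private
encryption=wpa2-psk
"""

# Indicator lists an assessor would populate from vendor documentation. The SSID
# patterns here are placeholders, not a claim about any vendor's real default names.
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
DEFAULT_PASSWORDS = {"", "admin", "password", "1234", "12345678"}
DEFAULT_SSID_PATTERNS = [re.compile(r"^(SETUP|DEFAULT)[-_]", re.IGNORECASE)]
INSECURE_ENCRYPTION = {"open", "none", "wep"}


def parse_config(text):
    """Parse a flat key=value export into a dict, ignoring blanks and comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def audit_wireless_defaults(cfg):
    """Return a list of (setting, reason) findings for default or insecure values."""
    findings = []

    ssid = cfg.get("ssid", "")
    if any(p.match(ssid) for p in DEFAULT_SSID_PATTERNS):
        findings.append(("ssid", "SSID matches a default naming pattern"))

    # A missing admin password is treated the same as an unchanged one.
    if cfg.get("admin_password", "").lower() in DEFAULT_PASSWORDS:
        findings.append(("admin_password", "administrative password is a default or weak value"))

    psk = cfg.get("wpa_passphrase", "")
    if psk in DEFAULT_PASSWORDS or len(psk) < 8:
        findings.append(("wpa_passphrase", "wireless encryption key is a default or too short"))

    # SNMP defaults only matter when the service is actually enabled.
    if cfg.get("snmp_enabled", "false").lower() == "true":
        for key in ("snmp_ro_community", "snmp_rw_community"):
            if cfg.get(key, "").lower() in DEFAULT_SNMP_COMMUNITIES:
                findings.append((key, "SNMP community string is a vendor default"))

    if cfg.get("encryption", "").lower() in INSECURE_ENCRYPTION:
        findings.append(("encryption", "wireless encryption mode is insecure"))

    return findings


if __name__ == "__main__":
    for setting, reason in audit_wireless_defaults(parse_config(SAMPLE_CONFIG)):
        print(f"FAIL {setting}: {reason}")
```

Run against a real export, the intent is a non-empty finding list that blocks commissioning until every flagged setting is changed, which gives the periodic wireless audit a concrete pass/fail result to record.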
Purpose
Secure wireless environments by changing vendor defaults.
What's Required for Compliance
- Change all wireless vendor defaults (SSID, passwords, keys)
- Disable insecure wireless settings
Compliance Strategies
- Wireless configuration management
- Periodic wireless audits
Typical Policies and Procedures
- Wireless Network Security Policy
- Wireless Device Commissioning Checklist
Common Pitfalls and Failures
- Default SSIDs/passwords in use
- Unsecured wireless admin interfaces
Type
Technical Control
Difficulty
Moderate
Key Risks
- Wireless network compromise
Product and Vendor Recommendations
- Enterprise wireless management (Aruba, Cisco)
- Wireless configuration audit tools
Eligible SAQ
- SAQ-A-EP
- SAQ-C
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER