Last year, I was working with a customer who had architected their network environment without considering security. They suffered a breach, lost a ton of intellectual property (thankfully none of it was regulated data), and were committed to moving forward with a more secure architecture. This customer has a relatively large number of wireless access points. One of their managers suggested that a quick win would be to locate and disable rogue wireless access points, citing a Security+ class he had taken years prior. But other managers wondered if this was a good use of limited resources, considering the abysmal state of overall security.
My take on this is that rogue access point detection is something that should only be done after other, higher priority items are taken care of. Are rogue access points a big deal? Sure. But are they a bigger deal than 7 character passwords, no account lockout, or access control policies that allow anyone to install any software not explicitly denied by antivirus? I think not.
As you probably would guess, I'm a big believer in the SANS top 20 critical security controls. The best thing about the SANS 20 CSCs is that they are actually ordered to help you figure out what to do first. What controls give you the best bang for your buck? No need to guess when you are using the SANS Top 20.
So where in the 20 CSCs do rogue access points fall? They fall well behind CSCs #1 and #2 (hardware and software inventory, respectively). If you don't have basic blocking and tackling down, do you really need to consider rogue access points? Wireless controls are #15 on the list of CSCs. Open wireless or WEP (gasp!) is a big deal. But if you've implemented WPA-PSK, how much should you worry about rogue APs?
Yes, rogue APs are a threat. But every one of us is carrying a rogue AP in our pocket these days (your smartphone). It's hard to track all of the access points that pop up. This particular client has office space in many different multi-tenant areas, so we have to deal with other access points in the area that the client doesn't control. This makes it really hard to detect the rogues. Not impossible, mind you. Just difficult.
If you are in an area where multi-tenancy isn't an issue, you'll still need good policies to prevent the use of the wifi hotspots that all users have on their phones. With those polluting the spectrum, separating "authorized" hotspots from rogue access points can be a real challenge. At Rendition Infosec, we advise clients that hunting rogue access points is likely very low on the security spectrum. We advise that clients only undertake such an endeavor when they have achieved at least baseline success in more important security controls.
One important distinction that I'll make is that evil twin access points will always be a threat. These are access points with the same (or in some cases very similar) names to the legitimate access points in the environment. Periodic surveys of the wireless environment will help detect these. A good WIDS system can help with this as well. When discovered, evil twins should be physically located and investigated.
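To make the survey idea concrete, here is an added example (not code from the original post or from Rendition Infosec) of the check a periodic wireless survey should run: compare every observed SSID/BSSID pair against an authorized inventory and flag access points that advertise an authorized SSID, or a lookalike of one, from a radio that is not in the inventory. The inventory, the survey records and the SSIDs are constructed for illustration; the `max_distance` threshold and the normalization rule are assumptions you would tune to your own naming scheme.

```python
"""Evil-twin check over a wireless survey.

Flags access points whose SSID exactly matches, or closely resembles,
an authorized SSID while their BSSID is absent from the authorized inventory.
Added example; all data below is constructed, not taken from a real survey.
"""
from dataclasses import dataclass

# Constructed authorized inventory: SSID -> set of BSSIDs that are allowed to advertise it.
AUTHORIZED = {
    "CorpWiFi": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "CorpGuest": {"00:11:22:33:44:03"},
}

# Constructed survey export (the kind of list a site-survey tool or WIDS would produce).
SURVEY = [
    {"ssid": "CorpWiFi", "bssid": "00:11:22:33:44:01", "rssi": -45},   # inventoried radio
    {"ssid": "CorpWiFi", "bssid": "aa:bb:cc:dd:ee:ff", "rssi": -38},   # same SSID, unknown radio
    {"ssid": "CorpWifi", "bssid": "aa:bb:cc:dd:ee:01", "rssi": -60},   # lookalike: case differs
    {"ssid": "Corp-WiFi", "bssid": "aa:bb:cc:dd:ee:02", "rssi": -70},  # lookalike: punctuation
    {"ssid": "NeighborNet", "bssid": "de:ad:be:ef:00:01", "rssi": -80},  # other tenant, ignored
    {"ssid": "CorpGuest", "bssid": "00:11:22:33:44:03", "rssi": -50},  # inventoried radio
]


def normalize(ssid: str) -> str:
    """Collapse case and separators so 'Corp-WiFi' and 'corp wifi' compare equal."""
    return "".join(c for c in ssid.lower() if c.isalnum())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard two-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    ssid: str      # SSID as observed in the survey
    bssid: str     # radio that advertised it (lower-cased)
    resembles: str  # authorized SSID it matches or imitates
    kind: str      # "exact" or "lookalike"


def find_evil_twins(survey, authorized, max_distance: int = 1):
    """Return one Finding per observed AP that imitates an authorized SSID
    from a BSSID that is not in the inventory. Unrelated SSIDs (other
    tenants, phone hotspots with their own names) are left alone."""
    known_bssids = {b.lower() for bssids in authorized.values() for b in bssids}
    findings = []
    for ap in survey:
        bssid = ap["bssid"].lower()
        if bssid in known_bssids:
            continue  # inventoried radio; not a twin
        for auth_ssid in authorized:
            if ap["ssid"] == auth_ssid:
                findings.append(Finding(ap["ssid"], bssid, auth_ssid, "exact"))
                break
            if edit_distance(normalize(ap["ssid"]), normalize(auth_ssid)) <= max_distance:
                findings.append(Finding(ap["ssid"], bssid, auth_ssid, "lookalike"))
                break
    return findings


if __name__ == "__main__":
    for f in find_evil_twins(SURVEY, AUTHORIZED):
        print(f"{f.kind:9} {f.ssid!r:14} from {f.bssid} (imitates {f.resembles!r})")
```

Run against the constructed survey this reports three findings: the unknown radio advertising `CorpWiFi` verbatim and the two lookalikes, while the neighbouring tenant's network and the inventoried radios are ignored. The BSSID allow-list is the weak point of any check like this, since a BSSID is just a frame field, so a hit should be treated the way the post describes: physically locate the radio (signal strength per survey point helps) and investigate, rather than trusting the inventory alone.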