Wireless networks still vulnerable to intruders
GAO finds serious weaknesses in government implementations
Eight years after the National Institute of Standards and Technology famously pronounced that wireless access points are “the logical equivalent of an Ethernet port in the parking lot,” wireless networking has become embedded in government agencies but gaps remain in its security, a study by the Government Accountability Office has concluded.
Agencies know the technologies and policies needed to secure their wireless connections, but they are not consistently applying and enforcing them, GAO found.
The report recommends that the Office of Management and Budget, which has primary oversight responsibility for civilian cybersecurity, include metrics for wireless security in the Federal Information Security Management Act reporting process.
“Existing governmentwide guidelines and oversight efforts do not fully address agency implementation of leading wireless security practices,” GAO concluded. “Until agencies take steps to better implement these leading practices and OMB takes steps to improve governmentwide oversight, wireless networks will remain at an increased vulnerability to attack.”
NIST, which is charged with providing standards, specifications and guidance for complying with FISMA, plans to develop additional guidelines for wireless security.
The study covered a variety of wireless technologies, including Wi-Fi, the IEEE 802.11 family of standards for wireless local-area networks (WLANs); Bluetooth, used for personal area networking; and cellular data connectivity. A number of emerging technologies, such as WiMax and Long Term Evolution fourth-generation technology, also need to be considered in security policies, GAO said.
Wireless networks are vulnerable to most of the same threats to which wired networks are subject, as well as to threats specifically targeting wireless connections. In some ways, wireless connections are easier to attack.
“For WLANs, attackers only need to be in range of wireless transmissions and do not have to gain physical access to the network or remotely compromise systems on the network,” the GAO report states. “WLANs also have to protect against the deployment of unauthorized wireless devices, such as access points, that are configured to appear as part of an agency’s wireless network infrastructure.”
Wi-Fi security has evolved since approval of the initial 802.11 standard in 1997. Wired Equivalent Privacy (WEP) was added, and then replaced when flaws were found. Eventually, Wi-Fi Protected Access (WPA) was adopted, and in 2004 WPA2 was introduced, interoperable with the 802.11i security standard. In 2009, the 802.11w-2009 standard was ratified, adding encryption-based security features to help prevent denial-of-service attacks against WLANs.
Today, Wi-Fi is broadly used throughout government, and all agencies report use of smart phones capable of accessing data over the Internet, particularly the BlackBerry. Many are also using cellular data cards for laptops.
“Without proper safeguards, computer systems are vulnerable to individuals and groups with malicious intent who can intrude and use their access to obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other computer systems and networks,” the GAO report says.
GAO's recommended best practices for agencies in securing wireless networks include:
- Comprehensive policies requiring secure encryption and establishing usage restrictions, implementation practices, and access controls.
- A risk-based approach for wireless deployment and monitoring.
- A centralized wireless management structure that is integrated with the management of the existing wired network.
- Configuration requirements for wireless networks and devices.
- Incorporation of wireless and mobile device security in training.
- Use of encryption, such as a virtual private network for remote access.
- Continuous monitoring for rogue access points and clients.
- Regular assessments to ensure wireless networks are secure.
OMB in July delegated to the Homeland Security Department responsibility for overseeing operational cybersecurity efforts in civilian agencies, but DHS does not yet have any activities specific to wireless security. NIST has released a number of publications with guidance and baseline requirements for IT configuration and security measures that focus on or include wireless devices. These include:
- NIST SP 800-48, "Guide to Securing Legacy IEEE 802.11 Wireless Networks."
- NIST SP 800-53, "Recommended Security Controls for Federal Information Systems and Organizations."
- NIST SP 800-97, "Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i."
Commerce Secretary Gary Locke informed GAO that NIST will develop additional guidance on wireless security covering:
- Technical steps to mitigate the risk posed by dual-connected laptops.
- Governmentwide secure configurations for wireless functionality on laptops and for BlackBerry smart phones.
- Appropriate ways to centralize management of wireless technologies based on business need.
- Criteria for selecting tools and the appropriate frequency of wireless security assessments, along with recommendations for continuous monitoring of wireless networks.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.