Auditors: DHS flunks wireless security
- By Wilson P. Dizard III
- Jul 01, 2004
The Homeland Security Department's failure to impose security controls on its wireless data exposes sensitive information to potential eavesdropping and misuse, the department's inspector general said.
The department agreed to tighten its wireless security in accord with the IG's recommendations. As a department that is part of the government's intelligence community, many DHS agencies handle sensitive and classified information at various levels affecting counterterrorism and law enforcement functions.
The IG's auditors analyzed the department's systems and carried out physical surveys that exposed many security gaps and wireless back doors in DHS systems that could expose DHS networks to eavesdropping or denial of service attacks. In some cases, DHS employees were not aware that specific devices were enabled for Bluetooth wireless access. In others, department employees did not create virtual 'demilitarized zones' to separate wireless networks from wired networks and were not aware that such DMZs are needed to ensure security.
The auditors analyzed DHS systems using the three main wireless standards: IEEE 802.11b, Bluetooth and wireless messaging systems.
The IG report
issued late yesterday states that the department hasn't provided guidance to its component agencies or established adequate controls over its wireless program. According to the IG:Wireless policy is incomplete.DHS lacks a sound baseline for wireless security procedures.The National Wireless Management Office isn't exercising its full responsibilities in addressing the department's wireless technologies.The department had not certified or accredited any of the wireless systems the IG analysts reviewed, even though its own policies require certification.
For example, examination of Research In Motion Ltd. BlackBerry service at the Border and Transportation Directorate's Immigration and Customs Enforcement agency revealed numerous vulnerabilities: The system used weak security settings.ICE had not enabled password protection for individual BlackBerries.The system allowed users to create weak passwords that lack numbers and special characters.The agency used weak encryption.Managers had not disabled the system's risky peer-to-peer feature.The BlackBerries' Internet browsers exposed them to viruses.
'As a result of these wireless network exposures, DHS cannot ensure that the sensitive information processed by its wireless systems are effectively protected from unauthorized accesses and potential misuse,' the auditors said.
DHS issued a written response in which it agreed with most of the report's findings and recommendations, but defended the activities of the National Wireless Management Office.
The IG urged that the department take steps to tighten its wireless security, including adopting a standardized configuration for its wireless systems and strengthening wireless program oversight by the wireless management office. The report also called for DHS to certify and accredit all its wireless systems and update its security procedures.