Audit flunks DHS wireless security
- By Wilson P. Dizard III
- Jul 02, 2004
The Homeland Security Department's failure to impose security controls on sensitive wireless data exposes it to potential eavesdropping and misuse, the department's inspector general said late last week.
DHS agreed to tighten its wireless security in accord with the IG's recommendations. As part of the government's intelligence community, many DHS agencies handle sensitive and classified information at various levels affecting counterterrorism and law enforcement.
The IG's auditors carried out physical surveys that found many security gaps and wireless back doors that could expose networks to eavesdropping or denial-of-service attacks. In some cases, DHS employees were unaware that specific devices were enabled for Bluetooth wireless access.
In others, employees did not create virtual 'demilitarized zones' to separate wireless from wired networks and were not aware that such DMZs are needed for security.
The auditors analyzed DHS systems using IEEE 802.11b, Bluetooth and wireless messaging connectivity. They said the department hasn't provided guidance to its component agencies or established adequate controls over its wireless program. According to the IG:
- Wireless policy is incomplete
- DHS lacks a sound baseline for wireless security procedures
- The National Wireless Management Office isn't exercising its responsibility for the department's wireless technologies
- The department had not certified or accredited any of the wireless systems the analysts reviewed, although its policies require certification.
For example, examination of Research In Motion Ltd.'s BlackBerry service at the Border and Transportation Directorate's Immigration and Customs Enforcement agency revealed numerous vulnerabilities:
- Weak security settings
- No password protection for individual BlackBerrys
- Weak, user-created passwords lacking numbers and special characters
- Weak encryption
- Risky peer-to-peer feature not disabled
- Virus exposure through the devices' browsers.
'As a result of these wireless network exposures, DHS cannot ensure that the sensitive information processed by its wireless systems is effectively protected from unauthorized accesses and potential misuse,' the auditors said.
DHS in a written response agreed with most of the findings and recommendations.
The IG urged that the department tighten its wireless security by adopting a standard wireless configuration and strengthening oversight by the wireless management office.