Information Security
Federal Agencies Need to Improve Controls over Wireless Networks Gao ID: GAO-05-383 May 17, 2005The use of wireless networks is becoming increasingly popular. Wireless networks extend the range of traditional wired networks by using radio waves to transmit data to wireless-enabled devices such as laptops. They can offer federal agencies many potential benefits but they are difficult to secure. GAO was asked to study the security of wireless networks operating within federal facilities. This report (1) describes the benefits and challenges associated with securing wireless networks, (2) identifies the controls available to assist federal agencies in securing wireless networks, (3) analyzes the wireless security controls reported by each of the 24 agencies under the Chief Financial Officers (CFO) Act of 1990, and (4) assesses the security of wireless networks at the headquarters of six federal agencies in Washington, D.C.
Wireless networks offer a wide range of benefits to federal agencies, including increased flexibility and ease of network installation. They also present significant security challenges, including protecting against attacks to wireless networks, establishing physical control over wireless-enabled devices, and preventing unauthorized deployments of wireless networks. To secure wireless devices and networks and protect federal information and information systems, it is crucial for agencies to implement controls--such as developing wireless security policies, configuring their security tools to meet policy requirements, monitoring their wireless networks, and training their staffs in wireless security. However, federal agencies have not fully implemented key controls such as policies, practices, and tools that would enable them to operate wireless networks securely. Further, our tests of the security of wireless networks at six federal agencies revealed unauthorized wireless activity and "signal leakage"--wireless signals broadcasting beyond the perimeter of the building and thereby increasing the networks' susceptibility to attack. Without implementing key controls, agencies cannot adequately secure federal wireless networks and, as a result, their information may be at increased risk of unauthorized disclosure, modification, or destruction.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-05-383, Information Security: Federal Agencies Need to Improve Controls over Wireless Networks
This is the accessible text file for GAO report number GAO-05-383
entitled 'Information Security: Federal Agencies Need to Improve
Controls over Wireless Networks' which was released on May 17, 2005.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Honorable Wm. Lacy Clay, House of Representatives:
May 2005:
Information Security:
Federal Agencies Need to Improve Controls over Wireless Networks:
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-383]:
GAO Highlights:
Highlights of GAO-05-383, a report to the Honorable Wm. Lacy Clay,
House of Representatives:
Why GAO Did This Study:
The use of wireless networks is becoming increasingly popular. Wireless
networks extend the range of traditional wired networks by using radio
waves to transmit data to wireless-enabled devices such as laptops.
They can offer federal agencies many potential benefits but they are
difficult to secure.
GAO was asked to study the security of wireless networks operating
within federal facilities. This report (1) describes the benefits and
challenges associated with securing wireless networks, (2) identifies
the controls available to assist federal agencies in securing wireless
networks, (3) analyzes the wireless security controls reported by each
of the 24 agencies under the Chief Financial Officers (CFO) Act of
1990, and (4) assesses the security of wireless networks at the
headquarters of six federal agencies in Washington, D.C.
What GAO Found:
Wireless networks offer a wide range of benefits to federal agencies,
including increased flexibility and ease of network installation. They
also present significant security challenges, including protecting
against attacks to wireless networks, establishing physical control
over wireless-enabled devices, and preventing unauthorized deployments
of wireless networks. To secure wireless devices and networks and
protect federal information and information systems, it is crucial for
agencies to implement controls”such as developing wireless security
policies, configuring their security tools to meet policy requirements,
monitoring their wireless networks, and training their staffs in
wireless security.
However, federal agencies have not fully implemented key controls such
as policies, practices, and tools that would enable them to operate
wireless networks securely. Further, our tests of the security of
wireless networks at six federal agencies revealed unauthorized
wireless activity and ’signal leakage“”wireless signals broadcasting
beyond the perimeter of the building and thereby increasing the
networks‘ susceptibility to attack (see figure). Without implementing
key controls, agencies cannot adequately secure federal wireless
networks and, as a result, their information may be at increased risk
of unauthorized disclosure, modification, or destruction.
’Signal Leakage“ from Wireless Networks Increases Security Risks to
Federal Data:
[See PDF for image]
[End of section]
What GAO Recommends:
GAO recommends that the Director of the Office of Management and Budget
(OMB) instruct the agencies to ensure that wireless network security is
incorporated into their agencywide information security programs in
accordance with the Federal Information Security Management Act. OMB
generally agreed with the contents of this report.
www.gao.gov/cgi-bin/getrpt?GAO-05-383.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Gregory Wilshusen at
(202) 512-6244 or wilshuseng@gao.gov, or Keith Rhodes at (202) 512-6412
or rhodesk@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
Wireless Networks Provide Benefits and Present Challenges to Agencies:
Controls Can Mitigate Wireless Network Security Challenges:
Federal Agencies Lack Key Controls for Securing Wireless Networks:
Selected Agencies Did Not Implement Wireless Networks Securely:
Conclusions:
Recommendation for Executive Action:
Agency Comments:
Appendixes:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Contacts and Staff Acknowledgments:
Tables Tables:
Table 1: Examples of Wireless Network Security Threats:
Table 2: Policies for Managing Wireless Network Risks:
Table 3: Examples of Wireless Security Tools That Can Be Configured to
Meet Agency Policies:
Figures:
Figure 1: Example of a Wireless Infrastructure Mode Network:
Figure 2: Example of Wireless Ad Hoc Networking:
Figure 3: Wireless Networks Detected in a Section of Downtown D.C.:
Figure 4: Example of Signal Leakage at Federal and Private Facilities:
Abbreviations:
CFO: Chief Financial Officer:
FISMA: Federal Information Security Management Act:
IEEE: Institute of Electrical and Electronics Engineers:
NIST: National Institute of Standards and Technology:
OMB: Office of Management and Budget:
Letter May 17, 2005:
The Honorable Wm. Lacy Clay:
House of Representatives:
The use of wireless networks is increasingly popular among personal,
academic, business, and government users. Wireless networks extend the
range of traditional wired networks by using radio waves to transmit
data to wireless-enabled devices such as laptops and personal digital
assistants. Spurred on by increasing bandwidth and decreasing costs of
laptops and mobile computing, wireless networks are becoming widely
available in "hotspots" in cafes, retail centers, hotels, schools,
airports, and businesses.
Wireless networks can offer federal agencies many potential benefits--
including flexibility and ease of installation. However, wireless
networks are widely known to be vulnerable to attack or compromise, and
as a result they can pose significant information security risks to
agencies. Various procedures and tools are available to secure these
networks for use within federal agencies.
In response to your request, our review had the following objectives:
(1) describe the benefits and challenges associated with securing
wireless networks, (2) identify the controls (policies, practices, and
tools) available to assist federal agencies in securing wireless
networks, (3) analyze the wireless security controls reported by each
of the 24 agencies covered by the Chief Financial Officers (CFO) Act of
1990,[Footnote 1] and (4) assess the security of wireless networks at
the headquarters of 6 federal agencies in Washington, D.C.
We performed our work in the Washington, D.C., metropolitan area from
September 2004 to March 2005, in accordance with generally accepted
government auditing standards. Appendix I provides further detail about
our objectives, scope, and methodology.
Results in Brief:
The availability of wireless networks presents federal agencies with
both opportunities and challenges. These networks offer agencies
increased flexibility and ease of installation over their traditional
wired networks. However, agencies face unique challenges securing
wireless networks--such as protecting against wireless network attacks,
establishing physical control over wireless-enabled devices, and
preventing unauthorized deployments of wireless networks.
Federal agencies can implement various controls, including policies,
practices, and tools, to secure their wireless networks. For example,
wireless network security can be enhanced by establishing comprehensive
information security policies that address wireless security,
configuring security tools to meet defined agency policy requirements,
implementing comprehensive wireless monitoring programs, and training
employees and contractors on wireless policies. Without effective
security controls for wireless networks, agency information is at risk
of unauthorized disclosure, modification, or destruction.
Despite the risks associated with wireless networks, federal agencies
have not fully implemented key controls for securing these networks.
For example, nine federal agencies reportedly have not issued policies
on wireless networks. In addition, 13 agencies reported not having
established requirements for configuring or setting up wireless
networks in a secure manner. Further, the majority of federal agencies
lack wireless network monitoring to ensure compliance with agency
policies, prevent signal leakage, and detect unauthorized wireless
devices. Finally, 18 agencies do not provide training programs in
wireless security for their employees and contractors.
The wireless networks at the six federal agencies we tested were not
secure. Specifically, we were able to detect wireless networks at each
of the agencies from outside of their facilities. Wireless-enabled
devices were operating with insecure configurations at all six of the
agencies. For example, in one agency we found over 90 laptops that were
not configured appropriately. Finally, there was unauthorized wireless
activity at all of the agencies that had not been detected by their
monitoring programs.
We are recommending that the Director of the Office of Management and
Budget (OMB) instruct agencies to ensure that wireless network security
is addressed in their agencywide information security programs. OMB
officials generally agreed with the report's content and identified
planned actions to address the recommendation.
Background:
Wireless networks extend the range of traditional wired networks by
using radio waves to transmit data to wireless-enabled devices such as
laptops and personal digital assistants. Wireless networks are
generally composed of two basic elements: access points and other
wireless-enabled devices, such as laptops. Both of these elements rely
on radio transmitters and receivers to communicate or "connect" with
each other. Access points are physically wired to a conventional
network, and they broadcast signals with which a wireless device can
connect. The signal broadcast by the access point at regular intervals-
-several times per second--includes the service set identifier, as well
as other information. Typically, this identifier is the name of the
network. Wireless devices within range of the signal automatically
receive the service set identifier, associate themselves with the
wireless network, and request access to the local wired network.
Wireless networks are characterized by one of two basic topologies,
referred to as infrastructure mode and ad hoc mode.
* Infrastructure mode--By deploying multiple access points that
broadcast overlapping signals, organizations can achieve broad wireless
network coverage. Commonly used on campuses or in office buildings,
infrastructure mode enables a laptop or other mobile device to be moved
about freely while maintaining access to the resources of the wired
network (see fig. 1).
Figure 1: Example of a Wireless Infrastructure Mode Network:
[See PDF for image]
[End of figure]
* Ad hoc mode--This type of wireless topology allows wireless devices
that are near one another to easily interconnect. In ad hoc mode
laptops, desktops, and other wireless-enabled devices can share network
functionality without the use of an access point or a wired network
connection (see fig. 2).
Figure 2: Example of Wireless Ad Hoc Networking:
[See PDF for image]
[End of figure]
Increased Speed Fueled the Growth of Wireless Networks:
The increased speed of wireless networks has helped to fuel their
growth and popularity. The growing popularity of wireless networks can
be easily witnessed in urban environments. For example, during a recent
test in Washington, D.C., we drove around 15 square blocks and, using a
commonly available wireless network scanner, we detected over a
thousand wireless networks. Figure 3 depicts a sample of the saturation
of wireless networks we detected during our brief test.
Figure 3: Wireless Networks Detected in a Section of Downtown D.C.
[See PDF for image]
[End of figure]
Wireless networks offer connectivity without the physical restrictions
associated with building wired networks. Though generally developed as
an extension to an existing wired infrastructure, a wireless network
may be stand-alone as well. The key reason for the growth in the use of
wireless networks is the increased bandwidth made possible by the
802.11 standard and its successors. The implementation of the 802.11
family of standards increased the data transfer rates offered by
wireless networks, making them comparable to those available in the
wired environment.
The 802.11 standard was first approved by the Institute of Electrical
and Electronics Engineers (IEEE) in 1997. IEEE's goal was to develop
and establish a technology standard that insured global
interoperability among wireless products, regardless of their
manufacturers. This initial wireless standard was useful for certain
applications, but the data transfer rate it specified was far slower
than that of wired networks. Responding to the data transfer rate
limitations set by the initial standard, the IEEE released several
additional standards with the intent of increasing the transfer rates
and making wireless functionality comparable to that of wired networks.
The significant increases in data transfer rates of the new standards,
coupled with the availability of affordable wireless-enabled devices,
contributed to the rapid adoption of wireless networks.
Federal Laws and Guidance Provide a Framework for Wireless Security
Policies:
The Federal Information Security Management Act (FISMA)[Footnote 2]
requires each agency to develop, document, and implement an agencywide
information security program to provide security for the data and
information systems that support the agency's operations and assets.
FISMA gives OMB many responsibilities for overseeing the agency
information security policies, including developing and overseeing the
implementation of policies and standards for information security;
requiring agencies to identify and provide information security
protections commensurate with the risk and magnitude of the harm
resulting from unauthorized access, use, disclosure, modification, or
destruction of federal information and information systems; and
coordinating the development of standards and guidance. OMB annually
reports to Congress on the progress of agencies' compliance with
FISMA.[Footnote 3] Accordingly, agencies need to evaluate the risks and
develop policies for emerging technologies such as wireless networks.
The National Institute of Standards and Technology (NIST) develops
standards that agencies are required to follow and guidelines
recommending steps that agencies can take to protect their information
and information systems. In November 2002, NIST released Wireless
Network Security: 802.11, Bluetooth and Handheld Devices (Special
Publication 800-48), which is intended to provide agencies with
guidance for establishing secure wireless networks. The guidance
recognizes that maintaining a secure wireless network is a continuous
process requiring additional effort beyond that required to maintain
other networks and systems. Accordingly, NIST has recommended that
federal agencies:
* perform risk assessments and develop security policies before
purchasing wireless technologies and anticipate that their unique
security requirements will determine which products should be
considered for purchase;
* wait to deploy wireless networks for essential operations until after
agencies have fully assessed the risks to their information and system
operations and have determined that they can manage and mitigate those
risks;
* assess risks, test and evaluate security controls more frequently
than they would on a wired network.
Currently, NIST is in the process of developing a follow-up to this
publication, which will reflect the recent updates to the 802.11
network standards.
Wireless Networks Provide Benefits and Present Challenges to Agencies:
Wireless networks offer federal agencies two primary benefits:
increased flexibility and easier installation. Because wireless
networks rely on radio transmissions, federal employees can work in a
variety of ways. For example, users can take laptops to meetings,
create ad hoc networks, and collaboratively develop products or work on
projects. In addition, if a federal agency has installed a wireless
infrastructure, users with wireless-enabled devices can work throughout
the agency's facilities without having to be in a particular office.
Finally, an agency employee traveling with a wireless-enabled device
may be able to connect to an agency network via any one of the many
public Internet access points or hotspots found in hotels or in
commercial, retail, or transportation centers. This ability to connect
to the agency's systems via wireless networks can increase employee
productivity.
Ease of installation is commonly cited as a key attribute of wireless
networks. Generally, deployments of wireless networks do not require
the complicated undertakings that are associated with wired networks.
For example, the ability to "connect" the network without having to add
or pull wires through walls or ceilings or modify the physical network
infrastructure can greatly expedite the installation process. As a
result, a wireless network can offer a cost-effective alternative to a
wired network. In addition to their increased ease of installation,
wireless networks can be easily scaled from small peer-to-peer networks
to very large enterprise networks that enable roaming over a broad
area. For example, an agency can greatly expand the size of its
wireless network and the number of users it can serve by increasing the
number of access points.
Wireless Networks Present Additional Challenges for Federal Information
Security:
Wireless networks face all of the information security risks that are
associated with conventional wired networks, such as worms and viruses,
malicious attacks, and software vulnerabilities, but there are
significant challenges that are unique to the wireless network
environment. In implementing wireless networks, federal agencies face
three overarching challenges to maintaining the confidentiality,
integrity, and availability of their information:
* protecting against attacks that exploit wireless transmissions,
* establishing physical control of wireless-enabled devices, and:
* preventing unauthorized wireless deployments.
Protecting Against Wireless Network Security Exploits is Challenging:
Protecting against wireless network security attacks is challenging
because information is broadcast over radio waves and can be accessed
more easily by attackers than can data in a conventional wired network.
For example, wireless communications that are not appropriately secured
are vulnerable to eavesdropping and other attacks. Poorly controlled
wireless networks can allow sensitive data, passwords, and other
information about an organization's operations to be easily read by
unauthorized users. In addition, wireless networks can experience
attacks from unauthorized parties that attempt to modify information or
transmissions. Table 1 provides examples of the different types of
attacks that can threaten wireless networks and the information that
they are transmitting.
Table 1: Examples of Wireless Network Security Threats:
Eavesdropping;
The attacker monitors transmissions for message content. For example, a
person listens to the transmissions on a network between two
workstations or tunes in to transmissions between a wireless handset
and a base station.
Traffic analysis;
The attacker, in a more subtle way, gains intelligence by monitoring
transmissions for patterns of communication. A considerable amount of
information is contained in the flow of messages among communicating
parties.
Masquerading;
The attacker impersonates an authorized user and exploits the user's
privileges to gain unauthorized access in order to modify data.
Replay;
The attacker places himself between communicating parties, intercepting
their communications, and retransmitting them; this is commonly
referred to as "Man-in-the-Middle.".
Message modification;
The attacker alters a legitimate message by deleting or modifying it.
Jamming;
Attackers flood a wireless network with excess radio signals to prevent
authorized users from accessing it. Other devices that emit radio
signals, such as cordless phones and microwaves, can also disrupt or
degrade wireless network performance.
Source: NIST.
[End of table]
Physical Control of Wireless-Enabled Devices Takes on New Importance in
Maintaining Security:
Physical control of wireless-enabled devices takes on new importance in
maintaining information security. Areas of physical risk include the
placement and configuration of wireless access points and control of
the wireless-enabled device that connects to the agency's network. For
example, it can be difficult to control the distance of wireless
network transmissions, because wireless access points can broadcast
signals from 150 feet to as far as 1,500 feet, depending on how they
are configured. As a result, wireless access points can and do
broadcast signals outside building perimeters. Figure 4 illustrates how
poorly positioned or improperly configured wireless access points may
radiate signals beyond the physical boundaries of the agency's facility
or the range within which the agency desires to send its signal.
Wireless signals broadcast from within an agency's facility that extend
through physical walls, windows, and beyond a building's perimeter--
commonly known as "signal leakage"--can increase an agency's
susceptibility to the various attacks described in table 1 above.
Figure 4: Example of Signal Leakage at Federal and Private Facilities:
[See PDF for image]
[End of figure]
In addition to the challenge of signal leakage, it can be difficult for
wireless network administrators to track the physical location of
wireless-enabled devices. For example, in conventional wired networks,
users are required to physically plug in to the agency's networks via
cable. This allows administrators to determine where each device is
connected. However, with a wireless network, pinpointing a wireless-
enabled device's location can be difficult because the device is
mobile. As a result, it can be harder for information security
officials to locate unauthorized devices and eliminate the risks they
pose.
Unauthorized Wireless Deployments Create New Challenges for Agencies'
Information Security:
Unauthorized wireless networks create two main challenges for agencies'
information security. The first challenge comes from legitimate agency
organizations, employees, or contractors seeking to benefit from the
flexibility of wireless networks. Because of the affordability and
availability of wireless network equipment, well-meaning individuals
might install unauthorized wireless-enabled devices or wireless access
points into an agency's traditional wired network environment without
the approval of the agency's chief information officer. As a result,
agency information security officials might be unaware that wireless
networks are being used and would therefore be unable to take the
appropriate mitigating actions--such as protecting against potential
wireless attacks or preventing signal leakage.
The second challenge stems from the increasing availability and
integration of wireless technology into products such as laptops. For
example, agencies that are not seeking to install a wireless network
may find that as they purchase new equipment they are buying wireless-
enabled devices. In some instances, these devices are not available
without wireless technology. As a result, an agency may inadvertently
procure wireless network components that could pose risks to its
enterprise. It is critical that agencies understand whether or not the
equipment they are procuring is wireless-enabled and determine how they
will mitigate the risks it can pose to their information and systems.
Controls Can Mitigate Wireless Network Security Challenges:
Controls such as policies, practices, and tools can help to mitigate
wireless network security challenges that federal agencies face. These
controls include:
* developing comprehensive policies that govern the implementation and
use of wireless networks,
* defining configuration requirements that provide guidance on the
deployment of available security tools,
* establishing comprehensive monitoring programs that help to ensure
that wireless networks are operating securely, and:
* training employees and contractors effectively in an agency's
wireless policies.
Developing Comprehensive Policies Can Mitigate Security Risks to
Wireless Networks:
Developing comprehensive information security policies that address the
security of wireless networks can help agencies mitigate risks. FISMA
recognizes that development of policies and procedures is essential to
cost-effectively reducing the risks associated with information
technology to an acceptable level. NIST specifies 13 elements[Footnote
4] that should be addressed in a policy for securing wireless networks.
These elements can be broadly organized into the following three
categories: (1) authorized use, (2) identification of requirements, and
(3) security controls.
Table 2: Policies for Managing Wireless Network Risks:
Authorize use of wireless networks:
identify who may use WLAN technology in an agency.
describe the type of information that may be sent over wireless links.
describe who can install access points and other wireless equipment.
describe conditions under which wireless devices are allowed.
describe limitations on how the wireless device may be used, such as
location.
provide guidelines on reporting losses of wireless devices and security
incidents.
Identify requirements:
describe the hardware and software configuration of all wireless
devices.
provide guidelines for the protection of wireless clients to
minimize/reduce theft.
identify whether Internet access is required.
Establish security controls:
define standard security settings for access points.
provide limitations on the location of and physical security for access
points.
define the frequency and scope of security assessments including access
point discovery.
provide guidelines on the use of encryption and key management.
Source: NIST.
[End of table]
By establishing policies that address the issues in table 2 above,
agencies can create a framework for applying practices, tools, and
training to help support wireless network security.
Defining Configuration Requirements Can Improve the Security of
Wireless Networks:
Defining requirements for how specific wireless security tools or
wireless-enabled devices should be used or configured can help to
improve network security in accordance with agency policy. For example,
configuration requirements can guide agency employees in identifying
and setting up wireless security tools such as encryption,
authentication, virtual private networks, and firewalls (see table 3).
Table 3: Examples of Wireless Security Tools That Can Be Configured to
Meet Agency Policies:
Encryption;
Encryption protects the confidentiality of information traversing
wireless networks by transforming data into code form (ciphertext).
Authentication;
Authentication technologies such as smart cards or time synchronized
tokens help to establish the validity of a user's claimed identity and
prevent unauthorized access to data and systems.
Virtual private networks;
Virtual private networks allow users in two separate physical locations
to establish network connections over a shared public infrastructure,
such as the Internet, with functionality that is similar to that of a
private encrypted network.
Firewalls;
Firewalls are network devices or systems that run special software to
control the flow of network traffic among networks or between a host
and a network. Firewalls on wireless networks can be used to protect a
wireless network from unauthorized access and to prevent some types of
behaviors.
Source: NIST.
[End of table]
In addition to helping promote the effective and efficient use of
security tools, establishing settings or configuration requirements for
devices such as wireless access points can help agencies manage the
risks of wireless networks. It is important to secure wireless access
points to ensure that they are not tampered with or modified.
Configuration requirements can guide the placement and signal strength
of wireless access points to minimize signal leakage and exposure to
attacks.
Comprehensive Wireless Network Monitoring Is a Key Security Practice:
Comprehensive wireless network monitoring programs are important
security for protecting wireless networks and their information.
Comprehensive wireless monitoring programs usually focus on:
* detecting signal leakage,
* determining compliance with configuration requirements, and:
* identifying authorized and unauthorized wireless-enabled devices.
Effective monitoring programs typically employ site surveys and
wireless intrusion detection systems to accomplish these goals. Site
surveys involve using wireless monitoring tools that identify wireless-
enabled devices such as wireless access points, laptops, and personal
digital assistants. Site surveys can include exterior scans of a
building to detect signal leakage. Such scans can inform agency
personnel about the strength of wireless signals and the effectiveness
of wireless access point configuration. In addition, site surveys can
assist agencies in detecting unauthorized wireless-enabled devices.
A wireless network intrusion detection system can be used to
automatically detect inappropriate activity, ensure that configuration
requirements are followed, and ensure that only authorized wireless-
enabled devices are functioning. Such a detection system scans radio
signals to obtain information on a wireless network, analyzes the
information based on set security policy, and then responds to the
analysis accordingly. An intrusion detection system for wireless
networks includes positioning sensors, similar to access points, near
authorized access points or in other areas that require monitoring. A
wireless detection system can be combined with a system designed for
wired networks to provide comprehensive network monitoring, but neither
type alone provides adequate security for both wired and wireless
networks.
Training Staff is a Fundamental Element of Successful Wireless Security:
Training employees and contractors in an agency's wireless policies is
a fundamental part of ensuring that wireless networks are configured,
operated, and used in a secure and appropriate manner. For security
policies to be effective, those expected to comply with them must be
aware of them. FISMA mandates that agencies provide security awareness
training for their personnel, including contractors and other users of
information systems that support the operations and assets of the
agency.[Footnote 5] It is important to provide training on technology
to ensure that users comply with current policies. NIST also strongly
recommends specific training on wireless security and asserts that
trained and aware users are the most important protection against
wireless risks.
Federal Agencies Lack Key Controls for Securing Wireless Networks:
Agencies often lack key controls for securing wireless networks, such
as:
* comprehensive policies that govern the implementation and use of
wireless networks,
* configuration requirements that provide guidance on the settings and
deployment of available security tools,
* comprehensive monitoring programs that help to ensure that wireless
networks are operating securely, and:
* training in an agency's wireless policies for both employees and
contractors.
If agencies do not establish effective controls for securing federal
wireless networks, federal information and operations can be placed at
risk.
Agencies Have Not Developed Comprehensive Policies for Wireless
Networks:
Many agencies have not developed policies addressing wireless networks,
and those that have often omitted key elements. Nine of the 24 major
agencies reported having no specific policies and procedures related to
wireless networks. Thirteen agencies stated that they had established
policies that authorize the operation and use of wireless networks.
Twelve of these 13 agencies also reported that their policies extended
to the use of wireless networks by contractors. Two federal agencies
reported having policies that forbid the use of wireless networks or
devices.
Policies for many of the agencies did not address acceptable use of
wireless networks. For example, 7 of the 13 agencies with policies had
not established an acceptable use policy or provided specific guidance
on the type of information agency personnel were allowed to transmit
using wireless networks. NIST guidance recommends that acceptable use
policies delineate the type of information that may be sent over
wireless networks, in order to reduce the risk that sensitive
information will be exposed. Without establishing acceptable use
policies, agencies will not be able to determine whether wireless
networks are being used appropriately. The lack of such a policy could
result in unauthorized disclosure of agency information or could
increase the agency's risk of a security breach.
Most Agencies Have Not Set Configuration Requirements for Wireless
Networks:
Thirteen of 24 agencies reported not having configuration requirements
for wireless networks. Further, the configuration requirements
submitted by the remaining 11 agencies were often incomplete, omitting
key elements that NIST guidance identifies--such as the use of and
settings for security tools, including encryption, authentication,
virtual private networks, and firewalls; the placement and strength of
wireless access points to minimize signal leakage; and the physical
protection of wireless-enabled devices. Two of the 11 agencies with
policies had established configuration requirements that addressed all
of these elements. However, the configuration requirements of the other
9 agencies did not cover key areas of wireless security. For example,
* Three agencies did not have policies explaining how to configure
wireless access points and other wireless-enabled devices.
* Five agencies have not developed detailed guidance describing how to
physically secure wireless-enabled devices.
Most Agencies Lack Comprehensive Wireless Network Monitoring Programs:
Most of the major agencies have not established comprehensive wireless
network monitoring programs for detecting signal leakage or ensuring
compliance with security policies. For example, 14 agencies, including
4 agencies that permit wireless networks, do not monitor for signal
leakage. Additionally, 19 agencies report not monitoring the data
flowing through their systems to ensure that users of wireless networks
are complying with acceptable use policies. Further, 14 agencies have
not established programs to monitor wireless networks to ensure
compliance with configuration requirements.
Fifteen agencies reported monitoring for the existence of unauthorized
or "rogue" wireless networks. Of these 15 agencies, only 6 continuously
monitored their facilities 24 hours a day. The remaining 9 agencies
monitored only periodically, sometimes as rarely as twice a year. The
lack of continuous monitoring, combined with the ease of setting up
wireless networks, creates a situation in which wireless networks can
be operating in agencies with neither authorization nor the required
security configurations. Consequently, agencies may not be able to
determine whether security policies are being implemented in an
appropriate manner, whether employees are conforming to policy, and--
more importantly--they may not have a full understanding of the
existing risks to agency information and information systems. Even if
an agency does not allow wireless networks, monitoring is one of the
most effective ways to ensure compliance with agency policy.
The Majority of Agencies Have Not Established Wireless Security
Training Efforts:
Eighteen of the 24 agencies have not established any training programs
for their employees and contractors on wireless security or the
policies surrounding wireless networks. FISMA requires that agencies
provide information security awareness training to all personnel,
including contractors. Awareness about wireless security challenges can
assist employees in complying with policies and procedures to reduce
agency information security risks. Without such training, employees and
contractors may practice behaviors that threaten the safety of the
agency's data. For example, employees may use wireless-enabled devices-
-configured to attach to wireless networks automatically--to access the
agency's private wired network. An attacker might connect to such a
device, accessing the agency's network under a legitimate user's
authority.
Selected Agencies Did Not Implement Wireless Networks Securely:
We tested the wireless network security at the headquarters of six
federal agencies in Washington, D.C., and identified significant
weaknesses related to signal leakage, configuration, and unauthorized
devices.
* Signal leakage--We were able to detect signal leakage outside the
headquarters buildings at all six agencies. In one case, we were able
to detect an agency's network while we were testing at another agency
several blocks away. By not managing signal leakage, agencies increase
their susceptibility to attack. In addition, the confidentiality of
agency data may be diminished because an unauthorized user could be
eavesdropping or monitoring wireless traffic.
* Insecure configurations--We also found wireless-enabled devices
operating with insecure configurations at all six agencies. For
example, at one agency over 90 wireless laptops were attempting to
associate with wireless networks while they were connected to the
agency's wired networks. This configuration could provide unauthorized
access to an agency's internal networks. In all six agencies we found
wireless devices operating in ad hoc mode. In over half of these cases
the ad hoc networks could be detected outside of the building and could
have provided access to the agency's networks. We found these
situations at agencies without monitoring programs as well as at
agencies with extensive monitoring programs.
* Unauthorized wireless-enabled devices--We detected unauthorized
wireless-enabled devices at all six agencies. These devices included
both unauthorized wireless access points and ad hoc wireless networks.
None of the six agencies we tested maintained continuous wireless
monitoring. Three had programs that would periodically test portions of
their facilities; however, periodic monitoring was not sufficient to
prevent unauthorized wireless activity.
Signal leakage, insecure configuration, and unauthorized wireless
devices pose serious risks to the confidentiality, integrity, and
availability of the information of the six agencies we tested. Because
attackers in a wireless environment can focus on an easily discernable
location, such as a headquarters building, federal agencies need to be
especially concerned about signal leakage, insecure configurations, and
unauthorized devices. If wireless signals emanate from a building, they
could make the agency a target of attack.
Conclusions:
Wireless networks can offer a wide range of benefits to federal
agencies, including increased productivity, decreased costs, and
additional flexibility for the federal workforce. However, wireless
networks also present significant security challenges to agency
management. The affordability of wireless technology, along with the
increasing integration of wireless capabilities into equipment procured
by the federal government, increases the importance of developing
appropriate policies, procedures, and practices. Such actions could
help ensure that wireless devices and networks do not place federal
information and information systems at increased risk.
Currently, the lack of key controls in federal agencies means that
unauthorized or poorly configured wireless networks could be creating
new vulnerabilities. In some instances, the lack of policies and
procedures for assessing and protecting wireless networks is impeding
agency efforts to effectively address wireless security. In other
cases, agencies' ineffective compliance monitoring hinders their
ability to detect unauthorized wireless devices, ensure compliance with
agency policies, and supervise behavior on wireless networks. Finally,
the majority of agencies have not trained their employees and
contractors in the challenges of wireless networking and in agency
policies concerning this technology.
Our testing at six major federal agencies found significant security
weaknesses: signal leakage, insecure configurations of wireless
equipment, and unauthorized devices. Wireless network security is a
serious, pervasive, and crosscutting challenge to federal agencies,
warranting increased attention from OMB. If these challenges are not
addressed, federal agency information and operations will be at
increased risk.
Recommendation for Executive Action:
Because of the governmentwide challenges of wireless network security,
we recommend that the Director of OMB instruct the federal agencies to
ensure that wireless network security is incorporated into their
agencywide information security programs, in accordance with FISMA. In
particular, agencywide security programs should include:
* robust policies for authorizing the use of the wireless networks,
identifying requirements, and establishing security controls for
wireless-enabled devices in accordance with NIST guidance;
* security configuration requirements for wireless devices that include:
* available security tools, such as encryption, authentication, virtual
private networks, and firewalls;
* placement and strength of wireless access points to minimize signal
leakage; and:
* physical protection of wireless-enabled devices;
* comprehensive monitoring programs, including the use of tools such as
site surveys and intrusion detection systems to:
* detect signal leakage;
* ensure compliance with configuration requirements;
* ensure only authorized access and use of wireless networks; and:
* identify unauthorized wireless-enabled devices and activities in the
agency's facilities; and:
* wireless security training for employees and contractors.
Agency Comments:
In providing oral comments on a draft of this report, representatives
of OMB's Office of Information and Regulatory Affairs and Office of
General Counsel told us that they generally agreed with the contents of
the report. OMB officials told us that NIST is developing updated
wireless guidance for the federal agencies, which is scheduled to be
issued for comment in August 2005. Further, OMB stressed that the
agencies have the primary responsibility for complying with FISMA's
information security management program requirements. OMB told us that
as part of its annual review of agency information security programs,
it would consider whether agencies' programs adequately addressed
emerging technology issues such as wireless security before approving
them.
We are sending copies of this report to the Director of OMB and to
interested congressional committees. We will provide copies to other
interested parties upon request. The report will also be available on
GAO's Web site at [Hyperlink, http://www.gao.gov].
If you have any questions or wish to discuss this report, please
contact either Gregory Wilshusen at (202) 512-6244 or Keith Rhodes at
(202) 512-6412. We can also be reached at [Hyperlink,
wilshuseng@gao.gov] or [Hyperlink, rhodesk@gao.gov]. Key contributors
to this report are listed in appendix II.
Sincerely yours,
Signed by:
Gregory C. Wilshusen:
Director, Information Security Issues:
Keith A. Rhodes:
Chief Technologist:
[End of section]
Appendixes:
Appendix I: Objectives, Scope, and Methodology:
The objectives of our review were to:
* describe the benefits and challenges associated with securing
wireless networks,
* identify the controls (policies, practices, and tools) available to
assist federal agencies in securing wireless networks,
* analyze the wireless policies and practices reported by each of the
24 agencies covered by the Chief Financial Officers (CFO) Act of
1990,[Footnote 6] and:
* test the security of wireless networks at the headquarters of six
major federal agencies in Washington, D.C.
For the first three objectives, the scope of our review included (1)
the 24 agencies under the CFO Act and focused on wireless networks
conforming to the 802.11x standard. For the fourth objective, we tested
the wireless network security at 6 major federal agencies. Our review
did not evaluate the risks that remote wireless users, such as
teleworkers, might pose to agency systems.
To determine the benefits and challenges of using 802.11x wireless
networks securely, we reviewed federal and private-sector technical
documents, including National Institute of Standards and Technology
(NIST) guidance and leading private sector practices. Additionally, we
documented the various benefits and challenges of wireless networks
with representatives from private-sector wireless security providers,
federal experts and agency officials, and financial institutions.
To determine what controls were available to agencies for securing
their 802.11x wireless networks, we reviewed federal and private-sector
technical documents, including NIST guidance and leading private-sector
practices. Additionally, we documented various controls for securing
wireless networks--such as policies, practices, and tools--with
representatives of private-sector wireless security providers, federal
experts and agency officials, and financial institutions.
To determine the wireless security practices and policies used at
federal agencies, we conducted a survey of the 24 CFO agencies. We
developed a series of questions that were incorporated into a Web-based
survey instrument. We tested this instrument with one federal agency
and internally at GAO through our Chief Information Officer's office.
The survey included questions on the agencies' use of wireless networks
and their policies and procedures for securing them. For each agency to
be surveyed, we identified the office of the chief information officer,
notified each office of our work, and, distributed a link to each
office via e-mail to allow them to access the Web-based survey. In
addition, we discussed the purpose and content of the survey with
agency officials when they requested it. All 24 agencies responded to
our survey. We did not verify the accuracy of the agencies' responses;
however, we reviewed supporting documentation that the agencies
provided to validate their responses. We contacted agency officials
when necessary for follow-up.
Although this was not a sample survey and, therefore, there were no
sampling errors, conducting any survey may introduce errors--commonly
referred to as nonsampling errors. For example, difficulties in how a
particular question is interpreted, in the sources of information that
are available to respondents, or in how the data are entered into a
database or analyzed can introduce unwanted variability into the survey
results. We took steps in the development of the survey instrument, the
data collection, and the data analysis to minimize these nonsampling
errors. For example, a survey specialist designed the survey instrument
in collaboration with GAO staff with subject-matter expertise. Then, as
stated earlier, it was pretested to ensure that the questions were
relevant, clearly stated, and easy to comprehend. When the data were
analyzed, a second, independent analyst checked all computer programs.
Because this was a Web-based survey, respondents entered their answers
directly into the electronic questionnaire. This eliminated the need to
have the data keyed into a database, thus removing an additional
potential source of error.
To assess the state of wireless security at a selected group of federal
agencies, we conducted onsite network surveys at 6 of the 24 CFO
agencies. We selected 6 agencies in various stages of wireless
implementation: 2 had established wireless networks, 1 had a pilot
system, 2 did not have any authorized wireless networks, and 1 forbade
the use of wireless. At each agency's Washington, D.C., headquarters,
we scanned for signal leakage and wireless activity, using wireless
monitoring tools both inside and outside the agency's facility. For
security purposes, we do not identify the 6 agencies in the report.
We performed our work in the Washington, D.C., metropolitan area from
September 2004 to March 2005, in accordance with generally accepted
government auditing standards.
[End of section]
Appendix II: Contacts and Staff Acknowledgments:
GAO Contact:
J. Paul Nicholas, (202) 512-4457, Assistant Director:
Staff Acknowledgments:
In addition to the person mentioned above, Mark Canter, Lon Chin, West
Coile, Derrick Dicoi, Neil Doherty, Joanne Fiorino, Suzanne Lightman,
Kush Malhotra, and Christopher Warweg made key contributions to this
report.
(310534):
FOOTNOTES
[1] 31 U.S.C. 901(b).
[2] 44 U.S.C. §3544(b).
[3] 44 U.S.C. §3543(a)(8).
[4] National Institute of Standards and Technology, Wireless Network
Security: 802.11, Bluetooth and Handheld Devices, Special Publication
800-48 (Gaithersburg, Md.: November 2002).
[5] 44 U.S.C. §3544(b)(4).
[6] 31 U.S.C. 901(b).
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548:
