Information Security
Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risk Gao ID: GAO-11-43 November 30, 2010Over the past several years, federal agencies have rapidly adopted the use of wireless technologies for their information systems. In a 2005 report, GAO recommended that the Office of Management and Budget (OMB), in its role overseeing governmentwide information security, take several steps to help agencies better secure their wireless networks. GAO was asked to update its prior report by (1) identifying leading practices and state-of-the-art technologies for deploying and monitoring secure wireless networks and (2) assessing agency efforts to secure wireless networks, including their vulnerability to attack. To do so, GAO reviewed publications, guidance, and other documentation and interviewed subject matter experts in wireless security. GAO also analyzed policies and plans and interviewed agency officials on wireless security at 24 major federal agencies and conducted additional detailed testing at these 5 agencies: the Departments of Agriculture, Commerce, Transportation, and Veterans Affairs, and the Social Security Administration.
GAO identified a range of leading security practices for deploying and monitoring secure wireless networks and technologies that can help secure these networks. The leading practices include the following: (1) comprehensive policies requiring secure encryption and establishing usage restrictions, implementation practices, and access controls; (2) a risk-based approach for wireless deployment and monitoring; (3) a centralized wireless management structure that is integrated with the management of the existing wired network; (4) configuration requirements for wireless networks and devices; (5) incorporation of wireless and mobile device security in training; (6) use of encryption, such as a virtual private network for remote access; (7) continuous monitoring for rogue access points and clients; and (8) regular assessments to ensure wireless networks are secure. Agencies have taken steps to secure their wireless networks, but more can be done to improve security and to limit vulnerability to attack. Specifically, application was inconsistent among the agencies for most of the following leading practices: (1) Most agencies developed policies to support federal guidelines and leading practices, but gaps existed, particularly with respect to dual-connected laptops and mobile devices taken on international travel. (2) All agencies required a risk-based approach for management of wireless technologies. (3) Many agencies used a decentralized structure for management of wireless, limiting the standardization that centralized management can provide. (4) The five agencies where GAO performed detailed testing generally securely configured wireless access points but had numerous weaknesses in laptop and smartphone configurations. (5) Most agencies were missing key elements related to wireless security in their security awareness training. (6) Twenty agencies required encryption, and eight of these agencies specified that a virtual private network must be used; four agencies did not require encryption for remote access. (7) Many agencies had insufficient practices for monitoring or conducting security assessments of their wireless networks. Existing governmentwide guidelines and oversight efforts do not fully address agency implementation of leading wireless security practices. Until agencies take steps to better implement these leading practices, and OMB takes steps to improve governmentwide oversight, wireless networks will remain at an increased vulnerability to attack.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Gregory C. Wilshusen Team: Government Accountability Office: Information Technology Phone: (202) 512-6244GAO-11-43, Information Security: Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risk
This is the accessible text file for GAO report number GAO-11-43
entitled 'Information Security: Federal Agencies Have Taken Steps to
Secure Wireless Networks, but Further Actions Can Mitigate Risk' which
was released on November 30, 2010.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as
part of a longer term project to improve GAO products' accessibility.
Every attempt has been made to maintain the structural and data
integrity of the original printed product. Accessibility features,
such as text descriptions of tables, consecutively numbered footnotes
placed at the end of the file, and the text of agency comment letters,
are provided but may not exactly duplicate the presentation or format
of the printed version. The portable document format (PDF) file is an
exact electronic replica of the printed version. We welcome your
feedback. Please E-mail your comments regarding the contents or
accessibility features of this document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
United States Government Accountability Office:
GAO:
Report to Congressional Committees:
November 2010:
Information Security:
Federal Agencies Have Taken Steps to Secure Wireless Networks, but
Further Actions Can Mitigate Risk:
GAO-11-43:
GAO Highlights:
Highlights of GAO-11-43, a report to congressional committees.
Why GAO Did This Study:
Over the past several years, federal agencies have rapidly adopted the
use of wireless technologies for their information systems. In a 2005
report, GAO recommended that the Office of Management and Budget
(OMB), in its role overseeing governmentwide information security,
take several steps to help agencies better secure their wireless
networks.
GAO was asked to update its prior report by (1) identifying leading
practices and state-of-the-art technologies for deploying and
monitoring secure wireless networks and (2) assessing agency efforts
to secure wireless networks, including their vulnerability to attack.
To do so, GAO reviewed publications, guidance, and other documentation
and interviewed subject matter experts in wireless security. GAO also
analyzed policies and plans and interviewed agency officials on
wireless security at 24 major federal agencies and conducted
additional detailed testing at these 5 agencies: the Departments of
Agriculture, Commerce, Transportation, and Veterans Affairs, and the
Social Security Administration.
What GAO Found:
GAO identified a range of leading security practices for deploying and
monitoring secure wireless networks and technologies that can help
secure these networks. The leading practices include the following:
* comprehensive policies requiring secure encryption and establishing
usage restrictions, implementation practices, and access controls;
* a risk-based approach for wireless deployment and monitoring;
* a centralized wireless management structure that is integrated with
the management of the existing wired network;
* configuration requirements for wireless networks and devices;
* incorporation of wireless and mobile device security in training;
* use of encryption, such as a virtual private network for remote
access;
* continuous monitoring for rogue access points and clients; and;
* regular assessments to ensure wireless networks are secure.
Agencies have taken steps to secure their wireless networks, but more
can be done to improve security and to limit vulnerability to attack.
Specifically, application was inconsistent among the agencies for most
of the following leading practices:
* Most agencies developed policies to support federal guidelines and
leading practices, but gaps existed, particularly with respect to dual-
connected laptops and mobile devices taken on international travel.
* All agencies required a risk-based approach for management of
wireless technologies.
* Many agencies used a decentralized structure for management of
wireless, limiting the standardization that centralized management can
provide.
* The five agencies where GAO performed detailed testing generally
securely configured wireless access points but had numerous weaknesses
in laptop and smartphone configurations.
* Most agencies were missing key elements related to wireless security
in their security awareness training.
* Twenty agencies required encryption, and eight of these agencies
specified that a virtual private network must be used; four agencies
did not require encryption for remote access.
* Many agencies had insufficient practices for monitoring or
conducting security assessments of their wireless networks.
Existing governmentwide guidelines and oversight efforts do not fully
address agency implementation of leading wireless security practices.
Until agencies take steps to better implement these leading practices,
and OMB takes steps to improve governmentwide oversight, wireless
networks will remain at an increased vulnerability to attack.
What GAO Recommends:
GAO is making two recommendations to OMB to enhance governmentwide
oversight and four recommendations to the Department of Commerce for
additional guidelines related to wireless security. The Department of
Commerce concurred with GAO‘s recommendations. OMB did not provide
comments on the report.
View [hyperlink, http://www.gao.gov/products/GAO-11-43] or key
components. For more information, contact Gregory Wilshusen at (202)
512-6244 or wilshuseng@gao.gov or Nabajyoti Barkakati at (202) 512-
4499 or barkakatin@gao.gov.
Contents:
Letter:
Background:
Comprehensive Policies, Use of Secure Technologies, Risk-Based
Approach, Training, and Monitoring Among Leading Practices for
Deploying and Monitoring Secure Wireless Networks:
Agencies Have Acted to Secure Wireless Networks, but Additional Steps
Are Needed to Effectively Mitigate Security Challenges:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Comments from the Department of Commerce:
Appendix III: GAO Contacts and Staff Acknowledgments:
Tables:
Table 1: Examples of Network Security Threats:
Table 2: Wireless Security Guidelines Identified in NIST Guidelines:
Table 3: Guidelines in NIST Publications Addressing Recommendations
from GAO-05-383:
Table 4: Leading Practices for Securing Wireless Networks and
Technologies:
Figures:
Figure 1: Example of a Wireless Infrastructure Mode Network:
Figure 2: Example of Wireless Ad Hoc Networking:
Figure 3: Dual-Connect Attack Scenario:
Figure 4: Wireless Man-in-the-Middle Attack Scenario:
Figure 5: Smartphone Data Attack Scenario:
Abbreviations:
DISA: Defense Information Systems Agency:
DHS: Department of Homeland Security:
EAP: extensible authentication protocol:
FDCC: Federal Desktop Core Configuration:
FIPS: Federal Information Processing Standards:
FISMA: Federal Information Security Management Act:
IEEE: Institute of Electrical and Electronics Engineers:
IT: information technology:
IPv6: Internet protocol version 6:
NIST: National Institute of Standards and Technology:
OMB: Office of Management and Budget:
PDA: personal digital assistant:
SP: Special Publications:
VPN: virtual private network:
WEP: wired equivalent privacy:
WiMAX: Worldwide Interoperability for Microwave Access:
WPA: Wi-Fi Protected Access:
WLAN: wireless local area network:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
November 30, 2010:
The Honorable Richard J. Durbin:
Chairman:
The Honorable Susan Collins:
Ranking Member:
Subcommittee on Financial Services and General Government:
Committee on Appropriations:
United States Senate:
The Honorable José E. Serrano:
Chairman:
The Honorable Jo Ann Emerson:
Ranking Member:
Subcommittee on Financial Services and General Government:
Committee on Appropriations:
House of Representatives:
In the last several years, federal agencies have increasingly adopted
the use of wireless technologies. While wireless technologies provide
many potential benefits, including greater flexibility for a mobile
workforce and ease of installation and use, they also pose significant
risks to information and systems. Wireless technologies use radio
waves instead of direct physical connections to transmit data between
networks and devices. As a result, without proper security
precautions, these data can be more easily intercepted and altered
than if being transmitted through physical connections.
We have previously reported on the security of wireless networks at
federal agencies in 2005.[Footnote 1] The conference report
accompanying the Financial Services and General Government
Appropriations Act, 2010, directed us to update our 2005 report.
[Footnote 2] Accordingly, our objectives for this report were to: (1)
identify leading practices and state-of-the-art technologies for
deploying and monitoring secure wireless networks and (2) assess
agency efforts to secure wireless networks, including their
vulnerability to attack.
To identify leading practices and state-of-the-art technologies for
deploying and monitoring secure wireless networks, we obtained and
reviewed publications, guidance, and other documentation, and
interviewed private and federal subject matter experts. To assess
agency efforts to secure wireless networks, we reviewed agency
documents and conducted structured interviews with agency officials to
learn about the wireless posture at 24 major federal
agencies.[Footnote 3] We supplemented these questions with site visits
and detailed testing of wireless security controls at five of the
agencies.
We conducted this performance audit from January 2010 to November
2010, in accordance with generally accepted government auditing
standards. Those standards require that we plan and perform the audit
to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objectives. Appendix I
contains additional details on the objectives, scope, and methodology
of our review.
Background:
The advantages of wireless technology for federal agencies include
increased flexibility, easier installation, and easier scalability
than wired technologies. If a federal agency has installed a wireless
infrastructure, users with wireless-enabled devices can more easily
connect to the agency's network throughout its facilities. In
addition, agency employees traveling with wireless-enabled devices may
be able to connect to an agency network via any one of the many public
Internet access points or hot spots. Installation can be easier and
less costly because the network can be established without having to
pull cables through walls or ceilings or modify the physical network
infrastructure. Wireless networks can also be easily scaled from small
peer-to-peer networks to very large enterprise networks. For example,
an agency can greatly expand the size of its wireless network and the
number of users it can serve by increasing the number of access
points. The following wireless technologies are commonly used by
federal agencies:
* wireless local area network (WLAN)--a group of wireless networking
nodes within a limited geographic area that serve as an extension to
existing wired local area networks;
* wireless personal area network--used to establish small-scale
wireless networks such as those using Bluetooth®, which is an open
standard for short-range communication; and:
* wireless cellular networks--a telecommunications network managed by
a service provider that supports smartphones, which offer the ability
to provide data such as e-mail and Web browsing wirelessly over
cellular networks, and cellular data cards, which provide Internet
connectivity to laptop computers.
Wireless Local Area Networks:
WLANs are generally composed of two basic elements: access points and
other wireless-enabled client devices, such as laptop computers. These
elements rely on radio transmitters and receivers to communicate with
each other. Access points are physically wired to a conventional
network and provide a means for wireless devices to connect to them.
WLANs that are based on the Institute of Electrical and Electronics
Engineers[Footnote 4] (IEEE) 802.11 standards are also known as Wi-Fi.
WLANs are characterized by one of the following two basic structures,
referred to as infrastructure mode and ad hoc mode:
* Infrastructure mode. By deploying one or more access points that
broadcast overlapping signals, an organization can achieve broad
wireless network coverage. Infrastructure mode enables a laptop or
other mobile device to be moved about freely while maintaining access
to the resources of the wired network (see figure 1).
Figure 1: Example of a Wireless Infrastructure Mode Network:
[Refer to PDF for image: illustration]
The illustration depicts a traditional wired network with wireless
access points and mobile devices connecting to that point.
Sources: GAO; Microsoft Visio and Art Explosion (images).
[End of figure]
* Ad hoc mode. This type of wireless structure allows wireless devices
that are near one another to easily interconnect. In ad hoc mode,
wireless-enabled devices can share network functionality without the
use of an access point or a wired network connection (see figure 2).
Figure 2: Example of Wireless Ad Hoc Networking:
[Refer to PDF for image: illustration]
The illustration depicts mobile devices sharing network functionality
without the use of an access point.
Sources: GAO; Microsoft Visio and Art Explosion (images).
[End of figure]
After approval of the initial IEEE 802.11 standard in 1997, IEEE
released several 802.11 amendments to increase WLAN network speeds to
be more comparable to that of wired networks. The 802.11 standard and
these subsequent amendments include security features known
collectively as wired equivalent privacy (WEP). However,
configurations that use WEP have significant security flaws.
To address these flaws, IEEE released the 802.11i security standard in
2004, which specifies security components that work together with
802.11 transmission standards. The IEEE 802.11i security standard
supports wireless connections that provide moderate to high levels of
assurance against WLAN security threats through the use of different
cryptographic techniques.
While IEEE was developing 802.11i, the Wi-Fi Alliance[Footnote 5]
developed the Wi-Fi Protected Access (WPA) security certification as
an interim means to improve security over WEP. The protocols used
under the WPA certification address vulnerabilities of WEP, but the
certification does not require support for strong encryption.
In conjunction with the ratification of the 802.11i security standard
in 2004, the Wi-Fi Alliance introduced WPA2--the interoperability
certification for 802.11i. The WPA2 certification extends the security
capabilities offered by WPA to include all requirements of the 802.11i
standard. Both WPA and WPA2 offer two modes of operation: Personal and
Enterprise. WPA2-Personal protects unauthorized network access by
using a preshared password as a key for network setup and access,
while WPA2-Enterprise verifies network users through an authentication
server. In most cases, WPA2-Enterprise is recommended to eliminate the
continuous process of generating, deploying, and replacing outdated
passwords. Although WPA2-Enterprise-certified products provide more
security protections than WEP and WPA, recent reports revealed that
wireless networks protected with WPA2-Enterprise encryption can also
be susceptible to attacks.
Most recently, in 2009, IEEE ratified the 802.11w-2009 standard, which
further increases the overall security of 802.11-based networks.
Specifically, 802.11w-2009 provides improved protection for WLANs by
defining additional encryption security features to help prevent
incidents such as denial of service attacks against WLANs.
Wireless Personal Area Networks:
Wireless personal area networks provide wireless connectivity to
devices such as telephone headsets or computer keyboards within close
proximity. Bluetooth is commonly used to establish these types of
networks. Several versions of the Bluetooth standard have been adopted
by the Bluetooth Special Interest Group.[Footnote 6]
Each Bluetooth device must operate in one of the four security modes
defined by the Bluetooth standard. Each version of Bluetooth supports
some, but not all, of these modes.
Wireless Cellular Networks:
Cellular networks are managed by service providers who provide
coverage based on dividing a large geographical service area into
smaller areas of coverage called cells. As a mobile phone moves from
one cell to another, a cellular arrangement requires active
connections to be monitored and effectively passed along between cells
to maintain the connection.
In addition to cellular phones, cellular networks support smartphones
and cellular data cards. Smartphones offer more functionality than
basic cellular phones, including e-mail and other office productivity
applications and have extended expansion capabilities through
peripheral card slots and other built-in wireless communications such
as Bluetooth and Wi-Fi. Cellular data cards allow laptop users to
connect to the Internet anywhere cellular service is available.
However, cellular data cards can only access the Internet if the user
is within the service provider's network coverage area.
Federal Agencies Make Widespread Use of Wireless Technologies:
Agencies reported significant use of WLANs to extend working mobility
for employees and contractors. For example, 18 agencies reported using
WLANs in a variety of ways. Five agencies reported having wireless
networks available for headquarters along with field offices or
components. Twelve other agencies reported that components have
different wireless practices than headquarters. For example, one major
agency reported no WLANs at its headquarters, but it has components
that use them. Further, several agencies use wireless networks for
more limited purposes than connecting to the core agency network.
Specifically, five agencies reported offering WLANs that connect
directly to the Internet for use in conference rooms or other public
spaces. Another agency reported using wireless access points to
provide Internet connectivity at outdoor construction sites.
Personal area networks using Bluetooth technology were also reported
by many agencies. Specifically, 14 agencies reported using Bluetooth
devices. Ten agencies reported permitting cellular phone users to
connect wireless headsets, and four agencies reported permitting
wireless keyboards or mice.
Agencies also reported extensive use of smartphones and cellular data
cards. All 24 agencies we queried reported using smartphones,
primarily the BlackBerry® brand. Agencies' smartphone management
structures included: management through a central server located at
the department level or at the component level and one component or
office providing smartphone management to another office. Seventeen
agencies reported using cellular data cards to provide Internet
connectivity to user laptops. These cards and services are typically
provided by commercial telecommunications carriers.
Wireless Technologies Are Susceptible to Security Risks:
Without proper safeguards, computer systems are vulnerable to
individuals and groups with malicious intent who can intrude and use
their access to obtain sensitive information, commit fraud, disrupt
operations, or launch attacks against other computer systems and
networks. The risk to these systems is well-founded for a number of
reasons, including the dramatic increase in reports of security
incidents, the ease of obtaining and using hacking tools, and steady
advances in the sophistication and effectiveness of attack technology.
Table 1 provides a compilation of threats to wireless and wired
networks as identified by the National Institute of Standards and
Technology (NIST).
Table 1: Examples of Network Security Threats:
Denial-of-service:
Preventing or limiting the normal use or management of networks or
network devices.
Eavesdropping:
Passively monitoring network communications for data, including
authentication credentials.
Man-in-the-middle:
Actively impersonating multiple legitimate parties, such as appearing
as a client to an access point and appearing as an access point to a
client. Allows attacker to intercept communications between an access
point and a client, thereby obtaining authentication credentials and
data.
Masquerading:
Impersonating an authorized user and gaining unauthorized privileges.
Message modification:
Altering a legitimate message by deleting, adding to, changing, or
reordering it.
Message replay:
Passively monitoring transmissions and retransmitting messages, acting
as if the attacker were a legitimate user.
Misappropriation:
Stealing or making unauthorized use of a service.
Traffic analysis:
Passively monitoring transmissions to identify communication patterns
and participants.
Source: GAO analysis of NIST data.
[End of table]
Wireless networks also face challenges that are unique to their
environment. A significant difference between wireless and wired
networks is the relative ease of intercepting WLAN transmissions. For
WLANs, attackers only need to be in range of wireless transmissions
and do not have to gain physical access to the network or remotely
compromise systems on the network. WLANs also have to protect against
the deployment of unauthorized wireless devices, such as access
points, that are configured to appear as part of an agency's wireless
network infrastructure. In implementing wireless networks, federal
agencies need to address these challenges to maintain the
confidentiality, integrity, and availability of the information.
Bluetooth-enabled devices are susceptible to general networking
threats and are also threatened by more specific Bluetooth-related
attacks such as bluesnarfing, which enables attackers to gain access
to a Bluetooth-enabled device by exploiting a software flaw in older
devices.
Smartphones are also susceptible to general networking threats and
face additional security risks. Those risks include those caused by
their size and portability, as well as the availability of different
wireless interfaces and associated services. For example, the size and
portability of smartphones can result in the loss of physical control
of a device that could reveal sensitive data to an unauthorized user.
Recent articles released by the media reinforce the need for federal
agencies to secure their wireless networks and devices. Examples of
reported incidents and risks include the following:
* A retail company admitted in 2007 that hackers located and tested
wireless networks for vulnerabilities and installed programs on these
networks to steal the credit card information of more than 45 million
consumers.
* An assessment of wireless vulnerability conducted in 2008 at 27
airports that had wireless networks found that personal information
could be leaked because only 3 percent of hot spot users used a
virtual private network (VPN)[Footnote 7] to encrypt their data.
* In 2009, a counterintelligence official described how smartphones
could have been tagged, tracked, monitored, and exploited at the 2008
Beijing Olympics. The malicious software could have also posed a
threat to e-mail servers in the United States.
Scenarios Provide Examples of Attacks Using Wireless Vulnerabilities:
The following scenarios (figs. 3-5) provide examples of well-known
attacks used to exploit vulnerabilities in wireless technologies.
These scenarios do not represent all possible attacks on wireless
technology vulnerabilities.
In a dual-connect scenario (see figure 3), the attacker exploits
insecure laptop configurations to gain unauthorized access to an
organization's core network.
Figure 3: Dual-Connect Attack Scenario:
[Refer to PDF for image: illustration]
1) A target laptop has a wired connection to the agency network. With
wireless enabled, the target laptop automatically looks for any
previously connected wireless networks by network name.
2) An attacker with a scanning tool can identify wireless network
names and deploy a rogue wireless access point with the same name as
one of the previously connected wireless networks.
3) While still connected to the agency network, the target laptop
automatically connects to the rogue wireless access point, creating a
dual connection, i.e., the target laptop has both an active wired and
wireless connection.
4) While connected to the rogue wireless access point, the target
laptop can be probed and vulnerabilities exploited that could provide
an attacker with access to the agency network through the target
laptop. [Agency core wired network]
5) With unauthorized access to an agency network, an attacker is
capable of destroying, modifying, or copying sensitive information.
Source: GAO; Art Explosion (images).
[End of figure]
Wireless man-in-the-middle attacks (see figure 4) use an insecure
laptop configuration to intercept or alter information transmitted
wirelessly between the target laptop and a wireless access point.
Figure 4: Wireless Man-in-the-Middle Attack Scenario:
[Refer to PDF for image: illustration]
1) While located between a target laptop and a legitimate wireless
access point, an attacker impersonates the legitimate access point.
2) The target laptop unintentionally connects to the rogue wireless
access point, which acts as a man-in-the-middle, reading and then
relaying information to the legitimate access point.
3) The rogue wireless access point can then intercept network
communications between the target laptop and the legitimate access
point.
4) As a result, the attacker could read and modify sensitive data in
transmission, or inject malicious code to infect the target laptop.
Source: GAO; Art Explosion (images).
[End of figure]
Attacks on smartphones (see figure 5) can involve stealing data or
injecting malicious code using phone storage cards.
Figure 5: Smartphone Data Attack Scenario:
[Refer to PDF for image: illustration]
1) Smartphones have the capability to store data on removable storage
cards.
2) If this capability is not disabled and the target phone is left
unattended, an attacker could replace the storage card with a card
with malicious code or simply remove the storage card with its
contents that could include sensitive information.
Source: GAO.
[End of figure]
Federal Laws and Guidelines Provide a Framework for Wireless Security
Policies:
The Federal Information Security Management Act (FISMA) of 2002
requires each agency to develop, document, and implement an agencywide
information security program to provide security for the data and
information systems that support the agency‘s operations and assets.
[Footnote 8] Significant amounts of agency data are stored on and
transmitted through wireless devices and networks. Wireless
technologies are often important parts of the information systems that
support the agency‘s operations and assets. Accordingly, wireless
technologies are typically encompassed by agency information security
programs required under FISMA. FISMA also assigns additional
information security responsibilities for the Office of Management and
Budget (OMB) and NIST.
FISMA assigns OMB specific responsibilities, including:
* overseeing the implementation of policies, standards, and guidelines
on information security, including ensuring timely agency adoption of
and compliance with standards;
* requiring agencies to identify and provide information security
protections commensurate with the risk and magnitude of the harm
resulting from the unauthorized access, use, disclosure, disruption,
modification, or destruction of information collected or maintained by
or on behalf of an agency, or information systems used or operated by
or on behalf of an agency;
* overseeing agency compliance with FISMA requirements;
* reviewing at least annually, and approving or disapproving, agency
information security programs; and;
* annual reporting to Congress on agency compliance with the
requirements of FISMA, including significant deficiencies in agency
information security practices and planned remedial action to address
such deficiencies.
In a July 2010 memo, OMB directed the Department of Homeland Security
(DHS) to exercise primary responsibility within the executive branch
for the operational aspects of federal agency cybersecurity with
respect to the federal information systems that fall within FISMA.
[Footnote 9] According to the memo, DHS is to oversee the
implementation of and reporting on information security policies and
guidance in federal agencies, oversee agency compliance with FISMA,
and annually review agency cybersecurity programs. OMB will continue
to report annually to Congress on the progress of agencies‘ compliance
with FISMA.
According to the Director of Federal Network Security”the DHS official
responsible for many of DHS‘s newly assigned FISMA-related activities”
DHS is beginning its oversight activities through the annual FISMA
reporting process that federal agencies are required to follow. The
official stated that the department does not currently have any
wireless-security-specific activities under way, but that the
department is planning future activities that may address wireless
security, including compliance audits and an architecture document.
Under FISMA, NIST is responsible for developing standards and
guidelines that include minimum information security requirements.
Table 2 describes NIST Special Publications (SP) that include
guidelines intended to secure wireless technologies.
Table 2: Wireless Security Guidelines Identified in NIST Guidelines:
NIST SP: 800-48, Guide to Securing Legacy IEEE 802.11 Wireless
Networks[A];
Purpose: Provides guidelines to organizations in securing their legacy
IEEE 802.11 WLAN that cannot use the IEEE 802.11i standard.
NIST SP: 800-53, Recommended Security Controls for Federal Information
Systems and Organizations[B];
Purpose: Provides guidelines for selecting and specifying security
controls for information systems that include wireless access and
access controls for mobile devices.
NIST SP: 800-94, Guide to Intrusion Detection and Prevention
Systems[C];
Purpose: Provides a basis for designing, implementing, configuring,
securing, monitoring, and maintaining intrusion detection and
prevention systems including a wireless intrusion detection system.[D]
NIST SP: 800-97, Establishing Wireless Robust Security Networks: A
Guide to IEEE 802.11i[E];
Purpose: Assists organizations in understanding, selecting, and
implementing technologies based on IEEE 802.11i.
NIST SP: 800-101, Guidelines on Cell Phone Forensics[F];
Purpose: Provides basic information on the preservation, acquisition,
examination, analysis, and reporting of digital evidence on cell
phones, relevant to law enforcement, incident response, and other
types of investigations.
NIST SP: 800-114, User‘s Guide to Securing External Devices for
Telework and Remote Access[G];
Purpose: Provides guidelines for securing external devices used for
telework including wireless home networks and wireless-enabled
personal computers.
NIST SP: 800-120, Recommendation for EAP Methods Used in Wireless
Network Access Authentication[H];
Purpose: Formalizes a set of core security requirements for extensible
authentication protocol (EAP)[I] for wireless access authentication
and key establishment.
NIST SP: 800-121, Guide to Bluetooth Security[J];
Purpose: Provides information on the security capabilities of
Bluetooth and provides recommendations to secure Bluetooth devices
effectively.
NIST SP: 800-124, Guidelines on Cell Phone and PDA Security[K];
Purpose: Provides an overview of cell phone and personal digital
assistant (PDA) devices in use today and provides safeguards for
securing these devices.
Source: GAO analysis of NIST data.
[A] NIST, Guide to Securing Legacy IEEE 802.11 Wireless Networks, SP
800-48 Revision 1 (Gaithersburg, MD: July 2008).
[B] NIST, Recommended Security Controls for Federal Information
Systems and Organizations, SP 800-53 Revision 3 (Gaithersburg, MD:
August 2009).
[C] NIST, Guide to Intrusion Detection and Prevention Systems (IDPS),
SP 800-94 (Gaithersburg, MD: February 2007).
[D] An intrusion detection system monitors the events occurring in a
computer system or network and analyzes them for signs of possible
incidents.
[E] NIST, Establishing Wireless Robust Security Networks: A Guide to
IEEE 802.11i, SP 800-97 (Gaithersburg, MD: February 2007).
[F] NIST, Guidelines on Cell Phone Forensics, SP 800-101
(Gaithersburg, MD: May 2007).
[G] NIST, User‘s Guide to Securing External Devices for Telework and
Remote Access, SP 800-114 (Gaithersburg, MD: November 2007).
[H] NIST, Recommendation for EAP Methods Used in Wireless Network
Access Authentication, SP 800-120 (Gaithersburg, MD: September 2009).
[I] EAP supports multiple authentication methods used when connecting
a computer to the Internet.
[J] NIST, Guide to Bluetooth Security, SP 800-121 (Gaithersburg, MD:
September 2008).
[K] NIST, Guidelines on Cell Phone and PDA Security, SP 800-124
(Gaithersburg, MD: October 2008).
[End of table]
NIST is also responsible for administering the United States
Configuration Baseline, which is an initiative to create security
configuration baselines for information technology (IT) products
deployed across federal agencies.
In addition to NIST guidelines, other federal agencies have developed
guidance for securing wireless technologies. For example, the
Department of Defense‘s Defense Information Systems Agency (DISA) has
created a series of security technical implementation guides that
address general purpose or multiuse technologies. These guides serve
as configuration standards for the Department of Defense‘s wireless
devices and systems. In addition, DISA has made these guides available
for other federal agencies to provide them with a baseline level of
security.
GAO Has Previously Recommended Improvements to Wireless Network
Security Guidance:
In 2005, we reported that federal agencies lacked key controls for
securing wireless networks.[Footnote 10] We recommended that the
Director of OMB instruct federal agencies to ensure that wireless
network security is incorporated into their agencywide information
security programs, in accordance with FISMA. Specifically, we
recommended that agencywide security programs should include the
following security controls.
* Robust policies for authorizing the use of the wireless networks,
identifying requirements, and establishing security controls for
wireless-enabled devices in accordance with NIST guidelines.
* Security configuration requirements for wireless devices that
include:
- security tools, such as encryption, authentication, VPN, and
firewalls;
- placement and strength of wireless access points to minimize signal
leakage; and;
- physical protection of wireless-enabled devices.
* Comprehensive monitoring programs, including the use of tools such
as site surveys and intrusion detection systems to:
- detect signal leakage;
- ensure compliance with configuration requirements;
- ensure only authorized access and use of wireless networks; and
- identify unauthorized wireless-enabled devices and activities in the
agency‘s facilities.
* Wireless security training for employees and contractors.
In response to our recommendations, OMB has instructed federal
agencies to ensure network security is incorporated into their
agencywide network security program through the use of NIST
guidelines. In addition, OMB‘s annual FISMA reporting requirements
state that agencies must follow NIST standards and guidelines for non-
national security programs and information systems. Since our report
was issued, NIST has released guidelines that address the items
identified in our recommendations. These guidelines include NIST SP
800-48, Guide to Securing Legacy IEEE 802.11 Wireless Networks; NIST
SP 800-53, Recommended Security Controls for Federal Information
Systems and Organizations; and NIST SP 800-97, Establishing Wireless
Robust Security Networks: A Guide to IEEE 802.11i (see table 3).
Table 3: Guidelines in NIST Publications Addressing Recommendations
from GAO-05-383:
Recommendation: Establish policies;
NIST SP 800-48: [Check];
NIST SP 800-53: [Check];
NIST SP 800-97: [Check];
Area: Establishing wireless networking security policies, such as
infrastructure and client device security; criteria for identifying
and implementing security requirements; access controls for portable
and mobile devices; and establishing and maintaining robust security
for wireless local area networks.
Recommendation: Configuration requirements include security tools;
NIST SP 800-48: [Check];
NIST SP 800-53: [Check];
NIST SP 800-97: [Empty];
Area: Configuring wireless client device security tools and the use of
security tools such as personal firewalls, host-based intrusion
detection and prevention systems for the protection of wireless
clients; the use of VPNs as an alternative method of achieving
confidentiality and integrity protection; and security protocols.
Recommendation: Configuration requirements address access points;
NIST SP 800-48: [Check];
NIST SP 800-53: [Empty];
NIST SP 800-97: [Empty];
Area: Establishing access point configuration and awareness of access
point security concerns, including signal boundary considerations.
Recommendation: Configuration requirements include physical protection
NIST SP 800-48: [Check];
NIST SP 800-53: [Check];
NIST SP 800-97: [Empty];
Area: Ensuring physical protection of wireless devices such as usage
restrictions and implementation guidance for organization-controlled
portable and mobile devices.
Recommendation: Monitoring programs include tools to detect signal
leakage;
NIST SP 800-48: [Check];
NIST SP 800-53: [Empty];
NIST SP 800-97: [Empty];
Area: Determining criteria for conducting site surveys and the use of
appropriate wall-mounted antennas to minimize signal leakage.
Recommendation: Monitoring programs include tools to ensure
configuration compliance;
NIST SP 800-48: [Check];
NIST SP 800-53: [Check];
NIST SP 800-97: [Empty];
Area: Using wireless intrusion detection and prevention systems to
determine misconfigured clients and using policy driven software
solutions to ensure client devices and users comply with defined WLAN
policies.
Recommendation: Monitoring programs include tools to ensure access is
authorized;
NIST SP 800-48: [Check];
NIST SP 800-53: [Check];
NIST SP 800-97: [Check];
Area: Using wireless intrusion detection and prevention systems to
determine whether unauthorized users or devices are attempting to
access, have already accessed, or have compromised the WLAN; and
performing regular audits using wireless sniffers and other tools to
determine whether wireless products are transmitting correctly and on
the correct channels.
Recommendation: Monitoring programs include tools to identify
unauthorized access;
NIST SP 800-48: [Check];
NIST SP 800-53: [Check];
NIST SP 800-97: [Check];
Area: Using wireless intrusion detection and prevention systems to
detect suspicious or unauthorized activity and completing site surveys
to discover any sources of radio interference.
Recommendation: Security training;
NIST SP 800-48: [Check];
NIST SP 800-53: [Check];
NIST SP 800-97: [Check];
Area: Establishing wireless security awareness and training for
employees and contractors to ensure good security practices and
prevent inadvertent or malicious intrusions into an organization‘s
information systems.
Source: GAO analysis of NIST data.
[End of table]
Comprehensive Policies, Use of Secure Technologies, Risk-Based
Approach, Training, and Monitoring Among Leading Practices for
Deploying and Monitoring Secure Wireless Networks:
Leading practices for deploying and monitoring secure wireless
networks include comprehensive policies, configuration controls,
training, and other practices as described in table 4. Many of these
practices are consistent with the key information security controls
required for an effective information security program identified in
our previous reports and reflect wireless-specific aspects of those
controls. Furthermore, experts identified several emerging
technologies, such as broadband wireless, third-party device
management, and IEEE 802.11n-2009/802.11w-2009, as potentially
important in securing wireless networks in the future.
Table 4: Leading Practices for Securing Wireless Networks and
Technologies:
Practice category: 1. Policy;
Practice description: Develop comprehensive security policies that
govern the implementation and use of wireless networks and mobile
devices that include the following safeguards:
* implement secure encryption with enterprise authentication,
* establish usage restrictions and implementation guidance for
wireless access, and,
* enforce access controls for connection of mobile devices.
Practice category: 2. Risk-based approach;
Practice description: Employ a risk-based approach for wireless
deployment.
Practice category: 3. Centralized management;
Practice description: Employ a centralized wireless management
structure that is integrated with the existing wired network.
Practice category: 4. Configuration requirements;
Practice description: Establish configuration requirements for
wireless networks and devices in accordance with the developed
security policies and requirements.
Practice category: 5. Training;
Practice description: Incorporate wireless and mobile device security
component in training.
Practice category: 6. Remote access;
Practice description: Use a VPN to facilitate the secure transfer of
sensitive data during remote access.
Practice category: 7. Monitoring;
Practice description: Deploy continuous monitoring procedures for
detecting rogue access points and clients using a risk-based approach.
Practice category: 8. Security assessments;
Practice description: Perform regular security assessments to help
ensure wireless networks are operating securely.
Source: GAO.
[End of table]
Develop Comprehensive Security Policies that Govern Implementation and
Use of Wireless Networks and Mobile Devices:
Comprehensive information security policies that address the security
of wireless networks and mobile devices can help agencies mitigate
risks. FISMA recognizes that the development of policies and
procedures is essential to cost effectively reducing the risks
associated with IT, including wireless IT, to an acceptable level. In
addition, experts noted that sound policy is the basis for all
effective security measures. Policies should cover areas such as roles
and responsibilities, WLAN infrastructure security, WLAN client device
security, and security assessments. By establishing policies that
address these areas, agencies can create a framework for applying
practices, tools, and training to help support the security of
wireless networks.
In addition to these policies, federal guidelines and experts also
emphasized key safeguards to address wireless security concerns that
have surfaced since our 2005 report. These practices include
prohibiting the use of WEP and implementing WPA2 with enterprise
authentication, establishing usage restrictions and implementation
guidance for wireless access, and implementing access controls for
mobile devices that connect to an agency's wireless networks.
Implement Secure Encryption with Enterprise Authentication:
Organizations should establish policies requiring procurement of
wireless products that have been WPA2-Enterprise certified and Federal
Information Processing Standards (FIPS)-validated.[Footnote 11] NIST
guidelines state, and experts agree, that only these devices are
capable of fully implementing the IEEE 802.11i robust security network
protections, which include enhanced user and message authentication
mechanisms, cryptographic key management, and robust enciphering and
data integrity mechanisms. Wireless technologies that rely on older
wireless security protocols, such as WEP and WPA, can be more easily
exploited to circumvent or adversely impact access control and
authentication, confidentiality, integrity, and availability since
they do not require strong encryption algorithms.
Establish Usage Restrictions and Implementation Guidance for Wireless
Access:
Agencies should establish and enforce usage restrictions and
implementation guidance for wireless access. According to NIST
guidelines, security policies should identify which users are
authorized to connect wirelessly to an organization's networks and the
types of information allowed to be transmitted across wireless
networks. In addition, wireless access to information systems should
only be permitted by using authentication and encryption.
NIST guidelines also instruct agencies to identify the acceptable
methods of remote access. Specifically, an agency's policies should
describe which wireless-enabled devices can connect to the agency's
networks remotely and the types of external networks permitted. For
example, policies should specify if users connecting remotely through
public hot spots to an agency's networks are authorized to use only
agency-issued mobile devices.
Enforce Access Controls for Connection of Mobile Devices:
Both NIST guidelines and experts identified establishing access
controls for mobile devices, which includes those taken to locations
the agency deems to be a significant risk, and prohibiting dual
connection as a key practice for securely deploying and monitoring
wireless networks. Our previous reports have also emphasized the
importance of such access controls to limit, prevent, or detect
inappropriate access to computer resources (data, equipment, and
facilities), in order to protect them from unauthorized use,
modification, disclosure, and loss.
Specifically, NIST guidelines state that agencies need to establish
and enforce usage restrictions and implementation guidance for agency-
issued mobile devices taken to locations the agency deems to be a
significant risk. For example, agencies may issue specially configured
mobile devices to individuals before traveling to risky locations,
such as certain countries, which are in accordance with agency
policies and procedures. Upon return from travel, agency-defined
inspection and preventative measures can be applied to the mobile
device such as re-imaging the hard disk drive on laptops. According to
one expert's account, by developing access control requirements for
global use of devices (i.e., managing devices that travel
internationally), organizations can avoid compromises of devices or
information that have occurred at organizations without these
practices.
Another component of establishing access controls for mobile devices
that NIST and experts identified was restricting the access rights of
devices (and individuals) to an organization's network. Enforcing
requirements such as usage restrictions, configuration management, and
device identification and authentication, and disabling unnecessary
hardware can prevent incidents of employees inadvertently connecting
their devices to malicious entities and compromising the
confidentiality, integrity, and availability of the organization's
network.
Employ a Risk-Based Approach for Wireless Deployment:
Federal guidelines underscore, and experts agree with, the need for a
risk-based approach for deploying wireless networks and technologies.
A risk-based approach attempts to ensure that risks to the
organization are identified and prioritized so that available
resources can be most effectively used in defending against the most
significant threats, such as unauthorized access points or devices on
the network, and to prevent the incurrence of undue risk.
Federal guidelines and experts also agreed that risks should be
considered prior to acquisition of wireless technologies in order to
implement management controls early on, determine which WLAN
activities pose an acceptable risk, and identify the potential impact
of the threat to the organization. The Committee on National Security
Systems,[Footnote 12] in its recently issued Policy on Wireless
Communications: Protecting National Security Information, recommended
that agencies consider protecting against the risks that can occur
during various points of data transmission such as at the point of
origin, when received, and while stored on wireless media.[Footnote
10] It is only after considering and then managing such risks that
organizations can make informed decisions such as whether or not to
deploy wireless networks and technologies or determine the types of
devices and extent of their usage throughout the organization.
Moreover, since risks change over time, as a general practice, it is
essential to periodically reassess risks and reconsider the
appropriateness and effectiveness of the policies and controls
organizations have selected to mitigate those risks.
Employ a Centralized Wireless Management Structure That Is Integrated
with the Existing Wired Network:
Security experts agreed that a centralized wireless management
structure that is integrated with the management of the existing wired
network can provide a more effective means to manage the wireless
infrastructure and the information security program as a whole. A
centralized structure can provide a coherent, consistent approach to
managing the entire wireless network. For example, configuration
changes can be centrally monitored, and with centralized reporting,
management can have improved visibility and oversight of the
organization's entire wireless network. Using tools that allow
centralized management of WLANs can provide a management focal point
and reduce the number of attack points in the network.
A centralized structure can also facilitate the development and
implementation of standardized guidance, which allows organizations to
consistently apply information security policies. Organizations can
authorize the use of specific products, coordinate the installation of
WLANs, and issue other such directives to provide a holistic approach
for deploying and monitoring wireless activities. Such implementation
can be centralized at the enterprise or component level, based on the
business needs of the organization.
In conjunction with a centralized management structure, experts agreed
the importance of integrating wireless management with management of
the wired network. By extending established information security
controls, such as intrusion detection systems and monitoring, from the
wired to the wireless network, an organization is better positioned to
both understand and defend its overall information security posture.
Experts agreed that a decentralized wireless management structure can
result in disparate, ad hoc networks that operate and are managed
separately. The existence of multiple networks that are independently
managed can impede effective implementation and monitoring of security
controls and inhibit sufficient oversight of the wireless network.
Although centralized wireless management can have many benefits, the
level of centralization needs to be determined by business need and a
risk-based approach. Centralization can be performed by agency
components or departmentwide and should be balanced against the costs
of centralization.
Existing federal guidelines recognize the benefits that centralized
management of network services and information security can provide
for federal agencies. For example, NIST guidelines state that
centralized security management is an important consideration for
managing mobile devices since it facilitates the configuration control
and management processes that support compliance with an
organization's security policy. Additionally, we previously reported
that establishing a central management focal point for information
security is essential to spotting trends, identifying problem areas,
and determining whether policies and administrative issues are handled
in a consistent manner.[Footnote 14]
Establish Configuration Requirements for Wireless Networks and Devices
in Accordance with the Developed Security Policies and Requirements:
Establishing configuration requirements for wireless networks and
devices can help ensure they are deployed in a secure manner in
accordance with agency policies. For example, NIST SP 800-48 states
that agencies should configure their wireless networks in accordance
with established security policies and requirements. Establishing
settings or configuration requirements for wireless access points can
guide their placement and signal strength to minimize signal leakage
and exposure to attacks.
In addition to access points, client devices should also be configured
to enhance the wireless network security posture. According to NIST,
securing the infrastructure without properly securing the client
devices renders the entire wireless network insecure. Solutions such
as enterprise servers can periodically communicate with managed mobile
devices to ensure security and other configuration settings are
correct and in compliance with policy.
Incorporate Wireless and Mobile Device Security Component in Training:
NIST guidelines and experts stated that training employees and
contractors in an organization's wireless policies is a fundamental
part of ensuring that wireless networks are configured, operated, and
used in a secure and appropriate manner. For security policies to be
effective, those expected to comply with them must be aware of the
policies. Additionally, FISMA mandates that agencies provide security
awareness training for their personnel, including contractors and
other users of information systems that support the operations and
assets of the agency. NIST recommends that the security awareness
training include the risks of wireless security and how to protect
against those risks. In addition, NIST guidelines and experts agree
that an agency's security training should include mobile device
security that addresses (1) maintaining physical control over mobile
devices, (2) protecting sensitive data on mobile devices with
encryption, (3) disabling wireless interfaces on mobile devices when
not needed, and (4) the procedures for reporting lost or stolen mobile
devices. FISMA also requires agency chief information officers to
ensure that personnel with significant information security
responsibilities receive training with respect to their
responsibilities.
Use a VPN to Facilitate the Secure Transfer of Data during Remote
Access:
A VPN can provide a secure communications mechanism for sensitive data
transferred across multiple, public networks. For wireless
technologies, VPNs are useful because they provide a way to secure
WLANs that may be insecure, such as those at public hot spots, in
homes, or other locations. According to NIST guidelines, federal
agencies should consider using VPNs to protect the confidentiality of
WLAN communications during remote access and telework and should
configure the VPNs to use FIPS-140-2-validated encryption. Experts
agreed on the use of VPNs as an integral security measure for an
increasingly mobile workforce.
Deploy Continuous Monitoring Procedures for Detecting Rogue Access
Points and Clients Using a Risk-Based Approach:
Continuous monitoring is a means for an organization to ensure that
security controls remain effective despite the planned and unplanned
changes that can occur to an information system. OMB policy and NIST
guidelines require agencies to implement a continuous monitoring
approach for all information systems, including those using wireless
technologies. According to NIST guidelines, agencies are required to
monitor for unauthorized wireless access to information systems and
should base their determination of the scope and frequency of such
monitoring on an assessment of risk to the agency, the operational
environment, the agency's requirements, and specific threat
information. Continuous monitoring allows an organization to defend
its security posture in a dynamic environment where threats,
vulnerabilities, and technologies are constantly changing. Experts
also noted the importance of continuously monitoring the wireless
network for rogue access points and client devices. Documenting and
implementing an approach to wireless monitoring that uses a risk-based
approach helps to ensure that the scope and frequency of monitoring is
appropriate for the threats facing the agency. As previously
mentioned, centralized management tools can provide continuous
monitoring capabilities for improved visibility and oversight of the
organization's entire wireless network.
Both experts and NIST guidelines highlighted the importance of using a
wireless intrusion detection system to continuously monitor an
agency's wireless networks to detect and respond to malicious
activities on the network before they inflict damage. These types of
systems enable an organization's operations or security staff to
determine whether unauthorized users or devices are attempting to
access, have already accessed, or have compromised a WLAN. A wireless
intrusion prevention system builds on the functionality of a wireless
intrusion detection system by also automatically taking
countermeasures against these unauthorized users or devices. These
systems are able to monitor wireless data as it passes from wireless
to wired networks. They can also detect misconfigured WLAN clients,
rogue access points, ad hoc networks, and other possible violations of
an organization's WLAN policy. In addition, these systems can position
an organization to proactively assess its wireless network at regular
intervals. However, a wireless intrusion detection or prevention
system is a significant expense, and it may not be appropriate in all
cases. For example, an agency may determine that a smaller agency
location with lower risk systems may not warrant the expense that
installing a wireless intrusion detection or prevention system may
entail.
Other tools exist to detect rogue wireless client devices, such as
handheld scanners and network authentication mechanisms, but these may
not be as effective or easy to monitor as an intrusion detection
system. Consistent with NIST guidelines, an organization should use a
risk-based business case to determine the appropriate use of
continuous monitoring solutions.
Perform Regular Security Assessments to Help Ensure Wireless Networks
are Operating Securely:
Experts and NIST guidelines both noted the importance of regular
security assessments for checking the security posture of wireless
networks and for determining corrective actions needed to ensure the
wireless networks remain secure. Regular assessments help to determine
whether wireless devices are transmitting correctly and are on the
correct channels. Experts noted the importance of consistently and
regularly performing security assessments in tandem with continuously
monitoring the wireless network. In addition, organizations should
maintain an inventory of access points deployed and their mobile
devices to help identify rogue devices when conducting assessments.
Assessments can help organizations to determine whether controls are
appropriately designed and operating effectively to achieve the
organization's control objectives.
Broadband Wireless, Device Management, and Newer WLAN Technologies Are
Emerging Wireless Technologies:
Several current and emerging technologies are important to consider
for secure deployment of wireless technologies as follows:
* Long-Term Evolution: Long-Term Evolution is a fourth-generation
wireless broadband technology that experts stated is expected to
improve the speed and quality of service and provide scalable
bandwidth capacity. It is also expected to improve security through
enhanced encryption to prevent eavesdropping and user identity
confidentiality to prevent tracking of specific users. One expert
noted that most of the public safety broadband environments used for
emergency communications at the state and local levels will adopt Long-
Term Evolution and highlighted the importance of its effective
implementation by government entities.
* WiMAX: Another form of broadband wireless technology known as WiMAX
(Worldwide Interoperability for Microwave Access ) is intended for
wireless metropolitan area networking and is an effort to provide
seamless mobile access in much the same way as wide-area cellular
networks with higher transmission speeds. Security advantages of WiMAX
include mutual device/user authentication, improved traffic
encryption, and options for securing data within the core network.
* Third-party device management: The technological capabilities of a
third-party vendor may provide a means for organizations to establish
security for mobile devices. According to experts, a vendor that
specializes in wireless security may be more up-to-date on security
vulnerabilities and better equipped to assess the security of wireless
networks than an agency's own staff. Capabilities provided by a vendor
can include incident management, triggers if a device is taken
overseas, remote trouble shooting, and usage trends, among others.
* IEEE 802.11n-2009/802.11w-2009 technologies: Two additions to the
802.11 family of WLAN technologies-802.11n-2009 and 802.11w-2009-are
expected to improve the performance and security of WLANs. The
technologies specified in 802.11n-2009 increase WLAN speed, improve
reliability, and extend the range of wireless transmissions. The
802.11w-2009 encryption standard builds on the 802.11i framework to
protect against certain types of attacks on WLANs.
Agencies Have Acted to Secure Wireless Networks, but Additional Steps
Are Needed to Effectively Mitigate Security Challenges:
Agencies have taken several steps to address the security of their
wireless networks; however, these steps have not been fully and
comprehensively applied across the government. Specifically,
application was inconsistent among the agencies for most of the
following leading practices:
* Most agencies developed policies that reflected NIST guidelines and
leading practices, but gaps existed in these policies, particularly
with respect to dual-connected laptops and use of mobile devices on
international travel.
* All agencies required a risk-based approach for management of
wireless technologies.
* Many agencies used a decentralized structure for management of
wireless, limiting the potential standardization that centralized
management can provide, and guidance on centralization is limited.
* The five agencies where we did detailed testing generally securely
configured wireless access points, but they had numerous weaknesses in
laptop and smartphone configurations. Gaps in governmentwide guidance
on configuration contributed to these weaknesses.
* Most agencies were missing key elements related to wireless security
in their security awareness training.
* Twenty agencies required encryption, and eight of these agencies
specified that a VPN must be used during remote access; four agencies
did not require encryption.
* Many agencies had insufficient practices for monitoring or
conducting security assessments. Furthermore, federal guidance in this
area lacks specificity.
Existing governmentwide guidance and oversight efforts do not fully
address agency implementation of the leading practices. Until agencies
fully address these practices, they will not have sufficient assurance
that the risks to sensitive wireless systems, and sensitive data
transmitted across or processed by those systems, are adequately
safeguarded from inadvertent or deliberate misuse, fraudulent use,
improper disclosure, or destruction. Also, until OMB and DHS ensure
they have effective means for oversight of federal agencies' efforts
to secure wireless networks they may lack full visibility of the
vulnerability of these networks to attack.
Agencies Have Developed Policies to Support Secure Use of Wireless
Technologies, but Gaps Exist:
Almost all agencies required wireless networks to employ encryption,
but not all agencies required secure forms of encryption.
Specifically, 23 of 24 agencies specified in their policies that
agency wireless networks are required to employ encryption. However, 7
of the 23 agencies did not require secure forms of encryption.
Specifically, 2 agencies' policies required the use of WEP, an older
wireless encryption method that is vulnerable to attack; one agency
required the use of WPA, which is not compliant with federal
requirements for encryption; and 4 other agencies did not specify any
type of encryption or require the use of FIPS 140-2 compliant
encryption. In addition, 1 agency did not have any documented
requirements for wireless transmissions to be encrypted, even though
that agency has a wireless network deployed at its headquarters.
In certain cases, agency policies had been developed several years
ago. Agencies had also not always updated their policies to reflect
their implementations of WLANs or federal requirements for wireless
encryption. Agencies that do not require the use of strong, FIPS-
validated encryption algorithms on their wireless networks have
limited assurance that sensitive agency information is being
adequately protected from unauthorized disclosure or modification.
Most Agencies Have Established Usage Restrictions and Implementation
Guidance for Wireless Networks:
Twenty-three of the 24 agencies provided specific guidance to agency
personnel on the types of information that may be transmitted using
wireless networks or on how sensitive information is to be protected
when transmitted wirelessly. All 24 of the agencies in our review had
also developed policies establishing usage restrictions and
implementation guidance for wireless networks; although policies for 3
agencies were in draft and had not yet been approved.
Examples of usage restrictions in agency policies included the
following:
* requiring that administration of wireless infrastructure devices
(such as access points) be conducted using the wired network,
* prohibiting the use of ad hoc wireless networks, and:
* allowing access to agency wireless networks only via a VPN.
Agencies' policies frequently contained wireless implementation
guidance such as the following:
* physically securing wireless infrastructure devices,
* adjusting the transmission power of access points to ensure adequate
coverage while minimizing signal leakage,
* maintaining audit logs on wireless access points,
* changing default service set identifiers[Footnote 15] and not using
identifiers that would identify the agency,
* enabling media access control[Footnote 16] address filtering, and:
* segregating wireless network traffic from the wired network using
firewalls or other methods.
Agencies Established Policies for Access Controls for Mobile Devices,
but Several Agencies Did Not Specifically Address Wireless
Functionality of Laptops, Dual Connection of Laptops, or International
Travel of Mobile Devices:
Almost all agencies had established some type of access control policy
for mobile devices. Specifically, all 24 agencies developed policies
for PDAs, such as smartphones, although 2 agencies' policies had not
been finalized. Although 23 of the 24 agencies had developed
implementation guidance for laptop computers, the policies of 4 of
these agencies did not specifically address wireless functionality on
laptops. In addition, 1 of the 24 agencies did not document laptop
policies at all.
Fewer agencies had developed access control policies regarding dual
connection of laptops. NIST guidelines recommend that client devices,
such as laptop computers, should be configured not to allow the
simultaneous use of more than one network interface. Although most
agencies had established policies for wireless-enabled laptops, many
did not address the risk of dual connections of laptops in their
policies. As described earlier, the security of an agency network
could be compromised when a laptop is connected to an external
wireless network, and to an agency's wired network simultaneously,
leaving it vulnerable to attack and providing unauthorized access to
the wired network. Turning off or disabling the wireless capability
when a laptop is connected to a wired network mitigates this risk. Of
the 24 agencies in our review, 8 did not have documented policies
requiring the wireless capability to be turned off or disabled when
the agency's laptop is connected to a wired network. One agency with a
decentralized wireless management structure had a high level overall
wireless policy, but allowed its components to determine whether to
augment it with more detailed policies, including policies prohibiting
multiple network connections. Other agency officials incorrectly
thought that the dual connection issue was addressed by governmentwide
guidance such as the Federal Desktop Core Configuration (FDCC).
[Footnote 17]
Although the baseline FDCC standard disables wireless connectivity, in
March 2010,[Footnote 18] we reported that many agencies have chosen to
deviate from the standard and enable wireless functionality on their
workstations. No other setting or combination of settings within the
FDCC standard prevents multiple network connections. We also
previously reported that OMB had not specified any guidance for
agencies to use when considering the risks of deviating from the FDCC
standard; OMB has therefore not specified any such guidance for
agencies regarding permitting the use of wireless technologies. We
recommended that OMB clarify its policies regarding FDCC deviations to
include guidance for agencies to use when assessing the risks of
deviations. Until OMB provides guidance to agencies regarding the
risks associated with enabling wireless on agency laptops, including
the risk of dually connected laptops, agencies may not document and
implement policies prohibiting dual connections, increasing the risk
that an attacker would be able to gain unauthorized access into an
agency's network and destroy, modify, or copy sensitive information.
Further, until agencies fully document and implement policies
prohibiting dual connections, an increased risk exists that an
attacker would be able to gain unauthorized access into an agency's
network and destroy, modify, or copy sensitive information.
Similarly, many agencies also did not have documented policies
governing international travel with mobile devices. As noted earlier,
according to NIST, a leading practice for client and mobile devices is
to issue specially configured laptops, PDAs, and other mobile devices
to individuals traveling to locations considered to be high risk and
to apply preventative measures to devices being returned from such
locations. However, only 12 of the 24 agencies had documented policies
for safeguarding PDAs taken internationally, and policies for 4
agencies were in draft. Policies of 5 agencies required specially
configured devices to be issued for such travel, although policies of
10 agencies required preventative measures to be applied to the
devices after they were returned from travel and before being
connected to agency networks. In addition, just 9 of the 24 agencies
had documented policies for laptops taken internationally; including 2
agencies that had draft policies. Only 4 of the 9 agencies required
that a specially configured laptop be used for travel, although 8
agencies required preventative measures to be applied after the
devices were returned from travel.
Several agency officials stated that they were aware of the risks
posed to mobile devices during international travel, but that agencies
had not yet developed policies to address these risks. NIST issued its
updated guidelines on this practice in August 2009, and many agencies
had not yet updated their security policies to reflect the new
guidelines. By not having documented policies, agencies may be at
increased risk that sensitive information could be compromised while a
device is in another country, or that malware obtained during an
international trip could be inadvertently introduced onto agency
networks, placing sensitive data and systems at risk.
All Agencies Required a Risk-Based Approach to Wireless Deployment,
and Most Required Approval of New Wireless Technologies:
All of the agencies in our review required in their policies that
decisions related to management of wireless technologies be based on
risk. Fifteen agencies had policies that specifically required a risk-
based approach to wireless management; the remaining 9 agencies had
policies that, while not specific to wireless, required a risk-based
approach to all management of IT.
Twenty-two of the 24 agencies had documented policies specifying that
new wireless technologies require approval from an appropriate
official or governing body before they could be implemented, although
one agency's policy was still in draft. The remaining 2 agencies,
while not specifying wireless, required all new technologies to be
approved.
Many Agencies Did Not Use a Centralized Structure for Wireless
Management:
Although a centralized wireless management structure can provide a
more effective means of managing wireless networks, many agencies
reported not using a centralized approach. Eleven agencies indicated
that they did have a centralized wireless management structure, and 3
indicated using both a centralized and decentralized structure,
depending on agency component. Ten agencies employed a decentralized
wireless management structure. As previously mentioned, a
decentralized wireless management structure can result in disparate,
ad hoc networks that are independently managed, which can impede
effective implementation and monitoring of security controls and
inhibit sufficient oversight of the wireless network. The following
examples describe 2 agencies that are implementing a centralized
management approach and identify the benefits and limitations of their
implementation efforts.
One agency where we performed detailed testing had deployed a
centrally monitored and managed wireless intrusion detection system
that was integrated with the agency's national wired networks and
operated centrally by its cybersecurity management center. This system
had several positive aspects such as eliminating the need for trained
personnel in every location, easy integration with other automated
tools, and a console that provided a summary view of security events
and detected devices. Additionally, it provided a central means to
monitor configurations of wireless devices, discover rogue access
points, and detect intrusion attempts. However, this system also had
limitations. According to agency officials, the center did not always
manage the installation and configurations of wireless devices at the
facilities being monitored. As a result, the agency could not take
full advantage of the improved visibility and oversight of the
agency's entire wireless network that centralized management can offer.
Another agency was deploying a centrally managed WLAN nationwide to
hundreds of facilities. According to agency officials, the WLAN would
provide a platform for numerous systems and devices to be operated in
a highly mobile environment. The centrally managed WLAN has the
potential to simplify and provide more control over WLAN management.
For instance, configuration policies created in templates can be
forwarded to all controllers connected to the network and then on to
the wireless access points. It can also provide a graphical display of
the WLAN and its performance.
Agencies had decentralized approaches to wireless management for
several reasons. Several agencies managed IT in a decentralized
manner, delegating responsibility to agency components based on their
business needs. Other agencies were just beginning to consider use of
WLANs, or had only deployed WLANs in a limited manner. Technological
advances have also made centralized management of wireless more
feasible than in the past. Furthermore, while existing federal
guidelines recognizes the benefits that centralized management of
information security can provide for federal agencies; existing NIST
guidelines on wireless security do not provide detail on the
appropriate ways agencies can centralize their management of wireless
technologies based on business need.
Until agencies effectively implement a centralized wireless management
structure, they will have limited visibility and control over WLANs
and a limited ability to integrate wireless management controls with
the existing wired network to provide continuity and robustness to
their organization's overall information security program.
Although Access Points Were Generally Configured Securely, Weaknesses
Existed in Configurations of Laptops, Firewalls, and Smartphones Used
for Wireless Access:
At the five agencies where we conducted detailed testing, the access
points used to provide WLANs were generally configured in a secure
manner. However, we identified weaknesses in laptop or firewall
configurations at these agencies as the following examples illustrate:
* None of the five agencies had fully implemented controls to prevent
laptops from connecting to a wireless network while also being
connected to the agency's internal wired network. As described
earlier, when a laptop is connected to a wireless network and to an
agency's wired network simultaneously, an attacker could exploit this
dual connection to gain unauthorized access to the agency's network,
placing sensitive information and systems at risk. In certain cases,
agency officials were unaware that the potential for a dual connection
existed. In other cases, officials were aware of the risk, but were
unsure of the appropriate controls that could mitigate this risk, or
were concerned that these controls might interfere with needed
functionality of the device. In general, workstations using Microsoft
Windows require an additional third-party application or other
specialized configuration to disable wireless connectivity. Although
NIST guidelines recommend that client devices, such as laptop
computers, be configured to not allow the simultaneous use of more
than one network interface, existing NIST guidelines on wireless
networks do not provide specific technical information on steps that
agencies should take to implement this control.
* One of the five agencies had configured a laptop to allow
nonprivileged users to enable Bluetooth and to connect to other
personal Bluetooth devices. Furthermore, Bluetooth was configured to
default to "discovery" mode, making the laptops visible to other
Bluetooth devices. As a result, an attacker with a Bluetooth device
within range could connect to the agency's laptop, providing a means
of unauthorized access to sensitive information on the laptop itself,
as well as to the agency's network.
* Two agencies allowed general users to have administrative privileges
on their laptops, thus reducing the effectiveness of established
security controls on those machines and increasing the risk that users
could install unapproved and potentially malicious software, which
could allow sensitive information to be viewed, modified, or deleted.
* At one agency, a firewall[Footnote 19] segmented a guest wireless
network from the agency's internal network. However, the firewall was
configured to allow all traffic that used Internet protocol version 6
(IPv6) to flow between the networks without controls. As a result, any
user--whether malicious or not--connected to the guest wireless
network using the IPv6 protocol could traverse the guest network
without any authentication or access controls and could potentially
gain unauthorized access to the internal network, placing sensitive
agency information and systems at risk of unauthorized disclosure,
modification, misuse, or destruction.
Many agencies also did not enforce secure configurations on their
BlackBerry smartphones. DISA has developed a configuration checklist
to help its administrators securely configure its BlackBerry
Enterprise Servers, which are servers that allow agencies to centrally
control security policy for BlackBerry smartphones. These guidelines
have also been made available to other organizations, including
federal agencies, as part of a NIST program providing secure
configurations for computing devices. Although not mandatory, the
guidelines provide a starting point for securely configuring
BlackBerry smartphones. However, 18 of the 24 agencies had server
configurations that were less secure than the DISA guidelines. For
example:
* Fourteen agencies allowed BlackBerry passwords of insufficient
length. DISA recommends that passwords on BlackBerry smartphones be a
minimum of eight characters in length.
* Seven agencies did not require the use of complex passwords. DISA
recommends that this value be configured to require passwords to
contain, at a minimum, at least one alphabetic character and one
numeric character.
* Eleven agencies did not set a sufficient security timeout period.
DISA recommends that this value be set to 15 minutes or less.
* Ten agencies did not configure a setting that prevents applications
from opening internal and external connections simultaneously,
exposing the device to malware.
Several agency officials stated that the DISA checklist was not
mandatory for federal agencies; however, no other federal
configuration standard for BlackBerry smartphones currently exists.
Due to their portability and capacity to collect and store significant
amounts of sensitive information, smartphones such as the BlackBerry
are susceptible to security threats such as loss, theft, unauthorized
access, malware, electronic eavesdropping, and tracking. Without
securely configuring their BlackBerry Enterprise Servers, agencies are
at an increased risk that their BlackBerry smartphones could be
compromised, resulting in tampered, lost, or stolen data.
Agencies Have Improved Wireless Security Training Efforts, but
Training Often Lacked Key Elements:
Many agencies did include key information on the risks of wireless
technologies and how to mitigate such risks in their training
programs. Specifically, 18 agencies provided training on the inherent
lack of security of wireless technology and gave information on how
employees and contractors could protect information that is
transmitted wirelessly. However, 6 agencies did not address wireless
security in their annual training.
In addition, although most agencies included information on mobile
devices in their security awareness training, most agencies did not
include key elements in accordance with NIST guidelines. Specifically,
only 2 of the 24 agencies included in their training that users should
disable the wireless interfaces on their mobile devices when not
needed. In addition, training at 14 agencies did not address physical
control over mobile devices; 5 did not describe the procedures for
reporting lost or stolen mobile devices; and 5 did not include
information on encrypting sensitive data on mobile devices. Finally, 1
agency did not address mobile device security in its annual training.
Awareness about wireless security challenges can assist employees in
complying with policies and procedures to reduce agency information
security risks. Without such training, employees and contractors may
practice behaviors that threaten the safety of the agency's data.
Agency Policies Did Not Always Require the Use of a VPN or Encryption
for Remote Access:
Policies on remote access are important to the security of wireless
devices because a frequent use of wireless technologies is for access
to agency networks from remote locations, such as a home or hotel
WLAN. Twenty of the 24 agencies required remote access sessions to be
encrypted, and 8 of these agencies specified that a VPN must be used.
However, 4 of the 24 agencies did not require remote access to be
encrypted using a VPN or other encryption method. Without having
policies requiring remote access sessions to employ adequate
encryption, agencies will not be able to ensure that sensitive
information is protected from unauthorized access, use, disclosure, or
modification when users connect to agency information systems remotely.
Many Agency Policies and Practices for Monitoring 802.11 Networks and
Conducting Assessments Were Insufficient:
All 24 agencies in our review reported some form of monitoring for the
existence of unauthorized or "rogue" wireless networks. Sixteen
agencies reported that they continuously monitored 24 hours a day at
one or more agency facilities. However, we found significant
weaknesses in agency policies for wireless monitoring. Only 18
agencies required any type of monitoring for unauthorized access
points in their policies, sometimes as rarely as once per year. In
addition, two agencies used outdated scanning tools that could miss
key wireless activities. Six agencies lacked any requirements for
wireless monitoring. This lack of requirements, combined with the ease
of setting up wireless networks, creates a situation in which wireless
networks can be operating in these agencies without authorization or
the required security configurations.
At the five agencies where we performed detailed testing, we found
that the approach that several locations took toward monitoring and
assessments for 802.11 wireless activity had significant weaknesses.
Five agency locations did not have routine procedures for performing
wireless assessments for unauthorized devices and networks. Two of
these locations had not performed wireless scans in the past 2 years;
two other agency locations did not document the results of scans.
One agency where we performed detailed testing had deployed a
centrally monitored and managed wireless intrusion detection system at
one of its locations. However, according to agency officials, because
of the costs of the system, it was not deployed to all locations. At
the location we visited that did not have the system deployed, there
was no alternate approach to wireless monitoring, posing the risk of
undetected wireless access points, intrusions, and loss of sensitive,
proprietary data.
Further, while three other agencies also used a wireless intrusion
detection system at some locations to continuously monitor for
unauthorized devices and networks, the monitoring at these locations
was ineffective. Specifically, the systems at each location had not
been tailored to ignore known false positives. As a result, the
systems generated large numbers of alerts for rogue access points,
most of which were false. Local network administrators therefore had
no way to determine which alerts were actual security events,
hindering their ability to take advantage of the security aspects of
the system.
Although NIST guidelines recommend that agencies use wireless
monitoring, it does not specify criteria for selecting tools to ensure
they provide comprehensive monitoring capabilities, nor does it
suggest appropriate frequencies for recurring assessments or
recommendations for when continuous monitoring may be appropriate.
Regular monitoring and security assessments are key practices for
ensuring the security of wireless networks and devices. Even at
agencies that have no wireless networks deployed, wireless-enabled
devices that are deployed on the network, such as laptop computers,
can provide a potential means for an attacker to gain unauthorized
access to the network, putting critical agency systems and information
at risk of unauthorized modification, misuse, disclosure, or
destruction. Until regular monitoring and assessment policies and
practices are implemented, these networks are at increased
vulnerability to attack.
Existing Governmentwide Reporting and Oversight Efforts Do Not Fully
Address Key Wireless Security Practices:
The annual FISMA reporting process administered by OMB (and recently
devolved from OMB to DHS by an OMB memorandum), which serves as a
means of oversight of federal agency information security, does not
fully address implementation of leading practices in wireless
security. As of October 2010, the fiscal year 2010 draft reporting
metrics do contain measures related to automated configuration
management, vulnerability management, and incident management.
However, they do not include specific metrics related to wireless
security issues identified in this report, such as measures to address
the risk of dual-connected laptops, policies related to international
travel with mobile devices, the extent to which agencies have
centralized their management of wireless devices, and agency practices
for monitoring and assessment of wireless networks.
Furthermore, although the DHS official responsible for the agency's
newly assigned governmentwide FISMA compliance activities stated that
the agency plans additional activities that may address aspects of
wireless security governmentwide, the scope and time frames for these
activities have not yet been finalized.
Until OMB and DHS ensure they have effective means for oversight of
federal agencies' efforts to secure wireless networks, they lack full
visibility of the vulnerability of these networks to attack.
Conclusions:
Federal agencies are making significant use of wireless networks and
devices, including WLANs, laptop computers, and smartphones. Several
leading practices exist to secure these technologies, including
developing comprehensive policies, employing a centralized approach to
management, establishing secure network and device configurations, and
having effective training and monitoring in place.
Agencies have taken several steps to address the security of their
wireless networks and devices, including development of security
policies, centralized management, training, and monitoring; however,
these steps have not been fully and comprehensively applied across the
government. Gaps exist in policies, network management was not always
centralized, and numerous weaknesses existed in configurations of
laptops and smartphones. Particular issues are the risk of dual-
connected laptops and risks related to mobile devices being taken on
international travel In addition, many agencies had insufficient
policies and practices for monitoring or conducting assessments of
wireless technologies. Until OMB, DHS, NIST, and individual agencies
take steps to fully implement leading security practices, federal
wireless networks will remain at increased vulnerability to attack,
and information on these networks is subject to unauthorized access,
use, disclosure, or modification.
Recommendations for Executive Action:
To improve governmentwide oversight of wireless security practices, we
recommend that the Director of OMB, in consultation with the Secretary
of Homeland Security, implement the following two recommendations:
* include metrics related to wireless security as part of the FISMA
reporting process, and:
* develop the scope and specific time frames for additional activities
that address wireless security as part of their reviews of agency
cybersecurity programs.
We also recommend that the Secretary of Commerce instruct the Director
of NIST to develop and issue guidelines in the following four areas:
* technical steps agencies can take to mitigate the risk of dual
connected laptops,
* governmentwide secure configurations for wireless functionality on
laptops and for smartphones such as BlackBerries,
* appropriate ways agencies can centralize their management of
wireless technologies based on business need, and:
* criteria for selection of tools and recommendations on appropriate
frequencies of wireless security assessments and recommendations for
when continuous monitoring of wireless networks may be appropriate.
In addition, in a separate report with limited distribution, we are
making 134 recommendations to 24 major federal agencies to address
weaknesses in wireless-related information security controls,
including policies, procedures, and technical configurations.
Agency Comments and Our Evaluation:
We provided a draft of this report to the Director of OMB and the
Secretary of Commerce for their review and comment. However, OMB did
not provide comments on the report.
In written comments on a draft of this report, the Secretary of
Commerce stated that the department concurred with our recommendations
that NIST develop additional guidance related to wireless security.
The Secretary also suggested that we use the term "NIST guidelines"
rather than "NIST guidance" throughout the report, in addition to
other technical comments. We have incorporated these comments in the
report where appropriate.
We are sending copies of this report to the appropriate congressional
committees, the Director of OMB, the Secretary of DHS, the Secretary
of Commerce, and other interested congressional parties. The report
also is available at no charge on the GAO Web site at [hyperlink,
http://www.gao.gov].
If you or your staff members have any questions about this report,
please contact Gregory Wilshusen at (202) 512-6244 or Dr. Nabajyoti
Barkakati at (202) 512-4499, or by e-mail at wilshuseng@gao.gov and
barkakatin@gao.gov. Contact points for our Offices of Congressional
Relations and Public Affairs may be found on the last page of this
report. Key contributors to this report are listed in appendix III.
Signed by:
Gregory C. Wilshusen:
Director, Information Security Issues:
Signed by:
Dr. Nabajyoti Barkakati:
Chief Technologist:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
The objectives of our review were to (1) identify leading practices
and state-of-the-art technologies for deploying and monitoring secure
wireless networks and (2) assess agency efforts to secure wireless
networks, including vulnerability to attack. The scope of our review
included the 24 major federal agencies covered by the Chief Financial
Officers Act.[Footnote 20]
To identify leading practices for deploying and monitoring secure
wireless networks, we first identified subject matter experts,
including leading organizations and individuals, by reviewing
information security-related Web sites and professional literature. In
addition, we identified organizations that received recognition based
on an industry magazine's rankings for top wireless or other
information security-related products. We also solicited suggestions
on subject matter experts from individuals working in the field of
wireless security at major information technology (IT) and
telecommunications companies and federal government agencies, such as
the National Institute of Standards and Technology (NIST), National
Security Agency, and Committee on National Security Systems, because
they were in a position to evaluate and compare wireless security
practices at numerous organizations. We contacted approximately 10
organizations and individuals that met the above criteria; 8,
including 5 organizations and three individuals, agreed to be
interviewed and provide input on the practices we identified. The
organizations were prominent and nationally known, and the individuals
were recognized as experts in the information security community. The
participants included a wireless services provider, a global
technology products and services provider, a global telecommunications
provider, a nonprofit industry organization, a standards laboratory, a
government information security consortium, a defense agency, and a
wireless security consultant.
Then, to determine the specific leading practices, we obtained
information, primarily through analysis of publications, guidance,
checklists, presentations, and other documentation, and interviews
with subject matter experts. We supplemented the information gathered
with information obtained from our professional literature review. We
then analyzed the information obtained to identify common wireless
security leading practices and validated the practices we identified
with the subject matter experts.
To assess agency efforts to secure wireless networks, we obtained and
analyzed documents such as departmental and component policies, plans,
configuration documents, and training materials to determine the
extent of wireless technologies used and the security controls
implemented at each of the 24 major federal agencies. We also obtained
information through structured interviews with officials responsible
for wireless security policies and practices for each of the 24
agencies. For each of these agencies, we used a laptop equipped with
an antenna that served as a mobile scanning device and walked or drove
around the perimeters of publicly accessible areas of their
headquarters facilities in the Washington, D.C., area to collect data
to determine wireless technologies that were deployed in the
buildings. We also conducted scans of multiple agency facilities in
another major metropolitan area outside of the Washington, D.C.,
region. This area was chosen based on the following criteria:
* contained regional offices for the multiple major federal agencies
in locations that were sufficiently dispersed to not have too many
802.11 signals within a narrow proximity; and:
* had several regional offices with additional field offices nearby.
Based on the initial data collected from scans at the headquarters and
field locations, we chose 5 of the 24 agencies at which to complete
additional detailed wireless security testing, specifically, the
Departments of Agriculture, Commerce, Transportation, and Veterans
Affairs, and the Social Security Administration. These agencies were
selected based on several criteria, including the amount of usage of
wireless technologies, the level of centralization of IT management,
and potential security issues revealed by the initial scan results.
More in-depth testing at these agencies included a review of the
configurations of client devices, wireless infrastructure, and
monitoring practices. We inspected client devices to determine if
security controls had been implemented to protect the local network.
We also examined each agency's network infrastructure to determine if
access points were encrypted and configured to deny unauthorized
access. Finally, we determined if the agencies monitored the IEEE
802.11 wireless spectrum.
We conducted this performance audit from January 2010 to November
2010, in accordance with generally accepted government auditing
standards. Those standards require that we plan and perform the audit
to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objectives.
[End of section]
Appendix II: Comments from the Department of Commerce:
The Secretary Of Commerce:
Washington, D.C. 20230:
November 1, 2010:
Mr. Gregory C. Wilshusen:
Director, Information Security Issues:
U.S. Government Accountability Office:
Washington, DC 20548:
Dear Mr. Wilshusen:
Thank you for the opportunity to comment on the draft report from the
U.S. Government Accountability Office (GAO) entitled "Information
Security: Federal Agencies Have Taken Steps to Secure Wireless
Networks, but Further Actions Can Mitigate Risks (GAO-11-43)."
We concur with the report's recommendations that the Department of
Commerce should instruct the Director of the National Institute of
Standards and Technology (NISI) to develop and issue guidance:
* On technical steps agencies can take to mitigate the risk of dual
connected laptops.
* On government-wide secure configurations for wireless functionality
on laptops and for BlackBerry smartphones.
* On appropriate ways agencies can centralize their management of
wireless technologies based on business need.
* On criteria for selection of tools and recommendations on
appropriate frequencies of wireless security assessments and
recommendations for when continuous monitoring of wireless networks
may be appropriate.
We also feel that the draft report does an outstanding job at
highlighting NIST's leadership in this effort. The Department of
Commerce would like to offer the following comments:
1. Inconsistent use of "NIST guidance" and "NIST guidelines." We
recommend using "NIST guidelines" throughout the report.
2. Page 20, last paragraph. GAO refers to the Office of Management and
Budget's annual Federal Information Security Management Act (FISMA)
reporting requirements (OMB M-10-15, FAO #11,) which state that
agencies must follow NIST standards and guidelines for non-national
security programs and information systems. While this is accurate, we
recommend also including OMB M-10-15 FAQ #12, which will help to put
this general statement in full context. OMB FISMA FAQ #12 states,
"While agencies are required to follow NIST standards and guidelines
in accordance with OMB policy, there is flexibility within MST's
guidelines (specifically in the 800-series) in how agencies
apply them. However, Federal Information Processing Standards (FIPS)
are mandatory. Unless specified by additional implementing policy by
OMB, MST guidelines generally allow agencies latitude in their
application. Consequently, the application of NIST guidelines by
agencies can result in different security solutions that are equally
acceptable and compliant with the guidelines."
3. Page 23, footnote 11, last sentence. "... using NIST-certified
cryptographic modules as specified in FIPS 140-2." We recommend
changing "NIST-certified" to "NIST-validated" as this is consistent
with FIPS 140-2 and the Cryptographic Module Validation Program.
4. Page 30, 2nd paragraph, last sentence. "Consistent with NIST
policy, an organization should ..." We recommend changing "NIST
policy" to "NIST guidelines" as NISI does not issue policy.
We welcome further communications with GAO regarding its conclusions
and look forward to receiving your final report. Please contact Rachel
Kinney at (301) 957-8707 if you have any questions regarding this
response.
Sincerely,
Signed by:
Gary Locke:
[End of section]
Appendix III: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Gregory C. Wilshusen, (202) 512-6244, or wilshuseng@gao.gov Dr.
Nabajyoti Barkakati, (202) 512-4499, or barkakatin@gao.gov:
Staff Acknowledgments:
In addition to the individuals named above, Lon Chin and Vijay D'Souza
(Assistant Directors), Monica Anatalio, Mark Canter, William Cook,
Neil Doherty, Rebecca Eyler, Nancy Glover, Matthew Grote, Min Hyun,
Javier Irizarry, Franklin Jackson, Vernetta Marquis, Sean Mays, Lee
McCracken, and Michael Stevens made key contributions to this report.
[End of section]
Footnotes:
[1] GAO, Information Security: Federal Agencies Need to Improve
Controls over Wireless Networks, [hyperlink,
http://www.gao.gov/products/GAO-05-383] (Washington, D.C.: May 17,
2005).
[2] H.R. Conf. Rep. No. 111-366, at 914 (2009). We briefed the
committees on the preliminary results of our review on April 13, 2010.
[3] The 24 major federal agencies are the Agency for International
Development; the Departments of Agriculture, Commerce, Defense,
Education, Energy, Health and Human Services, Homeland Security,
Housing and Urban Development, the Interior, Justice, Labor, State,
Transportation, the Treasury, and Veterans Affairs; the Environmental
Protection Agency; the General Services Administration; the National
Aeronautics and Space Administration; the National Science Foundation;
the Nuclear Regulatory Commission; the Office of Personnel Management;
the Small Business Administration; and the Social Security
Administration.
[4] IEEE is a professional association focused on electrical and
computer sciences, engineering, and related disciplines. IEEE is
responsible for developing technical standards through the IEEE
Standards Association, which follows consensus-based standards
development processes.
[5] The Wi-Fi Alliance is a nonprofit international association that
has the goal of certifying the interoperability of WLAN products based
on IEEE 802.11 specifications.
[6] The Bluetooth Special Interest Group is a not-for-profit trade
association developed to serve as the governing body for Bluetooth
specifications.
[7] A VPN is a private network that is maintained across a shared or
public network, such as the Internet, by means of specialized security
procedures. VPNs are intended to provide secure connections between
remote clients, such as branch offices or traveling personnel and a
central office.
[8] 44 U.S.C. § 3544(b).
[9] OMB, Clarifying Cybersecurity Responsibilities and Activities of
the Executive Office of the President and the Department of Homeland
Security (Washington, D.C: July 6, 2010).
[10] [hyperlink, http://www.gao.gov/products/GAO-05-383].
[11] See NIST, Security Requirements for Cryptographic Modules, FIPS
140-2 (Gaithersburg, MD: May 25, 2001). FIPS 140-2 specifies the
security requirements for a cryptographic module used within a
security system protecting sensitive information in computer and
telecommunication systems (including voice systems) and provides four
increasing, qualitative levels of security intended to cover a wide
range of potential applications and environments. Agencies are
required to encrypt agency data, where appropriate, using NIST-
validated cryptographic modules as specified in FIPS 140-2.
[12] The Committee on National Security Systems consists of 21 members
from federal agencies and is charged with establishing national policy
and promulgating direction, operational procedures, and guidance for
the security of national security systems.
[13] Committee on National Security Systems, Policy on Wireless
Communications: Protecting National Security Information, CNSSP No.17
(Ft. Meade, MD: May 2010).
[14] See, for example, GAO, Executive Guide: Information Security
Management, Learning From Leading Organizations, [hyperlink,
http://www.gao.gov/products/GAO/AIMD-98-68] (Washington, D.C.: May
1998).
[15] A service set identifier is a name assigned to a wireless network
that allows wireless clients to distinguish one wireless network from
another.
[16] The media access control address is a unique identifier assigned
to network adapters usually by the manufacturer for identification.
Although intended to be a permanent and unique identification, it is
possible to change the media access control address on most hardware.
[17] The FDCC was an initiative launched by OMB to require federal
agencies to implement common security configurations on Microsoft
Windows XP and Vista operating systems. The initiative has evolved
into the United States Government Configuration Baseline, run by NIST.
[18] GAO, Information Security: Agencies Need to Implement Federal
Desktop Core Configuration Requirements, [hyperlink,
http://www.gao.gov/products/GAO-10-202] (Washington, D.C.: Mar. 12,
2010).
[19] A firewall is a hardware or software component that protects
given computers or networks from attacks by blocking network traffic
or by allowing only authorized protocols and services to cross the
boundary between networks.
[20] The 24 major federal agencies are the Agency for International
Development; the Departments of Agriculture, Commerce, Defense,
Education, Energy, Health and Human Services, Homeland Security,
Housing and Urban Development, the Interior, Justice, Labor, State,
Transportation, the Treasury, and Veterans Affairs; the Environmental
Protection Agency; the General Services Administration; the National
Aeronautics and Space Administration; the National Science Foundation;
the Nuclear Regulatory Commission; the Office of Personnel Management;
the Small Business Administration; and the Social Security
Administration.
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO‘s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO‘s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548:
