Federal agencies are acquiring wireless technology almost by accident by failing to track government-issued laptops and other mobile devices and therefore applying inadequate safeguards to secure them. One result: signal leakage.
At least that's the opinion of one agency expert who asked not to be identified. He said it's almost impossible to buy a laptop without wireless technology, but agency policies and network security programs don't recognize this and haven't adapted. He said a recent Government Accountability Office [GAO] report highlights an instance in which nearly 100 laptops attempted to connect to the test machine. Those laptops weren't well configured, and the agency had no wireless policy and no monitoring programs.
In 2002, the National Institute of Standards and Technology [NIST] released "Wireless Network Security: 802.11, Bluetooth and Handheld Devices," which is intended to provide agencies with guidance for establishing secure
wireless networks. In the guide, NIST recommended that federal agencies perform risk assessments and develop security policies before purchasing wireless technologies; delay deployment for essential operations until after agencies have determined they can manage and mitigate the corresponding risks; and assess risks, test and evaluate security controls more frequently than they would on a wired network.
The frequency of audits is indeed one of the problems the GAO found. The unidentified insider said some agencies attempt to monitor their networks, but only do so on a monthly basis. He likened it to running a firewall only once a month.
"We have a long road ahead before the cyberstructure that underpins our nation's critical infrastructure is secured from pranksters and saboteurs," Sen. Joseph I. Lieberman [D-Conn.] said in a statement. "Over a year ago, I sent a detailed letter to [Department of Homeland Security] Secretary [Tom] Ridge, raising concerns about the lack of results similar to those identified by GAO, and I am troubled that more progress has not been made in this vital area."
The GAO is the audit, evaluation and investigative arm of Congress, and is mandated to help improve the performance and accountability of the federal government. Its latest report evaluated six unnamed federal agencies in Washington and found they haven't fully implemented policies, practices and tools that would enable them to operate wireless networks securely. Wireless signal leakage beyond the perimeter of the building was also a common problem.
- Eavesdropping An attacker monitors transmissions for message content transmitted on a network between two workstations or tunes in to transmissions between a wireless handset and a base station.
- Traffic analysis An intruder gains intelligence by monitoring transmissions for patterns in the flow of messages among communicating parties.
- Masquerading An attacker impersonates an authorized user and exploits the user's privileges to gain unauthorized access to modify data.
- Replay In this instance, someone places himself between communicating parties, intercepting their communications, and retransmitting them; this is commonly referred to as a "man-in-the-middle" attack.
- Message modification An attacker alters a legitimate message by deleting or modifying it.
- Jamming Attackers flood a wireless network with excess radio signals to prevent authorized users from accessing it.
"Without effective security controls for wireless networks, agency information is at risk of unauthorized disclosure, modification or destruction," according to the GAO report. "Despite the risks associated with wireless networks, federal agencies have not fully implemented key controls for securing these networks."
Based on information reported by federal agencies, the GAO said nine haven't issued policies on wireless networks; 13 agencies haven't established requirements for securely configuring or setting up wireless networks; and 18 don't provide training programs in wireless security for their employees and contractors. "Further, the majority of federal agencies lack wireless network monitoring to ensure compliance with agency policies, prevent signal leakage and detect unauthorized wireless devices," the GAO said.
The GAO report recommended the Office of Management and Budget require agencies to ensure that wireless network security is incorporated in their infosecurity programs in accordance with the Federal Information Security Management Act.
"We have to start looking at government as an enterprise," says former cybersecurity czar Howard Schmidt. "In private industry we deploy technology to seek out rogue access points. There's got to be more operational excellence in what the government does with cybersecurity."