Wireless Weaknesses in Federal Agencies
From the Editors of ITSC
Reflecting the technological advances seen throughout American society, the federal government is increasingly relying on wireless networks in its communications infrastructure. And as with the rest of America, the ease of installation and convenience of wireless networks have allowed adoption before security issues could be properly identified and addressed.
But even as wireless devices -- including wireless laptops as well as new generations of mobile phones and handheld devices -- proliferate throughout the federal government, the security of wireless networks inside federal facilities is increasingly essential. Poorly controlled or ineffectively secured wireless networks can allow sensitive data, passwords, and other information to be easily intercepted by unauthorized users, including those with hostile intentions. Failure to secure wireless networks may also open federal networks to use by unauthorized personnel who, while they may not intend to harm the government, are making illegal use of federally owned resources for their own purposes.
To get a sense of the scope of the challenge, the Government Accountability Office recently completed a six-month study, conducted between September 2004 and March 2005. For the report, "Information Security: Federal Agencies Need to Improve Controls over Wireless Networks" (GAO-05-383), the GAO analyzed the wireless security controls reported by each of the 24 government agencies operating under the Chief Financial Officers (CFO) Act of 1990, and physically assessed the security of wireless networks at six of those agencies.
Among the key findings of the report:
- Federal agencies have not fully implemented key controls such as policies, practices, and tools that would enable them to operate wireless networks securely.
- Security tests at six federal agencies (which the GAO did not identify) revealed insecure configurations of wireless equipment, unauthorized wireless activity, and "signal leakage."
- Wireless security is a "serious, pervasive, and crosscutting challenge to federal agencies."
The central conclusion: "If these challenges are not addressed, federal agency information and operations will be at increased risk" at a time when the nation's reliance on wireless networks is growing rapidly.
A persistent problem
There have been warnings for some time that the federal government faced this significant vulnerability challenge. Prior to the GAO report, a 2004 investigation of federal agencies by Federal Computer Week (FCW) also found serious wireless vulnerabilities.
The FCW report found that federal agencies have data traveling unencrypted over their wireless networks, as well as wireless access points broadcasting signals that hackers could use to attack the network. The FCW investigation also uncovered rogue wireless access points on the campus of a large system integrator with multimillion-dollar contracts with the National Security Agency and the Internal Revenue Service.
As far back as 2002, the National Institute of Standards and Technology examined the security concerns surrounding the 802.11 wireless specification, Bluetooth, and handheld devices in order to provide federal agencies with guidance for establishing secure wireless networks. The NIST's recommendations for maintaining secure wireless networks included a warning that "agencies should not undertake wireless deployment for essential operations until they have examined and can acceptably manage and mitigate the risks to their information, system operations, and continuity of essential operations." The report also warned that "agencies should be aware that maintaining a secure wireless network is an ongoing process that requires greater effort than that required for other networks and systems."
Identifying the threats
The GAO report, co-written by the agency's information securities director and chief technologist, identifies a half-dozen serious threats to unprotected wireless networks.
- Eavesdropping: The attacker monitors transmissions for message content. For example, a person listens to the transmissions on a network between two workstations or tunes in to transmissions between a wireless handset and a base station.
- Traffic analysis: The attacker, in a more subtle way, gains intelligence by monitoring transmissions for patterns of communication. A considerable amount of information is contained in the flow of messages among communicating parties.
- Masquerading: The attacker impersonates an authorized user and exploits the user's privileges to gain unauthorized access in order to modify data.
- Replay: The attacker places himself between communicating parties, intercepting their communications and retransmitting them (this is commonly referred to as a "man-in-the-middle" attack).
- Message modification: The attacker alters a legitimate message by deleting or modifying it.
- Jamming: Attackers flood a wireless network with excess radio signals that prevent authorized users from accessing it.
Implementing comprehensive, flexible solutions
The GAO and NIST agree that there are basic steps, both organizational and technological, that the federal government should take quickly to provide basic security for its wireless networks. The greater challenge is how to meet the ever-evolving nature of the threats and to ensure security follows the burgeoning expansion of wireless devices. Solutions and procedures must be put in place so that agencies can respond quickly -- and proactively -- to new threats or variations on known threats.
The first step -- already taken by the GAO in the instances of the 24 federal agencies it investigated -- is for each federal agency to gain greater control over its network infrastructure through asset inventory and the discovery, prioritization, and safeguarding of vulnerabilities. A vulnerability assessment solution can deliver automated, fast, and thorough assessments, plus prioritized remediation recommendations, enabling administrators to quickly identify those systems and applications most at risk and deploy countermeasures to proactively secure them before security breaches occur. A vulnerability assessment solution can also provide a comprehensive view of security and help protect critical systems on the network and perimeter. In addition, it allows organizations to proactively prevent the exploitation of potential breaches that threaten the confidentiality, integrity, and availability of business systems.
Conclusion
Wireless networks offer a wide range of benefits to federal agencies, and clearly their use will only increase. But it remains an ongoing challenge to ensure that they are secure against intrusions, interceptions, and attacks.