From the Editors of CIOSC
Reflecting the technological advances seen throughout American society, the federal government is increasingly relying on wireless networks in its communications infrastructure. And as with the rest of America, the ease of installation and convenience of wireless networks have allowed adoption before security issues could be properly identified and addressed.
But even as wireless devices -- including wireless laptops as well as new generations of mobile phones and handheld devices -- proliferate throughout the federal government, the security of wireless networks inside federal facilities is increasingly essential. Poorly controlled or ineffectively secured wireless networks can allow sensitive data, passwords, and other information to be easily intercepted by unauthorized users, including those with hostile intentions. Failure to secure wireless networks may also open federal networks to use by unauthorized personnel who, while they may not intend to harm the government, are making illegal use of federally owned resources for their own purposes.
To get a sense of the scope of the challenge, the Government Accountability Office recently completed a six-month study, conducted between September 2004 and March 2005. For the report, "Information Security Federal Agencies Need to Improve Controls over Wireless Networks" (GAO-05-383), the GAO analyzed the wireless security controls reported by each of the 24 government agencies operating under the Chief Financial Officers (CFO) Act of 1990, and physically assessed the security of wireless networks at six of those agencies.
Among the key findings of the report:
- Federal agencies have not fully implemented key controls such as policies, practices, and tools that would enable them to operate wireless networks securely.
- Security tests at six federal agencies (which the GAO did not identify) revealed insecure configurations of wireless equipment, unauthorized wireless activity, and "signal leakage."
- Wireless security is a "serious, pervasive, and crosscutting challenge to federal agencies."
The central conclusion: "If these challenges are not addressed, federal agency information and operations will be at increased risk" at a time when the nation's reliance on wireless networks is growing rapidly.
A persistent problem
There have been warnings for some time that the federal government faced this significant vulnerability challenge. Prior to the GAO report, a 2004 investigation of federal agencies by Federal Computer Week (FCW) also found serious wireless vulnerabilities.
The FCW report found that federal agencies have data traveling unencrypted over their wireless networks, as well as wireless access points broadcasting signals that hackers could use to attack the network. The FCW investigation also uncovered rogue wireless access points on the campus of a large system integrator with multimillion-dollar contracts with the National Security Agency and the Internal Revenue Service.
As far back as 2002, the National Institute of Standards and Technology examined the security concerns surrounding the 802.11 wireless specification, Bluetooth, and handheld devices in order to provide federal agencies with guidance for establishing secure wireless networks. The NIST's recommendations for maintaining secure wireless networks included a warning that "agencies should not undertake wireless deployment for essential operations until they have examined and can acceptably manage and mitigate the risks to their information, system operations, and continuity of essential operations." The report also warned that "agencies should be aware that maintaining a secure wireless network is an ongoing process that requires greater effort than that required for other networks and systems."
Identifying the threats
The GAO report, co-written by the agency's information securities director and chief technologist, identifies a half-dozen serious threats to unprotected wireless networks.
- Eavesdropping The attacker monitors transmissions for message content. For example, a person listens to the transmissions on a network between two workstations or tunes in to transmissions between a wireless handset and a base station.
- Traffic analysis The attacker, in a more subtle way, gains intelligence by monitoring transmissions for patterns of communication. A considerable amount of information is contained in the flow of messages among communicating parties.
- Masquerading The attacker impersonates an authorized user and exploits the user's privileges to gain unauthorized access in order to modify data.
- Replay The attacker places himself between communicating parties, intercepting their communications and retransmitting them (this is commonly referred to as a "man-in-the-middle" attack).
- Message modification The attacker alters a legitimate message by deleting or modifying it.
- Jamming Attackers flood a wireless network with excess radio signals that prevent authorized users from accessing it.
Implementing comprehensive, flexible solutions
The GAO and NIST agree that there are basic steps, both organizational and technological, that the federal government should take quickly to provide basic security for its wireless networks. The greater challenge is how to meet the ever-evolving nature of the threats and to insure security follows the burgeoning expansion of wireless devices. Solutions and procedures must be put in place so that agencies can respond quickly -- and proactively -- to new threats or variations on known threats.
The first step -- already taken by the GAO in the instances of the 24 federal agencies it investigated -- is for each federal agency to gain greater control over its network infrastructure through asset inventory and the discovery, prioritization, and safeguarding of vulnerabilities. A vulnerability assessment solution can deliver automated, fast, and thorough assessments, plus prioritized remediation recommendations, enabling administrators to quickly identify those systems and applications most at risk and deploy countermeasures to proactively secure them before security breaches occur. A vulnerability assessment solution can also provide a comprehensive view of security and help protect critical systems on the network and perimeter. In addition, it allows organizations to proactively prevent the exploitation of potential breaches that threaten the confidentiality, integrity, and availability of business systems.
Conclusion
Wireless networks offer a wide range of benefits to federal agencies, and clearly their use will only increase. But it remains an ongoing challenge to ensure that they are secure against intrusions, interceptions, and attacks.