8 Best Ways to Secure Wireless Technology
GAO: Agencies Inconsistent on Ways They Secure Wireless Assets
"Until agencies take steps to better implement these leading practices, and OMB takes steps to improve governmentwide oversight, wireless networks will remain at an increased vulnerability to attack," GAO Director of Information Security Issues Gregory Wilshusen and Chief Technologist Nabajyoti Barkakati wrote in the 50-page report.
To help agencies secure their wireless networks and technologies, GAO came up with eight leading practices:
- Develop comprehensive security policies that govern the implementation and use of wireless networks and mobile devices, implement secure encryption with enterprise authentication, establish usage restrictions and implementation guidance for wireless access and enforce access controls for connection of mobile devices.
- Employ a risk-based approach for wireless deployment.
- Use a centralized wireless management structure that is integrated with the existing wired network.
- Establish configuration requirements for wireless networks and devices in accordance with the developed security policies and requirements.
- Incorporate wireless and mobile device security components in training.
- Use a virtual private network to facilitate the secure transfer of sensitive data during remote access.
- Deploy continuous monitoring procedures for detecting rogue access points and clients using a risk-based approach.
- Perform regular security assessments to help ensure wireless networks are operating securely.
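The seventh practice above, continuous monitoring for rogue access points, is the one most easily reduced to a concrete check: compare what is seen over the air with an inventory of sanctioned access points and flag every mismatch. The script below is an added illustration, not material from the GAO report or from any agency tool; the inventory, the scan records and the severity labels are all constructed for the example, and the observation fields (BSSID, SSID, channel, security mode) are assumed to come from whatever wireless scanner or wireless intrusion detection system an agency already runs.

```python
"""Rogue access point detection against an inventory of sanctioned APs.

Added example, not from the GAO report.  All access points, MAC
addresses and scan results below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    bssid: str      # radio MAC address seen over the air
    ssid: str       # advertised network name
    channel: int    # 802.11 channel the beacon was seen on
    security: str   # e.g. "WPA2-Enterprise", "WPA2-PSK", "OPEN"


# Constructed inventory of sanctioned APs: BSSID -> (SSID, expected security)
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("AGENCY-CORP", "WPA2-Enterprise"),
    "00:11:22:33:44:02": ("AGENCY-CORP", "WPA2-Enterprise"),
    "00:11:22:33:44:03": ("AGENCY-GUEST", "WPA2-PSK"),
}


def normalize_bssid(bssid: str) -> str:
    """MAC addresses arrive in mixed case from different scanners."""
    return bssid.strip().lower()


def classify(obs: Observation, inventory=AUTHORIZED_APS):
    """Return (severity, reason) for a suspicious observation, or None.

    Three conditions are distinguished:
      * an unknown radio advertising one of our SSIDs (evil twin / impersonation),
      * a sanctioned radio whose SSID or security mode no longer matches the
        inventory (misconfiguration or a downgraded security setting),
      * any other unknown radio in range (unsanctioned AP, possibly benign).
    """
    inv = {normalize_bssid(k): v for k, v in inventory.items()}
    sanctioned_ssids = {ssid for ssid, _ in inventory.values()}
    key = normalize_bssid(obs.bssid)

    if key in inv:
        expected_ssid, expected_security = inv[key]
        if obs.ssid != expected_ssid:
            return ("high", f"sanctioned AP advertising unexpected SSID {obs.ssid!r}")
        if obs.security != expected_security:
            return ("high", f"sanctioned AP security changed to {obs.security}")
        return None
    if obs.ssid in sanctioned_ssids:
        return ("critical", "unknown BSSID impersonating a sanctioned SSID")
    return ("medium", "unsanctioned access point in range")


def detect_rogues(observations, inventory=AUTHORIZED_APS):
    """Run classify() over a scan and return (bssid, ssid, severity, reason) tuples."""
    findings = []
    for obs in observations:
        result = classify(obs, inventory)
        if result is not None:
            findings.append((obs.bssid, obs.ssid, *result))
    return findings


# Constructed scan: two healthy APs, an impersonator, a downgraded AP, a neighbour
SAMPLE_SCAN = [
    Observation("00:11:22:33:44:01", "AGENCY-CORP", 36, "WPA2-Enterprise"),
    Observation("00:11:22:33:44:03", "AGENCY-GUEST", 6, "WPA2-PSK"),
    Observation("AA:BB:CC:DD:EE:01", "AGENCY-CORP", 36, "WPA2-PSK"),
    Observation("00:11:22:33:44:02", "AGENCY-CORP", 44, "OPEN"),
    Observation("de:ad:be:ef:00:01", "Coffee-WiFi", 11, "OPEN"),
]


def run_sample():
    """Apply the detector to the constructed scan."""
    return detect_rogues(SAMPLE_SCAN)


if __name__ == "__main__":
    for bssid, ssid, severity, reason in run_sample():
        print(f"[{severity.upper():8}] {bssid} {ssid!r}: {reason}")
```

In practice the inventory would be exported from the centralized wireless management system that the third practice calls for, which is one reason the report pairs centralized management with monitoring: without a single authoritative list of sanctioned radios, the "unknown BSSID" branch cannot be trusted. The medium-severity branch deliberately separates a neighbour's network from an impersonator, since the risk-based approach the report recommends means not every unrecognised beacon warrants the same response.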
"Many of these practices are consistent with the key information security controls required for an effective information security program ... and reflect wireless-specific aspects of those controls," Wilshusen and Barkakati wrote in the report, which was requested by the chairs and ranking members of the Senate and House Appropriations Subcommittees on Financial Services and General Government.
GAO said the approach to securing wireless technologies is inconsistent among the agencies for most of the following leading practices:
- Most agencies developed policies to support federal guidelines and leading practices, but gaps existed, particularly with respect to dual-connected laptops and mobile devices taken on international travel.
- All agencies required a risk-based approach for management of wireless technologies.
- Many agencies used a decentralized structure for management of wireless, limiting the standardization that centralized management can provide.
- The five agencies where GAO performed detailed testing generally configured their wireless access points securely but had numerous weaknesses in laptop and smartphone configurations.
- Most agencies were missing key elements related to wireless security in their security awareness training.
- Twenty agencies required encryption, and eight of these agencies specified that a virtual private network must be used; four agencies did not require encryption for remote access.
- Many agencies had insufficient practices for monitoring or conducting security assessments of their wireless networks.
In preparing the report, GAO reviewed publications, guidance, and other documentation and interviewed subject matter experts in wireless security. GAO also analyzed policies and plans and interviewed agency officials on wireless security at 24 major federal agencies, and conducted additional detailed testing at five of them: the Departments of Agriculture, Commerce, Transportation, and Veterans Affairs, and the Social Security Administration.
Responding to the report, Commerce Secretary Gary Locke said he concurred with GAO's recommendations to instruct the National Institute of Standards and Technology, a Commerce Department agency, to develop and issue guidance on:
- Technical steps agencies can take to mitigate the risk of dual-connected laptops;
- Government-wide secure configuration for wireless functionality on laptops and for BlackBerry smartphones;
- Appropriate ways agencies can centralize their management of wireless technologies based on business needs; and
- Criteria for selection of tools and recommendations on appropriate frequencies of wireless security assessment and recommendations for when continuous monitoring of wireless networks may be appropriate.