Information Security:

Federal Agencies Need to Improve Controls over Wireless Networks

GAO-05-383: Published: May 17, 2005. Publicly Released: May 17, 2005.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The use of wireless networks is becoming increasingly popular. Wireless networks extend the range of traditional wired networks by using radio waves to transmit data to wireless-enabled devices such as laptops. They can offer federal agencies many potential benefits but they are difficult to secure. GAO was asked to study the security of wireless networks operating within federal facilities. This report (1) describes the benefits and challenges associated with securing wireless networks, (2) identifies the controls available to assist federal agencies in securing wireless networks, (3) analyzes the wireless security controls reported by each of the 24 agencies under the Chief Financial Officers (CFO) Act of 1990, and (4) assesses the security of wireless networks at the headquarters of six federal agencies in Washington, D.C.

Wireless networks offer a wide range of benefits to federal agencies, including increased flexibility and ease of network installation. They also present significant security challenges, including protecting against attacks to wireless networks, establishing physical control over wireless-enabled devices, and preventing unauthorized deployments of wireless networks. To secure wireless devices and networks and protect federal information and information systems, it is crucial for agencies to implement controls--such as developing wireless security policies, configuring their security tools to meet policy requirements, monitoring their wireless networks, and training their staffs in wireless security. However, federal agencies have not fully implemented key controls such as policies, practices, and tools that would enable them to operate wireless networks securely. Further, our tests of the security of wireless networks at six federal agencies revealed unauthorized wireless activity and "signal leakage"--wireless signals broadcasting beyond the perimeter of the building and thereby increasing the networks' susceptibility to attack. Without implementing key controls, agencies cannot adequately secure federal wireless networks and, as a result, their information may be at increased risk of unauthorized disclosure, modification, or destruction.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: GAO has verified that as of December 2007, in response to GAO's recommendation, OMB has instructed federal agencies to ensure network security is incorporated into their agencywide network security program through the use of National Institute of Standards and Technology (NIST) guidance. In particular, NIST Special Publication 800-48: Guide to Securing Legacy IEEE 802.11 Wireless Networks, provides guidance for establishing wireless networking security policies, which includes criteria for identifying requirements and creating security controls.

    Recommendation: Because of the governmentwide challenges of wireless network security, the Director of OMB should instruct the federal agencies to ensure that wireless network security is incorporated into their agencywide information security programs, in accordance with the Federal Information Security Management Act (FISMA). In particular, agencywide security programs should include robust policies for authorizing the use of the wireless networks, identifying requirements, and establishing security controls for wireless-enabled devices in accordance with National Institute of Standards and Technology guidance.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  2. Status: Closed - Implemented

    Comments: GAO has verified that as of December 2007, in response to GAO's recommendation, OMB has instructed federal agencies to ensure network security is incorporated into their agencywide network security program through the use of National Institute of Standards and Technology (NIST) guidance. In particular, NIST Special Publication 800-48: Guide to Securing Legacy IEEE 802.11 Wireless Networks, provides guidance for establishing wireless client device security. NIST guidance states that organizations should consider security tools such as personal firewalls and host-based intrusion detection and prevention systems for the protection of wireless client devices.

    Recommendation: Because of the governmentwide challenges of wireless network security, the Director of OMB should instruct the federal agencies to ensure that wireless network security is incorporated into their agencywide information security programs, in accordance with FISMA. In particular, agencywide security programs should include security configuration requirements for wireless devices that include available security tools, such as encryption, authentication, virtual private networks, and firewalls.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  3. Status: Closed - Implemented

    Comments: GAO has verified that as of December 2007, in response to our recommendation, OMB has instructed federal agencies to ensure network security is incorporated into their agencywide network security program through the use of National Institute of Standards and Technology (NIST) guidance. In particular, NIST Special Publication 800-48: Guide to Securing Legacy IEEE 802.11 Wireless Networks, provides guidance for establishing access point configuration and awareness of access point security concerns.

    Recommendation: Because of the governmentwide challenges of wireless network security, the Director of OMB should instruct the federal agencies to ensure that wireless network security is incorporated into their agencywide information security programs, in accordance with FISMA. In particular, agencywide security programs should include security configuration requirements for wireless devices that include placement and strength of wireless access points to minimize signal leakage.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  4. Status: Closed - Implemented

    Comments: GAO has verified that as of December 2007, in response to GAO's recommendation, OMB has instructed federal agencies to ensure network security is incorporated into their agencywide network security program through the use of National Institute of Standards and Technology (NIST) guidance. In particular, NIST Special Publications 800-48: Guide to Securing Legacy IEEE 802.11 Wireless Networks and 800-53: Information Security provide guidance on the physical protection of wireless devices, such as establishing usage restrictions and implementation guidance for organization-controlled portable and mobile devices.

    Recommendation: Because of the governmentwide challenges of wireless network security, the Director of OMB should instruct the federal agencies to ensure that wireless network security is incorporated into their agencywide information security programs, in accordance with FISMA. In particular, agencywide security programs should include security configuration requirements for wireless devices that include physical protection of wireless-enabled devices.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  5. Status: Closed - Implemented

    Comments: GAO has verified that as of December 2007 OMB, in response to our recommendation, has instructed federal agencies to ensure network security is incorporated into their agencywide network security program through the use of National Institute of Standards and Technology (NIST) guidance. In particular, NIST Special Publication 800-48: Guide to Securing Legacy IEEE 802.11 Wireless Networks provides criteria for conducting site surveys, which describes the use of appropriate wall-mounted antennas to minimize signal leakage.

    Recommendation: Because of the governmentwide challenges of wireless network security, the Director of OMB should instruct the federal agencies to ensure that wireless network security is incorporated into their agencywide information security programs, in accordance with FISMA. In particular, agencywide security programs should include comprehensive monitoring programs, including the use of tools such as site surveys and intrusion detection systems to detect signal leakage.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  6. Status: Closed - Implemented

    Comments: GAO has verified that as of December 2007, in response to GAO's recommendation, OMB has instructed federal agencies to ensure network security is incorporated into their agencywide network security program through the use of National Institute of Standards and Technology (NIST) guidance. In particular, NIST Special Publication 800-48: Guide to Securing Legacy IEEE 802.11 Wireless Networks provides criteria for conducting site surveys, which describes the need for network administrators to ensure client devices are properly configured and comply with implemented Wireless Local Area Network (WLAN) policies.

    Recommendation: Because of the governmentwide challenges of wireless network security, the Director of OMB should instruct the federal agencies to ensure that wireless network security is incorporated into their agencywide information security programs, in accordance with FISMA. In particular, agencywide security programs should include comprehensive monitoring programs, including the use of tools such as site surveys and intrusion detection systems to ensure compliance with configuration requirements.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  7. Status: Closed - Implemented

    Comments: GAO has verified that as of December 2007, in response to our recommendation, OMB has instructed federal agencies to ensure network security is incorporated into their agencywide network security program through the use of National Institute of Standards and Technology (NIST) guidance. In particular, NIST Special Publications 800-48: Guide to Securing Legacy IEEE 802.11 Wireless Networks and 800-97: Establishing Wireless Robust Security Networks provide criteria for conducting site surveys, which describe physical access controls and proper locations for access points.

    Recommendation: Because of the governmentwide challenges of wireless network security, the Director of OMB should instruct the federal agencies to ensure that wireless network security is incorporated into their agencywide information security programs, in accordance with FISMA. In particular, agencywide security programs should include comprehensive monitoring programs, including the use of tools such as site surveys and intrusion detection systems to ensure only authorized access and use of wireless networks.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  8. Status: Closed - Implemented

    Comments: GAO has verified that as of December 2007, in response to our recommendation, OMB has instructed federal agencies to ensure network security is incorporated into their agencywide network security program through the use of National Institute of Standards and Technology (NIST) guidance. In particular, NIST Special Publication 800-97: Establishing Wireless Robust Security Networks, provides criteria for conducting site surveys, which describes the need for wireless intrusion detection systems to detect suspicious or unauthorized wireless-enabled devices and activity.

    Recommendation: Because of the governmentwide challenges of wireless network security, the Director of OMB should instruct the federal agencies to ensure that wireless network security is incorporated into their agencywide information security programs, in accordance with FISMA. In particular, agencywide security programs should include comprehensive monitoring programs, including the use of tools such as site surveys and intrusion detection systems to identify unauthorized wireless-enabled devices and activities in the agency's facilities.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  9. Status: Closed - Implemented

    Comments: GAO has verified that as of December 2007, in response to GAO's recommendation, OMB has instructed federal agencies to ensure network security is incorporated into their agencywide network security program through the use of National Institute of Standards and Technology (NIST) guidance. In particular, NIST Special Publications 800-53: Information Security and 800-97: Establishing Wireless Robust Security Networks provide guidance on wireless security training for employees and contractors, which describes security awareness and training policy and procedures to mitigate risks.

    Recommendation: Because of the governmentwide challenges of wireless network security, the Director of OMB should instruct the federal agencies to ensure that wireless network security is incorporated into their agencywide information security programs, in accordance with FISMA. In particular, agencywide security programs should include wireless security training for employees and contractors.

    Agency Affected: Executive Office of the President: Office of Management and Budget

 
