
Saturday, 05/21/2005 5:14:13 PM

O.T. Feds Faulted For Weak Wireless Security

Sorry if posted.

http://www.securitypipeline.com/showArticle.jhtml?articleId=163105182

Feds Faulted For Weak Wireless Security



By Eric Chabrow Courtesy of InformationWeek

Congressional auditors contend the federal government isn't doing enough to secure its wireless networks.
In a 31-page report issued Tuesday, the Government Accountability Office said federal agencies have yet to fully apply key controls such as policies, practices, and tools to let them operate wireless networks securely. GAO tests of the security of wireless networks at six federal agencies revealed unauthorized wireless activity and "signal leakage," wireless signals broadcasting beyond the perimeter of the building and thereby increasing the networks' susceptibility to attack.

A diagram in the report shows signal leakage emanating from wireless-access points in three federal buildings onto surrounding streets and into nearby privately owned buildings in Washington, presenting security exposures. "Without implementing key controls, agencies cannot adequately secure federal wireless networks and, as a result, their information may be at increased risk of unauthorized disclosure, modification, or destruction," said the report, co-written by GAO information security issues director Gregory Wilshusen and chief technologist Keith Rhodes.

The report detailed four examples of wireless network security threats:

• Eavesdropping: The attacker monitors transmissions for message content. For example, a person listens to the transmissions on a network between two workstations or tunes in to transmissions between a wireless handset and a base station.

• Traffic analysis: The attacker, in a more subtle way, gains intelligence by monitoring transmissions for patterns of communication. A considerable amount of information is contained in the flow of messages among communicating parties.

• Masquerading: The attacker impersonates an authorized user and exploits the user's privileges to gain unauthorized access in order to modify data.

• Replay: The attacker places himself between communicating parties, intercepting their communications, and retransmitting them; this is commonly referred to as "Man-in-the-Middle."

GAO pointed out the wide range of benefits wireless networks offer federal agencies, including increased flexibility and ease of network installation. Still, the report said, wireless networks also present significant security challenges, including protecting against attacks to the networks, establishing physical control over wireless-enabled devices, and preventing unauthorized deployments of wireless networks. "To secure wireless devices and networks and protect federal information and information systems, it is crucial for agencies to implement controls--such as developing wireless security policies, configuring their security tools to meet policy requirements, monitoring their wireless networks, and training their staffs in wireless security," the report says.

GAO recommends that the director of the White House Office of Management and Budget instruct the agencies to ensure that wireless network security is incorporated into their agencywide information-security programs in accordance with the Federal Information Security Management Act.

Congressional auditors briefed representatives of OMB's Office of Information and Regulatory Affairs and the Office of General Counsel on its findings. OMB told GAO it generally agreed with the contents of the report, and that the Commerce Department's National Institute for Standards and Technology is updating wireless guidance for federal agencies, which is slated to be issued for comments in August.

OMB stressed that it's the individual agencies and departments, not the White House, that have the primary responsibility for complying with FISMA's information-security-management program requirements. As part of its annual review of agency information-security programs, OMB told GAO it would consider whether agencies' programs adequately addressed emerging-technology issues such as wireless security before approving them.

In 2002, the National Institute for Standards and Technology issued guidelines for securing wireless networks. Those recommendations include identifying who may use wireless LAN technology in an agency; describing the type of information that may be sent over wireless links; describing who can install access points and other wireless equipment; describing conditions under which wireless devices are allowed; describing limitations on how the wireless device may be used, such as location; and providing guidelines on reporting losses of wireless devices and security incidents.

It also urged agencies to describe the hardware and software configuration of all wireless devices; provide guidelines for the protection of wireless clients to minimize and reduce theft; and identify whether Internet access is required. It also suggested that agencies define standard security settings for access points; provide limitations on the location of and physical security for access points; define the frequency and scope of security assessments, including access point discovery; and provide guidelines for the use of encryption and key management.

dude_danny

