GAO discovers abundance of wireless security holes

Security holes and unauthorized activity are common on federal agency wireless IT networks, the Government Accountability Office said in a report released today.

The GAO said it found security leaks in wireless networks set up at six federal agency headquarters in Washington, D.C. For security reasons, the GAO does not name the agencies.

"Specifically, we were able to detect wireless networks at each of the agencies from outside of their facilities. Wireless-enabled devices were operating with insecure configurations at all six of the agencies," including 90 laptop computers with improper configurations at one agency, the GAO said.

And the GAO apparently discovered hackers. "Finally, there was unauthorized wireless activity at all of the agencies that had not been detected by their monitoring programs," the report said.

In some cases, the unauthorized activity may result from outside links to wireless access points that sit within the agency's traditional wired network environment without the knowledge of the agency's CIO.

"Agency information security officials might be unaware that wireless networks are being used and would therefore be unable to take the appropriate mitigating actions," the GAO said.

Furthermore, federal IT executives may be buying wireless-enabled IT devices without realizing it. "An agency may inadvertently procure wireless network components that could pose risks to its enterprise," the GAO said.

Wireless networks have become popular at federal agencies because of their flexibility and ease of installation. But many agencies are not deploying effective security controls, creating the potential for data loss, modification or disclosure, the GAO said.

Despite the need for controls, nine out of 24 federal agencies contacted by the GAO reported they have not issued policies on wireless networks, and 13 agencies reported they have not established requirements for configuring or setting up wireless networks in a secure manner.

"Further, the majority of federal agencies lack wireless network monitoring to ensure compliance with agency policies, prevent signal leakage and detect unauthorized wireless devices," the GAO said.

In addition, 18 federal agencies do not provide training programs on wireless security for their employees or for contractors.

The GAO said it is recommending that the director of the Office of Management and Budget instruct agencies to include wireless networks in their information security programs.