GAO discovers abundance of wireless security holes

Security holes and unauthorized activity are common on federal agency wireless IT networks, the Government Accountability Office said in a report released today.

The GAO said it found security leaks at wireless networks set up by six federal agency headquarters in Washington, D.C. For security reasons, the GAO does not name the agencies.

"Specifically, we were able to detect wireless networks at each of the agencies from outside of their facilities. Wireless-enabled devices were operating with insecure configurations at all six of the agencies," including 90 laptop computers with improper configurations at one agency, the GAO said.

And the GAO apparently discovered hackers. "Finally, there was unauthorized wireless activity at all of the agencies that had not been detected by their monitoring programs," the report said.

In some cases, the unauthorized activity may be the result of outside links to wireless access points within the agency's traditional wired network environment without the knowledge of the agency's CIO.

"Agency information security officials might be unaware that wireless networks are being used and would therefore be unable to take the appropriate mitigating actions," the GAO said.

Furthermore, federal IT executives may be buying wireless-enabled IT devices without realizing it. "An agency may inadvertently procure wireless network components that could pose risks to its enterprise," the GAO said.

Wireless networks have become popular at federal agencies because of their flexibility and ease of installation. But many agencies are not deploying effective security controls, creating the potential for data loss, modification or disclosure, the GAO said.

Despite the need for controls, nine out of 24 federal agencies contacted by the GAO reported they have not issued policies on wireless networks, and 13 agencies reported they have not established requirements for configuring or setting up wireless networks in a secure manner.

"Further, the majority of federal agencies lack wireless network monitoring to ensure compliance with agency policies, prevent signal leakage and detect unauthorized wireless devices," the GAO said.

In addition, 18 federal agencies do not provide training programs on wireless security for their employees or for contractors.

The GAO said it is recommending that the director of the Office of Management and Budget instruct agencies to include wireless networks in their information security programs.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.
