GAO: Vulnerabilities remain in agency wireless networks

By Jason Miller
Executive Editor
Federal News Radio

Agencies are doing a better job securing wireless networks, but vulnerabilities remain because of inconsistent policies, decentralized network management and numerous weaknesses in the configurations of laptops and smartphones.

The Government Accountability Office issued a report on Tuesday that detailed six governmentwide steps and more than 120 agency-specific suggestions to improve the security of wireless networks.

This is the first report on federal wireless networks since 2005. Congress required GAO to take a look at the security of these devices and networks in the conference report accompanying the Financial Services and General Government Appropriations Act of 2010.

Five years ago, auditors found a host of problems with agency wireless networks, including:

  • Not fully implementing key controls for securing these networks and not issuing wireless policies.
  • Not establishing requirements for configuring or setting up wireless networks in a secure manner.
  • Lacking wireless network monitoring to ensure compliance with agency policies, to prevent signal leakage and to detect unauthorized wireless devices.

This time GAO found that many of these problems have been fixed or at least improved upon.

“Most agencies developed policies that reflected NIST guidelines and leading practices, but gaps existed in these policies, particularly with respect to dual-connected laptops and use of mobile devices on international travel,” according to the GAO report. “Many agencies used a decentralized structure for management of wireless, limiting the potential standardization that centralized management can provide, and guidance on centralization is limited.”

GAO also found most agencies still lacked training specific to wireless security. Auditors said 20 of the 24 agencies they examined required encryption, including eight that specified a virtual private network for remote access. However, GAO found four did not require encryption at all.

“Many agencies had insufficient practices for monitoring or conducting security assessments,” the report stated. “Furthermore, federal guidance in this area lacks specificity. Existing governmentwide guidance and oversight efforts do not fully address agency implementation of the leading practices. Until agencies fully address these practices, they will not have sufficient assurance that the risks to sensitive wireless systems, and sensitive data transmitted across or processed by those systems, are adequately safeguarded from inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction.”

GAO also found laptops and smartphones were vulnerable.

“Many agencies also did not enforce secure configurations on their BlackBerry smartphones,” according to the report. “The Defense Information Systems Agency has developed a configuration checklist to help its administrators securely configure its BlackBerry Enterprise Servers, which are servers that allow agencies to centrally control security policy for BlackBerry smartphones. However, 18 of the 24 agencies had server configurations that were less secure than the DISA guidelines.”

Auditors found 14 agencies allowed BlackBerry passwords shorter than DISA’s recommended minimum of eight characters. Ten agencies did not configure a setting that prevents applications from opening internal and external connections simultaneously, exposing the device to malware.

Among the recommendations GAO makes is for the National Institute of Standards and Technology to develop and issue guidelines in the following four areas:

  • Technical steps agencies can take to mitigate the risk of dual-connected laptops.
  • Governmentwide secure configurations for wireless functionality on laptops and for smartphones such as BlackBerries.
  • Appropriate ways agencies can centralize their management of wireless technologies based on business need.
  • Criteria for selection of tools and recommendations on appropriate frequencies of wireless security assessments and recommendations for when continuous monitoring of wireless networks may be appropriate.

(Copyright 2010 by All Rights Reserved.)