Feds: Wireless Works, But Remains Vulnerable

Wednesday, December 8, 2010 @ 05:12 PM gHale

Wireless networking continues its growth curve, there is no doubt. Government agencies now have the technology embedded throughout their enterprises. A new study by the Government Accountability Office said gaps remain in its security.
Agencies know the technologies and policies needed to secure their wireless connections, but they are not consistently applying and enforcing them, the GAO found.
The report recommends the Office of Management and Budget, which has primary oversight responsibility for civilian cyber security, include metrics for wireless security in the Federal Information Security Management Act reporting process.
Existing guidelines and oversight efforts do not fully address agency implementation of leading wireless security practices, the GAO report said. Until agencies take steps to better implement these leading practices and OMB takes steps to improve oversight, wireless networks will remain at an increased vulnerability to attack.
National Institute of Standards and Technology (NIST), which provides standards, specifications and guidance for complying with the Federal Information Security Management Act (FISMA), plans to develop additional guidelines for wireless security.
The study covered wireless technologies, including the Wi-Fi, IEEE 802.11 family of standards for wireless local-area networks (WLANs); Bluetooth, used for personal area networking; and cellular data connectivity. Emerging technologies, such as WiMax and Long Term Evolution fourth-generation technology, also need to be in the mix of security policies, GAO said.
Wireless networks are vulnerable to most of the same threats to which wired networks are subject, as well as to threats specifically targeting wireless connections. In some ways, wireless connections are easier to attack.
For WLANs, attackers only need to be in range of wireless transmissions and do not have to gain physical access to the network or remotely compromise systems on the network, according to the report. WLANs also have to protect against unauthorized wireless devices, such as access points.
Wi-Fi security has evolved since approval of the initial 802.11 standard in 1997. Wired Equivalent Privacy (WEP) came into the picture, and then replaced after experts found flaws. Eventually, Wi-Fi Protected Access became an adopted technology, and in 2004 WPA2 entered the picture with interoperability with the 802.11i security standard. In 2009, the 802.11w-2009 standard increased security with additional encryption features to help prevent denial-of-service attacks against WLANs.
GAO’s recommended best practices for agencies in securing wireless networks include:
• A risk-based approach for wireless deployment and monitoring.
• A centralized wireless management structure integrated with the management of the existing wired network.
• Configuration requirements for wireless networks and devices.
• Incorporation of wireless and mobile device security in training.
• Use of encryption, such as a virtual private network for remote access.
• Continuous monitoring for rogue access points and clients.
• Regular assessments to ensure wireless networks are secure.
NIST released publications with guidance and baseline requirements for IT configuration and security measures that focus on or include wireless devices. These include:
NIST SP 800-48, “Guide to Securing Legacy IEEE 802.11 Wireless Networks.”
NIST SP 800-53, “Recommended Security Controls for Federal Information Systems and Organizations.”
NIST SP 800-97, “Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i.”