Dec 07 2010

Securing Wireless Networks: GAO Offers 8 Pointers

As more users go mobile, GAO recommends agencies do more to protect federal data and users — particularly at the endpoint.

As the Government Accountability Office notes in a new report, the best practices for securing wireless “are consistent with the key information security controls required for an effective information security program” generally.

For the report, GAO refines these items — comprehensive policies, configuration controls, training and other practices — by homing in on the aspects specific to wireless.

Because wireless technologies use radio waves instead of direct physical connections, they can be more vulnerable to cyberthreats, GAO points out. “Without proper security precautions, these data can be more easily intercepted and altered than if being transmitted through physical connections.”

This is a critical area because wireless use is growing. Of the 24 major agencies that GAO reviewed over the past 10 months, 18 reported use of wireless LANs to some degree; all use smartphones. Although agencies have undertaken efforts to improve wireless security, GAO auditors found that gaps exist. For instance, in the five agencies where GAO performed detailed testing, the agencies in the main had securely configured their wireless access points, but had numerous weaknesses in notebook and smartphone configurations.

As for encryption, GAO found that 20 agencies required it, and eight of these agencies mandated virtual private network use; four agencies did not require encryption for remote access. Auditors also noted that many agencies had insufficient practices for monitoring and conducting security assessments of wireless networks.

For these reasons, GAO called for the National Institute of Standards and Technology to develop guidelines more targeted at wireless. In its response, the Commerce Department agreed that NIST should do so.

Here is GAO’s cheat sheet of leading practices for securing wireless networks and technologies:

Practice Category: Practice Description

Develop comprehensive security policies that govern the implementation and use of wireless networks and mobile devices that include the following safeguards:

  • implement secure encryption with enterprise authentication;
  • establish usage restrictions and implementation guidance for wireless access;
  • enforce access controls for connection of mobile devices.

Risk-Based Approach: Employ a risk-based approach for wireless deployments.

Centralized Management: Employ a centralized wireless management structure that is integrated with the existing wired network.

Configuration Requirements: Establish configuration requirements for wireless networks and devices in accordance with the developed security policies and requirements.

Training: Incorporate a wireless and mobile device security component in training.

Remote Access: Use a VPN to facilitate the secure transfer of sensitive data during remote access.

Monitoring: Deploy continuous monitoring procedures for detecting rogue access points and clients using a risk-based approach.

Security Assessments: Perform regular security assessments to ensure wireless networks are operating securely.
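The monitoring practice above calls for detecting rogue access points and clients, and the policy practice calls for enterprise authentication. As an added illustration that is not from the GAO report or this article, here is a small rogue-AP check that compares wireless scan observations against an authorized inventory, flagging unknown SSIDs, authorized SSIDs broadcast from unknown radios (evil twins), and authorized radios that have drifted from the required security setting. The inventory, SSIDs, BSSIDs and sensor names are constructed sample values.

```python
from dataclasses import dataclass
# Constructed authorized-AP inventory: SSID -> permitted radios and required security.
AUTHORIZED_APS = {
    "AGENCY-WLAN": {"bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
                    "security": "WPA2-Enterprise"},
    "AGENCY-GUEST": {"bssids": {"00:11:22:33:44:03"}, "security": "WPA2-Enterprise"},
}

@dataclass(frozen=True)
class Observation:
    ssid: str
    bssid: str      # radio MAC as reported by the scanning sensor
    security: str   # e.g. "WPA2-Enterprise", "WPA2-PSK", "OPEN"
    sensor: str     # constructed name of the sensor that saw the beacon

def classify(obs):
    """Return a finding label for one observed AP, or None if it is authorized."""
    entry = AUTHORIZED_APS.get(obs.ssid)
    if entry is None:
        return "unauthorized-ssid"          # no inventory owner for this SSID
    if obs.bssid.lower() not in {b.lower() for b in entry["bssids"]}:
        return "evil-twin"                  # authorized SSID from an unknown radio
    if obs.security != entry["security"]:
        return "misconfigured"              # known radio, policy security not applied
    return None

def find_rogues(observations):
    """Aggregate scan observations into findings keyed by (ssid, bssid)."""
    findings = {}
    for obs in observations:
        verdict = classify(obs)
        if verdict is None:
            continue
        key = (obs.ssid, obs.bssid.lower())
        finding = findings.setdefault(key, {"verdict": verdict, "sensors": set()})
        finding["sensors"].add(obs.sensor)  # multiple sensors help locate the radio
    return findings
# Constructed scan results from several monitoring sensors.
SAMPLE_SCAN = [
    Observation("AGENCY-WLAN", "00:11:22:33:44:01", "WPA2-Enterprise", "floor1"),
    Observation("AGENCY-WLAN", "AA:BB:CC:DD:EE:FF", "WPA2-Enterprise", "floor2"),
    Observation("AGENCY-WLAN", "aa:bb:cc:dd:ee:ff", "WPA2-Enterprise", "floor3"),
    Observation("AGENCY-WLAN", "00:11:22:33:44:02", "WPA2-PSK", "floor1"),
    Observation("linksys", "DE:AD:BE:EF:00:01", "OPEN", "floor2"),
]

if __name__ == "__main__":
    for (ssid, bssid), f in sorted(find_rogues(SAMPLE_SCAN).items()):
        print(f"{f['verdict']:<18} {ssid:<14} {bssid}  seen by {sorted(f['sensors'])}")
```

In a real deployment the inventory would come from the centralized wireless management system the report recommends, and the observations from wireless IDS sensors or the APs' own scan reports.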

For more information about these practices, read the full report: Information Security: Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risk.