As the Government Accountability Office notes in a new report, the best practices for securing wireless networks “are consistent with the key information security controls required for an effective information security program” generally.
For the report, GAO refines these items — comprehensive policies, configuration controls, training and other practices — by homing in on the aspects specific to wireless.
Because wireless technologies use radio waves instead of direct physical connections, they can be more vulnerable to cyberthreats, GAO points out. “Without proper security precautions, these data can be more easily intercepted and altered than if being transmitted through physical connections.”
This is a critical area because wireless use is growing. Of the 24 major agencies that GAO reviewed over the past 10 months, 18 reported using wireless LANs to some degree, and all 24 use smartphones. Although agencies have taken steps to improve wireless security, GAO auditors found that gaps remain. For instance, in the five agencies where GAO performed detailed testing, the agencies had for the most part securely configured their wireless access points, but had numerous weaknesses in notebook and smartphone configurations.
As for encryption, GAO found that 20 agencies required it, and eight of these agencies mandated virtual private network use; four agencies did not require encryption for remote access. Auditors also noted that many agencies had insufficient practices for monitoring and conducting security assessments of wireless networks.
For these reasons, GAO called for the National Institute of Standards and Technology to develop guidelines more targeted at wireless. In its response, the Commerce Department agreed that NIST should do so.
Here is GAO’s cheat sheet of leading practices for securing wireless networks and technologies:
Develop comprehensive security policies that govern the implementation and use of wireless networks and mobile devices, and that include the following safeguards:

| Practice Category | Practice Description |
|---|---|
| Risk-Based Approach | Employ a risk-based approach for wireless deployments. |
| Centralized Management | Employ a centralized wireless management structure that is integrated with the existing wired network. |
| Configuration Requirements | Establish configuration requirements for wireless networks and devices in accordance with the developed security policies and requirements. |
| Training | Incorporate a wireless and mobile device security component in training. |
| Remote Access | Use a VPN to facilitate the secure transfer of sensitive data during remote access. |
| Monitoring | Deploy continuous monitoring procedures for detecting rogue access points and clients using a risk-based approach. |
| Security Assessments | Perform regular security assessments to ensure wireless networks are operating securely. |
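To make the Monitoring and Configuration Requirements rows concrete, here is an added example (not from the GAO report or this article) of the core logic a rogue-detection pass runs: every beacon a sensor hears and every client association is checked against an authorized inventory, so that an agency SSID broadcast from an unknown radio (an evil twin), an authorized access point that drifted from the required security mode, an unknown strong-signal network on the premises, and clients on the wrong side of that inventory all surface as findings. The inventory, the client list, the -70 dBm proximity threshold and the scan data are all constructed for the example.

```python
from dataclasses import dataclass

# Hypothetical authorized inventory (constructed for this example): each SSID the
# agency operates maps to the BSSIDs (AP radio MACs) allowed to broadcast it and
# the security mode the agency's configuration standard requires for it.
AUTHORIZED_APS = {
    "AGENCY-WLAN":  {"bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
                     "security": "WPA2-Enterprise"},
    "AGENCY-GUEST": {"bssids": {"00:11:22:33:44:10"},
                     "security": "WPA2-PSK"},
}

# Hypothetical client asset inventory (constructed): MACs of managed notebooks and phones.
AUTHORIZED_CLIENTS = {"f0:de:f1:00:00:01", "f0:de:f1:00:00:02"}


@dataclass(frozen=True)
class ApObservation:
    ssid: str
    bssid: str
    security: str   # "OPEN", "WEP", "WPA2-PSK", "WPA2-Enterprise", ...
    rssi: int       # signal strength at the sensor, in dBm


@dataclass(frozen=True)
class Association:
    client_mac: str
    bssid: str      # the AP the client is associated with


def classify_ap(obs, authorized=AUTHORIZED_APS, near_dbm=-70):
    """Classify one beacon/probe-response observation against the inventory.

    Returns (verdict, reason). near_dbm is a tunable heuristic: an unknown SSID
    heard this strongly is probably inside the building rather than next door.
    """
    bssid = obs.bssid.lower()                  # MACs are case-insensitive; normalize
    entry = authorized.get(obs.ssid)           # SSIDs are case-sensitive; no folding
    if entry is None:
        if obs.rssi >= near_dbm:
            return "suspect", "unknown SSID with strong signal; possible rogue AP on premises"
        return "neighbor", "unknown SSID with weak signal; likely a nearby third-party network"
    if bssid not in {b.lower() for b in entry["bssids"]}:
        return "rogue", f"evil twin: agency SSID broadcast from unauthorized BSSID {bssid}"
    if obs.security != entry["security"]:
        return "misconfigured", (f"authorized AP advertises {obs.security}; "
                                 f"configuration standard requires {entry['security']}")
    return "authorized", "BSSID and security mode match inventory"


def classify_client(assoc, authorized_clients=AUTHORIZED_CLIENTS, authorized=AUTHORIZED_APS):
    """Flag clients that are not managed assets, or that sit on an AP the agency does not own."""
    known_bssids = {b.lower() for e in authorized.values() for b in e["bssids"]}
    mac, bssid = assoc.client_mac.lower(), assoc.bssid.lower()
    if bssid not in known_bssids:
        return "rogue-client", f"client {mac} associated with non-inventory AP {bssid}"
    if mac not in authorized_clients:
        return "unmanaged-client", f"unknown device {mac} on agency AP {bssid}"
    return "authorized-client", "managed device on agency AP"


def scan_report(ap_obs, assocs):
    """Run both checks; returns a list of (kind, identifier, verdict, reason) tuples."""
    rows = [("ap", f"{o.ssid}/{o.bssid}", *classify_ap(o)) for o in ap_obs]
    rows += [("client", a.client_mac, *classify_client(a)) for a in assocs]
    return rows


def alerts(report):
    """Only the findings that need a human or a wired-side follow-up."""
    benign = {"authorized", "neighbor", "authorized-client"}
    return [r for r in report if r[2] not in benign]


# Constructed sample scan: what one sensor might hear during a single sweep.
SAMPLE_APS = [
    ApObservation("AGENCY-WLAN",   "00:11:22:33:44:01", "WPA2-Enterprise", -45),  # authorized
    ApObservation("AGENCY-WLAN",   "de:ad:be:ef:00:01", "WPA2-Enterprise", -50),  # evil twin
    ApObservation("AGENCY-GUEST",  "00:11:22:33:44:10", "OPEN",            -60),  # drifted config
    ApObservation("Free-Coffee",   "aa:bb:cc:dd:ee:ff", "OPEN",            -85),  # neighbor
    ApObservation("Printer-Setup", "aa:bb:cc:dd:ee:01", "OPEN",            -40),  # suspect
]
SAMPLE_ASSOCS = [
    Association("f0:de:f1:00:00:01", "00:11:22:33:44:01"),   # managed notebook on agency AP
    Association("f0:de:f1:00:00:02", "de:ad:be:ef:00:01"),   # managed notebook lured to evil twin
    Association("c0:ff:ee:00:00:09", "00:11:22:33:44:10"),   # unknown device on guest AP
]

if __name__ == "__main__":
    for row in alerts(scan_report(SAMPLE_APS, SAMPLE_ASSOCS)):
        print(row)
```

Two caveats a practitioner would add before relying on this. First, the inventory match is only as good as the inventory: an attacker can clone an authorized BSSID as easily as an SSID, so a real wireless IDS also correlates with the wired side (which switch port, if any, the suspect radio's MAC appears behind) to tell an AP plugged into the agency LAN from a neighbor's network. Second, the RSSI threshold is a heuristic that needs tuning per site and per sensor placement; the risk-based approach the GAO table calls for is exactly the decision of which of these verdicts warrant an on-site sweep.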
For more information about these practices, read the full report: Information Security: Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risk.