Improving Controls Over Wireless Networks
IT Audit
They increase flexibility and ease network installation, but wireless networks also present significant security challenges — and federal agencies have a lot of room for improvement.
"Hotspots" in cafes, airports, hotels, and other businesses are growing in demand due in part to increasing bandwidth and decreasing laptop costs. Although such wireless networks provide many benefits, they also are vulnerable to attacks and pose significant security risks, particularly to federal agencies that hold a wealth of confidential information.
A new U.S. Government Accountability Office (GAO) report, Information Security: Federal Agencies Need to Improve Controls Over Wireless Networks, warns federal agencies to improve controls over their wireless networks. GAO, which was asked by Congress to study the security of wireless networks in federal facilities, worked from September 2004 to March 2005 to analyze wireless security procedures reported by 24 federal agencies with Washington, D.C., offices. GAO also tested the security of wireless networks at six of the agencies — finding security leaks at all six, in one case as far as several blocks away. GAO did not name the agencies for security reasons.
"Specifically, we were able to detect wireless networks at each of the agencies from outside of their facilities," according to the report. "Wireless-enabled devices were operating with insecure configurations at all six." Wireless signals can draw the attention of potential cyberattackers, and protecting against them is challenging, because information is broadcast over radio waves and can be accessed more easily by attackers than data in a conventional wired network. Lack of safeguards puts confidential information at "increased risk for unauthorized disclosure, modification, or destruction," the report said.
GAO concluded that the majority of federal agencies also lack wireless network monitoring to prevent security leaks, ensure compliance with their own security policies, and detect unauthorized wireless devices. Also, unauthorized wireless activity was not detected by in-house monitoring programs in any of the agencies. And government offices were not alone: during a 15-block drive in downtown Washington, GAO auditors detected more than 1,000 wireless networks with a commonly available wireless scanner.
The report also found:
- More than 90 laptops at one federal agency had not been configured properly. The computers were hardwired into the agency's network and connected to other wireless networks, allowing attackers to access internal hard-line networks.
- Eighteen of the agencies had no wireless security training programs for employees or contractors.
- Nine agencies had not issued wireless network policies, and 13 had not developed requirements on what kind of information employees and contractors may safely transmit wirelessly.
Agencies face three main challenges in maintaining the confidentiality, integrity, and availability of information transmitted wirelessly: protecting against attacks that exploit wireless transmissions; establishing physical control of wireless-enabled devices; and preventing unauthorized wireless deployments. Examples of wireless network security threats, as explained in the GAO report, are:
- Eavesdropping, where an attacker monitors transmissions for message content.
- Traffic analysis, where an attacker, in a more subtle way, gains intelligence by monitoring transmissions for communication patterns.
- Masquerading, which involves an attacker impersonating authorized users to exploit user privileges and gain unauthorized access to modify data.
- Replay, where attackers get in the middle of communicating parties, intercept their communications, and retransmit them.
- Message modification, where an attacker alters a legitimate message by deleting or modifying it.
- Jamming, where attackers flood a wireless network with excess radio signals to prevent authorized users from accessing it.
The GAO report outlines several tools and procedures for mitigating risks associated with wireless networks, such as:
- Developing comprehensive policies that govern the implementation and use of wireless networks. Policies should identify who is authorized to use or install the networks, the type of information allowed, and any limitations on how a wireless device is used. They also should describe the hardware and software configuration of wireless devices, provide guidelines for reporting device losses, and define standard security settings for access points, as well as the frequency and scope of security tests.
- Defining configuration requirements to guide the deployment of available security tools. Requirements can help agency employees identify and set up wireless security tools, such as encryption, authentication, virtual private networks, and firewalls.
- Establishing comprehensive monitoring programs to help ensure that wireless networks are operating securely. Programs usually focus on detecting signal leakage, determining compliance with configuration requirements, and identifying authorized and unauthorized wireless-enabled devices. Effective monitoring programs typically employ site surveys and wireless intrusion detection systems.
- Training employees and contractors effectively in an agency's wireless policies.
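The monitoring program described above can be reduced to a simple audit of scan results against an authorized-device inventory. The following is an added example, not code from the GAO report or from any agency; the inventory, scan observations, encryption baseline and signal threshold are all constructed for illustration.

```python
"""Audit wireless site-survey results against an authorized access point inventory.

Added example (not from the GAO report). It flags the three conditions the
report's monitoring programs look for: unauthorized (rogue) devices, authorized
devices violating the configuration baseline, and signal leakage outside the
facility perimeter.
"""
from dataclasses import dataclass

# Assumed configuration baseline; a real agency policy defines its own values.
REQUIRED_ENCRYPTION = {"WPA2"}
LEAKAGE_DBM = -80  # signal at or above this, seen outside the perimeter, is leakage


@dataclass(frozen=True)
class Observation:
    bssid: str        # access point hardware address as seen by the scanner
    ssid: str         # advertised network name
    encryption: str   # "OPEN", "WEP", "WPA2", ...
    signal_dbm: int   # received signal strength
    outside: bool     # True when the scan point was outside the facility


# Constructed inventory of authorized access points, keyed by BSSID.
AUTHORIZED = {
    "00:11:22:33:44:01": "agency-staff",
    "00:11:22:33:44:02": "agency-guest",
}

# Constructed scan observations (not real data).
SCAN = [
    Observation("00:11:22:33:44:01", "agency-staff", "WPA2", -55, False),
    Observation("00:11:22:33:44:02", "agency-guest", "WEP", -60, False),
    Observation("00:11:22:33:44:01", "agency-staff", "WPA2", -72, True),
    Observation("de:ad:be:ef:00:01", "linksys", "OPEN", -65, False),
]


def audit(scan, authorized, required=REQUIRED_ENCRYPTION, leak_dbm=LEAKAGE_DBM):
    """Return a sorted, de-duplicated list of (category, bssid) findings."""
    findings = set()
    for obs in scan:
        if obs.bssid not in authorized:
            findings.add(("unauthorized", obs.bssid))
            continue  # baseline and leakage checks apply only to inventory devices
        if obs.encryption not in required:
            findings.add(("misconfigured", obs.bssid))
        if obs.outside and obs.signal_dbm >= leak_dbm:
            findings.add(("leakage", obs.bssid))
    return sorted(findings)


if __name__ == "__main__":
    for category, bssid in audit(SCAN, AUTHORIZED):
        print(f"{category:13} {bssid}")
```

Each finding maps to one of the report's mitigation areas: an unauthorized BSSID is an unauthorized deployment, a baseline violation is a configuration-requirement failure, and an authorized device heard strongly outside the building is the signal leakage GAO detected at all six tested agencies.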
In the report, GAO recommends that the Office of Management and Budget (OMB) require all federal agencies to use the tools suggested above to improve their wireless network security. Also, agencies must integrate wireless security into their information security programs as required under the Federal Information Security Management Act. OMB officials said that the National Institute of Standards and Technology is updating its guidance for wireless technology and in August will send revisions for comment. The office also said it would consider including wireless security as a metric in performance reviews of agency information security programs.
Information Security: Federal Agencies Need to Improve Controls Over Wireless Networks can be downloaded from the GAO Web site, www.gao.gov/cgi-bin/getrpt?GAO-05-383.