GAO: Agencies Inconsistent on Ways They Secure Wireless Assets
The government's efforts to safeguard federal wireless networks and technologies have not fully secured them, the Government Accountability Office said in a report issued Tuesday entitled Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risk. "Until agencies take steps to better implement these leading practices, and OMB takes steps to improve governmentwide oversight, wireless networks will remain at an increased vulnerability to attack," GAO Director of Information Security Issues Gregory Wilshusen and Chief Technologist Nabajyoti Barkakati wrote in the 50-page report.
To help agencies secure their wireless networks and technologies, GAO came up with eight leading practices:
- Develop comprehensive security policies that govern the implementation and use of wireless networks and mobile devices, implement secure encryption with enterprise authentication, establish usage restrictions and implementation guidance for wireless access and enforce access controls for connection of mobile devices.
- Employ a risk-based approach for wireless deployment.
- Use a centralized wireless management structure that is integrated with the existing wired network.
- Establish configuration requirements for wireless networks and devices in accordance with the developed security policies and requirements.
- Incorporate a wireless and mobile device security component in security awareness training.
- Use a virtual private network to facilitate the secure transfer of sensitive data during remote access.
- Deploy continuous monitoring procedures for detecting rogue access points and clients using a risk-based approach.
- Perform regular security assessments to help ensure wireless networks are operating securely.
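As an added example (not from the GAO report or this article), the following Python sketch shows the kind of check that sits behind the rogue-access-point monitoring practice listed above: an inventory of authorized BSSIDs is compared against a wireless scan, and each finding is ranked by risk, with received signal strength used as a rough proxy for whether an unknown device is inside the building. The inventory, the scan records, the field names and the -65 dBm threshold are all constructed assumptions, not any vendor's format or any agency's data.

```python
"""Rogue access point detection over a constructed wireless scan.

Added example; not code from the GAO report. The inventory, scan data,
field names and thresholds below are constructed assumptions.
"""
from dataclasses import dataclass

# Authorized AP inventory: BSSID -> (SSID, required security). Constructed.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("AGENCY-WLAN", "WPA2-Enterprise"),
    "00:11:22:33:44:02": ("AGENCY-WLAN", "WPA2-Enterprise"),
    "00:11:22:33:44:03": ("AGENCY-GUEST", "WPA2-Personal"),
    "00:11:22:33:44:04": ("AGENCY-WLAN", "WPA2-Enterprise"),
}
# SSIDs an attacker would spoof to lure agency clients (evil twin).
CORPORATE_SSIDS = {ssid for ssid, _ in AUTHORIZED_APS.values()}


@dataclass(frozen=True)
class ScanRecord:
    bssid: str
    ssid: str
    security: str   # "Open", "WEP", "WPA2-Personal" or "WPA2-Enterprise"
    rssi_dbm: int   # signal strength as seen by the monitoring sensor
    channel: int


# Constructed scan results, as a wireless sensor might report them.
SAMPLE_SCAN = [
    ScanRecord("00:11:22:33:44:01", "AGENCY-WLAN", "WPA2-Enterprise", -48, 36),
    ScanRecord("00:11:22:33:44:02", "AGENCY-WLAN", "WPA2-Enterprise", -61, 44),
    ScanRecord("00:11:22:33:44:03", "AGENCY-GUEST", "WPA2-Personal", -55, 1),
    # Authorized AP whose configuration has drifted to an open network.
    ScanRecord("00:11:22:33:44:04", "AGENCY-WLAN", "Open", -52, 48),
    # Evil twin: corporate SSID from an unknown BSSID, open, strong signal.
    ScanRecord("de:ad:be:ef:00:01", "AGENCY-WLAN", "Open", -40, 6),
    # Unknown AP with a weak signal: probably a neighbour, low priority.
    ScanRecord("66:77:88:99:aa:bb", "CoffeeShop", "WPA2-Personal", -85, 11),
    # Unknown open AP with a strong signal: likely inside the building.
    ScanRecord("66:77:88:99:aa:cc", "linksys", "Open", -45, 6),
]


def classify(record, authorized=AUTHORIZED_APS,
             corporate_ssids=CORPORATE_SSIDS, near_dbm=-65):
    """Return (finding, severity) for one scan record, or None if benign.

    near_dbm is an assumed RSSI threshold above which an AP is treated as
    physically close to the sensor; tune it per site.
    """
    if record.bssid in authorized:
        expected_ssid, expected_sec = authorized[record.bssid]
        if record.ssid != expected_ssid or record.security != expected_sec:
            return ("misconfigured-authorized-ap", "high")
        return None
    if record.ssid in corporate_ssids:
        # Unknown hardware advertising our SSID: treat as an evil twin.
        return ("evil-twin", "critical")
    near = record.rssi_dbm >= near_dbm
    if near and record.security in ("Open", "WEP"):
        return ("rogue-ap-weak-security", "high")
    if near:
        return ("unknown-ap-nearby", "medium")
    return ("unknown-ap-distant", "low")


def detect_rogues(scan, **kw):
    """Return (bssid, finding, severity) for every non-benign record,
    ordered from most to least severe, then by BSSID."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = []
    for rec in scan:
        result = classify(rec, **kw)
        if result is not None:
            findings.append((rec.bssid, result[0], result[1]))
    findings.sort(key=lambda f: (order[f[2]], f[0]))
    return findings


if __name__ == "__main__":
    for bssid, finding, severity in detect_rogues(SAMPLE_SCAN):
        print(f"{severity:8} {bssid} {finding}")
```

In practice the inventory would be pulled from the wireless controller (the centralized management the report recommends), the scan from dedicated sensors or the access points' own monitor mode, and the thresholds set per site; the point of the severity ordering is that an open AP broadcasting the agency SSID at full strength is investigated before a distant neighbour's network.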
GAO said the agencies' approaches to securing wireless technologies were inconsistent for most of these leading practices. Specifically:
- Most agencies developed policies to support federal guidelines and leading practices, but gaps existed, particularly with respect to dual-connected laptops and mobile devices taken on international travel.
- All agencies required a risk-based approach for management of wireless technologies.
- Many agencies used a decentralized structure for management of wireless, limiting the standardization that centralized management can provide.
- The five agencies where GAO performed detailed testing had generally configured their wireless access points securely, but had numerous weaknesses in laptop and smartphone configurations.
- Most agencies were missing key elements related to wireless security in their security awareness training.
- Twenty agencies required encryption, and eight of these agencies specified that a virtual private network must be used; four agencies did not require encryption for remote access.
- Many agencies had insufficient practices for monitoring or conducting security assessments of their wireless networks.
Responding to the report, Commerce Secretary Gary Locke said he concurred with GAO's recommendation that the National Institute of Standards and Technology, a Commerce Department agency, be instructed to develop and issue guidance on:
- Technical steps agencies can take to mitigate the risk of dual connected laptops;
- Government-wide secure configuration for wireless functionality on laptops and for BlackBerry smartphones;
- Appropriate ways agencies can centralize their management of wireless technologies based on business needs; and
- Criteria for selection of tools and recommendations on appropriate frequencies of wireless security assessment and recommendations for when continuous monitoring of wireless networks may be appropriate.