Government agencies are not taking the proper procedures to ensure that wireless networks are secure, leaving their networks susceptible to attack. That is the alarming conclusion of a Government Accountability Office (GAO) study of security controls at 24 agencies and assessments of wireless security at six federal agencies in the nation’s capital.

Among the problems found at 13 of the 24 agencies whose security controls were studied was not having established requirements for configuring wireless networks securely. At the majority of agencies, investigators noted the absence of policies and training programs and a lack of tools that could be used to prevent signal leakage and detect unauthorized wireless devices.

The study is blunt about the security status of the six agencies whose wireless networks were tested: these networks were insecure. The investigators note: “Specifically, we were able to detect wireless networks at each of the agencies from outside of their facilities. Wireless-enabled devices were operating with insecure configurations at all six of the agencies…. Finally, there was unauthorized wireless activity at all of the agencies that had not been detected by their monitoring programs.”

The GAO report details ways to mitigate security risks. Policies for managing wireless network risks should address authorizing the use of these networks, identifying configuration requirements and guidelines for protecting computers that use wireless clients, and establishing security controls such as defining the frequency and scope of security assessments meant to discover illicit access points.

@     Information Security: Federal Agencies Need to Improve Controls over Wireless Networks