U.S. federal agencies need to improve controls over their wireless networks, according to a report released Tuesday by the U.S. Government Accountability Office.
The GAO said it found security leaks on wireless networks set up by six federal agencies whose headquarters are in Washington. The agency did not name the agencies for security reasons.
“Despite the risks associated with wireless networks, federal agencies have not fully implemented key controls for securing these networks,” according to the report.
Nine federal agencies reportedly have not issued policies on wireless networks, and 13 agencies reported that they have not yet established requirements for configuring or setting up wireless networks in a secure manner, the GAO said.
In addition, the GAO said the majority of federal agencies lack wireless network monitoring to ensure compliance with their own security policies, prevent signal leaks and detect unauthorized wireless devices. Finally, 18 agencies didn’t provide training programs in wireless security for their employees and contractors, the report said.
The GAO had been asked by Congress to study the security of wireless networks in federal facilities. Between September 2004 and this past March, the agency analyzed wireless security controls reported by 24 federal agencies and assessed the actual security of wireless networks at six of the agencies.
“Specifically, we were able to detect wireless networks at each of the [six] agencies from outside of their facilities,” according to the report. “Wireless-enabled devices were operating with insecure configurations at all six.”
At one agency, the GAO found that more than 90 laptops were not configured properly. It also discovered unauthorized wireless activity at all of the agencies that had not been detected by in-house monitoring programs.
“Without implementing key controls, agencies cannot adequately secure federal wireless networks and, as a result, their information may be at increased risk for unauthorized disclosure, modification or destruction,” according to the report.
The GAO recommended that the director of the Office of Management and Budget instruct the agencies to ensure that wireless network security is included in their information security programs.