[ISN] Homeland Security Rapped On Wireless Security

From: InfoSec News (isn@private)
Date: Fri Jul 02 2004 - 05:35:57 PDT

  • Next message: InfoSec News: "[ISN] Usenix: Experts debate security through diversity"

    http://www.informationweek.com/story/showArticle.jhtml;jsessionid=QPAWJ2SISJPDGQSNDBCSKHY?articleID=22103346
    
    By Eric Chabrow 
    July 1, 2004 
    
    The Department of Homeland Security's Office of Inspector General
    contends the department has failed to establish adequate security
    controls over its wireless network.
    
    In a report made public Wednesday, the inspector general said wireless
    policy is incomplete, procedures don't establish a sound baseline for
    wireless security implementation, and the National Wireless Management
    Office isn't exercising its full responsibilities in addressing
    Homeland Security's wireless technologies. In addition, the report
    said, the department hasn't established adequate security measures to
    protect its wireless networks and devices.
    
    "Although the DHS security policy requires certification and
    accreditation for its systems to operate, none of the wireless systems
    reviewed had been certified or accredited," the 42-page report says.  
    "As a result of these wireless network exposures, DHS cannot ensure
    that the sensitive information processed by its wireless systems are
    effectively protected from unauthorized accesses and potential
    misuse."
    
    Except for the contention that the National Wireless Management Office
    isn't exercising its full responsibilities, department CIO Steve
    Cooper generally concurred with the inspector general's assessment.  
    Cooper asserts that the Wireless Management Office has made
    significant progress and is improving its outreach throughout the
    department so all offices become aware of its existence and
    responsibilities. In addition, Cooper said in a written response, the
    Wireless Management Office works closely with the department's chief
    information security officer to ensure that wireless security policy
    is properly formulated and disseminated, and that it's sufficient to
    ensure the department's wireless communications. Despite Cooper's
    response, the inspector general stands by his conclusion that
    oversight by the office of wireless functionality needs to be
    improved.
    
    The report cited a number of problems. For instance, the inspector
    general said his office performed random 802.11b detection scans at 10
    department facilities to identify rogue wireless devices, verify
    signal coverage for access points, and review configuration settings
    to evaluate security controls. Of four department offices that use
    802.11x technology, none monitored wireless activity. They also failed
    to set a schedule to review access-point logs to identify unauthorized
    login attempts or to determine whether rogue devices had been
    introduced into the network. In addition, the inspector general found
    several 802.11x security vulnerabilities.
    
    The inspector general offered five recommendations it says would help
    the department remedy the identified deficiencies. Specifically, the
    Homeland Security Department's CIO should:
    
    * Define the conditions and limitations for using wireless
      technologies in the department's security policy
    
    * Update the departmental IT Security Program Handbook for Sensitive
      Systems to include implementation procedures required by National
      Institute of Standards and Technology for the use of wireless
      technologies
    
    * Require the National Wireless Management Office to provide the
      necessary oversight and guidance to align components' wireless
      programs with DHS's wireless goals--something Cooper contends it's
      already doing
    
    * Implement a standardized configuration for wireless technologies on
      department networks
    
    * Complete certification and accreditation for each departmental
      system
    
    
    
    _________________________________________
    Help InfoSec News with a donation: http://www.c4i.org/donation.html
    



    This archive was generated by hypermail 2b30 : Fri Jul 02 2004 - 07:05:29 PDT