Among the wireless weaknesses laid out in the report, the GAO found many agencies suffer from insecure wireless device configurations, a lack of risk-based management of wireless infrastructure, and decentralized wireless management structures. The latter, in particular, poses problems with respect to monitoring, the GAO warned.
"A decentralized wireless management structure can result in disparate, ad hoc networks that are independently managed, which can impede effective implementation and monitoring of security controls and inhibit sufficient oversight of the wireless network," the report said.
The GAO also expressed concern about the lack of monitoring and scanning tools in use at some organizations, and ineffective use of these tools at others. The GAO reported that only 18 agencies mandated some type of monitoring for unauthorized access points in their policies -- and of those some required only yearly scans, with two agencies using outdated scanning tools that could miss wireless activity.
"Six agencies lacked any requirements for wireless monitoring," the report said. "This lack of requirements, combined with the ease of setting up wireless networks, creates a situation in which wireless networks can be operating in these agencies without authorization or the required security configurations."
The GAO made recommendations for federal agencies that might also apply to many enterprises. According to Arthur Hedge, owner of security consulting firm Castle Ventures, many businesses today suffer from the same weaknesses that the GAO pinpointed at federal agencies.
"It can be easy to hijack wireless access connections and conduct man in the middle attacks," Hedge says of poorly monitored wireless networks. "This is especially a problem in remote sites, such as retail stores -- see TJ Maxx as an example of a problem here. In addition, within a corporate environment people sometimes deploy unapproved [wireless access points], and this can enable outsiders to access a corporate network without having to 'plug-in' to the LAN."
Implementation of continuous monitoring and frequent assessments for vulnerabilities are two of the key recommendations, according to the GAO report.
"Regular monitoring and security assessments are key practices for ensuring the security of wireless networks and devices," the report said. "Even at agencies that have no wireless networks deployed, wireless-enabled devices that are deployed on the network, such as laptop computers, can provide a potential means for an attacker to gain unauthorized access to the network, putting critical agency systems and information at risk of unauthorized modification, misuse, disclosure, or destruction.
"Until regular monitoring and assessment policies and practices are implemented, these networks are at increased vulnerability to attack."
Hedge concurs, particularly in the case of vulnerability analysis.
"A regular practice of vulnerability analysis should include testing for WAP configuration and to identify potential rogue access points," he said. "This is not sufficient to remove the threat, but it is something that should be conducted."
Hedge believes that in many cases, organizations can leverage existing monitoring tools to increase wireless network vulnerability.
"A practice of using network access control [NAC] solutions -- which test to make sure that only approved devices can connect to the network -- can reduce the risk of someone hijacking a WAP or inserting a rogue access point to provide surreptitious access to a network," Hedge says.
No matter what tool is used to keep track of wireless activity, it will be rendered ineffective if not used properly. In one case, the GAO said, an agency tried to save money by installing a centrally monitored and managed wireless intrusion detection system at only one of its locations, rather than all of them.
"At the location we visited that did not have the system deployed, there was no alternate approach to wireless monitoring, posing the risk of undetected wireless access points, intrusions, and loss of sensitive, proprietary data," the report said.
And at several agencies that had a wireless intrusion detection system in place, the system was rendered ineffective due to poor rule-setting practices.
"Specifically, the systems at each location had not been tailored to ignore known false-positives. As a result, the systems generated large numbers of alerts for rogue access points, most of which were false," the report said. "Local network administrators therefore had no way to determine which alerts were actual security events, hindering their ability to take advantage of the security aspects of the system."
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.