US Department of the Interior OIG Audit Report Details Wireless Network Security Problems
According to an audit report from the Department of the Interior Office of Inspector General (DOIOIG), "the Department did not deploy and operate a secure wireless network infrastructure, as required by the National Institute of Standards and Technology (NIST) guidance and industry best practices." Penetration testers were able to access DOI's internal wireless network with a smartphone and about $200 of equipment stashed in a backpack. They were able to intercept and decrypt traffic. The attacks the pen testers conducted were not detected by DOI employees.
This story is in "The Top of the News" not so much because the results are remarkable, but rather because the organization is remarkable; this is one of only two audit groups in government that have developed the technical skills to perform hands-on audits that go beyond checklists and questionnaires.
While there are always tradeoffs between security and usability, particularly with Wi-Fi, having an independent entity perform an active test is an important component to verifying the resulting security meets expectations for protecting services available from that network. Also make sure that you are able to detect these activities, which may necessitate the deployment and integration of a Wireless IPS, which can also help detect use of wireless in areas it is not permitted, rogue networks, and unauthorized devices.
This is an example of the value of active testing by auditors/IGs that I mentioned in the Newsbites 73 item about the USPS audit results. In the DoI report, the authors point out doing active testing is NOT beyond the capabilities of audit team budgets, though it definitely requires investment on the technical skills side. Here's the quote from the report: "We conducted reconnaissance and penetration testing of wireless networks representing each bureau and office. To do this, we assembled portable test units for less than $200 that were easily concealed in a backpack or purse and operated these units with smartphones from publicly accessible areas and locations open to visitors. Our attacks simulated the techniques of malicious actors attempting to break into departmental wireless networks, such as eavesdropping, evil twin, and password cracking."
Read more in
The Register: Feeling bad about your last security audit? Check out what just happened to the US Department of Interior
Cyberscoop: The Interior Department OIG clearly had some fun hacking the agency's Wi-Fi networks
The Hill: Interior Department watchdog 'highly successful' at hacking agency's networks
Evil Twins, Eavesdropping, and Password Cracking: How the Office of
Inspector General Successfully Attacked the U.S. Department of the
Interior's Wireless Networks (PDF)