GAO finds wireless network cybersecurity vulnerabilities



A review of wireless network security at federal agencies by the Government Accountability Office found some vulnerabilities. In a report dated Nov. 30, GAO auditors also decry a lack of governmentwide oversight of wireless security practices at agencies.

From January to November, GAO examined policies at 24 major federal agencies and performed detailed testing at five of them.

At one agency, auditors say they were able to penetrate a firewall that segmented a guest wireless network from the agency's internal core network by using IPv6, because the firewall had been configured to let traffic using the next-generation Internet protocol pass through it uncontrolled.

None of the five agencies had controls to prevent laptops from simultaneously connecting to a wireless network while also being connected to the wired network, the report also states.

It is a cybersecurity best practice not to allow dual connections: an attacker could deploy a rogue access point, get a laptop that is already wired into the agency network to connect to it, and thereby gain access to that network.

While most agencies do have an access control policy for mobile devices, eight of the 24 reviewed agencies did not have a documented policy requiring laptop wireless capability to be turned off when utilizing a wired connection.

While the Federal Desktop Core Configuration does specify that wireless connectivity should be shut off, agencies often deviate from that standard and there's no other setting within the FDCC that prevents multiple network connections, says the report.
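One way a desktop team could check for the dual-connected condition the report describes, and optionally enforce the single-connection rule, is shown below. This is an added example, not code from the GAO report or the FDCC; it assumes Windows 8 or later with the NetAdapter cmdlets and an elevated session when enforcing.

```powershell
# Added example (not from the GAO report): detect a laptop that is connected
# by wire and by Wi-Fi at the same time, and optionally disable the wireless side.
# Assumes Windows 8 / Server 2012 or later (NetAdapter module).
param([switch]$Enforce)

# Physical adapters only, so VPN and virtual-switch adapters are not counted.
$adapters = Get-NetAdapter -Physical | Where-Object Status -eq 'Up'

$wired    = $adapters | Where-Object PhysicalMediaType -eq '802.3'
$wireless = $adapters | Where-Object PhysicalMediaType -eq 'Native 802.11'

if ($wired -and $wireless) {
    $msg = "Dual connection: wired [{0}] and wireless [{1}] are both up" -f `
        ($wired.Name -join ', '), ($wireless.Name -join ', ')
    Write-Warning $msg

    if ($Enforce) {
        # Prefer the wire: take the wireless adapter down so the host is single-homed.
        $wireless | Disable-NetAdapter -Confirm:$false
        Write-Output "Disabled wireless adapter(s): $($wireless.Name -join ', ')"
    }
} else {
    Write-Output "OK: no simultaneous wired and wireless connection"
}
```

Run without `-Enforce` as a scheduled audit that only reports; with `-Enforce` it disables the Wi-Fi adapter whenever an Ethernet link is up, which is the behaviour the FDCC setting is meant to provide.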

Annual Federal Information Security Management Act metrics do not require agencies to measure the risks associated with dual-connected laptops, or to address other potential weaknesses such as whether they adequately monitor for rogue wireless networks, the report's authors say.

Until the Office of Management and Budget and the Homeland Security Department (OMB devolved FISMA authority onto DHS earlier this year) institute greater oversight of wireless network security, "they lack full visibility of the vulnerability of these networks to attack," the report concludes. OMB did not provide comments on the report.

For more:
- download the report, GAO-11-43 (.pdf)
