In a report touching on a topic of concern to all agencies, security of wireless networks, the IG at the Interior Department said that the department “is vulnerable to the breach of a high-value IT asset, which could cripple department operations and result in the loss of highly sensitive data.”
The IG said it was able to penetrate that department’s networks using the “same tools, techniques, and practices that malicious actors use to eavesdrop on communications and gain unauthorized access.” Its employees used “portable test units for less than $200 that were easily concealed in a backpack or purse” and “operated these units with smartphones from publicly accessible areas and locations open to visitors,” a report said.
“These attacks—which went undetected by security guards and IT security staff as we explored department facilities—were highly successful. In fact, we intercepted and decrypted wireless network traffic in multiple bureaus. Even worse, with regard to two bureaus, our penetration test went far beyond the wireless network at issue and gained access to their internal networks,” it said.
“In addition, we successfully obtained the credentials of a bureau IT employee and were able to use that person’s credentials to log into the bureau’s help desk ticketing system and view the list of tickets assigned to the employee,” it said.
Further, because several bureaus and offices did not implement measures to limit the potential adverse effect of breaching a wireless network, “we were able to identify assets containing sensitive data or supporting mission-critical operations.”
The report also criticized the department for not requiring regular testing of network security, not maintaining a complete inventory of its wireless networks, and for producing “contradictory, outdated and incomplete guidance.”
The IG said the department agreed with all 14 of its recommendations. Interior told Fedweek that in the past two years the department has “implemented multiple controls to standardize wireless networks” and said that it had “substantially addressed” all of the IG’s recommendations prior to the release of the report.
Agencies Must Collaborate to Secure Networks, Council Says (January 2020)
DHS Issues Cyber Toolkit for Leaders (June 2020)
Cybersecurity Detail Opportunities Offered (April 2020)