Non-compliance or partial compliance with Wi-Fi security controls was found in five areas at the federal bank deposit insurance agency, according to a report released Wednesday by the agency’s inspector general.
To address those shortcomings and strengthen security, the Federal Deposit Insurance Corp.’s (FDIC) office of inspector general made eight recommendations, including that wireless security weaknesses be tracked and remediated.
The agency’s OIG said the goal of the review was to determine if the FDIC had applied effective security controls to protect its wireless networks. The review (technical aspects of which were conducted by TWM Associates, Inc., the agency said) found that the agency did not comply with five practices recommended by the federal National Institute of Standards and Technology (NIST). Those compliance weaknesses, according to the OIG, are that the agency:
- Did not properly configure its policy manager, which enforces security policies for wireless network connectivity. Also, the FDIC’s Chief Information Officer Organization’s (CIOO) Wi-Fi Operations Group did not have control or awareness of the set-up and configuration of numerous wireless devices operating in FDIC buildings and facilities.
- Did not have processes to examine and modify the signal strength of wireless devices/networks broadcasting throughout its buildings and leaking outside of FDIC facilities.
- Did not maintain a current Authorization to Operate (ATO) for its wireless network and did not conduct sufficient continuous monitoring testing activities to support the Agency’s ongoing authorization of its wireless network.
- Did not include certain wireless infrastructure devices in its vulnerability scans. In addition, the FDIC did not use credentialed scans on wireless infrastructure devices.
- Did not maintain policies and procedures addressing key elements of the FDIC’s wireless networks, including roles and responsibilities for the CIOO’s Wi-Fi Operations Group; procedures for remediating wireless equipment alerts; standards for configuration settings; updates of wireless inventory records; and detection of rogue access points.
“As a result, the FDIC faces potential security risks based upon its current wireless practices and controls, including unauthorized access to the FDIC networks and insecure wireless devices broadcasting Wi-Fi signals,” the report stated.
However, the report added, it determined that the FDIC had effective controls over physical access to wireless devices, access control and encryption, monitoring of user internet destinations on its wireless networks, and disabling of legacy wireless networks.
To fix the deficiencies, the review advocated that the agency take eight actions:
- ensure that wireless security weaknesses are tracked and remediated;
- review, approve, and centrally manage the configuration settings of all FDIC Wi-Fi enabled devices;
- identify wireless devices that should not be broadcasting inside and leaking outside buildings and take appropriate measures;
- regularly examine wireless devices and broadcast areas to determine appropriate mitigation measures;
- develop and provide training on the use of vendor hardening guidelines;
- ensure all wireless devices are included in vulnerability scans;
- enhance the vulnerability scanning process for the wireless infrastructure; and
- ensure policies, procedures, and standards reflect current business practices and key aspects of wireless data communications.