The US Government Accountability Office (GAO) has issued a report that says Federal Agencies need to take further actions to reduce risk from wireless. They have boiled it down to just eight things that need to be done properly:

1. Policies
2. Risk-based approach
3. Centralized network management (both wireless and wired)
4. Configuration requirements
5. Training
6. VPN
7. Continuous monitoring
8. Regular security assessments

That’s a comprehensive list and not different from the kind of list you might have found ten years ago for wired and wireless networks. This begs the question of what this has to do with risk; where and how should an agency apply a “risk-based” framework to today’s biggest risks?

The first example they give is dual-connected systems — devices that bridge two security levels on a network. A laptop could access a wireless network and at the same time be plugged into a wired network, theoretically allowing attackers access from the wireless into the wired. Controls should be in place that can prevent this configuration altogether or detect it and initiate enhanced monitoring, response, etc.. Not a new threat, but a vulnerability that has become far more likely as almost all new devices have at least two network options built-in.

Another example they give is “insufficient practices for monitoring or conducting security assessments of their wireless networks.” I find this hard to believe. It is trivial and inexpensive to do a wireless assessment, as well as to build monitoring; what has led to the insufficient practices?

Although there are a number (six, to be exact) recommendations made at the summary of the report on page 38, assessment and monitoring seem to have been omitted. The closest reference I could find is this:

…develop the scope and specific time frames for additional activities that address wireless security as part of their reviews of agency cybersecurity programs.

The report therefore appears to be strong on making recommendations for technical configuration but not on how and when internal tests should be performed.