The Office of Inspector General at the Federal Deposit Insurance Corporation (FDIC) has issued its report on Security Controls Over the FDIC’s Wireless Networks. Our objective was to determine whether the FDIC has implemented effective security controls to protect its wireless networks.
The term “Wi-Fi” refers to wireless technology that allows internet-enabled devices (laptops, tablets, and smartphones) to connect to wireless access points and communicate through a wireless network. Wi-Fi technology offers benefits to organizations; however, because it is not bound by wires or walls, it also introduces security risks to the confidentiality, availability, and integrity of FDIC data and systems. If not properly configured, Wi-Fi technology is susceptible to signal interception and attack.
We found that the FDIC did not comply, or only partially complied, with five practices recommended by the National Institute of Standards and Technology and guidance from the FDIC and other Federal agencies in the following areas:
- Configuration of Wireless Networks: The FDIC did not properly configure its Policy Manager, which enforces security policies for wireless network connectivity. Also, the FDIC’s Chief Information Officer Organization’s (CIOO) Wi-Fi Operations Group did not have control or awareness of the set-up and configuration of numerous wireless devices operating in FDIC buildings and facilities.
- Wireless Signal Strength: The FDIC did not have processes to examine and modify the signal strength of wireless devices/networks broadcasting throughout its buildings and leaking outside of FDIC facilities.
- Security Assessments and Authorizations: The FDIC did not maintain a current Authorization to Operate for its wireless network and did not conduct sufficient continuous monitoring testing activities to support the Agency’s ongoing authorization of its wireless network.
- Vulnerability Scanning: The FDIC did not include certain wireless infrastructure devices in its vulnerability scans. In addition, the FDIC did not use credentialed scans on wireless infrastructure devices.
- Wireless Policies, Procedures, and Guidance: The FDIC did not maintain policies and procedures addressing key elements of the FDIC’s wireless networks, including roles and responsibilities for the CIOO’s Wi-Fi Operations Group; procedures for remediating wireless equipment alerts; standards for configuration settings; updates of wireless inventory records; and detection of rogue access points.
As a result, the FDIC faced potential security risks arising from its wireless practices and controls, including unauthorized access to the FDIC networks and insecure wireless devices broadcasting Wi-Fi signals. The FDIC did have effective controls in place for physical access to wireless devices, access control and encryption, monitoring of user internet destinations on its wireless networks, and disabling legacy wireless networks.
We made eight recommendations intended to strengthen the security controls over the FDIC’s wireless networks and protect the confidentiality, availability, and integrity of FDIC systems and data. We engaged the professional services firm of TWM Associates, Inc. to conduct the technical aspects of this review.