WASHINGTON–The FDIC has some work to do when it comes to Wi-Fi security, according to a new report.
The agency’s Inspector General has released a report saying it uncovered issues with Wi-Fi security controls in five areas at the federal regulator. The report makes eight recommendations, including that wireless security weaknesses be tracked and remediated.
In introducing its findings, the Inspector General said it was seeking to identify whether the FDIC had applied effective security controls to protect its wireless networks, and to that end it retained TWM Associates to conduct the review.
The review found the agency did not comply with five practices recommended by the federal National Institute of Standards and Technology (NIST).
The Weaknesses
Among the weaknesses the OIG said were discovered at the FDIC:
- The FDIC did not properly configure its policy manager, which enforces security policies for wireless network connectivity. In addition, the FDIC’s Chief Information Officer Organization’s (CIOO) Wi-Fi Operations Group did not have control or awareness of the set-up and configuration of numerous wireless devices operating in FDIC buildings and facilities.
- The FDIC did not have processes to examine and modify the signal strength of wireless devices/networks broadcasting throughout its buildings and leaking outside of FDIC facilities.
- The agency did not maintain a current Authorization to Operate (ATO) for its wireless network and did not conduct sufficient continuous monitoring testing activities to support the Agency’s ongoing authorization of its wireless network.
- The FDIC did not include certain wireless infrastructure devices in its vulnerability scans. In addition, the agency did not use credentialed scans on wireless infrastructure devices.
- The federal bank regulator did not maintain policies and procedures addressing key elements of the FDIC’s wireless networks, including roles and responsibilities for the CIOO’s Wi-Fi Operations Group; procedures for remediating wireless equipment alerts; standards for configuration settings; updates of wireless inventory records; and detection of rogue access points.
Potential Security Risks
As a result of the points outlined above, the OIG said in the report that the agency “faces potential security risks based upon its current wireless practices and controls, including unauthorized access to the FDIC networks and insecure wireless devices broadcasting Wi-Fi signals.”
The report adds, however, that the agency did have effective controls related to physical access to wireless devices, access control and encryption, monitoring of user internet destinations on its wireless networks, and disabling legacy wireless networks.
Eight Actions
To fix the deficiencies, the review advocated that the agency take eight actions:
- Ensure that wireless security weaknesses are tracked and remediated
- Review, approve, and centrally manage the configuration settings of all FDIC Wi-Fi enabled devices
- Identify wireless devices that should not be broadcasting inside and leaking outside buildings and take appropriate measures
- Regularly examine wireless devices and broadcast areas to determine appropriate mitigation measures
- Develop and provide training on the use of vendor hardening guidelines
- Ensure all wireless devices are included in vulnerability scans
- Enhance the vulnerability scanning process for the wireless infrastructure
- Ensure policies, procedures, and standards reflect current business practices and key aspects of wireless data communications.
