While multibillion-dollar companies hire expensive outside experts to conduct elaborate mock-raids on their networks, federal agencies tend to rely on their inspectors general for that. But a new report from the Department of Interior’s watchdog would make any crack team of corporate security-testers proud.
To test the security of the hundreds of wireless networks at the DOI, inspector general (IG) investigators surreptitiously used cheap hacking tools from publicly accessible areas to intercept and decrypt communications in multiple bureaus at the sprawling department. They found systematic weaknesses in the department’s security that a malicious hacker could have exploited to steal data.
“The department’s failure to securely configure wireless networks has put its wireless and internal networks at high risk of compromise,” IG investigators said in a report published Wednesday.
The IG’s mock attacks — which weren’t noticed by either physical security guards or IT staff — were “highly successful,” the watchdog said. In one instance, investigators conducted an “evil twin” attack which used a rogue wireless access point to trick devices into sending it data. In another, the IG’s penetration-testers were able to get beyond the wireless network at two of the department’s bureaus and into internal networks.
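The "evil twin" technique described above has a simple detection signature from the defender's side: a beacon advertising one of the organization's own SSIDs from a BSSID that is not in the access-point inventory, or from a known BSSID advertising a weaker security mode than it should. The following is an added example written for this article, not code from the IG report or the Department of Interior; the inventory, the scan lines and their `ssid|bssid|security|channel` format are constructed sample data, and a real deployment would feed it from a wireless IDS or scan export.

```python
"""Rogue ("evil twin") access-point detector.

Added example for this page; not code from the IG report or the DOI.
Compares access points seen in a wireless scan against an inventory of
authorized BSSIDs and flags: (1) an unknown BSSID advertising one of our
SSIDs, the basic evil-twin signature, and (2) a known BSSID advertising a
different (typically weaker) security mode than the inventory records,
a lure for clients to associate with downgraded protection.
The inventory and scan lines below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObservedAP:
    ssid: str
    bssid: str
    security: str  # e.g. "WPA2-Enterprise", "WPA2-PSK", "OPEN"
    channel: int


# Constructed inventory (assumption): SSID -> {BSSID: expected security mode}
AUTHORIZED = {
    "DOI-Staff": {
        "aa:bb:cc:00:00:01": "WPA2-Enterprise",
        "aa:bb:cc:00:00:02": "WPA2-Enterprise",
    },
    "DOI-Guest": {"aa:bb:cc:00:00:10": "OPEN"},
}

# Constructed scan output in a simple 'ssid|bssid|security|channel' format;
# a small wrapper around a scanner or WIDS export would produce these lines.
SAMPLE_SCAN = """\
DOI-Staff|AA:BB:CC:00:00:01|WPA2-Enterprise|6
DOI-Staff|DE:AD:BE:EF:00:01|WPA2-Enterprise|6
DOI-Staff|AA:BB:CC:00:00:02|OPEN|11
CoffeeShop|11:22:33:44:55:66|OPEN|1
DOI-Guest|AA:BB:CC:00:00:10|OPEN|1
"""


def parse_scan(text):
    """Parse scan lines into ObservedAP records; BSSIDs are normalized to lowercase."""
    aps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, security, channel = line.split("|")
        aps.append(ObservedAP(ssid, bssid.lower(), security, int(channel)))
    return aps


def find_rogue_aps(observed, authorized):
    """Return (bssid, ssid, reason) tuples for access points that look rogue."""
    findings = []
    for ap in observed:
        expected = authorized.get(ap.ssid)
        if expected is None:
            # Not one of our SSIDs: a neighbour's network is out of scope here.
            continue
        if ap.bssid not in expected:
            findings.append((ap.bssid, ap.ssid,
                             "unknown BSSID advertising our SSID (possible evil twin)"))
        elif expected[ap.bssid] != ap.security:
            findings.append((ap.bssid, ap.ssid,
                             f"security mismatch: inventory says {expected[ap.bssid]}, "
                             f"beacon says {ap.security}"))
    return findings


if __name__ == "__main__":
    for bssid, ssid, reason in find_rogue_aps(parse_scan(SAMPLE_SCAN), AUTHORIZED):
        print(f"ALERT {ssid} {bssid}: {reason}")
```

On the sample data this raises two alerts: the `DE:AD:BE:EF:00:01` radio impersonating `DOI-Staff`, and the authorized `AA:BB:CC:00:00:02` radio beaconing as an open network instead of WPA2-Enterprise. The coffee-shop network is ignored because it is not an SSID the organization owns; a BSSID inventory that is kept current is what makes the first check meaningful.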
The report underscores how a tech-savvy IG team can expose and help fix the type of gaping security holes that foreign spies or criminals might covet. The stakes are high as weaknesses at one agency can affect others. For example, when alleged Chinese hackers stole sensitive personal data on millions of federal employees five years ago, they did so in part by accessing a database stored on DOI servers.
The new IG report has the Department of Interior’s attention: Officials agreed to act on a slew of security recommendations, including conducting regular penetration tests of networks and exploring setting up a system to prevent specific hacking techniques.
“The Office of the Chief Information Officer takes the protection of our assets and systems very seriously,” the department said in a statement. “Over the past two years, we have implemented multiple controls to standardize wireless networks across the Department to ensure a consistent level of security. As a result, we substantially addressed all Office of Inspector General recommendations prior to the release of this report.”
Included in those recommendations were steps to better protect the agency’s more sensitive data. “Because the bureaus did not have such protective measures in place, such as network segmentation, we were able to identify assets containing sensitive data or supporting mission-critical operations,” the IG report says.
“Effectively implementing security controls across such a diverse, decentralized, and interconnected infrastructure is a very difficult and complex goal,” the watchdog said. “Any misconfiguration or inherent weakness in one technology can have a domino effect that allows an attacker to pivot from one system to the next, one bureau to the next, repeatedly.”
UPDATE, 05:44 p.m., EDT: This story has been updated with a statement from the Department of Interior.