Written by Sean Lyngaas
While multibillion-dollar companies hire expensive outside experts to conduct elaborate mock raids on their networks, federal agencies tend to rely on their inspectors general for that. But a new report from the Department of the Interior’s watchdog would make any crack team of corporate security testers proud.
To test the hundreds of wireless networks at the DOI, inspector general (IG) investigators surreptitiously used cheap, commercially available hacking tools from publicly accessible areas to intercept and decrypt communications in multiple bureaus at the sprawling department. They found systemic weaknesses in the department’s security that a malicious hacker could have exploited to steal data.
“The department’s failure to securely configure wireless networks has put its wireless and internal networks at high risk of compromise,” IG investigators said in a report published Wednesday.
The IG’s mock attacks, which were noticed by neither physical security guards nor IT staff, were “highly successful,” the watchdog said. In one instance, investigators conducted an “evil twin” attack, in which a rogue wireless access point advertises the name of a legitimate network so that devices connect to it and hand over their traffic and credentials. In another, the IG’s penetration testers were able to get beyond the wireless network at two of the department’s bureaus and into the internal networks behind it.
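To make the “evil twin” technique concrete from the defender’s side, here is an added example (not code from the IG report or the department) of the kind of check a wireless intrusion detection system performs: compare every beacon seen in a scan against an allow-list of sanctioned access points for the network name, and flag any AP that advertises one of your SSIDs from an unknown BSSID or with weaker security than the real network uses. The SSID, BSSIDs and scan records below are constructed for illustration.

```python
"""Evil-twin detection over a constructed Wi-Fi scan (added example)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    """One 802.11 beacon as a scanner would report it."""
    ssid: str
    bssid: str      # MAC address of the radio sending the beacon
    channel: int
    security: str   # "OPEN", "WEP", "WPA-PSK", "WPA2-PSK", "WPA2-Enterprise", ...

# Hypothetical allow-list for one site: which radios may legitimately
# advertise each SSID, and the security mode the real network uses.
KNOWN_APS = {
    "DOI-Staff": {
        "security": "WPA2-Enterprise",
        "bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    },
}

# Ordering used to decide whether an advertised mode is a downgrade.
SECURITY_RANK = {
    "OPEN": 0, "WEP": 1, "WPA-PSK": 2, "WPA2-PSK": 3,
    "WPA2-Enterprise": 4, "WPA3-Enterprise": 5,
}

def find_evil_twins(beacons, known=KNOWN_APS):
    """Return [(beacon, [reasons])] for beacons that impersonate a known SSID.

    Beacons for SSIDs we do not own are ignored: a neighbouring network
    is not an evil twin of ours.
    """
    findings = []
    for b in beacons:
        profile = known.get(b.ssid)
        if profile is None:
            continue
        reasons = []
        sanctioned = {m.lower() for m in profile["bssids"]}
        if b.bssid.lower() not in sanctioned:
            reasons.append("unknown BSSID for this SSID")
        if SECURITY_RANK.get(b.security, -1) < SECURITY_RANK[profile["security"]]:
            reasons.append(f"security downgrade: {b.security} < {profile['security']}")
        if reasons:
            findings.append((b, reasons))
    return findings

# Constructed scan: two legitimate beacons, two impersonators, one bystander.
SAMPLE_SCAN = [
    Beacon("DOI-Staff", "00:11:22:33:44:01", 36, "WPA2-Enterprise"),
    Beacon("DOI-Staff", "00:11:22:33:44:02", 44, "WPA2-Enterprise"),
    Beacon("DOI-Staff", "de:ad:be:ef:00:01", 6,  "OPEN"),            # open twin in a lobby
    Beacon("DOI-Staff", "de:ad:be:ef:00:02", 11, "WPA2-PSK"),        # PSK twin, harvests creds
    Beacon("CoffeeShop", "aa:bb:cc:dd:ee:ff", 1, "OPEN"),            # not our network
]

if __name__ == "__main__":
    for beacon, reasons in find_evil_twins(SAMPLE_SCAN):
        print(f"ALERT {beacon.ssid} from {beacon.bssid} ch{beacon.channel}: {'; '.join(reasons)}")
```

On the constructed scan this flags the two rogue beacons and nothing else. The check is necessary but not sufficient: an attacker can clone a sanctioned BSSID as easily as an SSID, so the allow-list only catches careless twins. What actually stops clients from handing credentials to a rogue AP is an enterprise authentication (802.1X/EAP) profile pushed to managed devices that pins the RADIUS server’s certificate, plus a sensor that alerts on the same BSSID appearing on an unexpected channel or with an unexpected signal profile.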
The report underscores how a tech-savvy IG team can expose, and help fix, the kind of gaping security holes that foreign spies or criminals would covet. The stakes are high because weaknesses at one agency can affect others. For example, when alleged Chinese hackers stole sensitive personal data on millions of federal employees five years ago, they did so in part by accessing a database stored on DOI servers.
The new IG report has the Department of the Interior’s attention: officials have agreed to act on a slew of security recommendations, including conducting regular penetration tests of its networks and exploring a system to detect and block the specific attack techniques the IG used.
There is also work to be done in better protecting the agency’s more sensitive data, according to the IG. “Because the bureaus did not have such protective measures in place, such as network segmentation, we were able to identify assets containing sensitive data or supporting mission-critical operations,” the IG report says.
“Effectively implementing security controls across such a diverse, decentralized, and interconnected infrastructure is a very difficult and complex goal,” the watchdog said. “Any misconfiguration or inherent weakness in one technology can have a domino effect that allows an attacker to pivot from one system to the next, one bureau to the next, repeatedly.”