PTO Wi-Fi put critical systems at risk

The Patent and Trademark Office put its critical operational systems at risk when it connected an unsecure wireless network to its core network without implementing security controls, says the Commerce Department's office of inspector general.

In a Feb. 1 report (.pdf), auditors say PTO was unable to assess the risk of connecting the wireless network because it didn't identify, implement and document the security controls required to protect its systems while the wireless network was being tested or after it was left connected. This "put its critical operational systems at risk," says the report.

The wireless LAN provides access on PTO's Alexandria, Va. campus for employees and contractors.

The office did perform some initial penetration testing that found problems. However, the IG says it is disconcerting that PTO knew about these risks, did not address them and still allowed the wireless LAN to stay connected. Known risks included:

  • internal infrastructure components that were publicly visible;
  • authentication of users did not function properly;
  • credentials used to log in to PTO systems were vulnerable on the wireless network; and
  • the existing security system did not appropriately detect security events.

Auditors say that PTO employees in development roles are required to coordinate with the office's cybersecurity division to ensure security documents, controls and actions are developed and followed. The report says the security issues during the network's development "occurred largely because this coordination was ineffective."

The report recommends the creation of proper security documents and protocols, that development staff go through training on the system development lifecycle (SDLC), and that SDLC processes, including required security measures, be applied to all IT projects.

In response to the report, PTO agreed with the findings. The agency says it has approved and implemented a security plan and conducted security assessments on the wireless network to test for other issues. It has also implemented an SDLC role-based training course for security officers, development staff and program managers. The training incorporates the security documents and procedures for system production and maintenance, and specifies the points of contact for security concerns.

For more:
download the IG report, OIG-13-014-A (.pdf)
