The IT systems of governmental institutions are vital to the smooth operation of a state or a country. The ransomware attacks of the past few years have clearly proved their importance. Highly sensitive data are often transmitted, processed and stored by information technology. Parts of the systems are regularly accessed by the public in accordance with particular processes. Thus, it is important to take all available measures to improve the security of these systems. A recently published Penetration Test Report of the Department of Interior by the Office of Inspector General shows that this is not always the case.
Department of Interior Penetration Test Report
The Office reported the results of its evaluation of the wireless network security of 91 bureaus of the Department of Interior. The findings included that the inventories of wireless networks were not kept up to date and that no strong user authentication policy was enforced. Also, neither network monitoring for well-known attacks nor periodic penetration testing was required.
The Office of Inspector General performed penetration testing of wireless networks accessible from public spaces, using handheld devices. They tested attack methods reportedly used by real-world adversaries, including eavesdropping, evil twin, and password cracking. Some of these were frequently used by intelligence agencies of foreign governments as well. The simulated attacks went unnoticed by security and IT staff.
Discoveries in the Department of Interior
The testers discovered that in multiple cases no network segmentation was implemented. Also, wireless network security was not built in accordance with NIST recommendations and best practices. They intercepted and decrypted wireless network traffic in multiple bureaus. Four bureaus were vulnerable to an evil twin attack, where a rogue access point device impersonates the legitimate one. The testers gained access to the internal networks of two bureaus. The Department's Enterprise Services Network, which is the backbone of DoI network communication, was also compromised. In one scenario they even gained access to the ticketing system account of a certain IT employee. His credentials were intercepted during an evil twin attack. Four networks were compromised on-site by eavesdropping on pre-shared keys, while the keys for 14 other networks were captured.
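As an added illustration (not taken from the report or from the Office of Inspector General), the sketch below shows how a current access point inventory supports monitoring for evil twin devices: every observed beacon is compared with the authorized list. The SSID, BSSIDs and scan records are constructed sample values, and the finding names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # MAC address of the access point radio
    channel: int
    security: str   # e.g. "WPA2-Enterprise", "WPA2-PSK", "OPEN"

# Constructed inventory of authorized APs: SSID -> {BSSID: (channel, security)}
INVENTORY = {
    "EXAMPLE-Staff": {
        "02:00:00:aa:00:01": (36, "WPA2-Enterprise"),
        "02:00:00:aa:00:02": (149, "WPA2-Enterprise"),
    },
}

def norm(ssid):
    """Fold case and surrounding whitespace so look-alike names still match."""
    return ssid.strip().casefold()

def classify(beacon, inventory=INVENTORY):
    """Return a finding name for a suspicious beacon, or None if nothing is wrong."""
    by_norm = {norm(s): s for s in inventory}
    known = by_norm.get(norm(beacon.ssid))
    if known is None:
        return None                   # unrelated neighbouring network
    if beacon.ssid != known:
        return "lookalike-ssid"       # imitates an inventoried name
    expected = inventory[known].get(beacon.bssid.lower())
    if expected is None:
        return "unknown-bssid"        # our SSID from a radio we do not own
    if expected != (beacon.channel, beacon.security):
        return "config-mismatch"      # known BSSID, wrong channel or security
    return None

def audit(beacons, inventory=INVENTORY):
    """Return (finding, beacon) pairs for every beacon that needs review."""
    results = ((classify(b, inventory), b) for b in beacons)
    return [(f, b) for f, b in results if f]

# Constructed scan results, as a wireless sensor might report them
SCAN = [
    Beacon("EXAMPLE-Staff", "02:00:00:aa:00:01", 36, "WPA2-Enterprise"),
    Beacon("EXAMPLE-Staff", "02:00:00:bb:00:09", 6, "WPA2-Enterprise"),
    Beacon("EXAMPLE-Staff", "02:00:00:AA:00:02", 149, "OPEN"),
    Beacon("example-staff ", "02:00:00:cc:00:03", 11, "OPEN"),
    Beacon("CoffeeShop", "02:00:00:dd:00:04", 1, "WPA2-PSK"),
]

if __name__ == "__main__":
    for finding, b in audit(SCAN):
        print(f"{finding:16} ssid={b.ssid!r} bssid={b.bssid} ch={b.channel} sec={b.security}")
```

A check like this is only as reliable as the inventory behind it, and a BSSID match alone does not prove an access point is legitimate because the address can be copied.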
The case of the Department of Interior demonstrates the importance of regular penetration testing. 14 recommendations were given to the Department of Interior bundled with the final findings report. 13 of them had been resolved by the time the report was published.