This is why they want everyone to weaken security
... it'll keep everyone else's security in line with theirs. :D
The US Department of Homeland Security is running dozens of unpatched databases, some of which are rated "secret" and even "top secret," according to an audit. An inspection [PDF] of the department's IT infrastructure found huge security gaps, including the fact that 136 systems had expired "authorities to operate" – meaning …
Next time, don't piss off the auditors. They get the last word.
Nah, bad planning. The clever thing to do is to compromise the auditors before they get near, I think I've seen that done in the UK with a very well known government project. It takes a bit of planning but it's more effective and much harder to prove unless you can get an insider to speak up, and the press tends to miss those things anyway.
Next time, don't piss off the auditors. They get the last word.
If only. Alas, the DHS routinely fails security audits. (Its least-popular circus, the TSA, fails them spectacularly every few years.)
Yet nothing changes. Oh, the agency - a giant shambling bureaucracy even by US standards - makes promises, and the top jobs change hands occasionally, but we keep seeing these reports. No doubt there are some folks there (John Roth, the DHS Inspector General, is one) who are trying to fix some of the problems. But they're facing an Augean Stables of incompetence, poor record-keeping, ad hoc systems left to rot, jealously maintained fiefdoms, misallocated resources ... all the usual problems of any huge organization left too long without proper management.
It isn't widely known but the reason for the bad feeling between the Allies during WW2 was the incompetence of the US commanders. We called them Our Italians (a reference to the fact that the Allies broke Italian logistics and forced them to behave like the Americans at Kasserine.)
MacArthur in particular was the Wizard of Auz. Apparently they had a mock battle in the 1930's to select the worst generals. Then invaded Italy to prove it, hence the German saying: "I vill buy back."
No, this is the US Government under the OBAMA administration where competency and professionalism don't even exist. Instead "Alfred E. Neuman" has no friggin clue what he is doing or how a President should behave or what he should do besides cower behind Michelle.
Micromanagement is the presidential watchword of the decade, no small wonder he has gone through so many Military advisers in ten years. They all have more military and common sense than Obama does. Hard to be an effective leader when you can't even figure out what is wrong and what is right.
Even worse when you are a proven traitor to your country, having utterly failed to honor your oath of office!
Catch Up! This Is The Future!
Rather than worry about being able to hack into US citizen data, why can't you surveillance zealots figure out that being hackable means You WILL Be Hacked By The Bad Guys! You ARE being hacked by the bad guys. Over and over and over and over again.
What an incoherent mess of cognitive dissonance is my US government.
Its IQ: Diminishing daily.
You could wreck the American economy overnight much worse than a chimpanzee managed in 8 years. Just put everyone on the database. But what you really need to do is slip them on one by one (Generals last) so nobody notices like Clingfilm over speed cameras.
> EL Res has a Snowden article splaffed in the sidebar next to your comment.
Google has this in the first return on "EL Res":
Let's go to the forest to hunt cattle (reses). Maybe I'll get a wild boar.
As a certain G McKinnon found.
Of course the DoD estate is much larger so maybe all Homeland PCs are inaccessible from the web.*
Side question. Is NSA part of Homeland Security? Sounds like they should be, but I bet they are "exempted."
*And maybe next week I'm dating a super model.
1. NSA is part of the Department of Defense.
2. DoD systems that process secret data and above normally are in rooms that are physically and electrically isolated from the internet and are accessed by workstations not connected to the internet or locally connected terminals. That does not guarantee security (as the Iranian government knows), but it makes unauthorized access quite a lot harder.
3. Within the DoD privileged access is not permitted from the external network,
The report is not an especially good one, but may not be as bad as might seem. Many or most of the audit findings address inadequate or incomplete documentation and do not necessarily indicate unfixed vulnerabilities. It is quite possible, perhaps even likely, that a system without a current ATO is fully patched and configured to conform to the current baseline requirements. Similarly, lack of training documentation does not establish incompetence any more than its existence proves competence. However, failure to obtain or renew ATOs and maintain other required documentation indicates something may be off about management, staffing, or both.
Of much greater concern are the unsecured external access points. Although the auditors found only 40, it is likely that some of them also were found by others, and that is a bad thing. The large number of unsupported operating systems (most apparently Windows XP and Server 2003) also is a bad sign, as some of them almost certainly were internet reachable. Those attached to classified systems should not be, and we may hope that actually is the case. There also were too many unpatched systems, along with an extensive collection of add-in software like Firefox, Chrome, and Flash.
All in all, the report suggests a certain slackness of management, hints that users are able to install software (always a bad idea), and delays in patching that suggest inadequate staffing or failure to manage the work effectively. The rapid increase (nearly 700%) in POA&Ms from 2014 to 2015 suggests a significant work backlog, again suggesting management and staffing problems. Staffing and other resource problems may result from external constraints such as budget limits that foster a line management view that "IT is not our primary mission."
...a line management view that "IT is not our primary mission."
Actually that's arguably the most actionable point to come out of this. Someone has classified these databases as secret. Either that's not true and their whole classification system is broken, in which case heads should roll, or it is true in which case the response to "IT is not our primary mission" is simply to point out that "security is" and sack the idiots who disagree.
Formally arguing that the most security-sensitive systems (by your definition) should be excluded from your security audit is a clear indication that you are too stupid to do the job.
IT is not, in fact, a major part of the DHS mission. It is a mission essential part of their infrastructure, though, at least equally with office space and utilities. Accordingly, all aspects of information assurance ought to be seen as prerequisite to any other expenditure, right along with rent (often paid in funny money to GSA, but still in the agency budget). The problem is that if they don't pay the rent they might get evicted, while they can cut back on IT support costs for some time before it becomes evident through either a publicly visible breach or breakdown of services. OPM fell to this, I suspect, and State Department IT was bad enough that Secretary Clinton seems to be receiving a pass for illegally operating a private server for government data processing.
Or perhaps Congress should seriously consider the proposition that keeping the department in existence in this state is actually worse for US security than shutting it down. With pen-tests recently showing that they only stop 5% of forbidden items getting onto planes they clearly aren't achieving anything there and with all their security-related info sitting on insecure databases the risk of future disasters is obvious.
"We found additional vulnerabilities regarding Adobe Acrobat, Adobe Reader, and Oracle Java software on the Windows 7 workstations,"
What's Adobe and Oracle even doing on servers defending the homeland from the cyber terrorists?
"it is clear that the DHS' .. doesn't know how bad its security is because its own security audits are lacking"
How about having Homeland Security run penetration tests against its own computers and then utilize such a report to patch the servers and workstations.
But I can comment w/r to the multi-national corporation that employs me.
More than half of our internal documentation is distributed electronically in PDF format. It's common for a lab worker to carry a month's worth of content with him/her on a thumb drive attached to his/her badge lanyard or keychain. This habit has itself been flagged by corporate security as a security risk, since most workers take their badges, keychains, and thumb drives home after work. But there is no punishment or corrective action in the P&P handbook, and so it goes overlooked.
In order to read a PDF document within a "secure" lab, a worker must use a lab desktop, since personal computing devices are not allowed inside. In order to do this (read PDF files in electronic format, as opposed to making a print-out) many lab workers will install an Adobe PDF reader application, since this is easy and free to do.
Also, there is apparently a hack that allows Adobe to check automatically for updates. Lab computers are theoretically connected only to the internal "secure" lab network. But I have been sitting at a lab computer when an automatic update took place. I deliberately did not look into this.
Oracle markets an application called "Taleo". I don't know much about it, except to say that it is an HR tool that screens job applicants against existing open positions. It/Taleo contains job opening info from HR, and accepts candidate info uploads, such as resume, citizenship status, cover letter, etc. I believe that a portion of the Taleo app resides in the cloud, but have not looked into this.
I have seen other lab workers surfing the "internal open positions" database in the lab, using a lab desktop. I do not know if Taleo requires a client system app to do this. But I do know that it requires a browser (Firefox, Chrome, etc). I conclude that one or more of my fellow lab workers have installed browser software, and possibly an Oracle client application on some number of the desktops in my lab(s).
Our lab workers are well screened & vetted. Background checks are mandatory and I believe the checks to be reasonably thorough. Nevertheless, I'm confident that we have some number of systems that (1) have Adobe, Oracle, and browser software installed, (2) have some sort of external internet access, and (3) are frequently connected to classified documentation (from the thumb drives).
It is a systemic problem. Absent a draconian reign of terror by the corporate thought police, I cannot think of a pleasant or even a reliable means to resolve the malfunction.
One obvious correction is to lock down the workstations by denying users all software installation rights. Upper level management, of course, must approve and support this, and additional IT staff will be required to support the small number of cases where a particular user has a justifiable need for a product that is not part of a standard configuration. There could be cost reductions, though, from establishing and enforcing compliance with a small number of standard configurations combined with a small number of tested (and maintained) optional software products.
The more I think about it the more I become convinced that the root cause is failure of line management to understand the importance of IT and provide adequate support. In the US government, upper management extends to include the Senate and House of Representatives as well as the President and cabinet officers; and in the private sector, it includes the owners, possibly as represented by the board of directors. And that is a sizable potential problem.
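The lock-down suggestion above (deny installation rights, a small number of standard configurations, a short list of tested optional products) and the earlier comment about unsupported operating systems and unpatched add-in software both come down to the same check: compare what is actually installed against an approved baseline and report every deviation. The following is an added example written for this thread, not code from any commenter, agency or vendor. The baseline contents, host names, product names and version numbers are all constructed for illustration; a real baseline would come from the organization's own configuration standard.

```python
"""Baseline compliance check over a constructed software inventory.

Flags three kinds of deviation per host:
  * unsupported_os   - OS is on the end-of-life list (e.g. XP / Server 2003)
  * unapproved_os    - OS is not end-of-life but also not in the baseline
  * unapproved_software / outdated_software - add-in product not on the
    approved list, or approved but below its minimum patched version
Everything below is constructed sample data, not real inventory.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# --- constructed baseline -------------------------------------------------
APPROVED_OS = {"Windows 7", "Windows Server 2008 R2"}
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003"}
# product name -> minimum acceptable version (constructed values)
APPROVED_SOFTWARE = {
    "Adobe Reader": "11.0.10",
    "Firefox": "42.0",
}


@dataclass
class Host:
    name: str
    os: str
    software: Dict[str, str]  # product name -> installed version


@dataclass
class Finding:
    host: str
    kind: str
    detail: str


def parse_version(version: str) -> tuple:
    """Turn '11.0.10' or '46.0.2490.86' into a comparable tuple of ints.
    Non-numeric fragments are ignored so odd vendor strings still compare."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def check_host(host: Host,
               approved_os=APPROVED_OS,
               unsupported_os=UNSUPPORTED_OS,
               approved_software=APPROVED_SOFTWARE) -> List[Finding]:
    """Return every baseline deviation for one host."""
    findings: List[Finding] = []
    if host.os in unsupported_os:
        findings.append(Finding(host.name, "unsupported_os", host.os))
    elif host.os not in approved_os:
        findings.append(Finding(host.name, "unapproved_os", host.os))
    for product, installed in sorted(host.software.items()):
        minimum = approved_software.get(product)
        if minimum is None:
            findings.append(Finding(host.name, "unapproved_software",
                                    f"{product} {installed}"))
        elif parse_version(installed) < parse_version(minimum):
            findings.append(Finding(host.name, "outdated_software",
                                    f"{product} {installed} < {minimum}"))
    return findings


def audit_inventory(hosts: List[Host]) -> List[Finding]:
    """Run check_host over a whole inventory and concatenate the findings."""
    return [f for host in hosts for f in check_host(host)]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind; a backlog metric of the POA&M sort."""
    return dict(Counter(f.kind for f in findings))


# --- constructed sample inventory ----------------------------------------
SAMPLE_INVENTORY = [
    Host("LAB-WS-01", "Windows 7", {"Adobe Reader": "11.0.10", "Firefox": "42.0"}),
    Host("LAB-WS-02", "Windows XP", {"Adobe Reader": "9.5.5", "Flash Player": "18.0.0.209"}),
    Host("LAB-SRV-01", "Windows Server 2003", {}),
    Host("LAB-WS-03", "Windows 7", {"Chrome": "46.0.2490.86"}),
]

if __name__ == "__main__":
    results = audit_inventory(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.host:12} {f.kind:22} {f.detail}")
    print(summarize(results))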
It is encouraging for ISIS, the Chinese, Korea and other interested parties that you do not need to spy on the USA, all you need to do is to let them collect everything because that is "hot" and "macho" and then rely on their weaknesses to hack into their systems and siphon everything off. It is perfectly in line with outsourcing and globalization to let the work be done by those who do it for buttons or for free.
It seems to me that we are in much the same situation as the world was just prior to WW1 and WW2. Many heads of technological organizations, including warfare, are mere figureheads who arrived at their position by political favor and not skill or knowledge and are woefully unprepared for the changes taking place, let alone, coming.
And just like WW1 and 2, drastic changes ARE coming.
DHS was a bad idea from the start. 9/11 happened in large part because the CIA and FBI didn't talk to each other. Adding another layer of bureaucracy was stupid, but you'd expect no better from G.W. DHS folded in FEMA and the Coast Guard, but left CIA and FBI to carry on their pissing contest unaffected. The post-Katrina catastrophe in New Orleans was a direct outcome of demoting FEMA into subordinate status. Fear what may happen after a larger-scale disaster, which no government agency or official "could have seen coming," even though they will.
As someone who's audited by the govt on a regular basis, I find it effing infuriating that the very same government entities that make sure my company is complying with DoD handling of sensitive data is the same group of idiots who are running a complicated IT infrastructure like a bunch of <expletive deleted> noobs. If it were up to me, shit like this would not happen. Period. If it did, department heads would be in jail for criminal negligence, if not tried on espionage. As nosy as this government is and as sophisticated as its intelligence gathering can be, you'd figure that there'd be a little inter-departmental assistance going on and they'd get their security shored up. But no, it's like a bunch of independent fiefdoms, all squabbling and finger pointing until they get caught with their pants down.
If I get a deficiency on my audits, I have a short amount of time or I lose my business. It's as simple as that. The fact that there have been so many public facing systems, networks and services that have had so many security problems is in-effing-excusable. Someone in the executive branch (god forbid) or the legislative branch (even bigger imbeciles) should get off their asses and do something.
But no, it's like a bunch of independent fiefdoms, all squabbling and finger pointing until they get caught with their pants down.
There's the problem. If you've been watching the government or worked in it or for it, for any amount of time, you know that it's fiefdoms. Have a big fiefdom, you get budget, personnel, and power. If the fiefdom has good press.. it gets more. If it's necessary (for the people of the country) and not on the A-list, it may get smaller.