back to article Audit finds Department of Homeland Security's security is insecure

The United States' Department of Homeland Security could do more to keep its IT systems secure, a government report has found. In an agency-wide audit titled "Evaluation of DHS' Information Security Program for Fiscal Year 2017" (PDF), the DHS's watchdog, the Office of Inspector General (OIG), concluded that DHS "could protect …

  1. Anonymous Coward
    Anonymous Coward

    The DHS is insecure?

    BWA HAHAhahahahahahahahahahahahahahahhahhahahahhahahhahahahha...

    Next you'll be claiming the internal revenue service is bad at math, the department of fish & game is bad at tracking animals, or that the government doesn't spy on us!

    Oh wait... Fuck!

    1. Mahhn

      Re: The DHS is insecure?

      Fish & Game, may be the best run agency the gov has. And the least amount of management :) Coincidence? I think not.

  2. elDog

    When the fox runs the hen house

    The last thing the current administration wants is to limit places to penetrate. I could get cute and talk about Putin Positive Penetration Points vs. Trump Trying to Tango.

    While the governments have been taken over by the crooks, the plebes are getting screwed. Over and over.

    1. Bob Dole (tm)
      Facepalm

      Re: When the fox runs the hen house

      I hope you understand that government has always been the place that successful criminals go to play a bigger game.

      1. Anonymous Coward
        Anonymous Coward

        Re: Where Criminals go

        And lest we forget that in Trumpistan, those criminals are mostly lawyers.

        A lawyer once said to me, " A lawyer who goes into politics will most certainly vote to enact laws that make more work for other lawyers rather than the other way around". For once he didn't charge me for that advice.(sic)

    2. Ole Juul

      Re: When the fox runs the hen house

      "The last thing the current administration wants is to limit places to penetrate."

      Joking aside, I think you nailed it. The more "attacks" they can report, the better for their propaganda machine.

    3. mutin

      Re: When the fox runs the hen house

      Not exactly right. I worked for US government for total around 7 years starting around 2003.. And it was ALWAYS like that. The most devastating in security were Obama's initiatives. First - misunderstanding that InfoSec is not IT. In general the government does not has separate line of security management reporting to upper manager. For instance, for long time it was Federal CIO position and it was NO position of a security manager. At the end of 2016 (!) they finally got something like Director but reporting to Federal CIO. It means security does not have its own budget and does not hire by its understanding who they need.

      1. tom dial Silver badge

        Re: When the fox runs the hen house

        I can comment only on the Department of Defense and, in fact, only on one medium sized civilian agency within it. By around 2005 we had a CIO who was increasingly picky about security, and from well before that we had a chain of Information System Security Managers, Information System Security Officers, and Terminal Area Security Officers, the last an additional duty, responsible for various aspects of information assurance. Titles and specific duties changed some over the years, but as a group they were generally responsible for authorizing access and ensuring that system managers and administrators implemented the increasingly bulky set of directives and instructions, applied patches, and verified compliance with the periodically updated Security Technical Implementation Guidelines, another large set of documents, one for each OS and major service. Ultimately, they reported to the CIO who, in my agency also was the CISO.

        There was not a separate budget for information assurance, but that was not the problem so much as an overall shortage of funding and staffing, combined with increasing workload to take care of the steady tightening of standards.

    4. tom dial Silver badge

      Re: When the fox runs the hen house

      It might be worth mentioning in connection with the numerous swipes here at Trump is that he ordered this audit, and similar ones across the government, as one of his early official acts. As I remember it, The Register reported quite negatively and dismissively upon that directive, as did a likely majority of those who commented on the article. He may have done quite a few things worthy of opposition, but this was not one of them.

  3. beep54
    Meh

    Boy, am I surprised

    said no one.

  4. Mark 85 Silver badge

    Just amazing but then their response wasn't:: and intends to address the concerns raised by the end of September, 2018.

    In our world, address means to identify and fix. In government, it means have meetings, write a report with action items, hold more meetings to discuss the action items, ad nauseum ad infinitum. So in a few more years, they'll look again and start over.

  5. Anonymous Coward
    Anonymous Coward

    Who Guards the Guards ?

    because they're obviously not doing a very good job of it.

  6. John Smith 19 Gold badge
    Unhappy

    Not impressive. But then again if you're a sysadmin how would *your* company fair ?

    Seriously.

    Would you do better? Everyone thinks they should, would would you? Do you?

    My gut tells me a lot of it's about setting up a process (and the automation to support it) so it's so easy to do the right thing it gets done.

    But that's hard. As always it might never happen.

    Like good DR planning, implementation and testing.

    1. Geronimo!

      Re: Not impressive. But then again if you're a sysadmin how would *your* company fair ?

      I could've replaced DHS with the name of my current customer ... and it'd be spot on.

    2. handleoclast

      Re: Not impressive. But then again if you're a sysadmin how would *your* company fair ?

      My gut tells me a lot of it's about setting up a process (and the automation to support it) so it's so easy to do the right thing it gets done.

      SCAP.

      Official pronunciation "Ess-CAP" or "Ess See Ay Pee." I think those pronunciations are C-RAP and use the forbidden (and obvious) pronunciation.

      That quibble aside, if you're not using SCAP, why not? OpenSCAP on Linux, a Microsoft embraced and extended abomination of it on Windows. A checklist of all known problems you should disable/neuter (e.g., sendmail, NFS) and automation to check they stay disabled/neutered. And you can customize the ruleset where circumstances demand it, such as not complaining about a web server and an email server on the same host (having one host for each minimizes the size of the attack surface, but small hosting providers may choose to live with that risk).

      Why rely on your experience and memory to tell you what to disable/neuter/check when SCAP can do it for you? And keep checking that nobody has slyly installed/enabled something they shouldn't. It's not even pets vs cows territory, it makes sense for pets too.

      1. tom dial Silver badge

        Re: Not impressive. But then again if you're a sysadmin how would *your* company fair ?

        DISA, and probably DHS as well, has been using SCAP for some years. At my last contact, it told you a lot about what was wrong, but it didn't fix it. And as noted, but a bit more bluntly, the things it found last month and you fixed will be replaced by new findings (some identical to older ones) by the next scan.

    3. Alistair
      Windows

      Re: Not impressive. But then again if you're a sysadmin how would *your* company fair ?

      @ John Smith 19

      My gut tells me a lot of it's about setting up a process (and the automation to support it) so it's so easy to do the right thing it gets done.

      This... absolutely this, followed on with logging of events that alter the automated process defined settings. And logging that gets monitored and alerts generated.

      The above however, eliminate the need for the 2000 raw untrained admins, and increase both the value and cost of the 20 well experienced and trained admins needed to set this up. I don't need a gut feeling on it. I've seen how well it can roll out when done that way, however beancounters and outsourcers would be out of jobs if it was the standard, and C suite types with MBA's and no tech (like certain political appointees running around asking for FM crypto) knowledge would also end up out of jobs.

    4. mutin

      Re: Not impressive. But then again if you're a sysadmin how would *your* company fair ?

      You are right. Chaos is the security status including the US. I worked for a company which required HIPAA compliance. They never were besides of my best efforts. They reported to DHHS that compliant every year basically giving false statements. The best compliance level was when I finally left - around 15%. The reason - I was only one who understood what the security means, and was reporting to the long line of IT management. They simply ignored whatever I said or did exactly what I recommended not to do..

  7. Anonymous Coward
    Anonymous Coward

    DHS as a honeypot.

    This bear prefers marmalade sandwiches.

  8. tiggity Silver badge

    Confused

    "Among the issues identified were:

    Exchange folders were indexed in cache mode, which means user emails could be accessed if the machine was compromised."

    Whats the reason to run "off the shelf" exchange instead of running their own hardened email system (and clients - given a lot of attacks are via email)

    Custom solution is PITA, but there's enough different US "security services" for something half decent to be created and used by them all (similar applies to hardened OS creation and various other tools)

    1. HereIAmJH

      Re: Confused

      Custom solution is PITA, but there's enough different US "security services" for something half decent to be created and used by them all (similar applies to hardened OS creation and various other tools)

      Smaller government. While the cynic in me hears 'fewer government employees, more contracts for my friends', do you really want the government re-inventing the wheel when a COTS package will do? Of course, they are a large enough customer they could pay Microsoft for a locked down version of Exchange, but then people would be ranting about $10k hammers and $50k toilet seats. IE. why does the gov't pay more for an Exchange seat than what I can get one for down at Best Buy.

      I do have to wonder though why government agencies are putting sensitive data on public cloud services. They are certainly large enough to launch and support a US Gov't internal cloud. Then again, I posed the same question to upper management of the company I work for, considering we already have huge datacenters and are a national service provider. I suspect it has the same root causes as Shadow IT.

  9. Aodhhan

    Be careful about calling the kettle black.

    ...just saying.

  10. Marty McFly Silver badge
    Meh

    Shrug

    Doesn't sound like their security is worse off than any other organization out there. A quick Google search shows DHS has 229k employees. If we assume each one has a PC, 64 insecure systems is actually a really small percentage. Yes, it only takes one to allow an attack, but it does seem the vast majority of systems are up to par.

    1. Mahhn

      Re: Shrug

      As much as I like to bash gov for dumbs stuff, you are correct.

      1. Robert Helpmann??
        Childcatcher

        Re: Shrug

        Here's where it gets interesting to me. I was hired on almost three years ago to help during a surge action geared to get Coast Guard up to speed. The then-most-recent audit had revealed a lot of similar crap and CG was worst of the Agency in overall score. I had a great time getting my portion of things up to current levels. Basically, I was told to ask permission and then do it within a given time regardless. I got to work on a few side projects that saved a lot of money. It was a wonderful experience. When I left, pretty much everything was up to then-acceptable levels.

        Two years later, they are back in the same hole. Security is a moving target. It requires constant and ongoing work. This is the biggest challenge: keeping everything up to date. There is not and never will be a static state to achieve in this area.

        There are many challenges specific to different agencies. In the case of the USCG, one of them is that many of their systems are at sea at a given time. This is not an excuse, however, for not maintaining a strong security stance. That is on leadership and those holding the purse strings. I have seen this exact cycle play out over and over again, which is a shame. It is very simple at least in big strokes to describe the antidote: always be prepared. Don't slack off once compliance has been achieved. Keep everything patched and up to date. How ironic that the USCG motto is "Semper Paratus" given their lack of readiness.

        1. John Smith 19 Gold badge
          Unhappy

          "Two years later, they are back in the same hole. "

          It would seem they have never heard the phrase "It's a process, not an event."

          IE Something you set up to happen repeatedly

          What's really depressing is there is nothing that's either profound or new about this observation.

          It's just getting people to do that's such a PITA.

    2. mutin

      Re: Shrug

      We simply do not have complete information concerning the audit. They may audited just a part of entire department

      Concerning the number - US government rile is "fix ALL new vulnerabilities within a month or less and report ALL which cannot be fixed". So, should be "0" by US government rules. Also please consider who lives within DC and works for the government. Got it? People with adequate security experience do not exist within DC boarders. The government a couple years back estimated that it needs 30,000 security professional.

  11. mutin

    No leadership - no security.

    I commented on a few posts. Now are my 10 cents.

    It was never a time when US government agencies had good security. May be CIA and NSA. But others, including DoD, are affected by internal politics. IT never wanted independent security management. However, CIO will never be good CSO, and first of all because there is ONE budget for everything. Only at the end of 2016 OMB got Director of Security, which still reports to Federal CIO. The worse case was Obama ruling. His first CIO nearly escaped jail right in the beginning of his job. But having absolutely no knowledge or experience in security this Guy Vivek Kundra initiated with Obama blessing federal "Cloud First" program. He had no clue about cloud security, NIST had no related documents and nether anybody in the government, but they started and started with moving in "cloud" NASA. NASA got OIG assessment in the same way as DHS and found disastrous situation.

    So, what should we expect from US government concerning security when they do not have independent leader even in perspective? A couple of years ago US government estimated that they need 30,000 REAL security professionals. Where could they get them? Inside DC boarders? There are no security pros living in DC ... Come and see.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021