Audit finds Department of Homeland Security's security is insecure The United States' Department of Homeland Security could do more to keep its IT systems secure, a government report has found. In an agency-wide audit titled "Evaluation of DHS' Information Security Program for Fiscal Year 2017" (PDF), the DHS's watchdog, the Office of Inspector General (OIG), concluded that DHS "could protect …
The last thing the current administration wants is to limit places to penetrate. I could get cute and talk about Putin Positive Penetration Points vs. Trump Trying to Tango.
While the governments have been taken over by the crooks, the plebes are getting screwed. Over and over.
And lest we forget that in Trumpistan, those criminals are mostly lawyers.
A lawyer once said to me, " A lawyer who goes into politics will most certainly vote to enact laws that make more work for other lawyers rather than the other way around". For once he didn't charge me for that advice.(sic)
Not exactly right. I worked for US government for total around 7 years starting around 2003.. And it was ALWAYS like that. The most devastating in security were Obama's initiatives. First - misunderstanding that InfoSec is not IT. In general the government does not has separate line of security management reporting to upper manager. For instance, for long time it was Federal CIO position and it was NO position of a security manager. At the end of 2016 (!) they finally got something like Director but reporting to Federal CIO. It means security does not have its own budget and does not hire by its understanding who they need.
I can comment only on the Department of Defense and, in fact, only on one medium sized civilian agency within it. By around 2005 we had a CIO who was increasingly picky about security, and from well before that we had a chain of Information System Security Managers, Information System Security Officers, and Terminal Area Security Officers, the last an additional duty, responsible for various aspects of information assurance. Titles and specific duties changed some over the years, but as a group they were generally responsible for authorizing access and ensuring that system managers and administrators implemented the increasingly bulky set of directives and instructions, applied patches, and verified compliance with the periodically updated Security Technical Implementation Guidelines, another large set of documents, one for each OS and major service. Ultimately, they reported to the CIO who, in my agency also was the CISO.
There was not a separate budget for information assurance, but that was not the problem so much as an overall shortage of funding and staffing, combined with increasing workload to take care of the steady tightening of standards.
It might be worth mentioning in connection with the numerous swipes here at Trump is that he ordered this audit, and similar ones across the government, as one of his early official acts. As I remember it, The Register reported quite negatively and dismissively upon that directive, as did a likely majority of those who commented on the article. He may have done quite a few things worthy of opposition, but this was not one of them.
Just amazing but then their response wasn't:: and intends to address the concerns raised by the end of September, 2018.
In our world, address means to identify and fix. In government, it means have meetings, write a report with action items, hold more meetings to discuss the action items, ad nauseum ad infinitum. So in a few more years, they'll look again and start over.
Seriously.
Would you do better? Everyone thinks they should, would would you? Do you?
My gut tells me a lot of it's about setting up a process (and the automation to support it) so it's so easy to do the right thing it gets done.
But that's hard. As always it might never happen.
Like good DR planning, implementation and testing.
My gut tells me a lot of it's about setting up a process (and the automation to support it) so it's so easy to do the right thing it gets done.
SCAP.
Official pronunciation "Ess-CAP" or "Ess See Ay Pee." I think those pronunciations are C-RAP and use the forbidden (and obvious) pronunciation.
That quibble aside, if you're not using SCAP, why not? OpenSCAP on Linux, a Microsoft embraced and extended abomination of it on Windows. A checklist of all known problems you should disable/neuter (e.g., sendmail, NFS) and automation to check they stay disabled/neutered. And you can customize the ruleset where circumstances demand it, such as not complaining about a web server and an email server on the same host (having one host for each minimizes the size of the attack surface, but small hosting providers may choose to live with that risk).
Why rely on your experience and memory to tell you what to disable/neuter/check when SCAP can do it for you? And keep checking that nobody has slyly installed/enabled something they shouldn't. It's not even pets vs cows territory, it makes sense for pets too.
DISA, and probably DHS as well, has been using SCAP for some years. At my last contact, it told you a lot about what was wrong, but it didn't fix it. And as noted, but a bit more bluntly, the things it found last month and you fixed will be replaced by new findings (some identical to older ones) by the next scan.
@ John Smith 19
My gut tells me a lot of it's about setting up a process (and the automation to support it) so it's so easy to do the right thing it gets done.
This... absolutely this, followed on with logging of events that alter the automated process defined settings. And logging that gets monitored and alerts generated.
The above however, eliminate the need for the 2000 raw untrained admins, and increase both the value and cost of the 20 well experienced and trained admins needed to set this up. I don't need a gut feeling on it. I've seen how well it can roll out when done that way, however beancounters and outsourcers would be out of jobs if it was the standard, and C suite types with MBA's and no tech (like certain political appointees running around asking for FM crypto) knowledge would also end up out of jobs.
You are right. Chaos is the security status including the US. I worked for a company which required HIPAA compliance. They never were besides of my best efforts. They reported to DHHS that compliant every year basically giving false statements. The best compliance level was when I finally left - around 15%. The reason - I was only one who understood what the security means, and was reporting to the long line of IT management. They simply ignored whatever I said or did exactly what I recommended not to do..
"Among the issues identified were:
Exchange folders were indexed in cache mode, which means user emails could be accessed if the machine was compromised."
Whats the reason to run "off the shelf" exchange instead of running their own hardened email system (and clients - given a lot of attacks are via email)
Custom solution is PITA, but there's enough different US "security services" for something half decent to be created and used by them all (similar applies to hardened OS creation and various other tools)
Custom solution is PITA, but there's enough different US "security services" for something half decent to be created and used by them all (similar applies to hardened OS creation and various other tools)
Smaller government. While the cynic in me hears 'fewer government employees, more contracts for my friends', do you really want the government re-inventing the wheel when a COTS package will do? Of course, they are a large enough customer they could pay Microsoft for a locked down version of Exchange, but then people would be ranting about $10k hammers and $50k toilet seats. IE. why does the gov't pay more for an Exchange seat than what I can get one for down at Best Buy.
I do have to wonder though why government agencies are putting sensitive data on public cloud services. They are certainly large enough to launch and support a US Gov't internal cloud. Then again, I posed the same question to upper management of the company I work for, considering we already have huge datacenters and are a national service provider. I suspect it has the same root causes as Shadow IT.
Doesn't sound like their security is worse off than any other organization out there. A quick Google search shows DHS has 229k employees. If we assume each one has a PC, 64 insecure systems is actually a really small percentage. Yes, it only takes one to allow an attack, but it does seem the vast majority of systems are up to par.
Here's where it gets interesting to me. I was hired on almost three years ago to help during a surge action geared to get Coast Guard up to speed. The then-most-recent audit had revealed a lot of similar crap and CG was worst of the Agency in overall score. I had a great time getting my portion of things up to current levels. Basically, I was told to ask permission and then do it within a given time regardless. I got to work on a few side projects that saved a lot of money. It was a wonderful experience. When I left, pretty much everything was up to then-acceptable levels.
Two years later, they are back in the same hole. Security is a moving target. It requires constant and ongoing work. This is the biggest challenge: keeping everything up to date. There is not and never will be a static state to achieve in this area.
There are many challenges specific to different agencies. In the case of the USCG, one of them is that many of their systems are at sea at a given time. This is not an excuse, however, for not maintaining a strong security stance. That is on leadership and those holding the purse strings. I have seen this exact cycle play out over and over again, which is a shame. It is very simple at least in big strokes to describe the antidote: always be prepared. Don't slack off once compliance has been achieved. Keep everything patched and up to date. How ironic that the USCG motto is "Semper Paratus" given their lack of readiness.
It would seem they have never heard the phrase "It's a process, not an event."
IE Something you set up to happen repeatedly
What's really depressing is there is nothing that's either profound or new about this observation.
It's just getting people to do that's such a PITA.
We simply do not have complete information concerning the audit. They may audited just a part of entire department
Concerning the number - US government rile is "fix ALL new vulnerabilities within a month or less and report ALL which cannot be fixed". So, should be "0" by US government rules. Also please consider who lives within DC and works for the government. Got it? People with adequate security experience do not exist within DC boarders. The government a couple years back estimated that it needs 30,000 security professional.
I commented on a few posts. Now are my 10 cents.
It was never a time when US government agencies had good security. May be CIA and NSA. But others, including DoD, are affected by internal politics. IT never wanted independent security management. However, CIO will never be good CSO, and first of all because there is ONE budget for everything. Only at the end of 2016 OMB got Director of Security, which still reports to Federal CIO. The worse case was Obama ruling. His first CIO nearly escaped jail right in the beginning of his job. But having absolutely no knowledge or experience in security this Guy Vivek Kundra initiated with Obama blessing federal "Cloud First" program. He had no clue about cloud security, NIST had no related documents and nether anybody in the government, but they started and started with moving in "cloud" NASA. NASA got OIG assessment in the same way as DHS and found disastrous situation.
So, what should we expect from US government concerning security when they do not have independent leader even in perspective? A couple of years ago US government estimated that they need 30,000 REAL security professionals. Where could they get them? Inside DC boarders? There are no security pros living in DC ... Come and see.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
