Feds' Own Cybersecurity Efforts Are A Joke: Employees Have 'Gone Rogue' To Avoid 'Ineptitude' Of IT Staff
from the get-your-house-in-order dept
One of the key parts of the various cybersecurity bills that have been pushed over the past few years is the idea that the federal government would help the private sector better protect against attacks. Of course, for that to make sense, you'd think that the federal government would have its own "cybersecurity" house in order. However, a report from the Senate shows what even it describes as "ineptitude" by various government agencies. Pick your agency and you'll find problems. Let's take a look at Homeland Security, one of the agencies that has been vying for control of the federal cybersecurity budget. Turns out that DHS's own cybersecurity team repeatedly failed to install basic security updates for software that is an easy target for hackers, like Microsoft applications and Java (tip: if you're using Java, you're probably not secure). As the report notes, this is "the sort of basic security measure just about any American with a computer has performed." But not DHS cybersecurity employees!

What else? Well, just in DHS, there were the following problems:
Sensitive databases protected by weak or default passwords. At NPPD, which oversees DHS’s cybersecurity programs, the IG found multiple accounts protected by weak passwords. For FEMA’s Enterprise Data Warehouse, which handles reports on FEMA’s disaster deployment readiness and generates other reports accessing Personally Identifying Information (PII), the IG found accounts protected by “default” passwords, and improperly configured password controls.

Oh, and then there's the following concerning our good friends at ICE, Immigration and Customs Enforcement, the group that styles itself as Hollywood's personal police force:
Computers controlling physical access to DHS facilities whose antivirus software was out of date. Twelve of the 14 computer servers the IG checked in 2012 had anti-virus definitions most recently updated in August 2011. Several of the servers also lacked patches to critical software components.
To take just one example, weaknesses found in the office of the Chief Information Officer for ICE included 10 passwords written down, 15 FOUO (For Official Use Only) documents left out, three keys, six unlocked laptops -- even two credit cards left out.

Moving on to the Nuclear Regulatory Commission. Here things are so bad that the report notes that NRC employees believe their own IT staff is "inept" and they've "gone rogue."
Perceived ineptitude of NRC technology experts. There is such “a general lack of confidence” in the NRC’s information technology division that NRC offices have effectively gone rogue -- by buying and deploying their own computers and networks without the knowledge or involvement of the department’s so-called IT experts. Such “shadow IT” systems “can introduce security risks when unsupported hardware and software are not subject to the same security measures that are applied to supported technologies,” the NRC Inspector General reported in December 2013.

And this has resulted in a bunch of problems, such as storing sensitive data on unsecured shared drives, including the details of the NRC's cybersecurity programs. Also on an unsecured shared drive? A commissioner's passport photo, credit card image, home address and phone number. The NRC also failed to report security breaches:
How often does the NRC lose track of or accidentally expose sensitive information to possible release? The NRC can't say, because it has no official process for reporting such breaches.

Moving on to everyone's favorite government agency: the IRS. The report notes that every year the GAO finds 100 cybersecurity weaknesses in IRS systems, and the IRS fixes half of them. Then the GAO does another audit... and finds another 100 problems with the IRS's cybersecurity. Among the problems? Failure to encrypt sensitive data. Failure to fix known vulnerabilities. And, the ever popular weak passwords:
Examples of easily-guessed passwords are a person’s username or real name, the word “password,” the agency’s name, or simple keyboard patterns (e.g., “qwerty”), according to the National Institute of Standards and Technology. In some cases, IRS users had not changed their passwords in nearly two years. As a result someone might gain unauthorized access to taxpayers’ personal information and it “would be virtually undetectable,” potentially for years. GAO has cited IRS for allowing old, weak passwords in every one of its reports on IRS’ information security for the past six years.

How about an organization like the SEC, which deals with tons of sensitive information? Apparently, they're so careless and cavalier about this stuff that they used personal email accounts, stored sensitive information unencrypted, and often used unsecured open WiFi connections -- including once at "a convention of computer hackers."
Team members transmitted sensitive non-public information about major financial institutions using their personal e-mail accounts. They used unencrypted laptops to store sensitive information, in violation of SEC policy--and contravening their own advice to the stock exchanges. Their laptops also lacked antivirus software. The laptops contained “vulnerability assessments and maps and networking diagrams of how to hack into the exchanges,” according to one SEC official.

And yet these folks claim they can help secure everyone else's computers?
The investigation also found that members of the team took work computers home in order to surf the web, download music and movies, and other personal pursuits. They also appeared to have connected laptops containing sensitive information to unprotected wi-fi networks at public locations like hotels--in at least one reported case, at a convention of computer hackers.
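The password weaknesses GAO keeps finding at the IRS are exactly the kind a routine policy audit catches. The checker below is an added example written for this page; it is not code from the Senate report, GAO or NIST. It encodes the NIST examples quoted in the IRS passage above (a password containing the username, the real name, the word "password", the agency name, or a keyboard pattern such as "qwerty") plus a maximum password age, and runs them over a few constructed sample accounts. The account layout, the agency name, the 90-day limit and the audit date are all assumptions of mine.

```python
from datetime import date

# Keyboard rows used to spot simple patterns such as "qwerty" or "asdfgh".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def has_keyboard_pattern(password, min_run=4):
    """True if the password contains min_run or more adjacent keyboard
    characters in sequence, in either direction ("qwer", "rewq", "4321")."""
    p = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_run + 1):
            run = row[i:i + min_run]
            if run in p or run[::-1] in p:
                return True
    return False


def name_tokens(name):
    """Lower-case words of at least three letters from a name, plus the
    initials of its capitalised words, so "Internal Revenue Service" gives
    {"internal", "revenue", "service", "irs"}."""
    words = name.split()
    tokens = {w.lower() for w in words if len(w) >= 3}
    initials = "".join(w[0].lower() for w in words if w[0].isupper())
    if len(initials) >= 3:
        tokens.add(initials)
    return tokens


def weak_password_reasons(password, username, real_name, agency,
                          last_changed, today, max_age_days=90):
    """Return the list of policy findings for one account. An empty list
    means none of these checks fired, not that the password is strong."""
    reasons = []
    p = password.lower()
    if "password" in p:
        reasons.append("contains the word 'password'")
    if username.lower() in p:
        reasons.append("contains the username")
    if any(t in p for t in name_tokens(real_name)):
        reasons.append("contains the user's real name")
    if any(t in p for t in name_tokens(agency)):
        reasons.append("contains the agency name")
    if has_keyboard_pattern(p):
        reasons.append("simple keyboard pattern")
    age_days = (today - last_changed).days
    if age_days > max_age_days:
        reasons.append(f"not changed in {age_days} days")
    return reasons


def audit(accounts, agency, today, max_age_days=90):
    """Map each username that has findings to its list of reasons."""
    findings = {}
    for acct in accounts:
        reasons = weak_password_reasons(
            acct["password"], acct["username"], acct["real_name"], agency,
            acct["last_changed"], today, max_age_days)
        if reasons:
            findings[acct["username"]] = reasons
    return findings


# Constructed sample accounts (hypothetical). Plaintext passwords appear here
# only to demonstrate the checks; in practice they run when a password is set.
AGENCY = "Internal Revenue Service"  # assumed agency name
AUDIT_DATE = date(2014, 2, 4)        # assumed audit date
SAMPLE_ACCOUNTS = [
    {"username": "jdoe", "real_name": "Jane Doe",
     "password": "qwerty123", "last_changed": date(2012, 3, 1)},
    {"username": "rroe", "real_name": "Richard Roe",
     "password": "IRSpassword1", "last_changed": date(2014, 1, 20)},
    {"username": "asmith", "real_name": "Alex Smith",
     "password": "Tr0ub4dor&3-sunset", "last_changed": date(2014, 1, 5)},
]

if __name__ == "__main__":
    for user, reasons in audit(SAMPLE_ACCOUNTS, AGENCY, AUDIT_DATE).items():
        print(f"{user}: {'; '.join(reasons)}")
```

Running the block reports two of the three sample accounts: one for a keyboard pattern and a password nearly two years old, the other for containing both "password" and the agency acronym. An empty result only means these particular checks did not fire; they complement, rather than replace, minimum-length and known-breached-password checks.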
Filed Under: cybersecurity, dhs, federal government, homeland security, irs, nrc, sec, senate