State's systems are vulnerable

How State can improve security

Provide a central management point and continuing processes to
coordinate security measures.
Write risk assessment procedures.
Write comprehensive security policies.
Increase user awareness about security.
Monitor the effectiveness of security policies and controls.

The State Department’s unclassified automated information systems can easily fall
prey to terrorists or thieves, the General Accounting Office said.

“Our penetration tests revealed that State’s sensitive but unclassified
information systems can be easily accessed by unauthorized users who in turn can read,
delete, modify or steal sensitive information on State’s operations,” the report

GAO auditors not only gained access to sensitive information but also could have
performed system administration actions, the GAO said.

The penetration test revealed that hackers, both inside and outside of State, could
take advantage of security weaknesses to “commit terrorism or obtain financial
gain,” the report said.

A State Department spokesman, speaking on condition of anonymity, acknowledged that
State’s information systems have security weaknesses, but insisted that the
department is fixing the problems.

“We believe we have corrected some of the problems in the report, and we’re
working to correct other problems,” he said.

He did not specify which problems had been corrected.

State received both classified and unclassified versions of the GAO report and
submitted a written reply for the public version. State officials said in the reply that
they are creating a Security Infrastructure Working Group to improve security.

State officials also agreed to formalize and document risk management decisions, revise
the provisions in the Foreign Affairs Manual that deal with information security and
evaluate security controls on the most significant networks.

Although State has some projects under way to improve security, “it does not have
a security program that allows State officials to comprehensively manage the risks
associated with the department’s operations,” the GAO said.

During the penetration tests, GAO auditors accessed State’s networks with dial-up
connections through modems. They then could have modified or deleted data, shut down
services, downloaded data or monitored network traffic such as e-mail, the report said.

The GAO auditors also said State’s internal network controls were inadequate. For
example, auditors gained administrator-level access to host systems running different
operating systems, including Unix and Microsoft Windows NT.

Finally, the audit showed that physical access to State buildings was easy because
employee awareness of security issues was weak.

Auditors entered many State buildings and facilities without required passwords, the
report said. They then freely searched unattended areas for users’ account
information and active terminal sessions.

During a tour of one facility, auditors found an unattended computer logged onto a LAN.
In another area, a user’s identification and password were taped to a computer
monitor. Using the employee’s password, an auditor downloaded a file that contained a
password list.

In an unlocked area, auditors found an unattended PC and gained supervisor-level access
to a State system. They could have added or deleted users, implemented unauthorized
programs or eliminated audit trails, the GAO said.

Although GAO gave the department adequate grades for its Internet security, the office
warned that expanded Internet use could create new security risks, because State had not
yet formed a policy to address external connectivity.

The report faulted top management for not supporting the creation of a sound security

“Currently, State’s top managers are not demonstrating the commitment
necessary to practice good security,” the report said.
