Monitor the effectiveness of security policies and controls.
The State Department's unclassified automated information systems can easily fall
prey to terrorists or thieves, the General Accounting Office said.
"Our penetration tests revealed that State's sensitive but unclassified
information systems can be easily accessed by unauthorized users who in turn can read,
delete, modify or steal sensitive information on State's operations," the report
GAO auditors did not only gain access to sensitive information, but they could also
have performed system administration actions, the GAO said.
The penetration test revealed that hackers, both inside and outside of State, could
take advantage of security weaknesses to commit terrorism or obtain financial
gain, the report said.
A State Department spokesman, speaking on condition of anonymity, acknowledged that
State's information systems have security weaknesses, but insisted that the
department is fixing the problems.
"We believe we have corrected some of the problems in the report, and we're
working to correct other problems," he said.
He did not specify which problems had been corrected.
State received both classified and unclassified versions of the GAO report and
submitted a written reply for the public version. State officials said in the reply that
they are creating a Security Infrastructure Working Group to improve security.
State officials also agreed to formalize and document risk management decisions, revise
the provisions in the Foreign Affairs Manual that deal with information security and
evaluate security controls on the most significant networks.
"Although State has some projects under way to improve security, it does not have
a security program that allows State officials to comprehensively manage the risks
associated with the department's operations," the GAO said.
During the penetration tests, GAO auditors accessed State's networks with dial-up
connections through modems. They then could have modified or deleted data, shut down
services, downloaded data or monitored network traffic such as e-mail, the report said.
The GAO auditors also said State's internal network controls were inadequate. For
example, auditors gained administrator-level access to host systems through different
operating systems including Unix and Microsoft Windows NT.
Finally, the audit showed that building access was easy because employee
awareness of security issues was weak.
Auditors entered many State buildings and facilities without required passwords, the
report said. They then freely searched unattended areas for users' account
information and active terminal sessions.
During a tour of one facility, auditors found an unattended computer logged onto a LAN.
In another area, a user's identification and password were taped to a computer
monitor. Using the employee's password, an auditor downloaded a file that contained a
In an unlocked area, auditors found an unattended PC and gained supervisor-level access
to a State system. They could have added or deleted users, implemented unauthorized
programs or eliminated audit trails, the GAO said.
Although GAO gave the department adequate grades for its Internet security, the office
warned that expanded Internet use could create new security risks, because State had not
yet formed a policy to address external connectivity.
The report faulted top management for not supporting the creation of a sound security
"Currently, State's top managers are not demonstrating the commitment
necessary to practice good security," the report said.