State's systems are vulnerable

GAO: How State can improve security

  • Provide a central management point and continuing processes to coordinate security measures.
  • Write risk assessment procedures.
  • Write comprehensive security policies.
  • Increase user awareness about security.
  • Monitor the effectiveness of security policies and controls.

The State Department’s unclassified automated information systems can easily fall
prey to terrorists or thieves, the General Accounting Office said.


“Our penetration tests revealed that State’s sensitive but unclassified
information systems can be easily accessed by unauthorized users who in turn can read,
delete, modify or steal sensitive information on State’s operations,” the report
said.


GAO auditors not only gained access to sensitive information but could also have
performed system administration actions, the GAO said.


The penetration test revealed that hackers, both inside and outside of State, could
take advantage of security weaknesses to “commit terrorism or obtain financial
gain,” the report said.


A State Department spokesman, speaking on condition of anonymity, acknowledged that
State’s information systems have security weaknesses, but insisted that the
department is fixing the problems.


“We believe we have corrected some of the problems in the report, and we’re
working to correct other problems,” he said.


He did not specify which problems had been corrected.


State received both classified and unclassified versions of the GAO report and
submitted a written reply for the public version. State officials said in the reply that
they are creating a Security Infrastructure Working Group to improve security.


State officials also agreed to formalize and document risk management decisions, revise
the provisions in the Foreign Affairs Manual that deal with information security and
evaluate security controls on the most significant networks.


Although State has some projects under way to improve security, “it does not have
a security program that allows State officials to comprehensively manage the risks
associated with the department’s operations,” the GAO said.


During the penetration tests, GAO auditors accessed State’s networks with dial-up
connections through modems. They then could have modified or deleted data, shut down
services, downloaded data or monitored network traffic such as e-mail, the report said.


The GAO auditors also said State’s internal network controls were inadequate. For
example, auditors gained administrator-level access to host systems running different
operating systems, including Unix and Microsoft Windows NT.


Finally, the audit showed that gaining access to State buildings was easy because
employee awareness of security issues was weak.


Auditors entered many State buildings and facilities without required passwords, the
report said. They then freely searched unattended areas for users’ account
information and active terminal sessions.


During a tour of one facility, auditors found an unattended computer logged onto a LAN.
In another area, a user’s identification and password were taped to a computer
monitor. Using the employee’s password, an auditor downloaded a file that contained a
password list.


In an unlocked area, auditors found an unattended PC and gained supervisor-level access
to a State system. They could have added or deleted users, implemented unauthorized
programs or eliminated audit trails, the GAO said.


Although GAO gave the department adequate grades for its Internet security, the office
warned that expanded Internet use could create new security risks, because State had not
yet formed a policy to address external connectivity.


The report faulted top management for not supporting the creation of a sound security
policy.


“Currently, State’s top managers are not demonstrating the commitment
necessary to practice good security,” the report said.
