Information Security News mailing list archives
After site shutdown, EPA seeps back onto the Net
From: William Knowles <wk () C4I ORG>
Date: Wed, 9 Aug 2000 17:36:42 -0500
http://www.gcn.com/vol19_no22/news/2572-1.html

August 7, 2000

With a new firewall, stronger management and restoration criteria, 80 percent of site is back online

By Christopher J. Dorobek
GCN Staff

Nearly five months after the Environmental Protection Agency had to sever its connection with the Internet due to security concerns, the agency is taking information assurance more seriously, the EPA's information technology security chief says.

But EPA must institutionalize security practices to avoid a serious breach, said George A. Bonina, director of EPA's Information Security Staff, who joined the agency in January.

EPA shut down its Internet connection in February after an audit by the General Accounting Office found serious security problems [GCN, March 6, Page 1].

Only 80 percent of EPA's systems are again providing Internet links, Bonina said. Systems that are still offline are more complex to effectively secure. They include those that support dial-up connections and passive outbound File Transfer Protocol services, he said.

Since the shutdown, EPA has worked to change its attitude toward security, he said. The agency used to consider all information available unless there was a specific reason it should not be public, he said. Now, information must be considered secure unless officials determine it should be made public, he said recently during a presentation to the Federal Webmasters Forum in Washington.

"We were not asleep at the switch," Bonina said. The agency had conducted risk assessments and implemented advisories from the CERT Coordination Center at Carnegie Mellon University, he said.

EPA had also installed strong security for its mainframe environment and had created private networks for confidential business information. The agency had a firewall between its public access servers and the rest of the EPA network, and it had planned to install a more robust firewall and an intrusion detection system, he said.
In fact, after GAO conducted the in-depth audit of the agency's security practices, it told the EPA that the agency had an effective security plan on paper, Bonina said. It wasn't until GAO conducted penetration tests that the holes became apparent.

The EPA's problems developed because technological changes surpassed the agency's ability to secure its data, he said.

The agency's business has changed since the 1970s and 1980s, when EPA focused on implementing and enforcing environmental laws. In the late 1980s and early 1990s, the agency began giving the public access to environmental information.

The Emergency Planning and Community Right-To-Know Act required EPA to publish information about toxic releases. The theory was that if the data were available publicly, companies would be more likely to cut toxic releases. The result has been a dramatic reduction in the amount of toxic material being released into the environment, Bonina said.

Changes in EPA's business practices mirrored the evolution of its IT shop. From the 1970s until 1990, the agency used comparatively secure mainframes, essentially forming a virtual private network, he said.

In the early 1990s, EPA started the transition to a client-server architecture. The agency has nearly 2,000 servers around the country, many of them at EPA's National Computing Center in Research Triangle Park, N.C.

EPA joined the Internet arena in the mid-1990s, making its information accessible to anyone in the world.

EPA officials expected the results of the GAO audit to be bleak, but the findings were severe, Bonina said. GAO auditors easily gained root access to EPA's network. GAO said EPA had ineffective perimeter defenses, inadequate system access controls, weak network and operating system controls, poor password protections, and weak security planning and risk assessment.

Down she goes

EPA decided to disconnect the agency from the Internet, Bonina said. EPA quickly set out to put its new firewall in place.
At the same time, the agency established clear criteria for restoring service: protect its confidential business information, meet financial and legal obligations, restore employee productivity, and re-establish public access.

EPA's senior management identified the highest priority systems and services, and the IT staff focused on that list.

The agency also implemented more stringent management practices for passwords and server administration, and established a formal risk assessment process, he said.

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com