Information Security News mailing list archives
Report Slams D.C. Agency's Computer Security Practices
From: InfoSec News <isn () C4I ORG>
Date: Thu, 1 Feb 2001 01:53:54 -0600
http://www.newsbytes.com/news/01/161323.html

By Brian Krebs, Newsbytes

WASHINGTON, D.C., U.S.A., 31 Jan 2001, 7:02 PM CST

Computer systems at more than 60 agencies in the District of Columbia remain at risk because of shoddy computer security practices at the DC Department of Public Works, the General Accounting Office (GAO) said today.

In a comprehensive audit of security practices at the department released today, the GAO found that the District had not adequately limited computer access granted to employees. The report also said the District had improperly managed the majority of its employees' user IDs and passwords, and failed to maintain software controls or sufficiently protect its networks and other computer systems from unauthorized use.

The review centered on computer security controls for agencies that manage the District of Columbia's $31 million Highway Trust Fund, and details computer security weaknesses at the DC Department of Public Works, the office of the District's chief financial officer and the chief technology officer.

Specifically, the GAO report found that all of more than 4,300 active user IDs granted to department employees allowed access to more than 20 system software libraries, which can be used to bypass network security controls.

"Serious and pervasive computer security weaknesses place the fund and other district financial, payroll, personnel, and tax information at risk of inadvertent or deliberate misuse and unauthorized alteration or destruction without detection," the GAO said.

The GAO added that the security control problems also affected the District's ability to prevent or detect unauthorized changes to fund and other District financial information, including payroll records.

The GAO noted that because the Department of Public Works is interconnected with so many other District agencies, the security problems were not limited to the DPW alone.
While the department relies in part on its own local area network for online connectivity, the agency also makes use of the District's wide area network, which connects to other District organizations like the Metropolitan Police Dept., the District General Hospital, and the DC public school system. Altogether, the District's wide area network serves about 30 sites, which support approximately 60 district agencies.

To make matters worse, the GAO said, the District installed intrusion detection systems on only two of its 22 wide area network access points.

Richard Smith, a computer security expert and chief technology officer for the Denver-based Privacy Foundation, said that while wide area networks are popular among cash-strapped government agencies, they are only as strong as their weakest link.

"There is a certain economy of scale in putting things together under one roof, where they can share IT and security staff," Smith said. "But in most cases, the biggest threat to computer security comes not from outside hackers but from those within the organization itself. So the more access points you have by tying these networks together, the more likely an insider from one organization can break through security in another."

Last year, the inspector general for the Department of Veterans Affairs prosecuted three Veterans Benefits Association employees for embezzling nearly $1.3 million. By exploiting computer security weaknesses similar to those found in today's GAO report, the VA employees had created false identities and written themselves checks for more than $60,000 apiece.

While today's report found no direct evidence of financial impropriety, the GAO warned that continued weak security controls could invite such activity.

In a written response to the report, the District's Chief Technology Officer essentially agreed with the GAO's findings and said the District had developed an "action plan" to correct all security weaknesses by April 2002.
For more information on the GAO's report, visit: http://www.gao.gov/new.items/d01155.pdf