BreachExchange mailing list archives

State Dept. computers open to hackers — report


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 17 Jan 2014 18:05:10 -0700

http://www.washingtontimes.com/news/2014/jan/16/state-dept-computers-open-hackers-report/

A day after a bipartisan Senate report faulted the State Department for
security lapses in the deadly attacks in Benghazi, an investigation from a
federal watchdog has found that the agency’s computer systems have
inadequate security and could easily be breached.

In a redacted letter made public Thursday, the State Department’s inspector
general said there were “significant and recurring weaknesses” with
cybersecurity, noting that the agency is often a target of hackers in
criminal and terrorist organizations.

“The department is responsible for preserving and protecting classified
information vital to the preservation of national security in high risk
environments across the globe,” the IG’s report said, but added that
officials have yet to “correct many of the existing significant
deficiencies thereby leading to continuing undue risk in the management of
information.”

The IG has been warning the department of the problems since 2011, but
inspectors say little has been done. The watchdog declared computer
security a “significant deficiency,” one of the highest and most urgent
markers the government uses to track issues.

Most of the exact specifics on what’s not working are still classified over
concerns that the vulnerabilities could be exploited.

Although officials have expressed a desire to correct the problems, the
department’s internal watchdog said there has been little action and
currently no written guidelines or documented strategy for improving
security.

In a response to investigators, the State Department's Management Control
Steering Committee said a plan to fix the vulnerabilities is already under
consideration, and should be ready by the end of the month.

“The committee takes the reported weaknesses very seriously,” said MCSC
Chairman James Millette. “The committee believes that our efforts over the
coming year will advance the department’s information security posture.”

Department Inspector General Steve Linick said his office was still
concerned that the agency’s own personnel would be the ones testing whether
cybersecurity was improving, calling it an issue of “independence and
perceived independence.” Instead, an outside organization such as the
National Security Agency should evaluate whether changes were actually
effective, he said.

It’s not only Benghazi-style attacks that could result from breaches in
information. The State Department handles millions of dollars from things
like visa fees, making it a prime target for theft. And passport
applications mean that agency computers often contain reams of personal
information on U.S. citizens.

The inspector general also raised the possibility of an Edward Snowden-like
leak from inside the agency if it does not get tighter control of who is
accessing its systems. Currently there are more than 6,300 system
administrators that investigators said have wide access to computer systems
and databases, the watchdog said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
