Full Disclosure mailing list archives
Interesting reading-Government MAC systems under fire
From: "Randall M" <randallm () fidmail com>
Date: Fri, 25 Nov 2005 19:37:39 -0600
Hi friends,

There is a very interesting development with the Department Of Interior and its security compliance. The Secretary and Inspector General of the DOI are at odds on this issue. After the report of the lack of security as demonstrated by pen-testing came out, a court order came ordering that the systems be removed from the internet. Later, the Secretary, through an Appeals court, stayed the order, asking the Office of Management and Budget to clarify what the compliances are and for a "clearer definition of adequate security."

Now, if that argument is not by itself interesting, what the systems are used for is the real story. They hold all the data for and about Indian Trust payments for the oil, land, and other natural resources owed to some 500,00 Indians. The Tribes have filed a lawsuit for mismanagement of the funds, which are valued in the multiple billions.

I have included here a snippet of how the SANS newsletter posted this (I also included the DHS's report on FEMA databases). Then, if you're interested in further reading, see the link to the Indian Trust website.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY

--Dept. of Interior Asks OMB for FISMA Compliance Clarification (23/21 November 2005)
Department of the Interior (DOI) secretary Gale Norton has asked the Office of Management and Budget (OMB) to clarify its interpretations of the requirements for compliance with the Federal Information Security Management Act (FISMA). DOI inspector general Earl Devaney's penetration testing reportedly found that DOI networks were vulnerable to both internal and external unauthorized access. The report concluded that DOI is not in compliance with FISMA. DOI CIO Hord Tipton maintains Devaney's interpretation of FISMA compliance exceeds basic requirements as reflected in his answers in the FY 2005 reporting template. Mr. Tipton also says the report does not take into consideration improvements made during the year that came as a direct result of the IG's testing. Ms. Norton maintains that her department meets FISMA requirements and has asked OMB for a "clearer definition of adequate security."
http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=37643
http://www.fcw.com/article91521-11-21-05-Web

[Editor's Note (Schultz): Penetration testing performed by competent and fully authorized individuals and organizations can be very beneficial. At the same time, however, I hate to see the results of penetration tests used in the way they apparently have been in the case of the Department of the Interior. Penetration tests should never in and of themselves be used as the sole evidence for the adequacy of security; they should instead be considered part of a complete set of findings that include among other things security reviews and vulnerability assessments.
(Paller): Gene's criticism is accurate but doesn't go far enough. People who rely on penetration testing as their primary method of deciding whether systems are vulnerable to cyber attacks are either misinformed or lacking in competence.]

--DHS Inspector General: FEMA Core Databases are Not Secure (21 November 2005)
According to a report from Department of Homeland Security (DHS) Inspector General Richard L. Skinner, the Federal Emergency Management Agency (FEMA) has not implemented sufficient security safeguards to protect its core databases. The report acknowledges FEMA has made IT security improvements, such as the development of a contingency plan. FEMA officials agree with the majority of the findings and are taking action.
http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn2&story.id=37600

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

The following web site gives the views from the Tribe and lawyers involved in the case. See the right side: http://www.indiantrust.com/

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

In one of the articles the Inspector General states clearly that "his" pen-testers were able to move around and even manipulate files. The "editorial" section from SANS gives the opinion that "Penetration tests should never in and of themselves be used as the sole evidence for the adequacy of security". I'm sorry, but when such an issue involves billions of dollars and a "pen-tester" can move around the systems with no problem, I think that suffices as somewhat of a sole evidence needed! I also cannot help but think that this "full disclosure" could be read by the wrong person and a different penetration is imminent. Some of you on this list have dealt with Government systems and probably know and understand the Inspector General's plea.

Thank You
Randall M
=====================
"You too can have your very own Computer!"
Note: Side effects include: Blue screens; interrupt violation; illegal operations; remote code exploitations; virus and malware infestations; and other unknown vulnerabilities.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Interesting reading-Government MAC systems under fire Randall M (Nov 25)
- Re: Interesting reading-Government MAC systems under fire Valdis Kletnieks (Nov 25)