Information Security News mailing list archives

Hired hacker invades VA


From: William Knowles <wk () C4I ORG>
Date: Thu, 21 Sep 2000 10:29:53 -0500

http://www.fcw.com/fcw/articles/2000/0918/web-va-09-21-00.asp

BY Judi Hasson
09/21/2000

A private security company hired by the Department of Veterans Affairs
inspector general broke into VA computer systems to show that the
agency needs to work harder on securing sensitive data, according to
testimony delivered to Congress today.

The audit, by PricewaterhouseCoopers, found numerous weaknesses in the
firewalls at the Veterans Benefits Administration and the Veterans
Health Administration, where confidential health and benefits records
are stored.

"The security problems VA faces are serious," said Rep. Corinne Brown
(D-Fla.), ranking member on the House VA Committee's Oversight and
Investigations Subcommittee. "They represent an open door to the U.S.
Treasury."

In testimony prepared for delivery to the subcommittee, assistant IG
Michael Slachta Jr. said the holes in the VA's security system make the
agency's programs and financial data "vulnerable to destruction,
manipulation and fraud."

Among the weaknesses, he said:

* Passwords were not changed often enough, and words were used that
  could be easily guessed.

* Physical security at the main computer room was inadequate.

* New employees were not properly trained.

Security problems continue to exist because the VA has not implemented
an integrated security management program, and the VHA has not
effectively managed computer security at its medical facilities,
according to Joel Willemssen, director of the civil agencies
information systems at the General Accounting Office.

"Financial transaction data and personal information on veterans'
medical records continued to face increased risk of inadvertent or
deliberate misuse, fraudulent use, improper disclosure or
destruction," Willemssen said in his prepared testimony.

However, "It wasn't all bad news," VBA chief information officer K.
Adair Martinez said during the hearing today, "There were two [real]
hacking attacks last week on the VBA system, and they were both
detected and prevented."

This is not the first time that the VA has been criticized for lax
security. For several years, Congress has complained that the VA has
not taken the right steps to protect electronic data and failed to
properly track the more than $1 billion it spends each year on
technology, a requirement of the 1996 Clinger-Cohen Act.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com