Information Security News mailing list archives

Report Slams D.C. Agency's Computer Security Practices


From: InfoSec News <isn () C4I ORG>
Date: Thu, 1 Feb 2001 01:53:54 -0600

http://www.newsbytes.com/news/01/161323.html

By Brian Krebs, Newsbytes
WASHINGTON, D.C., U.S.A.,
31 Jan 2001, 7:02 PM CST

Computer systems at more than 60 agencies in the District of Columbia
remain at risk because of shoddy computer security practices at the DC
Department of Public Works, the General Accounting Office (GAO) said
today.

In a comprehensive audit of security practices at the department
released today, the GAO found that the District had not adequately
limited computer access granted to employees. The report also said the
District had improperly managed the majority of its employees' user
IDs and passwords, and failed to maintain software controls or
sufficiently protect its networks and other computer systems from
unauthorized use.

The review centered on computer security controls for agencies that
manage the District of Columbia's $31 million Highway Trust Fund, and
details computer security weaknesses at the DC Department of Public
Works, the office of the District's chief financial officer and the
chief technology officer.

Specifically, the GAO report found that all of more than 4,300 active
user IDs granted to department employees allowed access to more than
20 system software libraries, which can be used to bypass network
security controls.

"Serious and pervasive computer security weaknesses place the fund and
other district financial, payroll, personnel, and tax information at
risk of inadvertent or deliberate misuse and unauthorized alteration
or destruction without detection," the GAO said.

The GAO added that the security control problems also affected the
District's ability to prevent or detect unauthorized changes to fund
and other District financial information, including payroll records.

The GAO noted that because the Department of Public Works is
interconnected with so many other District agencies, the security
problems were not limited to the DPW alone. While the department
relies in part on its own local area network for online connectivity,
the agency also makes use of the District's wide area network, which
connects to other District organizations like the Metropolitan Police
Dept., the District General Hospital, and the DC public school system.
Altogether, the District's wide area network serves about 30 sites,
which support approximately 60 district agencies.

To make matters worse, the GAO said, the District installed intrusion
detection systems on only two of its 22 wide area network access
points.

Richard Smith, a computer security expert and chief technology officer
for the Denver-based Privacy Foundation, said while wide area networks
are popular among cash-strapped government agencies, they are only as
strong as their weakest link.

"There is a certain economy of scale in putting things together under
one roof, where they can share IT and security staff," Smith said.
"But in most cases, the biggest threat to computer security comes not
from outside hackers but from those within the organization itself. So
the more access points you have by tying these networks together, the
more likely an insider from one organization can break through
security in another."

Last year, the inspector general for the Department of Veterans
Affairs prosecuted three Veterans Benefits Association employees for
embezzling nearly $1.3 million. By exploiting computer security
weaknesses similar to those found in today's GAO report, the VA
employees had created false identities and written themselves checks for
more than $60,000 apiece.

While today's report found no direct evidence of financial
impropriety, the GAO warned that continued weak security controls
could invite such activity.

In a written response to the report, the District's Chief Technology
Officer essentially agreed with the GAO's findings and said the
District had developed an "action plan" to correct all security
weaknesses by April 2002.

For more information on the GAO's report, visit:
http://www.gao.gov/new.items/d01155.pdf

ISN is hosted by SecurityFocus.com