Slashdot Mirror


Govt. Report Slams FBI's Internal Network Security

An anonymous reader writes "The Government Accountability Office, the federal government's watchdog agency, Thursday released a report critical of the FBI's internal network, asserting it lacks security controls adequate to thwart an insider attack. Among its other findings, the GAO said the FBI did not adequately 'identify and authenticate users to prevent unauthorized access.' The GAO report also criticized FBI network security in other regards, saying that there was a lack of encryption to protect sensitive data and patch management wasn't being done in a timely manner."

2 of 70 comments

  1. Re:Windows ? by Anonymous Coward · Score: 4, Insightful

    In most cases, yes.

    However, I doubt FBI security is as good as DISA (they handle information security for the military). They have a PKI (public key infrastructure) CAC (control access card) system for authenticating users wherever they go (logging into computers, opening doors, etc). Whether this is better than more traditional systems is another topic of debate, as very few people (as in, none of the users) really understand how PKI works.

    At the absolute minimum the FBI needs at least some sort of two-factor authentication with an OTP (one time password) generator. Relying on Active Directory security with Windows passwords is an absolute joke, especially when you are reusing those passwords over and over in many different systems. Even if you aren't reusing passwords between systems, users won't remember 20 different case-sensitive passwords all containing 12 random characters each. Which is most likely why the FBI might not be using high security on their networks - the usability suffers in a big way.

    They would really need to rebuild the IT infrastructure from the ground up with added security in mind. Everyone would need to be retrained on the use of PKI/OTP/2-factor-auth/etc and other DISA-like security used in more secure environments. Especially with a Windows platform these changes would be expensive... but the FBI has never had problems spending money on IT/software (*wink*) so I don't see what is holding them back.

    Also notice the use of 10 million acronyms above... the FBI is getting NOTHING without adding at least 450 new acronyms to their vocabulary. That is government IT for you!

  2. Good old FBI by MikeRT · Score: 4, Insightful

    Things like this bring to mind my dad's grumbling about them. He was a Customs special agent, and used to grumble about how the FBI spent more of its time posing in front of the camera as though it were the hottest shit in the federal law enforcement world, than doing good casework. The FBI are camera hounds compared to the other agencies. They are a highly dysfunctional agency, and 9-11 proved that. Three of their offices noticed serious warning signs about Islamic activity in the US, but didn't work together because of rivalry and turf. Sounds more like a group of federalized local cops if you ask me...

    This comes not long after the FBI blew $500M on a series of hardware and software upgrades. Is anyone surprised that this agency can't get its act together by now?