DHS CyberSecurity Misses 1085 Holes On Own Network
Tootech writes "In a case of 'physician, heal thyself,' the agency — which forms the operational arm of DHS's National Cyber Security Division, or NCSD — failed to keep its own systems up to date with the latest software patches. Auditors working for the DHS inspector general ran a sweep of US-CERT using the vulnerability scanner Nessus and turned up 1,085 instances of 202 high-risk security holes. 'The majority of the high-risk vulnerabilities involved application and operating system and security software patches that had not been deployed on computer systems located in Virginia,' reads the report from assistant inspector general Frank Deffer."
This is why the government always ends up hiring contractors to do the jobs they already pay their own staff to do.
It's shit like this that needs to make it to mainstream media, to show how messed up the fear-mongering side of the Government really is.
... not as I do.
It's possible that even IT drones that work in bureaucracy have to deal with the red tape. A good number of these holes might have been fixed by installing the "latest" version of software. At most of the companies I have worked with, software installs have to be vetted by corporate suits that would rather play golf.
I'm not going to defend software that simply requires an update. Stuff that needs a fresh install or a new software package altogether can be a pain in the ass.
No, this is what you get with outsourced IT. The state of VA went with Northrop Grumman; that did not work that well.
Well, obviously they need to run some instances of Windows for research and testing purposes to protect the public, but you'd think the organization devoted to cybersecurity would run something with fewer targeted attacks designed especially for it.
Unless the people running the scans are experts in setting up and configuring Nessus for scanning, I wouldn't assume every one of those is a true vulnerability.
this is just a placeholder till i send back my real sig from the future.
This is exactly correct. They would rather hire contractors who CLAIM they will do things so that they can fire them later when they don't do it. If they actually hire good people, they have additional egg on their faces when things don't go right and the blame game is even harder to sort out. This is all about blame shifting and the appearance of easy "correction." Having worked for DHS for a couple of years, I saw a lot of rather disgusting and disturbing things about the way they hire contractors and then don't oversee their activities. When security screeners were being hired, I witnessed an 18 year old girl being hired as a supervisor and this was her VERY FIRST JOB. She had absolutely zero employment experience and was hired on in a leadership role. Nothing explains this adequately. They had contractors doing the hiring and staffing for that operation and it didn't work out so well. I heard that somewhere between 20 and 25% of the people initially hired didn't pass the background check and were subsequently let go more than a year later so I got to see the process repeat itself AGAIN where they used contractors to do another round of mass hiring and staffing. They never learn.
We need to create a Department of Department of Homeland Security Security immediately.
Very true. I've seen auditors report that users' default umask was incorrectly set. When you try to explain that any user can set any umask they want, so why bother, they stare at you like you just told them the Sun was blue.
UNIX/Linux Consulting
This is an entirely different issue. The Virginia thing was a waste of money and an added frustration which, as anyone who's been to Virginia DMV can tell you, is NOT necessary.
What we're looking at here is the one Cabinet-level department specifically charged with maintaining IT infrastructure getting nailed by their IG for having a security profile slightly better than your average baby's candy protection perimeter.
While it's very difficult to keep out an experienced, dedicated attacker, you could at least shore up the defenses enough to keep the /b/tards and script kiddies out.
Dare to Hope. Prepare to be Disappointed.
Managing configuration for one box is easy. Sometimes managing configuration for multiples of the same box is doable. But managing configuration for a large scale multi-vendor deployment is a headache that nobody solves particularly well, and the tools for checking the various things (patch level, logs, configuration scanning, etc) typically all come from different security vendors and those don't work together either.
The article says most of the flaws were unpatched installations of Java, Acrobat, and Windows. When new patches for those come out every week it is easy to let that slip without some sort of patch management tool. I wonder what they used other than WSUS.
"I'm not a quack, I'm a mad scientist! There's a difference." - Dr. Cockroach
The lack of details in the paper makes it impossible to know exactly what they found. Scanners such as Nessus, Foundstone, and LANguard are really noisy and can report normal system operation as a high vulnerability regardless of system configuration.
Something like telnet will be a high, but put in the proper mitigations, such as access lists or two-factor authentication, and you can show it as a medium or low.
It's all subjective.
This looks like a job for Kevin Mitnick...naaah.
The mind conceives, the body achieves, the spirit manifests.
So the Department of Homeland Security's network security measures are approximately equivalent to the security measures on the border between Mexico and the United States.
I am Jack's Complete Lack of Surprise.
The Department of Homeland Security's primary mission is not "security." Its mission is "training the public to be properly responsive to idiotic demands from the Federal Government."
Specialization is for insects. - R.A.H.
I have done work with the government and had to participate in this scanning before bringing new hardware aboard a military facility.
Their scanning software requires remote access to the registry from a central scanning computer and looks for every "recommended" patch, setting, or configuration and throws a flag for every non-compliant instance it finds. The list of recommended settings is often a security theatre regimen or disastrously harmful to performance. But someone convinced congressman X, Y, or Z that this setting was imperative to have enabled or disabled.
Performance was so horrible we had to disable the scanner's access in order to perform our demonstration.
- Dan. .
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
You find the most grotesque Microsoft PowerPoint-like data crap: a half-page picture that is a pie chart with two sections (figure 4, page 9 in the PDF).
Anyone who would put together such a BS piece of eye candy isn't competent to pound sand down a rathole, even if they do use their spellchecker.
Have you ever briefed such a report to management? Management wants to see the 'bottom line' type of information, not piles of information packed into slides.
Pie charts are common on these types of high level reports... remember that managers are looking at this. To get into the nitty gritty and fix vulnerabilities (or invalidate scan findings if they're false positives) the Information Assurance techs would look at the actual Nessus scan findings, not the pretty pie chart (that's for management).
Here's to the crazy ones
Take it with a grain of salt. The security scan was checklist-based, taking no account of the context. Worse, it was based on version-to-database matches, utterly failing to account for backported security patches and similar protections that render specific vulnerabilities moot.
I have no personal knowledge of this specific case. But I've seen it enough times to know what this report really means.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
"What we're looking at here is the one Cabinet-level department specifically charged with maintaining IT infrastructure getting nailed by their IG for having a security profile slightly better than your average baby's candy protection perimeter."
?!? Where are you getting this analogy from? ?!?
Can't you think of an appropriate car-themed analogy?
Several years ago I was working at a company hired to do a similar outside audit, who ... was in turn of course hired to fix the situation.
I was handed a Nessus report by the fellow who did the audit that pointed out several servers were missing critical Windows patches in the audit the week before ... and was asked to please go out and patch them. Small problem when I arrived on site ... the servers were running Debian. So Nessus might be a great auditing tool, but any report is only as good as the people that ran the tool.
Code softly but carry a big magnet.
With Nessus, the "high" severity results are the only ones that really matter. And even then they sometimes don't. For example: "you are using a version of PHP with a security hole in one of the API calls your programs might use" is high, but it isn't a real vulnerability unless you actually use that specific call.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
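The two posts above (the one on version-to-database matching missing backported patches, and the one on "high" findings that only matter if the vulnerable code path is reachable) describe the same failure mode: the scanner judges from a banner string, not from what is actually installed. The following is an added example, not code from the original posts or from any scanner vendor. The service name "exampled", its version numbers, the scanner rule and the backport table are all constructed; the "Product_x.y Vendor-N" banner shape mirrors how distribution-built daemons commonly advertise a vendor revision alongside an unchanged upstream version.

```python
"""Version-to-database matching versus a backport-aware check (constructed data)."""
import re

# Constructed scanner rule: "exampled fixed the issue upstream in 1.5", so a
# version-only rule flags every banner below 1.5.
FIXED_UPSTREAM = (1, 5)

# Constructed vendor knowledge: these vendor revisions carry the fix backported
# into an older upstream version. A real table would come from the vendor's
# advisories or the package changelog, never from the banner itself.
BACKPORTS = {
    "Debian": 3,    # exampled_1.4 Debian-3 and later are fixed
    "RedHat": 12,   # exampled_1.3 RedHat-12 and later are fixed
}

BANNER_RE = re.compile(r"^exampled_(\d+)\.(\d+)(?:\s+([A-Za-z]+)-(\d+))?$")


def parse_banner(banner):
    """Return (upstream_version, vendor, vendor_revision) or None if unparseable."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)))
    vendor = m.group(3)
    revision = int(m.group(4)) if m.group(4) else None
    return version, vendor, revision


def version_only_check(banner):
    """What a checklist scanner does: compare the upstream number, nothing else."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    version, _, _ = parsed
    return "vulnerable" if version < FIXED_UPSTREAM else "patched"


def backport_aware_check(banner):
    """Same rule, but consult the vendor revision before declaring a hit."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    version, vendor, revision = parsed
    if version >= FIXED_UPSTREAM:
        return "patched"
    if vendor in BACKPORTS:
        return "patched (backported)" if revision >= BACKPORTS[vendor] else "vulnerable"
    if vendor is not None:
        # A vendor build we have no data for: the banner cannot settle it either way.
        return "verify on host"
    return "vulnerable"


def compare(banners):
    """Side by side: (banner, version-only verdict, backport-aware verdict)."""
    return [(b, version_only_check(b), backport_aware_check(b)) for b in banners]


# Constructed banners, as a scanner might collect them.
SAMPLE_BANNERS = [
    "exampled_1.6",             # upstream fix present
    "exampled_1.4",             # stock build, really vulnerable
    "exampled_1.4 Debian-3",    # backported fix: the version-only check misfires
    "exampled_1.4 Debian-2",    # vendor build from before the backport
    "exampled_1.3 Acme-7",      # vendor we have no data for
]

if __name__ == "__main__":
    for banner, naive, aware in compare(SAMPLE_BANNERS):
        print(f"{banner:<24} version-only: {naive:<11} backport-aware: {aware}")
```

The "verify on host" verdict is the honest one whenever the build is not in the table: the only reliable source is the package itself (for example `rpm -q --changelog <pkg>` or the Debian changelog under /usr/share/doc/<pkg>/), which is exactly the step a banner-only scan skips.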
Something about the carpenter's house or the cobbler's kids have no shoes. I work for a computer support company, and this happens to us and everyone else. Backups/patches/etc don't get tended to unless someone up the chain knows how important they are and makes it get done. Even then it's hard to keep on top of _everything_ unless you really have people dedicated to it. It's no surprise, and I don't think it's any reason to be angry. It just shows that they need to get better organized about it like everyone does..
I will shred my adversaries. Pull their eyes out just enough to turn them towards their mewing, mutilated faces. Illyria
The Govt. runs security scans on all of their systems all of the time. They are using tools that are designed to help them make their security tighter and more difficult to hack, and they are improving this all the time. As new security tools come to market they evaluate them just like any corporation. And before they let new applications on their networks, and before any release upgrades are performed, they check security on those applications. All security issues identified must be addressed before applications are put on their systems.
I would have liked to have seen a comparison of our Government's security run against some of the bank and Wall Street systems that hold our financial data. I would suspect you'll find as many or more on the public sector as you will on Govt. sector systems.
Life takes interesting turns, but the most interest is when you're off the beaten path.
Across 174 MOE computers scanned, 202 unique vulnerabilities... which comes out to be about 6.2356 vulnerabilities per computer.
"18 year old girl being hired as a supervisor and this was her VERY FIRST JOB"
I guess if I was getting my pole waxed by an 18 year old girl, I'd give her any job she wanted too!
I killed da wabbit -Elmer Fudd
Listen! they're coming up the driveway, out the back door! ;-)...
I gave up on trying to educate auditors. They often have the logical reasoning capability of a brick, without the value of being a building material. Compliance auditing is about reducing a complex set of circumstances and requirements into simple numbers. Comprehension of the underlying issues is not a job requirement.
The reason why that's a checklist item is that 99+% of users have access to, but not the knowledge required to set, a umask, therefore making your point moot.
My recent favorite audit vulnerability was mode 644 on wtmpx. If someone has an account on a system (which is already limited to legitimate need anyway), I'm not deeply concerned if they can find out who has recently logged into the server. In fact, I'd rather that simple troubleshooting be done by unprivileged users, some of which fall into the 99+%, rather than requiring they get root access to look at harmless information.
The best part is when one compliance program says that SSHD should have PermitRootLogin=No, but another group needs it to be Yes to allow all of the root passwords to be centrally managed to meet some other compliance requirement.
Yup, I too was hired by DHS via a contractor. My UA was hot for Benzo (I was in the middle of a messy divorce, but had no script); I told the Dr at the physical and they passed me through. I left for the same reason you mention. No rhyme or reason for speciality hires. Myself and another highly qualified co-worker applied for an IED detection instructor position and it was awarded to a 55+ year old woman who had probably never seen an explosive in her life. I left a few weeks later. My co-worker lasted a few more months until he threw in the towel and moved into private security.
6.8SPC TR of 550, l xwind at 6, drift rt at 26" drops 77". AT has 503 ft-lbs at 1403 fps. FT 0.86
The government always ends up hiring contractors, this is why the jobs are already contractors, because .Gov/.Mil/.Com C*O/management get to blame-storm the contractors, the contractors can blame-storm each other, and the public thinks civil servants can't do the job. I know a few .Gov IT/Services folks and they know security basics very well, but they cannot interfere with the contractors doing a questionable job, until post-audit or post-incident.
Go discover how many contractors are on the .gov/.mil payroll. Are contractors more competent? Well from this incident and many others, I suspect, the answer is NO!
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
The folks who are actually collecting big paychecks are well certified, qualified, legitimized... and they got BM (business management) degrees.
Also, DHS provides many more big paychecks for the DC, Virginia, and Maryland .gov+.mil+.com money pit.
If you are unemployable, move to the DC, Virginia, and Maryland area where more .gov+.mil+.com easy-jobs move every year. They need janitors and maids. The other jobs are for family and friends of family; Hence, an 18yo woman can be a fully certified, qualified, legitimized... boss (eventually with a business management).
Gooooooood is either god or good with too many "o".
Haliburton can really help with obscurity security, I'm sure.
C*O/Business management is about the same in .com as in .gov/.mil? Limit to 0.6666... average for both suffering the technology peter-principle, then I agree.
Yes, actually I do this quarterly.
We divide the vulnerabilities into three categories:
OS patching.
OS hardening.
Application patching.
By doing this you can focus on the root cause of the issues: system owners, application owners. It's a nice two-page report with colours. They love it.
Administrators who care and are not tied up in red tape tend to really shine in these reports.
Another thing to realise is that in a corporate production environment, nothing will ever be 100% secure 100% of the time.
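The quarterly triage described in the post above (three buckets, routed to system owners or application owners) and the per-computer arithmetic from the earlier "174 computers / 202 unique vulnerabilities" post both start from the raw scan export rather than the pie chart. The following is an added example, not code from the original posts or from Tenable. It assumes the NessusClientData_v2 XML layout (ReportHost / ReportItem elements carrying pluginID, pluginName, pluginFamily and severity attributes); the sample export is constructed, and the bucket heuristic in categorize() is an assumption, not a Nessus feature.

```python
"""Triage a Nessus v2 export into the three buckets of the quarterly report (constructed data)."""
import xml.etree.ElementTree as ET
from collections import Counter

HIGH = 3  # Nessus v2 severity: 0 info, 1 low, 2 medium, 3 high, 4 critical

# Constructed sample export: three hosts, with one ReportItem deliberately
# repeated (same host/port/plugin) to show that instances must be de-duplicated.
SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="constructed">
  <ReportHost name="10.0.0.1">
   <ReportItem port="445" protocol="tcp" severity="3" pluginID="10001"
     pluginName="Missing OS security update" pluginFamily="Windows : Microsoft Bulletins"/>
   <ReportItem port="0" protocol="tcp" severity="3" pluginID="10002"
     pluginName="Java runtime out of date" pluginFamily="Windows"/>
   <ReportItem port="0" protocol="tcp" severity="3" pluginID="10002"
     pluginName="Java runtime out of date" pluginFamily="Windows"/>
   <ReportItem port="22" protocol="tcp" severity="1" pluginID="10003"
     pluginName="SSH weak cipher offered" pluginFamily="Misc."/>
  </ReportHost>
  <ReportHost name="10.0.0.2">
   <ReportItem port="445" protocol="tcp" severity="3" pluginID="10001"
     pluginName="Missing OS security update" pluginFamily="Windows : Microsoft Bulletins"/>
   <ReportItem port="0" protocol="tcp" severity="3" pluginID="10004"
     pluginName="PDF reader out of date" pluginFamily="Windows"/>
   <ReportItem port="445" protocol="tcp" severity="3" pluginID="10005"
     pluginName="SMB signing not required" pluginFamily="Misc."/>
  </ReportHost>
  <ReportHost name="10.0.0.3">
   <ReportItem port="0" protocol="tcp" severity="3" pluginID="10002"
     pluginName="Java runtime out of date" pluginFamily="Windows"/>
   <ReportItem port="0" protocol="tcp" severity="0" pluginID="10006"
     pluginName="Host information" pluginFamily="General"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

# Who each bucket is handed to on the report.
OWNER = {
    "OS Patching": "system owner",
    "OS Hardening": "system owner",
    "Application Patching": "application owner",
}


def categorize(family, name):
    """Heuristic (assumption): route a finding to one of the three buckets."""
    f, n = family.lower(), name.lower()
    if f == "policy compliance" or any(
        k in n for k in ("signing", "configuration", "default password", "enabled")
    ):
        return "OS Hardening"
    if f.endswith("local security checks") or "microsoft bulletins" in f:
        return "OS Patching"
    return "Application Patching"


def triage(nessus_xml, min_severity=HIGH):
    """Count unique findings, de-duplicated instances and affected hosts at or above a severity."""
    root = ET.fromstring(nessus_xml)
    hosts, seen, plugins, instances = set(), set(), {}, []
    for host in root.iter("ReportHost"):
        hname = host.get("name")
        hosts.add(hname)
        for item in host.iter("ReportItem"):
            key = (hname, item.get("port"), item.get("protocol"), item.get("pluginID"))
            if key in seen:  # the scanner reported the same thing twice
                continue
            seen.add(key)
            if int(item.get("severity", "0")) < min_severity:
                continue
            pid = item.get("pluginID")
            name, family = item.get("pluginName", ""), item.get("pluginFamily", "")
            plugins.setdefault(pid, (name, categorize(family, name)))
            instances.append((hname, pid))
    by_category = Counter(plugins[pid][1] for _, pid in instances)
    return {
        "hosts_scanned": len(hosts),
        "hosts_affected": len({h for h, _ in instances}),
        "unique_high": len(plugins),
        "high_instances": len(instances),
        "per_host": round(len(instances) / len(hosts), 4) if hosts else 0.0,
        "by_category": dict(by_category),
    }


def summary_lines(result):
    """The management-facing table: one headline plus one line per bucket with its owner."""
    lines = [
        f"{result['high_instances']} instances of {result['unique_high']} findings on "
        f"{result['hosts_affected']}/{result['hosts_scanned']} hosts ({result['per_host']} per host)"
    ]
    for bucket, count in sorted(result["by_category"].items()):
        lines.append(f"  {bucket:<22} {count:>4}  -> {OWNER[bucket]}")
    return lines


if __name__ == "__main__":
    print("\n".join(summary_lines(triage(SAMPLE_NESSUS))))
```

On the constructed sample this reports 6 instances of 4 findings across 3 hosts (2.0 per host), split 2 / 3 / 1 across OS patching, application patching and hardening; the same division applied to the report's 1,085 instances of 202 findings on 174 computers is what the "6.2356 per computer" figure upthread comes from. The de-duplication key matters: without it, the repeated Java item on the first host would inflate the instance count.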
Excuses are a major security problem.
In fact, excuses cause major security problems.
No, I am not saying fire the person, because shit happens. Unless the person is the problem looking for excuses for all the shit happening.
It could also have been a family member that got her the job. This being VA, the two might not be mutually exclusive.
DHS CyberSecurity Misses 1085 Holes On Own Network
In other news, bears found to shit in woods. News at eleven!
"This is all about blame shifting and the appearance of easy 'correction.'"
Congratulations! You just gave the best definition of what a bureaucracy is!
Not to be cynical here... well, yes I am... what do you expect from COFEE http://www.microsoft.com/industry/government/solutions/cofee/default.aspx drinking and donut eating https://www.dunkindonuts.com/ lazy system admins? Some people who work for the DHS cannot be bothered and are still trying to figure out the FBI's Carnivore, swiftly changed to the code name Magic Lantern.... "You rub it and a Genie pops out with 3 wishes".
All cows eat grass!
The most ludicrous (on multiple levels) I have had to deal with was an audit by one of our customers flagging our software for SQL injection, simply because the 'Defects Addressed' section of the release notes contained the text of an ODBC error administrators may have seen in the server log in prior releases, that had now been fixed. They would absolutely not allow the software into production until this 'critical vulnerability' in the static HTML release notes had been fixed. The scripts that spell-check our release notes now flag 'ODBC', and suggest that this acronym be replaced with the HTML numeric entities. This lets us pass the audit. I wonder how many real SQL injection vulnerabilities get passed over by this audit software because the output is encoded in some way?
I don't know that what you experienced is quite what the article's talking about.
I'm not at DHS-OIG, but in reading their report, it looks to me like it's a pen test or internal vulnerability scan, not an inventory of what patches they have installed. Nessus exists to find actual holes, not just see what patches you had installed compared to FDCC. The report said a Nessus scan found 202 high-risk security holes (as well as 338 medium- and low-risk) in 1085 instances on 174 computers, not just missing patches for systems that aren't actual vulnerabilities.
I'd like to be able to see the report that says exactly what the holes are, but I suspect that that level of detail is probably classified. Given the other findings and recommendations in the report, I'd be inclined to believe that there are real problems and not just a few missing patches.
I hate security theater as much as anybody, but I think this vulnerability scan might be serving a worthwhile purpose.