Slashdot Mirror


DHS CyberSecurity Misses 1085 Holes On Own Network

Tootech writes "In a case of 'physician, heal thyself,' the agency — which forms the operational arm of DHS's National Cyber Security Division, or NCSD — failed to keep its own systems up to date with the latest software patches. Auditors working for the DHS inspector general ran a sweep of US-CERT using the vulnerability scanner Nessus and turned up 1,085 instances of 202 high-risk security holes. 'The majority of the high-risk vulnerabilities involved application and operating system and security software patches that had not been deployed on computer systems located in Virginia,' reads the report from assistant inspector general Frank Deffer."

20 of 86 comments

  1. Idiots by Zeek40 · · Score: 2, Informative

    This is why the government always ends up hiring contractors to do the jobs they already pay their own staff to do.

    1. Re:Idiots by mcgrew · · Score: 5, Insightful

      No, it's that DHS has nothing to do with true security. Their job is security theater, as evidenced at any airport. The Armed Forces and National Guard are there for the real security.

      DHS is a waste of good tax money. It should be spent on infrastructure.

    2. Re:Idiots by Bigjeff5 · · Score: 2, Insightful

      It's almost like "The Ministry of Truth" in Orwell's 1984 - it was the propaganda machine for the government, and therefore was responsible for spreading lies far and wide.

      DHS is similar, though not exactly a polar opposite of what its Orwellian name would suggest. It spreads the feeling of security without securing anything. The guys who are actually doing anything to prevent terrorist attacks are folks like the CIA and FBI. DHS doesn't do shit.

      For example, I know a guy who accidentally brought a box cutter in his carry-on at least half a dozen times when he was flying. It wasn't until he found it in the bottom of his bag that he realized it was there and removed it. That's the same damn weapon the 19 hijackers all used, yet here at least six of them would have gotten through.

      And yet we have to take our shoes off, just in case someone put a bomb in our shoes. Give me a break.

      --
      Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    3. Re:Idiots by inanet · · Score: 2, Interesting

      I wonder how well the audit was done? I have seen really poor security audits done by professional auditing companies in the past that just showed the lack of ability of the auditors. As an example, we got the following from an audit on a few unix boxes:

      "Security risk - High: Telnet not disabled"
      "Security risk - High: SSH passwords don't expire"
      "Security risk - High: FTP not disabled"

      Our response?

      - no risk, telnet not installed. port not open.
      - no risk, ftp not installed. port not open.
      - ssh uses a key mechanism. passwords are invalid in all cases.

      Basically they had a script they ran that would check to see if things like ftp and telnet had been disabled, and if the correct password expiry was set. They had no idea that you could configure a system that didn't actually _have_ ftp or telnet installed, or that you could set up ssh in such a way that a password was never any good.

      I just mention this, even though it's great to hate on security - govt. depts., you never know how good the actual auditing is. There is a saying that those that can, do, those that can't, audit*

      * this may not actually be the saying. I'm just saying.

      --
      "This is my Sig. there are many like it but this one is mine."
  2. It's shit like this by tsalmark · · Score: 2, Insightful

    It's shit like this that needs to make it to main stream media. To show how messed up the fear mongering side of the Government really is.

  3. bureaucracy maybe? by metalmaster · · Score: 2, Insightful

    It's possible that even IT drones that work in bureaucracy have to deal with the red tape. A good number of these holes might have been fixed by installing the "latest" version of software. At most of the companies I have worked with, software installs have to be vetted by corporate suits that would rather play golf.

    I'm not going to defend software that simply requires an update. Stuff that needs a fresh install or a new software package altogether can be a pain in the ass.

  4. i've seen nessus reports by mrzaph0d · · Score: 4, Interesting

    Unless the people running the scans are experts in setting up and configuring Nessus for scanning, I wouldn't assume every one of those is a true vulnerability.

    --
    this is just a placeholder till i send back my real sig from the future.
    1. Re:i've seen nessus reports by SocialEngineer · · Score: 2, Interesting

      Exactly. Just running Nessus does not a proper security audit make.

      --
      "Better to be vulgar than non-existent" -Bev Henson
    2. Re:i've seen nessus reports by qwijibo · · Score: 2, Insightful

      Running Nessus produces numbers. Those numbers are then the metrics which management uses to judge how well people are doing their jobs. Lower numbers are always good and higher numbers are always bad.

      Comprehension of what the numbers represent, or whether they're accurate, is not really relevant from a management perspective. If you show that your numbers are small and keep getting smaller, then any security vulnerability can't be your fault, because the magic number machine says you're compliant. It's the same thinking that says anyone who got a free virus scanner installed on their computer when they bought it 7 years ago is intrinsically safe.

      Tools like Nessus can be useful from a technical perspective, but far more often are used for political reasons.

  5. Re:no this is what you get with outsourced IT VA by erroneus · · Score: 5, Informative

    This is exactly correct. They would rather hire contractors who CLAIM they will do things so that they can fire them later when they don't do it. If they actually hire good people, they have additional egg on their faces when things don't go right and the blame game is even harder to sort out. This is all about blame shifting and the appearance of easy "correction." Having worked for DHS for a couple of years, I saw a lot of rather disgusting and disturbing things about the way they hire contractors and then don't oversee their activities. When security screeners were being hired, I witnessed an 18 year old girl being hired as a supervisor and this was her VERY FIRST JOB. She had absolutely zero employment experience and was hired on in a leadership role. Nothing explains this adequately. They had contractors doing the hiring and staffing for that operation and it didn't work out so well. I heard that somewhere between 20 and 25% of the people initially hired didn't pass the background check and were subsequently let go more than a year later so I got to see the process repeat itself AGAIN where they used contractors to do another round of mass hiring and staffing. They never learn.

  6. Obvious solution to this.. by Lakitu · · Score: 4, Funny

    We need to create a Department of Department of Homeland Security Security immediately.

  7. Re:no this is what you get with outsourced IT VA by Divide+By+Zero · · Score: 4, Informative

    Commonwealth of Virginia != Department of Homeland Security.

    This is an entirely different issue. The Virginia thing was a waste of money and an added frustration which, as anyone who's been to Virginia DMV can tell you, is NOT necessary.

    What we're looking at here is the one Cabinet-level department specifically charged with maintaining IT infrastructure getting nailed by their IG for having a security profile slightly better than your average baby's candy protection perimeter.

    While it's very difficult to keep out an experienced, dedicated attacker, you could at least shore up the defenses enough to keep the /b/tards and script kiddies out.

    --
    Dare to Hope. Prepare to be Disappointed.
  8. Acrobat, Java, and Microsoft by MrTripps · · Score: 2, Informative

    The article says most of the flaws were unpatched installations of Java, Acrobat, and Windows. When new patches for those come out every week it is easy to let that slip without some sort of patch management tool. I wonder what they used other than WSUS.

    --
    "I'm not a quack, I'm a mad scientist! There's a difference." - Dr. Cockroach
  9. obvious by slick7 · · Score: 2, Funny

    This looks like a job for Kevin Mitnick...naaah.

    --
    The mind conceives, the body achieves, the spirit manifests.
  10. Re:no this is what you get with outsourced IT VA by Hylandr · · Score: 2, Insightful

    I have done work with the government and had to participate in this scanning before bringing new hardware aboard a military facility.

    Their scanning software requires remote access to the registry from a central scanning computer and looks for every "recommended" patch, setting, or configuration and throws a flag for every non-compliant instance it finds. The list of recommended settings is often a security theatre regimen or disastrously harmful to performance. But someone convinced congressman Y,Y,Z that this setting was imperative to have enabled or disabled.

    Performance was so horrible we had to disable the scanner's access in order to perform our demonstration.

    - Dan.

    --
    ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
  11. Re:FUD by crypticwun · · Score: 2, Insightful

    Actually, reading the report tells me that the problems were almost certainly Windows desktop systems lacking a cohesive patch management solution. Also, if you read further the IG even states that as of the time this report was published all the problems were already remediated including acquisition and deployment of a "software management" solution. Further, the IG claims that NCSD is not following FISMA. NSCD is not a legally recognized entity (agency) under statute, so that means *DHS* is the responsible party for FISMA reporting. FINALLY, US-CERT != the troubled network. US-CERT uses that network, but has no control over the operations of that network. Both the IG and Wired go out of their way to NOT make the distinction on that.

  12. Grain of salt by Spazmania · · Score: 4, Informative

    Take it with a grain of salt. The security scan was checklist-based, taking no account of the context. Worse, it was based on version-to-database matches, utterly failing to account for backported security patches and similar protections that render specific vulnerabilities moot.

    I have no personal knowledge of this specific case. But I've seen it enough times to know what this report really means.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  13. Just like the old saying by Thyamine · · Score: 2, Insightful

    Something about the carpenter's house or the cobbler's kids having no shoes. I work for a computer support company, and this happens to us and everyone else. Backups/patches/etc. don't get tended to unless someone up the chain knows how important they are and makes it get done. Even then it's hard to keep on top of _everything_ unless you really have people dedicated to it. It's no surprise, and I don't think it's any reason to be angry. It just shows that they need to get better organized about it, like everyone does.

    --
    I will shred my adversaries. Pull their eyes out just enough to turn them towards their mewing, mutilated faces. Illyria
  14. DHS runs Security checks all the time by realsilly · · Score: 2, Interesting

    The Govt. runs security scans on all of their systems all of the time. They are using tools that are designed to help them make their security tighter and more difficult to hack, and they are improving this all the time. As new security tools come to market they evaluate them just like any corporation. And before they let new applications on their networks, and before any release upgrades are performed, they check security on those applications. All security issues identified must be addressed before applications are put on their systems.

    I would have liked to have seen a comparison of our Government's security run against some of the Banks and Wall Street systems that hold our financial data. I would suspect you'll find as many or more on the public sector as you will on Govt. sector systems.

    --
    Life takes interesting turns, but the most interest is when you're off the beaten path.
  15. Re:if you read the actual report pdf by setrops · · Score: 2, Interesting

    Yes actually I do this quarterly.

    We divide the vulnerabilities into 3 categories.

    OS patching.
    OS Hardening.
    Application Patching.

    By doing this you can focus on the root cause of the issues: system owners, application owners. It's a nice 2 page report with colours. They love it.

    Administrators who care and are not tied up in red tape tend to really shine in these reports.

    Another thing to realise is that in a corporate production environment, nothing will ever be 100% secure 100% of the time.
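The triage that Spazmania (version-to-database matches ignoring backported fixes) and setrops (splitting findings into OS patching, OS hardening and application patching) describe, written out as an added example that is not from the thread or from any scanner vendor; the findings, host inventory, package names and the `OS_COMPONENTS` list are all constructed for illustration.

```python
import re

# Constructed findings in the shape a version-matching scanner reports:
# (host, check name, package the check keyed on, fixed upstream version, remedy type)
FINDINGS = [
    ("va-ws-01", "Java JRE < 6u20", "jre", "1.6.0_20", "patch"),
    ("va-ws-01", "Adobe Reader < 9.3.2", "acroread", "9.3.2", "patch"),
    ("va-ws-02", "SMB signing not required", "windows", "", "config"),
    ("va-lx-01", "OpenSSL < 0.9.8n", "openssl", "0.9.8n", "patch"),
]
# Constructed inventory taken from the hosts themselves: installed version and
# whether the vendor changelog records a backported fix for that check.
INVENTORY = {
    ("va-ws-01", "jre"): ("1.6.0_17", False),
    ("va-ws-01", "acroread"): ("9.3.2", False),   # already at the fixed version
    ("va-lx-01", "openssl"): ("0.9.8e", True),    # distro backport, old version string
}
OS_COMPONENTS = {"windows", "kernel", "openssl"}  # constructed per-site list

def version_key(v):
    """Tokenise '1.6.0_17' / '0.9.8k' so that the lists compare in order."""
    return [(0, int(t)) if t.isdigit() else (1, t)
            for t in re.findall(r"\d+|[A-Za-z]+", v)]

def category(software, remedy):
    """Route each finding to the owner who can actually fix it."""
    if remedy == "config":
        return "OS hardening"
    return "OS patching" if software in OS_COMPONENTS else "Application patching"

def status(host, software, fixed_version):
    """'open', 'likely-false-positive', 'manual-review' or 'unverified'."""
    if not fixed_version:            # config checks have no version to compare
        return "manual-review"
    entry = INVENTORY.get((host, software))
    if entry is None:                # nothing to cross-check the scanner against
        return "unverified"
    installed, backported = entry
    if backported or version_key(installed) >= version_key(fixed_version):
        return "likely-false-positive"
    return "open"

def triage(findings=FINDINGS):
    """Group findings by category and annotate each with its verified status."""
    report = {}
    for host, check, software, fixed, remedy in findings:
        report.setdefault(category(software, remedy), []).append(
            (host, check, status(host, software, fixed)))
    return report

if __name__ == "__main__":
    for cat, items in triage().items():
        print(cat)
        for host, check, st in items:
            print(f"  {host:10} {st:22} {check}")
```

The backport flag still has to come from the vendor's changelog or an authenticated package query, not from the scanner's banner match; the point of the cross-check is to turn a raw count into a list each owner can act on.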