Slashdot Mirror


DHS CyberSecurity Misses 1085 Holes On Own Network

Tootech writes "In a case of 'physician, heal thyself,' the agency — which forms the operational arm of DHS's National Cyber Security Division, or NCSD — failed to keep its own systems up to date with the latest software patches. Auditors working for the DHS inspector general ran a sweep of US-CERT using the vulnerability scanner Nessus and turned up 1,085 instances of 202 high-risk security holes. 'The majority of the high-risk vulnerabilities involved application and operating system and security software patches that had not been deployed on computer systems located in Virginia,' reads the report from assistant inspector general Frank Deffer."

6 of 86 comments

  1. i've seen nessus reports by mrzaph0d · · Score: 4, Interesting

    Unless the people running the scans are experts in setting up and configuring Nessus for scanning, I wouldn't assume every one of those is a true vulnerability.

    --
    this is just a placeholder till i send back my real sig from the future.
  2. Re:no this is what you get with outsourced IT VA by erroneus · · Score: 5, Informative

    This is exactly correct. They would rather hire contractors who CLAIM they will do things so that they can fire them later when they don't do it. If they actually hire good people, they have additional egg on their faces when things don't go right and the blame game is even harder to sort out. This is all about blame shifting and the appearance of easy "correction." Having worked for DHS for a couple of years, I saw a lot of rather disgusting and disturbing things about the way they hire contractors and then don't oversee their activities. When security screeners were being hired, I witnessed an 18-year-old girl being hired as a supervisor, and this was her VERY FIRST JOB. She had absolutely zero employment experience and was hired on in a leadership role. Nothing explains this adequately. They had contractors doing the hiring and staffing for that operation, and it didn't work out so well. I heard that somewhere between 20 and 25% of the people initially hired didn't pass the background check and were subsequently let go more than a year later, so I got to see the process repeat itself AGAIN where they used contractors to do another round of mass hiring and staffing. They never learn.

  3. Obvious solution to this.. by Lakitu · · Score: 4, Funny

    We need to create a Department of Department of Homeland Security Security immediately.

  4. Re:no this is what you get with outsourced IT VA by Divide+By+Zero · · Score: 4, Informative

    Commonwealth of Virginia != Department of Homeland Security.

    This is an entirely different issue. The Virginia thing was a waste of money and an added frustration which, as anyone who's been to Virginia DMV can tell you, is NOT necessary.

    What we're looking at here is the one Cabinet-level department specifically charged with maintaining IT infrastructure getting nailed by their IG for having a security profile slightly better than your average baby's candy protection perimeter.

    While it's very difficult to keep out an experienced, dedicated attacker, you could at least shore up the defenses enough to keep the /b/tards and script kiddies out.

    --
    Dare to Hope. Prepare to be Disappointed.
  5. Re:Idiots by mcgrew · · Score: 5, Insightful

    No, it's that DHS has nothing to do with true security. Their job is security theater, as evidenced at any airport. The Armed Forces and National Guard are there for the real security.

    DHS is a waste of good tax money. It should be spent on infrastructure.

  6. Grain of salt by Spazmania · · Score: 4, Informative

    Take it with a grain of salt. The security scan was checklist-based, taking no account of the context. Worse, it was based on version-to-database matches, utterly failing to account for backported security patches and similar protections that render specific vulnerabilities moot.

    I have no personal knowledge of this specific case. But I've seen it enough times to know what this report really means.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
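Spazmania's point about version-to-database matching can be made concrete. What follows is an added example, not code from this thread or from Nessus: a toy banner scanner with a constructed rule set, constructed SSH banners and a constructed backport table. The `ADV-EXAMPLE-*` identifiers and the package release `3ubuntu7` are placeholders, not real advisories or packages. The naive path reports every upstream version older than the fix; the second path subtracts advisories the distribution's package release is recorded as having already fixed.

```python
import re
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    """A version-match rule: upstream releases older than fixed_in are reported."""
    product: str
    fixed_in: str
    advisory: str  # placeholder identifier, not a real advisory


# Constructed rule set standing in for a scanner's plugin database.
RULES = [
    Rule("OpenSSH", "5.4", "ADV-EXAMPLE-0001"),
    Rule("OpenSSH", "5.8", "ADV-EXAMPLE-0002"),
]

# Constructed backport table: (product, "upstream-distrorelease") -> advisories the
# distribution has already patched in place without bumping the upstream version.
BACKPORTS = {
    ("OpenSSH", "5.3p1-3ubuntu7"): {"ADV-EXAMPLE-0001", "ADV-EXAMPLE-0002"},
}

BANNER_RE = re.compile(
    r"SSH-2\.0-(?P<product>OpenSSH)_(?P<version>\d+(?:\.\d+)*(?:p\d+)?)"
    r"(?:\s+(?P<distro>\S+))?$"
)


def version_key(version: str) -> tuple:
    """Order upstream versions numerically; the portable 'pN' suffix is ignored."""
    digits = re.match(r"\d+(?:\.\d+)*", version).group()
    return tuple(int(part) for part in digits.split("."))


def parse_banner(banner: str) -> Optional[dict]:
    """Split a banner into product, upstream version and distro package release."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    distro = m.group("distro")
    release = distro.split("-", 1)[1] if distro and "-" in distro else None
    return {"product": m.group("product"), "version": m.group("version"), "release": release}


def naive_findings(banner: str) -> list:
    """What a pure version-to-database comparison reports."""
    info = parse_banner(banner)
    if info is None:
        return []
    return [r.advisory for r in RULES
            if r.product == info["product"]
            and version_key(info["version"]) < version_key(r.fixed_in)]


def backport_aware_findings(banner: str) -> list:
    """Same comparison, minus advisories the distro package release already fixes."""
    info = parse_banner(banner)
    if info is None:
        return []
    fixed = set()
    if info["release"]:
        key = (info["product"], f'{info["version"]}-{info["release"]}')
        fixed = BACKPORTS.get(key, set())
    return [adv for adv in naive_findings(banner) if adv not in fixed]


# Constructed banners: an unpatched upstream build, a distro build carrying
# backported fixes, and a current upstream build.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_5.3",
    "SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7",
    "SSH-2.0-OpenSSH_5.9p1",
]


def count_findings(banners) -> dict:
    """Total findings each method would put into a report."""
    return {
        "naive": sum(len(naive_findings(b)) for b in banners),
        "backport_aware": sum(len(backport_aware_findings(b)) for b in banners),
    }


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b!r}: naive={naive_findings(b)} aware={backport_aware_findings(b)}")
    print(count_findings(SAMPLE_BANNERS))
```

On these three constructed hosts the naive method reports four findings and the backport-aware method two, and the difference is entirely the distro build whose banner still says 5.3p1. In practice the backport table is replaced by a credentialed scan that reads the installed package version and checks it against the distribution's security tracker; until that triage is done, a raw instance count like the 1,085 in the IG report is an upper bound on the real exposure, not a measurement of it.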