
DHS CyberSecurity Misses 1085 Holes On Own Network

Posted by CmdrTaco
from the do-as-i-say dept.
Tootech writes "In a case of 'physician, heal thyself,' the agency — which forms the operational arm of DHS's National Cyber Security Division, or NCSD — failed to keep its own systems up to date with the latest software patches. Auditors working for the DHS inspector general ran a sweep of US-CERT using the vulnerability scanner Nessus and turned up 1,085 instances of 202 high-risk security holes. 'The majority of the high-risk vulnerabilities involved application and operating system and security software patches that had not been deployed on computer systems located in Virginia,' reads the report from assistant inspector general Frank Deffer."
  • by mrzaph0d (25646) on Thursday September 09, 2010 @09:49AM (#33520650)

    Unless the people running the scans are experts in setting up and configuring Nessus for scanning, I wouldn't assume every one of those is a true vulnerability.

  • by SocialEngineer (673690) on Thursday September 09, 2010 @09:52AM (#33520706)

    Exactly. Just running Nessus does not a proper security audit make.

  • by realsilly (186931) on Thursday September 09, 2010 @11:36AM (#33522618)

    The Govt. runs security scans on all of their systems all of the time. They are using tools that are designed to help them make their security tighter and more difficult to hack, and they are improving this all the time. As new security tools come to market they evaluate them just like any corporation. And before they let new applications on their networks, and before any release upgrades are performed, they check security on those applications. All security issues identified must be addressed before applications are put on their systems.

    I would have liked to have seen a comparison of our Government's security run against some of the bank and Wall Street systems that hold our financial data. I would suspect you'll find as many or more on the public sector as you will on Govt. sector systems.

  • by setrops (101212) on Thursday September 09, 2010 @02:53PM (#33525778)

    Yes, actually I do this quarterly.

    We divide the vulnerabilities into 3 categories:

    OS patching.
    OS Hardening.
    Application Patching.

    By doing this you can focus on the root cause of the issues: system owners, application owners. It's a nice 2 page report with colours. They love it.

    Administrators who care and are not tied up in red tape tend to really shine in these reports.

    Another thing to realise is that in a corporate production environment, nothing will ever be 100% secure 100% of the time.
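The three-bucket split described in the comment above, as an added example that is not code from the original thread or from any commenter: it reads a Nessus CSV export, sorts each finding into OS Patching, OS Hardening or Application Patching with a keyword heuristic (a real team would tune the keyword lists to its own scan policy), and rolls the counts up per host and per owner role. The CSV sample, hosts and plugin IDs are constructed; the column layout follows the classic Nessus export, trimmed to the columns used here.

```python
"""Triage a Nessus CSV export into OS Patching / OS Hardening / Application Patching."""
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of a classic Nessus CSV export (columns
# trimmed to the ones used here). Hosts, plugin IDs and finding names are made up.
SAMPLE_CSV = """Plugin ID,Risk,Host,Port,Name,Solution
100001,High,10.0.0.5,445,Missing Microsoft Windows Security Update,Apply the missing update
100002,High,10.0.0.5,0,Adobe Reader < 10.1.2 Multiple Vulnerabilities,Upgrade Adobe Reader
100003,Medium,10.0.0.5,445,Microsoft Windows SMB NULL Session Authentication,Restrict anonymous access
100004,Medium,10.0.0.7,443,SSL Medium Strength Cipher Suites Supported,Reconfigure the cipher list
100005,High,10.0.0.7,8080,Apache Tomcat Multiple Vulnerabilities,Upgrade Apache Tomcat
100006,Critical,10.0.0.7,0,Ubuntu 10.04 LTS : openssl vulnerabilities,Update the affected packages
100007,Info,10.0.0.7,22,SSH Server Type and Version Information,n/a
"""

# Heuristic bucket rules (an assumption of this example, not a Nessus taxonomy).
# Configuration-type findings are checked first so that "Microsoft Windows SMB
# NULL Session" lands in hardening rather than in OS patching.
HARDENING_TERMS = ("signing", "null session", "cipher", "self-signed", "default password",
                   "default credential", "anonymous", "telnet", "cleartext", "password policy")
OS_VENDORS = re.compile(r"\b(Microsoft Windows|MS\d{2}-\d{3}|Ubuntu|Debian|Red Hat|RHEL|"
                        r"CentOS|SUSE|Solaris|AIX|Mac OS X)\b", re.I)
OWNER_FOR = {"OS Patching": "System owner",
             "OS Hardening": "System owner",
             "Application Patching": "Application owner"}


def categorize(name: str) -> str:
    """Map a finding name to one of the three buckets."""
    lowered = name.lower()
    if any(term in lowered for term in HARDENING_TERMS):
        return "OS Hardening"
    if OS_VENDORS.search(name):
        return "OS Patching"
    return "Application Patching"


def triage(csv_text: str, risks=("Medium", "High", "Critical")) -> dict:
    """Return {host: {bucket: {risk: count}}} for findings at or above the chosen risk levels."""
    summary = defaultdict(lambda: defaultdict(Counter))
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Risk"] not in risks:
            continue  # Info/None findings are noise in an owner-facing report
        summary[row["Host"]][categorize(row["Name"])][row["Risk"]] += 1
    return {host: {bucket: dict(counts) for bucket, counts in buckets.items()}
            for host, buckets in summary.items()}


def render_report(summary: dict) -> str:
    """Short per-host, per-owner text report (the 'two page report' without the colours)."""
    lines = []
    for host in sorted(summary):
        lines.append(f"Host {host}")
        for bucket in ("OS Patching", "OS Hardening", "Application Patching"):
            counts = summary[host].get(bucket)
            if not counts:
                continue
            detail = ", ".join(f"{risk}: {n}" for risk, n in sorted(counts.items()))
            lines.append(f"  {bucket:<20} -> {OWNER_FOR[bucket]:<17} ({detail})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(triage(SAMPLE_CSV)))
```

The point of the owner column is the one setrops makes: once OS-level findings are routed to the system owner and application findings to the application owner, the report stops being a list of 1,085 items and becomes a handful of actionable counts per person.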

  • by Anonymous Coward on Thursday September 09, 2010 @03:35PM (#33526398)

    It could also have been a family member that got her the job. This being VA, the two might not be mutually exclusive.

  • Re:Idiots (Score:2, Interesting)

    by inanet (1033718) on Thursday September 09, 2010 @06:15PM (#33528120)
    I wonder how well the audit was done? I have seen really poor security audits done by professional auditing companies in the past that just showed the lack of ability of the auditors. As an example, we got the following from an audit on a few Unix boxes:

    "Security risk - High: Telnet not disabled"
    "Security risk - High: SSH passwords don't expire"
    "Security risk - High: FTP not disabled"

    Our response?

    - no risk, telnet not installed, port not open.
    - no risk, ftp not installed, port not open.
    - ssh uses a key mechanism; passwords are invalid in all cases.

    Basically they had a script they ran that would check to see if things like ftp and telnet had been disabled, and if the correct password expiry was set. They had no idea that you could configure a system that didn't actually _have_ ftp or telnet installed, or that you could set up ssh in such a way that a password was never any good.

    I just mention this: even though it's great to hate on security and govt. depts., you never know how good the actual auditing is. There is a saying that those that can, do; those that can't, audit*

    * this may not actually be the saying. I'm just saying.
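The three audit items quoted above, re-checked against host evidence, as an added example that is not code from the thread or from any commenter: instead of trusting a checklist finding, it asks whether the service is installed and listening, and whether sshd can accept a password at all before worrying about password expiry. All evidence (the `ss -ltn` listing, package list, sshd_config and login.defs snippets) is constructed inline; on a real host you would feed in the actual command output and files.

```python
"""Validate checklist-style scanner findings against what the host is actually running."""
import re

# Constructed evidence, in the shape an admin would collect it on the box:
# `ss -ltn` output, an installed-package set, sshd_config and /etc/login.defs.
SS_LTN = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:25       0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
"""
INSTALLED_PACKAGES = {"openssh-server", "postfix", "rsyslog"}
SSHD_CONFIG = """# constructed sshd_config: key-only logins
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""
LOGIN_DEFS = "PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\n"

# The audit items quoted in the comment, with the port and package each implies.
FINDINGS = [
    {"name": "Telnet not disabled", "port": 23, "package": "telnetd"},
    {"name": "FTP not disabled", "port": 21, "package": "vsftpd"},
    {"name": "SSH passwords don't expire"},
]


def listening_ports(ss_output: str) -> set:
    """Ports in LISTEN state from `ss -ltn` output (IPv4 and [::] forms)."""
    ports = set()
    for line in ss_output.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "LISTEN":
            ports.add(int(cols[3].rsplit(":", 1)[1]))
    return ports


def sshd_option(config_text: str, key: str, default: str) -> str:
    """First non-comment value of an sshd_config option; sshd uses the first one it sees.
    Options inside a Match block apply only conditionally, so parsing stops there."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == key.lower() and len(parts) == 2:
            return parts[1].strip().lower()
    return default


def ssh_password_login_possible(config_text: str) -> bool:
    """True if sshd could ever accept a password (directly or via keyboard-interactive)."""
    return (sshd_option(config_text, "PasswordAuthentication", "yes") == "yes"
            or sshd_option(config_text, "ChallengeResponseAuthentication", "yes") == "yes")


def verify(finding, ports, packages, sshd_config, login_defs):
    """Return (verdict, reason) for one finding given the host evidence."""
    if "port" in finding:
        installed = finding["package"] in packages
        listening = finding["port"] in ports
        if not installed and not listening:
            return "not applicable", f"{finding['package']} not installed, port {finding['port']} not open"
        if listening:
            return "confirmed", f"port {finding['port']} is listening"
        return "needs review", f"{finding['package']} installed but not listening"
    # Password expiry only matters if sshd will ever accept a password.
    if not ssh_password_login_possible(sshd_config):
        return "not applicable", "sshd accepts keys only; password expiry is moot"
    m = re.search(r"^PASS_MAX_DAYS\s+(\d+)", login_defs, re.M)
    if m and int(m.group(1)) >= 99999:
        return "confirmed", "PASS_MAX_DAYS 99999: passwords never expire"
    return "not applicable", "password expiry is configured in login.defs"


def validate_findings(findings=FINDINGS, ss_output=SS_LTN, packages=INSTALLED_PACKAGES,
                      sshd_config=SSHD_CONFIG, login_defs=LOGIN_DEFS) -> dict:
    ports = listening_ports(ss_output)
    return {f["name"]: verify(f, ports, packages, sshd_config, login_defs) for f in findings}


if __name__ == "__main__":
    for name, (verdict, reason) in validate_findings().items():
        print(f"{name:<28} {verdict:<14} {reason}")
```

On the constructed host all three items come back "not applicable" for exactly the reasons the commenter gave; flip `PasswordAuthentication` to `yes` and the expiry finding is confirmed, because PASS_MAX_DAYS 99999 then really does mean never.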
