DHS CyberSecurity Misses 1085 Holes On Own Network

Tootech writes "In a case of 'physician, heal thyself,' the agency — which forms the operational arm of DHS's National Cyber Security Division, or NCSD — failed to keep its own systems up to date with the latest software patches. Auditors working for the DHS inspector general ran a sweep of US-CERT using the vulnerability scanner Nessus and turned up 1,085 instances of 202 high-risk security holes. 'The majority of the high-risk vulnerabilities involved application and operating system and security software patches that had not been deployed on computer systems located in Virginia,' reads the report from assistant inspector general Frank Deffer."

Idiots

[Zeek40]

This is why the government always ends up hiring contractors to do the jobs they already pay their own staff to do.

Re:no this is what you get with outsourced IT VA

[erroneus]

This is exactly correct. They would rather hire contractors who CLAIM they will do things so that they can fire them later when they don't do it. If they actually hire good people, they have additional egg on their faces when things don't go right and the blame game is even harder to sort out. This is all about blame shifting and the appearance of easy "correction." Having worked for DHS for a couple of years, I saw a lot of rather disgusting and disturbing things about the way they hire contractors and then don't oversee their activities. When security screeners were being hired, I witnessed an 18 year old girl being hired as a supervisor and this was her VERY FIRST JOB. She had absolutely zero employment experience and was hired on in a leadership role. Nothing explains this adequately. They had contractors doing the hiring and staffing for that operation and it didn't work out so well. I heard that somewhere between 20 and 25% of the people initially hired didn't pass the background check and were subsequently let go more than a year later so I got to see the process repeat itself AGAIN where they used contractors to do another round of mass hiring and staffing. They never learn.

Re:no this is what you get with outsourced IT VA

[Divide By Zero]

Commonwealth of Virginia != Department of Homeland Security.

This is an entirely different issue. The Virginia thing was a waste of money and an added frustration which, as anyone who's been to Virginia DMV can tell you, is NOT necessary.

What we're looking at here is the one Cabinet-level department specifically charged with maintaining IT infrastructure getting nailed by their IG for having a security profile slightly better than your average baby's candy protection perimeter.

While it's very difficult to keep out an experienced, dedicated attacker, you could at least shore up the defenses enough to keep the /b/tards and script kiddies out.

Acrobat, Java, and Microsoft

[MrTripps]

The article says most of the flaws were unpatched installations of Java, Acrobat, and Windows. When new patches for those come out every week it is easy to let that slip without some sort of patch management tool. I wonder what they used other then WSUS.

Grain of salt

[Spazmania]

Take it with a grain of salt. The security scan was checklist-based, taking no account of the context. Worse, it's was based on version to database matches, utterly failing to account for backported security patches and similar protections that render specific vulnerabilities moot.

I have no personal knowledge of this specific case. But I've seen it enough times to know what this report really means.

Re:no this is what you get with outsourced IT VA

[Paracelcus]

"18 year old girl being hired as a supervisor and this was her VERY FIRST JOB"

I guess if I was getting my pole waxed by an 18 year old girl, I'd give her any job she wanted too!