DHS CyberSecurity Misses 1085 Holes On Own Network
Tootech writes "In a case of 'physician, heal thyself,' the agency — which forms the operational arm of DHS's National Cyber Security Division, or NCSD — failed to keep its own systems up to date with the latest software patches. Auditors working for the DHS inspector general ran a sweep of US-CERT using the vulnerability scanner Nessus and turned up 1,085 instances of 202 high-risk security holes. 'The majority of the high-risk vulnerabilities involved application and operating system and security software patches that had not been deployed on computer systems located in Virginia,' reads the report from assistant inspector general Frank Deffer."
It's shit like this (Score:3, Insightful)
bureaucracy maybe? (Score:2, Insightful)
I'm not going to defend software that simply requires an update. Stuff that needs a fresh install or a new software package altogether can be a pain in the ass.
Re:Idiots (Score:5, Insightful)
No, it's that DHS has nothing to do with true security. Their job is security theater, as evidenced at any airport. The Armed Forces and National Guard are there for the real security.
DHS is a waste of good tax money. It should be spent on infrastructure.
Re:no this is what you get with outsourced IT VA (Score:2, Insightful)
Their scanning software requires remote access to the registry from a central scanning computer and looks for every "recommended" patch, setting, or configuration and throws a flag for every non-compliant instance it finds. The list of recommended settings is often a security theatre regimen or disastrously harmful to performance. But someone convinced congressman Y,Y,Z that this setting was imperative to have enabled or disabled.
Performance was so horrible we had to disable the scanner's access in order to perform our demonstration.
- Dan.
Re:FUD (Score:2, Insightful)
Just like the old saying (Score:3, Insightful)
Re:Idiots (Score:3, Insightful)
It's almost like "The Ministry of Truth" in Orwell's 1984 - it was the propaganda machine for the government, and therefore was responsible for spreading lies far and wide.
DHS is similar, though not exactly a polar opposite of what its Orwellian name would suggest. It spreads the feeling of security without securing anything. The guys who are actually doing anything to prevent terrorist attacks are folks like the CIA and FBI. DHS doesn't do shit.
For example, I know a guy who accidentally brought a box cutter in his carry-on at least half a dozen times when he was flying. It wasn't until he found it in the bottom of his bag that he realized it was there and removed it. That's the same damn weapon the 19 hijackers all used, yet here at least six of them would have gotten through.
And yet we have to take our shoes off, just in case someone put a bomb in our shoes. Give me a break.
Re:i've seen nessus reports (Score:3, Insightful)
Running Nessus produces numbers. Those numbers are then the metrics which management uses to judge how well people are doing their jobs. Lower numbers are always good and higher numbers are always bad.
Comprehension of what the numbers represent, or if they're accurate, is not really relevant from a management perspective. If you show that your numbers are small and keep getting smaller, then any security vulnerability can't be your fault, because the magic number machine says you're compliant. It's the same thinking that says anyone who got a free virus scanner installed on their computer when they bought it 7 years ago is intrinsically safe.
Tools like Nessus can be useful from a technical perspective, but far more often are used for political reasons.
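The comment above is about raw scanner counts standing in for understanding. The story's own figure, "1,085 instances of 202 high-risk security holes", is a good illustration: the instance count grows with every host missing the same patch, while the unique-finding count is what actually tells you how many distinct problems there are. The following Python script is an added example, not code from the story, the audit or any commenter; it parses a small constructed sample in the shape of a Nessus CSV export (the column names `Plugin ID`, `Risk`, `Host`, `Name` are the ones Nessus uses, the rows and the `KB-PLACEHOLDER` names are made up) and reports both counts, the share of high-risk findings that are missing patches, and which plugins dominate. The keyword heuristic for "patch-related" is an assumption for illustration, not a Nessus classification.

```python
import csv
import io
from collections import Counter

# Constructed sample in the layout of a Nessus CSV export. Hosts, plugin IDs
# and names are invented; the KB numbers are placeholders, not real bulletins.
SAMPLE_CSV = """Plugin ID,Risk,Host,Name
10001,High,10.0.0.1,MS Windows Update KB-PLACEHOLDER-1 missing
10001,High,10.0.0.2,MS Windows Update KB-PLACEHOLDER-1 missing
10001,High,10.0.0.3,MS Windows Update KB-PLACEHOLDER-1 missing
10002,High,10.0.0.1,Antivirus signatures out of date
10002,High,10.0.0.2,Antivirus signatures out of date
10003,High,10.0.0.3,SMB signing not required
10004,Medium,10.0.0.1,SSL certificate self-signed
10005,Critical,10.0.0.2,Apache HTTP Server missing security patch
"""

# Assumed heuristic: a finding whose name mentions one of these is treated as
# "apply the vendor patch" work rather than a configuration change.
PATCH_KEYWORDS = ("update", "patch", "out of date", "missing")

# Nessus risk labels; "High" and "Critical" are what an auditor calls high-risk.
HIGH_RISK_LEVELS = ("High", "Critical")


def parse_findings(text):
    """Read one Nessus-style CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def high_risk(findings):
    """Keep only the rows an audit would report as high-risk."""
    return [f for f in findings if f["Risk"] in HIGH_RISK_LEVELS]


def is_patch_related(finding):
    """Apply the (assumed) keyword heuristic to the finding's name."""
    name = finding["Name"].lower()
    return any(k in name for k in PATCH_KEYWORDS)


def summarize(findings):
    """Separate 'instances' (one row per host per plugin) from distinct findings.

    Returns a dict with: instances, unique_findings, patch_related_instances,
    hosts_affected, and top_plugins (the plugins producing the most rows).
    """
    hr = high_risk(findings)
    per_plugin = Counter(f["Plugin ID"] for f in hr)
    per_host = Counter(f["Host"] for f in hr)
    return {
        "instances": len(hr),
        "unique_findings": len(per_plugin),
        "patch_related_instances": sum(1 for f in hr if is_patch_related(f)),
        "hosts_affected": len(per_host),
        "top_plugins": per_plugin.most_common(3),
    }


if __name__ == "__main__":
    report = summarize(parse_findings(SAMPLE_CSV))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample, seven high-risk instances collapse to four distinct findings, six of the seven are missing-patch rows, and one plugin alone accounts for three instances across all three hosts. Reading a real export the same way tells you whether a headline number like 1,085 is dozens of unrelated problems or a handful of patches not deployed fleet-wide, which is the question the comment says management never asks.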