DHS CyberSecurity Misses 1085 Holes On Own Network

Tootech writes "In a case of 'physician, heal thyself,' the agency — which forms the operational arm of DHS's National Cyber Security Division, or NCSD — failed to keep its own systems up to date with the latest software patches. Auditors working for the DHS inspector general ran a sweep of US-CERT using the vulnerability scanner Nessus and turned up 1,085 instances of 202 high-risk security holes. 'The majority of the high-risk vulnerabilities involved application and operating system and security software patches that had not been deployed on computer systems located in Virginia,' reads the report from assistant inspector general Frank Deffer."

It's shit like this

[tsalmark]

It's shit like this that needs to make it to main stream media. To show how messed up the fear mongering side of the Government really is.

bureaucracy maybe?

[metalmaster]

Its possible that even IT drones that work in bureaucracy have to deal with the red tape. A good number of these holes might have been fixed by installing the "latest" version of software. At most of the companies i have worked with software installs have to be vetted by corporate suits that would rather play golf.

Im not going to defend software that simply requires an update. Stuff that needs a fresh install or a new software package altogether can be a pain in the ass.

Re:Idiots

[mcgrew]

No, its that DHS has nothing to do with true security. Their job is security theater, as evidenced at any airport. The Armed Forces and National Guard are there for the real security.

DHS is a waste of good tax money. It should be spent on infrastructure.

Re:no this is what you get with outsourced IT VA

[Hylandr]

I have done work with the government and had to participate in this scanning before bringing new hardware aboard a military facility.

Their scanning software requires remote access to the registry from a central scanning computer and looks for every "recommended" patch, setting, or configuration and throws a flag for every non-compliant instance it finds. The list of recommended settings are often security theatre regimen or disastrously harmful to performance. But someone convinced congressman Y,Y,Z that this setting was imperative to have enabled or disabled.

Performance was so horrible we had to disable the scanner's access in order to perform our demonstration.

- Dan. .

Re:FUD

[crypticwun]

Actually, reading the report tells me that the problems were almost certainly Windows desktop systems lacking a cohesive patch management solution. Also, if you read further the IG even states that as of the time this report was published all the problems were already remediated including acquisition and deployment of a "software management" solution. Further, the IG claims that NCSD is not following FISMA. NSCD is not a legally recognized entity (agency) under statute, so that means *DHS* is the responsible party for FISMA reporting. FINALLY, US-CERT != the troubled network. US-CERT uses that network, but has no control over the operations of that network. Both the IG and Wired go out of their way to NOT make the distinction on that.

Just like the old saying

[Thyamine]

Something about the carpenter's house or the cobbler's kids have no shoes. I work for a computer support company, and this happens to us and everyone else. Backups/patches/etc don't get tended to unless someone up the chain knows how important they are and makes it get done. Even then it's hard to keep on top of _everything_ unless you really have people dedicated to it. It's no surprise, and I don't think it's any reason to be angry. It just shows that they need to get better organized about it like everyone does..

Re:Idiots

[Bigjeff5]

It's almost like "The Ministry of Truth" in Orwell's 1984 - it was the propaganda machine for the government, and therefor was responsible for spreading lies far and wide.

DHS is similar, though not exactly a polar opposite of what its Orwellian name would suggest. It spreads the feeling of security without securing anything. The guys who are actually doing anything to prevent terrorist attacks are folks like the CIA and FBI. DHS doesn't do shit.

For example, I know a guy who accidentally brought a box cutter in his carry-on at least half a dozen times when he was flying. It wasn't until he found it in the bottom of his bag that he realized it was there and removed it. That's the same damn weapon the 19 hijackers all used, yet here at least six of them would have gotten though.

And yet we have to take our shoes off, just in case someone put a bomb in our shoes. Give me a break.

Re:i've seen nessus reports

[qwijibo]

Running Nessus produces numbers. Those numbers are then the metrics which management uses to judge how well people are doing their jobs. Lower numbers are always good and higher numbers are always bad.

Comprehension of what the numbers represent, or if they're accurate, is not really relevant from a management perspective. If you show that your numbers are small and keep getting smaller, then any security vulnerability can't be your fault, because the magic number machine says your compliant. It's the same thinking that says anyone who got a free virus scanner installed on their computer when they bought it 7 years ago is intrinsically safe.

Tools like Nessus can be useful from a technical perspective, but far more often are used for political reasons.