DHS CyberSecurity Misses 1085 Holes On Own Network
Tootech writes "In a case of 'physician, heal thyself,' the agency — which forms the operational arm of DHS's National Cyber Security Division, or NCSD — failed to keep its own systems up to date with the latest software patches. Auditors working for the DHS inspector general ran a sweep of US-CERT using the vulnerability scanner Nessus and turned up 1,085 instances of 202 high-risk security holes. 'The majority of the high-risk vulnerabilities involved application and operating system and security software patches that had not been deployed on computer systems located in Virginia,' reads the report from assistant inspector general Frank Deffer."
I've seen Nessus reports (Score:4, Interesting)
Unless the people running the scans are experts in setting up and configuring Nessus for scanning, I wouldn't assume every one of those is a true vulnerability.
Re:I've seen Nessus reports (Score:3, Interesting)
Exactly. Just running Nessus does not a proper security audit make.
DHS runs Security checks all the time (Score:3, Interesting)
The Govt. runs security scans on all of their systems all of the time. They are using tools that are designed to help them make their security tighter and more difficult to hack, and they are improving this all the time. As new security tools come to market they evaluate them just like any corporation. And before they let new applications on their networks, and before any release upgrades are performed, they check security on those applications. All security issues identified must be addressed before applications are put on their systems.
I would have liked to have seen a comparison of our Government's security run against some of the banks and Wall Street systems that hold our financial data. I would suspect you'll find as many or more on the public sector as you will on Govt. sector systems.
Re:if you read the actual report pdf (Score:2, Interesting)
Yes, actually I do this quarterly.
We divide the vulnerabilities into 3 categories:
OS patching.
OS hardening.
Application patching.
By doing this you can focus on the root cause of the issues: system owners, application owners. It's a nice 2-page report with colours. They love it.
Administrators who care and are not tied up in red tape tend to really shine in these reports.
Another thing to realise is that in a corporate production environment, nothing will ever be 100% secure 100% of the time.
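One way to script the three-way split the commenter describes, as an added example that is not from the comment or from Nessus itself: the CSV columns, the sample rows and the plugin-family keyword rules are assumptions, so adjust them to your scanner's export format. It also separates instance counts from distinct findings, the distinction the story's "1,085 instances of 202 holes" figure rests on.

```python
"""Triage a scanner CSV export into OS patching / OS hardening / Application
patching and tally per host, so each owner gets only their own list.
Constructed example; columns and family rules are assumptions."""
import csv
import io
from collections import defaultdict

# Constructed sample export (not a real scan). Column names are assumed.
SAMPLE_CSV = """Host,Risk,Plugin Family,Name
10.0.0.5,High,Windows : Microsoft Bulletins,MS08-067: Server service RPC vulnerability
10.0.0.5,High,Windows,SMB signing not required
10.0.0.5,High,Web Servers,Apache HTTP Server < 2.2.9 multiple vulnerabilities
10.0.0.7,High,Windows : Microsoft Bulletins,MS08-067: Server service RPC vulnerability
10.0.0.7,Medium,General,SSL weak cipher suites supported
10.0.0.9,High,Red Hat Local Security Checks,RHSA-2008:0519: kernel security update
10.0.0.9,High,Databases,MySQL < 5.0.67 privilege escalation
"""

# First matching rule wins. Which families mean what is an assumption.
OS_PATCH_FAMILIES = ("Microsoft Bulletins", "Local Security Checks")
HARDENING_FAMILIES = ("Windows", "General", "Misc.", "Service detection", "Settings")

def categorise(family: str) -> str:
    """Map one finding's plugin family to one of the three buckets."""
    if any(f in family for f in OS_PATCH_FAMILIES):
        return "OS patching"
    if family in HARDENING_FAMILIES:  # configuration weakness, not a missing patch
        return "OS hardening"
    return "Application patching"

def triage(csv_text: str, risks=("High", "Critical")) -> dict:
    """Return {category: {"instances": n, "unique": n, "hosts": {host: [names]}}},
    counting only rows whose Risk is in `risks`."""
    acc = defaultdict(lambda: {"instances": 0, "unique": set(), "hosts": defaultdict(list)})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Risk"] not in risks:
            continue
        b = acc[categorise(row["Plugin Family"])]
        b["instances"] += 1
        b["unique"].add(row["Name"])          # same hole on many hosts counts once
        b["hosts"][row["Host"]].append(row["Name"])
    return {c: {"instances": b["instances"], "unique": len(b["unique"]),
                "hosts": dict(b["hosts"])} for c, b in acc.items()}

if __name__ == "__main__":
    for cat, b in triage(SAMPLE_CSV).items():
        print(f"{cat}: {b['instances']} instances of {b['unique']} distinct findings")
        for host, names in b["hosts"].items():
            print(f"  {host}: {len(names)}")
```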
Re:no this is what you get with outsourced IT VA (Score:1, Interesting)
It could also have been a family member that got her the job. This being VA, the two might not be mutually exclusive.
Re:Idiots (Score:2, Interesting)