DHS CyberSecurity Misses 1085 Holes On Own Network

Tootech writes "In a case of 'physician, heal thyself,' the agency — which forms the operational arm of DHS's National Cyber Security Division, or NCSD — failed to keep its own systems up to date with the latest software patches. Auditors working for the DHS inspector general ran a sweep of US-CERT using the vulnerability scanner Nessus and turned up 1,085 instances of 202 high-risk security holes. 'The majority of the high-risk vulnerabilities involved application and operating system and security software patches that had not been deployed on computer systems located in Virginia,' reads the report from assistant inspector general Frank Deffer."

i've seen nessus reports

[mrzaph0d]

unless the people running the scans are experts in setting up and configuring nessus for scanning, i wouldn't assume every one of those is a true vulnerability.

Re:i've seen nessus reports

[SocialEngineer]

Exactly. Just running Nessus does not a proper security audit make.

DHS runs Security checks all the time

[realsilly]

The Govt. runs security scans on all of their systesm all of the time. They are using tools that are designed to help them make their security tighter and more difficult to hack, and they are improving this all the time. As new security tools come to market they evaluate them just like any corporation. And before they let new applications on their networks, and before any releases upgrades are performed they check security on those applications. All security issues identified must be addressed before applications are put on their systems.

I would have like to have seen a comparison of our Governments security run against some of the Banks and Wallstreet system that hold our financial data. I would suspect you'll find as many or more on the public sector as you will on Govt. sector systems.

Re:if you read the actual report pdf

[setrops]

Yes actually I do this quaterly.

We divide the vulnerabilities in 3 category.

OS patching.
OS Hardening.
Application Patching.

By doing this you can focus to the root cause of the issues. System owners, Application owners. It's a nice 2 page report with colours. they love it.

Administrators who care and are not tied up in red tape tend to really shine in these reports.

Another thing to realise is that in a corporate production environment, nothing will ever be 100% secure 100% of the time.

Re:no this is what you get with outsourced IT VA

[Anonymous Coward]

It could also have been a family member that got her the job. This being VA, the two might not be mutually exclusive.

Re:Idiots

[inanet]

I wonder how well the audit was done? I have seen really poor security audits done by professional auditing companies in the past that just showed the lack of ability with the auditors, as an example we got the following from an audit on a few unix boxes: "Security risk - High: Telnet not disabled" "Security risk - High: SSH passwords don't expire" "Security risk - High: FTP not disabled" our response? - no risk, telnet not installed. port not open. - no risk, ftp not installed. port not open. - ssh uses a key mechanism. passwords are invalid in all cases. basically they had a script they ran that would check to see if things like ftp and telnet had been disabled, and if the correct password expiry was set, they had no idea that you could configure a system that didn't actually _have_ ftp or telnet installed, or that you could set up ssh in such a way that a password was never any good. I just mention this, even though its great to hate on security - govt. depts. you never know how good the actually auditing is, there is a saying that those that can, do, those that can't audit* * this may not actually be the saying. I'm just saying.