I ended up working a lot this week. Stupid day job interfering with my other activities. However, I wanted to comment on two stories highlighting why our government doesn't have a clue when it comes to information security. The training and education for federal employees must really suck when it comes to information security. And to think conspiracy theorists say the same government was responsible for 9/11, which would have taken an unprecedented orchestration of information security and employee secrecy. The government can't even keep Dick Armitage quiet about Valerie Plame.
First, there is this story that appeared early last week in the Washington Post: Border Computers Vulnerable to Attack.
Congress has allocated $1.7 billion for the system since 2002. But in a congressional report to be released today and obtained by The Washington Post, Homeland Security officials said that many vulnerabilities exist throughout the network and the computer stations used at 400 airports, seaports and land crossings. These vulnerabilities could, in turn, spread the risk of cyber-attacks or data losses to some of the government's most sensitive security databases, the officials said.
"Weaknesses existed in all control areas and computing device types reviewed," the Government Accountability Office reported. It called on DHS to "immediately address" problems to avert potentially crippling disruptions or the misidentification of drug smugglers, terrorists and felons trying to enter the country.
"These weaknesses collectively increase the risk that unauthorized individuals could read, copy, delete, add, and modify sensitive information," investigators said.
Ah, the proverbial tax dollars at work. It's staggering how little attention the government pays to securing its systems. It's inexcusable, but it is not reported with the same media fervor as Valerie Plame, Gitmo, or Abu Ghraib.
The other story reflects the poor training and outright negligence of federal government security policies and procedures: IRS employees fall for faux password scam.
TIGTA auditors used social-engineering methods to survey the degree of compliance with data security. Posing as help-desk representatives, they called IRS line employees, including managers and contractors, and asked for their assistance to correct a computer problem. They requested that the employee provide a user name and temporarily change his or her password to one TIGTA callers suggested.
TIGTA test callers convinced 61 of the 102 employees to comply with the requests. Only eight of the 102 employees in the sample contacted the appropriate offices to report or validate the test calls, the report said. The sample employees were from across IRS’ business units and geographic regions.
“We conclude employees either do not fully understand security requirements for password protection or do not place a sufficiently high priority on protecting taxpayer data in their day-to-day work,” said Michael Phillips, TIGTA’s deputy inspector general for audit.
It's ironic how the IRS is proof that we don't get our money's worth out of tax dollars.