
posted by chromas on Wednesday June 26 2019, @09:50AM
from the ¯\_(ツ)_/¯ dept.

Stop us if you've heard this one: US government staff wildly oblivious to basic computer, info security safeguards

A US Senate probe has once again outlined the woeful state of computer and information security within Uncle Sam's civil service.

A committee report (PDF) examining a decade of internal audits this week concluded that outdated systems, unpatched software, and weak data protection are so widespread that it's clear American bureaucrats fail to meet even basic security requirements.

To produce this damning dossier, the Senate's Permanent Subcommittee on Investigations pored over a decade of findings from inspector-general-led probes into information security practices within the Department of Homeland Security, State Department, Department of Transportation, Department of Housing and Urban Development, Department of Agriculture, Department of Health and Human Services, Department of Education, and the Social Security Administration.

Of those eight organizations, seven were found to be unable to adequately protect personally identifiable information stored on their systems, six were unable to properly patch their systems against security threats, five were in violation of IT asset inventory-keeping requirements, and all eight were using either hardware or software that had been retired by the vendor and was no longer supported.

"Despite major data breaches like OPM, the federal government remains unprepared to confront the dynamic cyber threats of today," the report noted.

"The longstanding cyber vulnerabilities consistently highlighted by Inspectors General illustrate the federal government's failure to meet basic cybersecurity standards to protect sensitive data."


  • (Score: 5, Insightful) by MostCynical on Wednesday June 26 2019, @10:16AM (8 children)

    by MostCynical (2589) on Wednesday June 26 2019, @10:16AM (#860043) Journal

~~bureaucrats~~ most people fail to meet even basic security requirements

~~federal government~~ most people and organisations' failure to meet basic cybersecurity standards to protect sensitive data

    Normal people suck at computer security. It gets in the way of 'doing stuff'.
Federal employees are normal ("average"? YMMV) people. Why should they be any better at protecting data than anyone else, just because they work for the government?

Some companies run courses with follow-up testing, where phishing emails are sent to employees, and how they react means they either get more training or a 'thank you' pop-up (or nothing, if they don't find or use the 'flag as phishing' button).

    Most government departments can't afford that sort of thing. If a breach occurs, the government is under-writing them anyway!
     

    --
    "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
  • (Score: 0) by Anonymous Coward on Wednesday June 26 2019, @11:00AM

    by Anonymous Coward on Wednesday June 26 2019, @11:00AM (#860046)

    When I worked for them all you had to do to reset the password of someone was know their name.

  • (Score: 2) by JoeMerchant on Wednesday June 26 2019, @02:23PM

    by JoeMerchant (3937) on Wednesday June 26 2019, @02:23PM (#860090)

    And managed by ordinary human beings, too.

    Just declaring a top-down mandate that "we're going to follow security best practices, now" does virtually nothing.

    You can drive security practices into a workplace culture, but it's like any other cultural shift, and government workers/organizations don't have the most stellar track record as a group who makes the best efforts to excel at their jobs.

    --
    🌻🌻 [google.com]
  • (Score: 2) by JoeMerchant on Wednesday June 26 2019, @02:30PM (5 children)

    by JoeMerchant (3937) on Wednesday June 26 2019, @02:30PM (#860093)

    Most government departments can't afford that sort of thing.

    More like: won't bother to afford... but, the end result is the same.

    --
    🌻🌻 [google.com]
    • (Score: 2) by RS3 on Wednesday June 26 2019, @03:49PM (4 children)

      by RS3 (6367) on Wednesday June 26 2019, @03:49PM (#860124)

      Most government departments can't afford that sort of thing.

      More like: won't bother to afford... but, the end result is the same.

      Yeah, that's crazy talk. The cost of not doing security correctly is much higher.

      • (Score: 2) by JoeMerchant on Wednesday June 26 2019, @04:17PM

        by JoeMerchant (3937) on Wednesday June 26 2019, @04:17PM (#860135)

        The cost of not doing security correctly is much higher.

        Talk about crazy talk: what's going to go wrong between now and 4pm (when the Govt. office closes and I get my ass outta here) if I don't follow some dumb security protocol?

        Now, if I don't get at least one case file off my desk by 3:30pm, my boss might make me stay late, and that would be a serious bummer.

        --
        🌻🌻 [google.com]
      • (Score: 4, Interesting) by Anonymous Coward on Wednesday June 26 2019, @04:29PM (2 children)

        by Anonymous Coward on Wednesday June 26 2019, @04:29PM (#860148)

        The cost of not doing computer security "correctly" is usually very close to zero, because usually nothing goes wrong. And when things do go wrong the fallout is usually not all that expensive to deal with. This is evidenced by the very article we are discussing: apparently in the US public service hardly anyone bothers and things really don't seem to be going horribly wrong as a result of that.

Now sometimes a lot of costs are externalized ("oops, sorry, we leaked detailed personal information of half a billion people, we'll try to do better next time but really you'll all forget this all happened in a couple weeks anyway"). So in some cases the party screwing up doesn't have to bear the costs and therefore has no incentive to really avoid screwups. Tragedy of the commons and all that.

On the other hand, instituting "computer security" policies is usually very expensive to do, mainly because these costs are usually multiplied across all your staff while not giving a level of protection commensurate with the costs involved.

        • (Score: 2) by RS3 on Thursday June 27 2019, @03:33AM (1 child)

          by RS3 (6367) on Thursday June 27 2019, @03:33AM (#860383)

          The cost of not doing computer security "correctly" is usually very close to zero, because usually nothing goes wrong.

          Seems a bit obvious, no? Like leaving your house or car unlocked and nobody disturbs it. My point is: that one time someone does come along and rob you blind, you'll wonder if you had locked it, maybe they would have left you alone and moved on?

On the other hand, instituting "computer security" policies is usually very expensive to do, mainly because these costs are usually multiplied across all your staff while not giving a level of protection commensurate with the costs involved.

          Vague statement. And sorry, I hate when people criticize like I just did, but you're making obvious statements that aren't delivering useful information. Enforcing a 12-character minimum password is not costly at all, but results in significantly greater security than a 6-character password.

          • (Score: 0) by Anonymous Coward on Thursday June 27 2019, @11:20AM

            by Anonymous Coward on Thursday June 27 2019, @11:20AM (#860471)

            Enforcing a 12-character minimum password is not costly at all, but results in significantly greater security than a 6-character password.

            What happens is lots of people will write that 12 character password below where they wrote their 6 character password.

            And most of the rest will tend to make more password reset requests which makes it easier for someone to successfully fake a password reset request.

            Hurray for significantly greater security.

            Well maybe you're living in a different part of the world from me where that won't happen.
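The 6-versus-12-character argument in the two comments above can be put in numbers. The following is an added worked example, not code from the article, the Senate report, or any commenter; the alphabet sizes and the guess rates are constructed assumptions chosen to illustrate the range between an online, rate-limited login form and an offline attack on a fast hash. It shows both how much the search space grows with length and how much "12 characters" depends on what those characters are drawn from.

```python
import math

# Assumed alphabet sizes: how many distinct symbols each character is drawn
# from (constructed for illustration).
ALPHABETS = {
    "lowercase only": 26,
    "lowercase + digits": 36,
    "mixed case + digits": 62,
    "printable ASCII": 95,
}

# Assumed attacker guess rates in guesses per second (constructed; real
# rates depend on the hash, the hardware and the lockout policy).
GUESS_RATES = {
    "online, rate-limited login": 10.0,
    "offline, slow hash (bcrypt-class)": 1e5,
    "offline, fast hash (MD5-class on GPUs)": 1e11,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Years needed to try every password of this length at the given rate.

    Exhausting the space is the worst case; on average an attacker finds a
    random password after half that time.
    """
    total_passwords = alphabet_size ** length
    return total_passwords / guesses_per_second / SECONDS_PER_YEAR


def min_length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length whose uniformly random password reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def compare(lengths=(6, 12)):
    """Build a table of (alphabet, length, bits, attack, years) rows."""
    rows = []
    for alphabet_name, size in ALPHABETS.items():
        for length in lengths:
            bits = keyspace_bits(size, length)
            for rate_name, rate in GUESS_RATES.items():
                rows.append((alphabet_name, length, round(bits, 1),
                             rate_name, years_to_exhaust(size, length, rate)))
    return rows


if __name__ == "__main__":
    for alphabet_name, length, bits, rate_name, years in compare():
        print(f"{alphabet_name:22} len={length:2} {bits:5.1f} bits  "
              f"{rate_name:40} {years:12.3g} years")
    # 12 lowercase letters carry about 56 bits; to reach 60 bits you need
    # 13 lowercase characters but only 10 from the full printable set.
    for alphabet_name, size in ALPHABETS.items():
        print(f"{alphabet_name:22} needs {min_length_for_bits(size, 60)} chars for 60 bits")
```

Two things the numbers make visible: against a fast offline hash, six characters of any alphabet fall in well under a second, while twelve characters of lowercase-only text last days and twelve printable-ASCII characters last longer than the age of the universe. The model assumes uniformly random choice; a twelve-character password built from a dictionary word plus a year, or one copied from a sticky note, has far fewer effective bits than the table suggests, which is the caveat the reply above is making.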