posted by chromas on Wednesday June 26 2019, @09:50AM   Printer-friendly
from the ¯\_(ツ)_/¯ dept.

Stop us if you've heard this one: US government staff wildly oblivious to basic computer, info security safeguards

A US Senate probe has once again outlined the woeful state of computer and information security within Uncle Sam's civil service.

A committee report (PDF) examining a decade of internal audits this week concluded that outdated systems, unpatched software, and weak data protection are so widespread that it's clear American bureaucrats fail to meet even basic security requirements.

To produce this damning dossiers[sic], the Senate's Permanent Subcommittee on Investigations pored over a decade of findings from inspector-general-led probes into information security practices within the Department of Homeland Security, State Department, Department of Transportation, Department of Housing and Urban Development, Department of Agriculture, Department of Health and Human Services, Department of Education, and the Social Security Administration.

Of those eight organizations, seven were found to be unable to adequately protect personally identifiable information stored on their systems, six were unable to properly patch their systems against security threats, five were in violation of IT asset inventory-keeping requirements, and all eight were using either hardware or software that had been retired by the vendor and was no longer supported.

"Despite major data breaches like OPM, the federal government remains unprepared to confront the dynamic cyber threats of today," the report noted.

"The longstanding cyber vulnerabilities consistently highlighted by Inspectors General illustrate the federal government's failure to meet basic cybersecurity standards to protect sensitive data."

  • (Score: 5, Interesting) by Anonymous Coward on Wednesday June 26 2019, @11:57AM (13 children)

    by Anonymous Coward on Wednesday June 26 2019, @11:57AM (#860056)

    In my agency, IT is pretty much all outsourced to contractors. They're lowest-bid contractors who generally have two concerns: Making as much money as possible, and ass covering.

    As such, we end up with bone-headed and nonsensical IT policies that almost demand poor security behavior. I have an agency-issued MacBook (for some non-Windows software we use) and a Windows desktop. We've been told, in no uncertain terms, that we're supposed to use OneDrive for file storage and sharing, or use the shared network drives. However, shortly after deployment, they announced that OneDrive was being blocked on the internal (encrypted) Wi-Fi. The shared network drives have never been accessible through the Wi-Fi. So if you want to get a file from desktop to laptop, or vice versa, you have to find a USB disk of some sort, which is ridiculously inconvenient, or use Google Drive, which is not blocked on either the wired or wireless network. Guess which is more common. The e-mail policy for personal devices is equally stupid; either install MobileIron, which can't be installed on rooted devices and allows them to wipe your device at a whim and set password requirements, or you can access it via webmail in the browser. Again, guess which is more common.

    The password reset policy is worse. I created a high-quality password that should be secure as long as it's not stolen. But every 60 (or 90, depending on the system) days, the password is supposed to be changed. So instead of having the single secure password, every 60 (or 90) days I append a different string of numbers and symbols to the end of my otherwise-secure password, because you're not supposed to write it down, and you're not allowed to reuse passwords. To make it possible to remember, that's the only way. And I still wind up needing password resets fairly regularly since systems have different requirements and timeouts, and for log-ins that do get shared across systems, it is possible to set passwords that contain certain symbols and find yourself locked out of systems that don't handle those symbols properly as input. (The percent sign got me in trouble a few months ago and required a reset from the service center, as I could set it, but not change it.)

    They force upgrades upon us, then when things break, it takes forever to get them fixed. I got a new desktop system in January, as my old system was running out of space and I needed more RAM. Old system had Windows 10, new system has Windows 10. But in the process, VirtualBox stopped working, despite me warning them that it had stopped working when I was upgraded from Windows 7 to 10 months earlier, which had also taken several months to be resolved. It's on the approved software list, so IT supports it, but it is now June and it still doesn't work. I'm doing the aspect of my job that requires Linux on my home Linux computer. Wonder how secure they would consider that to be? But otherwise, it wouldn't get done. I send notes regularly asking for updates only to be greeted with silence; the only thing I ever hear is a monthly request about whether or not the ticket can be closed. And that's not even the worst case; a co-worker needed MATLAB installed on a computer, waited 14 months (!) for it, again received monthly requests to close the ticket, only for the ticket to be ultimately closed without her approval and without resolution. New ticket, took several more months, then it was finally installed--and by then it was an outdated version.

    We have dull, silly training sessions for cyber-security that are often riddled with mistakes and typos. They require Flash, that paragon of security, and the "knowledge check" section is almost always something stupid, like knowing what specific word was used on a specific slide of the presentation, when it's the larger security CONCEPTS that should be important. The questions that actually are conceptual are usually so simple that even without going through the slides, it should be obvious. (Why yes, the guy who asks you for your password to a secure system is probably doing something wrong.) And we've had phishing exercises and the like a few times, but they have a bad habit of sending legitimate e-mails that look like phishing e-mails but actually aren't. I forward those to the security people as we're supposed to, and then get back a reply that, oh yeah, that e-mail is fine, why did you send it to us? Won't surprise me when a bunch of people in the agency actually get phished because of it.

    My agency is pretty technical and many people generally know how to be secure. But IT policy doesn't promote security; it promotes being able to blame the customer (us) when something goes wrong. If I were in charge, I'd ban contracting for IT in my agency.

  • (Score: 4, Insightful) by Anonymous Coward on Wednesday June 26 2019, @03:38PM (1 child)

    by Anonymous Coward on Wednesday June 26 2019, @03:38PM (#860117)

    First, thanks for sharing and being so open about what you do and your role. It's more than understandable why you're posting as AC. You're correct that the whole aspect of contracting reduces things to lowest common denominators - it always does.

    But simultaneously you describe exactly why the policies have to be reduced to child level and must be deterministic 'do this, don't do that' rules: If it gets in your way, you do whatever you feel you need to in order to work whether it has been approved or not. You junk the framework that has been established by a group about how to do things safely, and instead trust in your own knowledge and equipment. On an individual basis this is fine and not a problem. In a group environment, however, it is a disaster and a breach waiting to happen. One problem is that not all government employees are as knowledgeable, smart, cautious, or conscientious as you are. Another is people who think they are as smart, cautious, and conscientious as you but are not.

    IT policy does blame the customer when something goes wrong when the customer has provably deviated from the policy and something happens. You may be dinged for deviating from it because your management knows that there are statistics waiting to happen. "But otherwise, it wouldn't get done," is a poor excuse. DON'T DO IT, THEN. And when they come to you and ask you why it's not done, have all your tickets and contacts with the department stating when you reported it, how, and how you followed up and it wasn't done. You are contacting your helpdesk or resource daily and documenting that, aren't you? Oh, you're not? Why not? Why are you not talking to your manager on a daily basis in a documentable form about your issue?

    • (Score: 2) by shortscreen on Wednesday June 26 2019, @09:14PM

      by shortscreen (2252) on Wednesday June 26 2019, @09:14PM (#860257) Journal

      You are contacting your helpdesk or resource daily and documenting that, aren't you? Oh, you're not? Why not? Why are you not talking to your manager on a daily basis in a documentable form about your issue?

      Not sure if this applies to AC's situation, but in a scenario where the standard procedure for dealing with some problem is to report it to another person who also isn't directly responsible for the matter or can't address it because they lack the authority/capability, a likely outcome is that person 2 starts shooting the messenger and person 1 then doesn't bother reporting problems anymore. This is especially true if person 2 is a manager who likes having yes-men around better than having to listen to inconvenient truths.

  • (Score: 4, Interesting) by JoeMerchant on Wednesday June 26 2019, @04:26PM (6 children)

    by JoeMerchant (3937) on Wednesday June 26 2019, @04:26PM (#860144)

    For a while, I worked for a private company that got security consulting from the local FBI office. The two most memorable/visible aspects of this were:

    1) One of the IT guys sneaking around the office and planting (harmless) malware on everybody's desktop anytime they walked away from their console without locking the screen. Sure, it's an object lesson, but the office door locks and has a full time receptionist making sure that only permitted people come in (total headcount around 20), so... is it all that important to protect us from us?

    2) One week after a security briefing on "info fishers," a guy shows up outta nowhere wearing a pink polo shirt walking a chihuahua (no grass for 100 yards, or on our level of the building), and he starts obviously trying to pump us for obscure technical information about our product with "casual questions..." Everything he was asking was in some publicly available tech sheets somewhere, but the guy was an obvious plant - and we passed that test.

    Maybe they did other things that actually helped, invisibly... none that I was ever aware of, though.

    --
    🌻🌻 [google.com]
    • (Score: 2) by HiThere on Wednesday June 26 2019, @05:18PM (4 children)

      by HiThere (866) Subscriber Badge on Wednesday June 26 2019, @05:18PM (#860167) Journal

      It's annoying, but that thing about locking your computer screen every time you step away *is* reasonable. Perhaps you just needed an easier way to unlock it. That's one thing a key-fob or fingerprint reader might actually be good for. (Not as a primary log-in, but just to unlock the screen.)

      --
      Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
      • (Score: 0) by Anonymous Coward on Wednesday June 26 2019, @06:31PM

        by Anonymous Coward on Wednesday June 26 2019, @06:31PM (#860202)

        Heck, I've worked someplace where the biggest threat was from backstabbing cow-orkers. Locking a screen is a good idea, but it sucks when people become nazis about it.

        key-fob or fingerprint reader? You KNOW higher ups will insist on using those as primary means of security because everyone does it in the movies.

      • (Score: 2) by JoeMerchant on Wednesday June 26 2019, @08:10PM

        by JoeMerchant (3937) on Wednesday June 26 2019, @08:10PM (#860241)

        I do try to do it here (different place, much more relaxed culture), but the truth of the matter is: I don't have anything on my PC that 20 other developers also have access to - it's basically a terminal into the source repository and a collection of tools to manipulate that source.

        I suppose if I also left my e-mail open they might get into my HR kind of stuff, but...

        --
        🌻🌻 [google.com]
      • (Score: 2) by bzipitidoo on Wednesday June 26 2019, @09:39PM (1 child)

        by bzipitidoo (4388) on Wednesday June 26 2019, @09:39PM (#860262) Journal

        Annoying is inherently unreasonable.

        People will deal with the annoyance in ways that can lessen security even more. Or, if they can't, the organization will simply not work as efficiently. To use a car analogy, everyone would be a lot safer if the speed limit everywhere was only 20mph.

        Forced password changes every 2 or 3 months is a great example of fake security. The original idea behind that was to spoil brute force attempts to hack in. The thinking was that if it takes a year to try all possible passwords, changing the password every 60 days forces an attacker to start over. It was really an idiotic bandage to work around those sorts of systems that can't support reasonably strong passwords, such as systems that have a maximum password length of 8 characters. Another weakness was allowing hundreds of login attempts every second. These systems get pressed into service anyway, with the users expected to jump through hoops to make up for the bad security. With such terrible systems long gone, the primary reason for forced password rolling was gone, but the "security" practice keeps on being pushed on users, just because.

        • (Score: 2) by HiThere on Wednesday June 26 2019, @11:29PM

          by HiThere (866) Subscriber Badge on Wednesday June 26 2019, @11:29PM (#860292) Journal

          Yeah, those are unreasonable. But *some* annoyance is unavoidable. You lock your car, and need to keep track of the keys. The problem with locking screens isn't that it's slightly annoying, it's that it's too annoying. I've seen hospitals deal with this using magnetic (I think) fobs. Just a swipe and the screen turns on again. That's too weak for a real logon, but for just reactivating after you've stepped away for a while it's probably good. It doesn't seem to slow them down much. Not nearly as much as a password, which also isn't really good security. "Correct horse battery staple" is much better than most of them.

          --
          Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
    • (Score: 1, Insightful) by Anonymous Coward on Wednesday June 26 2019, @07:58PM

      by Anonymous Coward on Wednesday June 26 2019, @07:58PM (#860236)

      1) One of the IT guys sneaking around the office and planting (harmless) malware on everybody's desktop anytime they walked away from their console without locking the screen. Sure, it's an object lesson, but the office door locks and has a full time receptionist making sure that only permitted people come in (total headcount around 20), so... is it all that important to protect us from us?

      It's called an "insider threat."

      Imagine HR had your personal profile open on their computer (with your name, address, SSN, salary history, medical status, etc) on their screen, and then they walk away. Then Stanley Gossip, who hates you and whom you hate in return, happens to walk by and see it. How would you feel?

      And that's not even counting what could happen if you are logged onto a server with root access and walk away.

      Sure you "know and trust the 20 people in your office." Attackers don't walk around with black hats, though. If your neighbor was $500k in debt and willing to do anything to get out of it, would you know?

  • (Score: 1, Insightful) by Anonymous Coward on Wednesday June 26 2019, @06:45PM (1 child)

    by Anonymous Coward on Wednesday June 26 2019, @06:45PM (#860210)

    Working from home on a system they probably did not approve of? You gave them a lot of rope for them to hang you there.

    The right way to handle delayed support desk requests is to run it up the chain of command. Make sure the support idiots and your manager are both constantly aware that there is a problem that is causing work not to get done, which means money lost or deadlines not met and that it will be their fault, not yours.

    I had to do that when support idiots had to replace my machine's motherboard, and a copy-protected piece of software refused to run because it was now "pirated" on a "different" computer, and of course the software vendor was a complete shitfuck about it. I think they had to pull the original motherboard out of the trash, repair it somehow, and put it back in.

    • (Score: 0) by Anonymous Coward on Wednesday June 26 2019, @10:37PM

      by Anonymous Coward on Wednesday June 26 2019, @10:37PM (#860279)

      I think I was a bit unclear. I *am* approved to telework and am authorized to work on these things at home, my point was intended to be that my computer at home is likely to be considered less secure than a system under the control of my agency.

      I also feel I should not have to provide my agency with resources that my agency's IT department should be providing me. It's inconvenient to have to go home to work on these tasks when I should be able to do them at my desk at the office.

  • (Score: 0) by Anonymous Coward on Wednesday June 26 2019, @07:41PM (1 child)

    by Anonymous Coward on Wednesday June 26 2019, @07:41PM (#860227)

    The shared network drives have never been accessible through the Wi-Fi. So if you want to get a file from desktop to laptop, or vice versa, you have to find a USB disk of some sort, which is ridiculously inconvenient, or use Google Drive, which is not blocked on either the wired or wireless network.

    Does no one consider connecting directly to the wired Ethernet as an option? Any device used for REAL work should be able to do that.

    Handing your files over to some "cloud" host is just epically retarded, even if you think the stuff is encrypted and they promise to not look at it. Personally I don't trust wifi so I can see why they don't allow access to anything other than web.

    • (Score: 0) by Anonymous Coward on Thursday June 27 2019, @08:58PM

      by Anonymous Coward on Thursday June 27 2019, @08:58PM (#860692)

      Didn't Apple get rid of all sockets on their laptops, like, years ago?