Stories
Slash Boxes
Comments

SoylentNews is people

posted by chromas on Wednesday June 26 2019, @09:50AM   Printer-friendly
from the ¯\_(ツ)_/¯ dept.

Stop us if you've heard this one: US government staff wildly oblivious to basic computer, info security safeguards

A US Senate probe has once again outlined the woeful state of computer and information security within Uncle Sam's civil service.

A committee report (PDF) examining a decade of internal audits this week concluded that outdated systems, unpatched software, and weak data protection are so widespread that it's clear American bureaucrats fail to meet even basic security requirements.

To produce this damning dossiers[sic], the Senate's Permanent Subcommittee on Investigations pored over a decade of findings from inspector-general-led probes into information security practices within the Department of Homeland Security, State Department, Department of Transportation, Department of Housing and Urban Development, Department of Agriculture, Department of Health and Human Services, Department of Education, and the Social Security Administration.

Of those eight organizations, seven were found to be unable to adequately protect personally identifiable information stored on their systems, six were unable to properly patch their systems against security threats, five were in violation of IT asset inventory-keeping requirements, and all eight were using either hardware or software that had been retired by the vendor and was no longer supported.

"Despite major data breaches like OPM, the federal government remains unprepared to confront the dynamic cyber threats of today," the report noted.

"The longstanding cyber vulnerabilities consistently highlighted by Inspectors General illustrate the federal government's failure to meet basic cybersecurity standards to protect sensitive data."


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by JoeMerchant on Wednesday June 26 2019, @02:30PM (5 children)

    by JoeMerchant (3937) on Wednesday June 26 2019, @02:30PM (#860093)

    Most government departments can't afford that sort of thing.

    More like: won't bother to afford... but, the end result is the same.

    --
    🌻🌻 [google.com]
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 2) by RS3 on Wednesday June 26 2019, @03:49PM (4 children)

    by RS3 (6367) on Wednesday June 26 2019, @03:49PM (#860124)

    Most government departments can't afford that sort of thing.

    More like: won't bother to afford... but, the end result is the same.

    Yeah, that's crazy talk. The cost of not doing security correctly is much higher.

    • (Score: 2) by JoeMerchant on Wednesday June 26 2019, @04:17PM

      by JoeMerchant (3937) on Wednesday June 26 2019, @04:17PM (#860135)

      The cost of not doing security correctly is much higher.

      Talk about crazy talk: what's going to go wrong between now and 4pm (when the Govt. office closes and I get my ass outta here) if I don't follow some dumb security protocol?

      Now, if I don't get at least one case file off my desk by 3:30pm, my boss might make me stay late, and that would be a serious bummer.

      --
      🌻🌻 [google.com]
    • (Score: 4, Interesting) by Anonymous Coward on Wednesday June 26 2019, @04:29PM (2 children)

      by Anonymous Coward on Wednesday June 26 2019, @04:29PM (#860148)

      The cost of not doing computer security "correctly" is usually very close to zero, because usually nothing goes wrong. And when things do go wrong the fallout is usually not all that expensive to deal with. This is evidenced by the very article we are discussing: apparently in the US public service hardly anyone bothers and things really don't seem to be going horribly wrong as a result of that.

      Now sometimes a lot of costs are externalized ("oops, sorry, we leaked detailed personal information of half a billion people, we'll try to do better next time but really you'll all forget this all happened in a couple weeks anyway"). So in some cases the party screwing up doesn't have to costs and therefore has no incentive to really avoid screwups. Tragedy of the commons and all that.

      On the other hand, instituting "computer security" policies are usually very expensive to do, mainly because these costs are usually multiplied across all your staff while not giving a level of protection commensurate with the costs involved.

      • (Score: 2) by RS3 on Thursday June 27 2019, @03:33AM (1 child)

        by RS3 (6367) on Thursday June 27 2019, @03:33AM (#860383)

        The cost of not doing computer security "correctly" is usually very close to zero, because usually nothing goes wrong.

        Seems a bit obvious, no? Like leaving your house or car unlocked and nobody disturbs it. My point is: that one time someone does come along and rob you blind, you'll wonder if you had locked it, maybe they would have left you alone and moved on?

        On the other hand, instituting "computer security" policies are usually very expensive to do, mainly because these costs are usually multiplied across all your staff while not giving a level of protection commensurate with the costs involved.

        Vague statement. And sorry, I hate when people criticize like I just did, but you're making obvious statements that aren't delivering useful information. Enforcing a 12-character minimum password is not costly at all, but results in significantly greater security than a 6-character password.

        • (Score: 0) by Anonymous Coward on Thursday June 27 2019, @11:20AM

          by Anonymous Coward on Thursday June 27 2019, @11:20AM (#860471)

          Enforcing a 12-character minimum password is not costly at all, but results in significantly greater security than a 6-character password.

          What happens is lots of people will write that 12 character password below where they wrote their 6 character password.

          And most of the rest will tend to make more password reset requests which makes it easier for someone to successfully fake a password reset request.

          Hurray for significantly greater security.

          Well maybe you're living in a different part of the world from me where that won't happen.