SoylentNews is people
SoylentNews
A US Senate probe has once again outlined the woeful state of computer and information security within Uncle Sam's civil service.
A committee report (PDF) examining a decade of internal audits this week concluded that outdated systems, unpatched software, and weak data protection are so widespread that it's clear American bureaucrats fail to meet even basic security requirements.
To produce this damning dossiers[sic], the Senate's Permanent Subcommittee on Investigations pored over a decade of findings from inspector-general-led probes into information security practices within the Department of Homeland Security, State Department, Department of Transportation, Department of Housing and Urban Development, Department of Agriculture, Department of Health and Human Services, Department of Education, and the Social Security Administration.
Of those eight organizations, seven were found to be unable to adequately protect personally identifiable information stored on their systems, six were unable to properly patch their systems against security threats, five were in violation of IT asset inventory-keeping requirements, and all eight were using either hardware or software that had been retired by the vendor and was no longer supported.
"Despite major data breaches like OPM, the federal government remains unprepared to confront the dynamic cyber threats of today," the report noted.
"The longstanding cyber vulnerabilities consistently highlighted by Inspectors General illustrate the federal government's failure to meet basic cybersecurity standards to protect sensitive data."
(Score: 2) by bzipitidoo on Wednesday June 26 2019, @09:39PM (1 child)
Annoying is inherently unreasonable.
People will deal with the annoyance in ways that can lessen security even more. Or, if they can't, the organization will simply not work as efficiently. To use a car analogy, everyone would be a lot safer if the speed limit everywhere was only 20mph.
Forced password changes every 2 or 3 month is a great example of fake security. The original idea behind that was to spoil brute force attempts to hack in. The thinking was that if it takes a year to try all possible passwords, changing the password every 60 days forces an attacker to start over. It was really an idiotic bandage to work around those sorts of systems that can't support reasonably strong passwords, such as systems that have a maximum password length of 8 characters. Another weakness was allowing hundreds of login attempts every second. These systems get pressed into service anyway, with the users expected to jump through hoops to make up for the bad security. With such terrible systems long gone, the primary reason for forced password rolling was gone, but the "security" practice keeps on being pushed on users, just because.
(Score: 2) by HiThere on Wednesday June 26 2019, @11:29PM
Yeah, those are unreasonable. But *some* annoyance is unavoidable. You lock your car, and need to keep track of the keys. The problem with locking screens isn't that it's slightly annoying, it's that it's too annoying. I've seen hospitals deal with this using magnetic (I think) fobs. Just a swipe and the screen turns on again. That's too weak for a real logon, but just reactivating after you've stepped away for awhile it's probably good. It doesn't seem to slow them down much. Not nearly as much as a password, which also isn't really good security. "Correct horse battery staple" is much better than most of them.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.