SoylentNews

US Government Staff Wildly Oblivious to Basic Computer, Info Security Safeguards

posted by chromas on Wednesday June 26 2019, @09:50AM   
from the ¯\_(ツ)_/¯ dept.

upstart writes for Bytram:

Stop us if you've heard this one: US government staff wildly oblivious to basic computer, info security safeguards

A US Senate probe has once again outlined the woeful state of computer and information security within Uncle Sam's civil service.

A committee report (PDF) examining a decade of internal audits this week concluded that outdated systems, unpatched software, and weak data protection are so widespread that it's clear American bureaucrats fail to meet even basic security requirements.

To produce this damning dossiers[sic], the Senate's Permanent Subcommittee on Investigations pored over a decade of findings from inspector-general-led probes into information security practices within the Department of Homeland Security, State Department, Department of Transportation, Department of Housing and Urban Development, Department of Agriculture, Department of Health and Human Services, Department of Education, and the Social Security Administration.

Of those eight organizations, seven were found to be unable to adequately protect personally identifiable information stored on their systems, six were unable to properly patch their systems against security threats, five were in violation of IT asset inventory-keeping requirements, and all eight were using either hardware or software that had been retired by the vendor and was no longer supported.

"Despite major data breaches like OPM, the federal government remains unprepared to confront the dynamic cyber threats of today," the report noted.

"The longstanding cyber vulnerabilities consistently highlighted by Inspectors General illustrate the federal government's failure to meet basic cybersecurity standards to protect sensitive data."

---

Original Submission

• Re:obvious? Re:obvious? (Score: 2) by RS3 on Thursday June 27 2019, @03:33AM (1 child)

  by RS3 (6367) on Thursday June 27 2019, @03:33AM (#860383)

  The cost of not doing computer security "correctly" is usually very close to zero, because usually nothing goes wrong.

  Seems a bit obvious, no? Like leaving your house or car unlocked and nobody disturbs it. My point is: that one time someone does come along and rob you blind, you'll wonder if you had locked it, maybe they would have left you alone and moved on?

  On the other hand, instituting "computer security" policies are usually very expensive to do, mainly because these costs are usually multiplied across all your staff while not giving a level of protection commensurate with the costs involved.

  Vague statement. And sorry, I hate when people criticize like I just did, but you're making obvious statements that aren't delivering useful information. Enforcing a 12-character minimum password is not costly at all, but results in significantly greater security than a 6-character password.

  Parent

  Starting Score:	1		point
  Karma-Bonus Modifier		+1
  Total Score:		2

• Re:obvious? (Score: 0) by Anonymous Coward on Thursday June 27 2019, @11:20AM

  by Anonymous Coward on Thursday June 27 2019, @11:20AM (#860471)

  Enforcing a 12-character minimum password is not costly at all, but results in significantly greater security than a 6-character password.

  What happens is lots of people will write that 12 character password below where they wrote their 6 character password.

  And most of the rest will tend to make more password reset requests which makes it easier for someone to successfully fake a password reset request.

  Hurray for significantly greater security.

  Well maybe you're living in a different part of the world from me where that won't happen.

  Parent