SoylentNews is people

posted by Fnord666 on Tuesday June 20 2017, @06:43PM
from the do-as-I-say dept.

Second-rate opsec remained pervasive at the United States' National Security Agency, according to an August 2016 review now released under Freedom of Information laws.

It's almost surprising that the agency was able to cuff Reality Winner, let alone prevent a wholesale Snowden-style leak. The Department of Defense Inspector General report, first obtained by the New York Times, finds everything from unsecured servers to a lack of two-factor authentication.

The formerly-classified review (PDF) was instigated after Snowden exfiltrated his million-and-a-half files from August 2012 to May 2013.

"NSA did not have guidance concerning key management and did not consistently secure server racks and other sensitive equipment in the data centers and machine rooms" under its "Secure-the-net" initiative, the report says.

Data centre access is supposed to be governed by two-person access controls, the report notes, and the rollout of 2FA to "all high-risk users" was incomplete at the time of writing.

The agency had too many users with admin privileges, the report continues; they're insufficiently monitored, and the NSA had not cut the number of agents authorised to carry out data transfers.

Giving the NSA more funding could probably fix it.



 
  • (Score: 2) by JoeMerchant on Tuesday June 20 2017, @07:07PM (1 child)

    by JoeMerchant (3937) on Tuesday June 20 2017, @07:07PM (#528659)

    Presumably, these NSA types do stuff with the data on their servers, so keeping that information accessible is also important to enabling them to perform their job functions.

    Of course, it can be made incrementally more secure by making the data incrementally less accessible... 2FA shouldn't be an onerous thing, but really reducing the number of admins and enforcing 2 person access controls will make more work for the existing (presumably not expanding) headcount...

    --
    🌻🌻 [google.com]
  • (Score: 0) by Anonymous Coward on Wednesday June 21 2017, @06:03AM

    by Anonymous Coward on Wednesday June 21 2017, @06:03AM (#528908)

    They have SELinux, and supposedly a Windows equivalent available for all their M$ systems....

    So why wasn't this in use on servers across their network?

    How much of this is NSA personnel's fault and how much of it is subcontractors? There should be documentation to make it clear who was doing what to all these systems, and this should have a *LOT* of scrutiny placed on it. If it was contractors responsible for these insecure servers, then it might be time to permanently expel the current contractor companies and all their executive level staff, with any lower level personnel who might subcontract under a new company put on probation with their work verified, audited, and documented by ACTUAL NSA personnel until such time as they can be considered trustworthy again (If not for some possible institutional knowledge I would just say ban *ALL* subcontractors, and bring everything back in-house. Subcontracting your intelligence activities at *ANY* level of government is a HORRIBLE HORRIBLE idea. The sole reason to do so is plausible deniability by using intelligence assets which cannot be directly tied to your government.)