
Govt. Report Slams FBI's Internal Network Security

An anonymous reader writes "The Government Accountability Office, the federal government's watchdog agency, Thursday released a report critical of the FBI's internal network, asserting it lacks security controls adequate to thwart an insider attack. Among its other findings, the GAO said the FBI did not adequately "identify and authenticate users to prevent unauthorized access." The GAO report also criticized FBI network security in other regards, saying that there was a lack of encryption to protect sensitive data and patch management wasn't being done in a timely manner."
  • Re:Windows ? (Score:4, Insightful)

    by Anonymous Coward on Friday May 25, 2007 @03:38AM (#19266657)
    In most cases, yes.

    However I doubt FBI security is as good as DISA (they handle information security for the military). They have a PKI (public key infrastructure) CAC (control access card) system for authenticating users wherever they go (logging into computers, opening doors, etc). Whether this is better than more traditional systems is another topic of debate, as very few people (as in, none of the users) really understand how PKI works.

    At the absolute minimum the FBI needs at least some sort of two-factor authentication with an OTP (one time password) generator. Relying on Active Directory security with Windows passwords is an absolute joke, especially when you are reusing those passwords over and over in many different systems. Even if you aren't reusing passwords between systems, users won't remember 20 different case sensitive passwords all containing 12 random characters each. Which is most likely why the FBI might not be using high security on their networks - the usability suffers in a big way.

    They would really need to rebuild the IT infrastructure from the ground up with added security in mind. Everyone would need to be retrained on the use of PKI/OTP/2-factor-auth/etc and other DISA-like security used in more secure environments. Especially with a Windows platform these changes would be expensive... but the FBI has never had problems spending money on IT/software (*wink*) so I don't see what is holding them back.

    Also notice the use of 10 million acronyms above... the FBI is getting NOTHING without adding at least 450 new acronyms to their vocabulary. That is government IT for you!
  • Reviewed? (Score:3, Insightful)

    by palemantle ( 1007299 ) on Friday May 25, 2007 @03:47AM (#19266725)
    From TFA: "The bureau, which had the opportunity to review the GAO's findings before publication" ...

    I wonder what "review" means in this context? Read through? Edit? Sanitize?
  • Re:Holy Crap! (Score:3, Insightful)

    by Aoreias ( 721149 ) on Friday May 25, 2007 @04:26AM (#19266907)
    Obviously not all the government is bad at computer security. Clearly the GAO had to know what 'right' is to be able to criticize the FBI for not having adequate security measures.

    It's not that the government is filled with people that don't have a clue, but rather that the technically able people usually get frustrated by bureaucracy, politics, and poor management.

  • by Archtech ( 159117 ) on Friday May 25, 2007 @06:08AM (#19267437)
    'I have a suit, a hat with FBI on it, and a plane ticket. Anyone want to join me in a little penetration "testing"? ;)'

    Carefully, though. You might end up penetrating Guantanamo.
  • by Opportunist ( 166417 ) on Friday May 25, 2007 @07:54AM (#19267923)
    IT-Security is not handled by the technical department when it comes to the feds. It's handled by the legal department.

    Then again, that's how many companies deal with it, too. Don't you dare to steal, or we sue you into oblivion.

    The fallacy about that is that you first of all have to find the culprit. Or, rather, you first of all have to find out that something went missing. The problem about data theft is that you don't immediately notice it. It's not like your door is broken down and your belongings searched, with your family heirlooms missing. All your data is still there, and you won't even know someone went through your stuff before it's too late.

    And those people should be trusted with my information?
  • by dj42 ( 765300 ) on Friday May 25, 2007 @08:51AM (#19268399)
    We need more gov't transparency. Appointing stooges to the DOJ to fire the noncompliant, limiting free-speech, obfuscating information to the journalists, and distrusting the American public to the point of borderline treason, I would hope that somewhere, somehow, eventually true, honest, and open people get hold of information that will shed light on the gov't actions in the last 6 years. /Woops... *removes tin foil hat, jumps in the ocean, swims, far*.
  • by brennz ( 715237 ) on Friday May 25, 2007 @09:23AM (#19268753)
    This is incorrect.

    The FBI, like all other government agencies, has a CIO with an office of security under him responsible for securing their IT systems.

    http://www.fbi.gov/hq/ocio/ocio_home.htm [fbi.gov]
  • by grandpa-geek ( 981017 ) on Friday May 25, 2007 @09:59AM (#19269221)
    The fact that the FBI is computer-challenged has been known for years. It goes well beyond information security.

    When the police were investigating the DC area sniper case, the FBI brought in a computer system to help coordinate the leads. They wound up having everybody looking for a "white box truck", while there was an overlooked report about a blue Chevy. The snipers' vehicle turned out to be the blue Chevy. IIRC, the FBI's computer system didn't help much in actually catching the snipers.

    Some years ago the chief of FBI information security turned out to be a spy for the Soviet Union. There wasn't anyone at the FBI who knew enough about computers or information security to realize that he was compromising them.

    A major FBI system development was one of the huge systems canceled in the 1990's because it wasn't properly managed and became impossible to complete.

    I suppose geeks don't meet the image the FBI wants for its people. Computer-illiterates do. That's the way things go there.
  • by br0d ( 765028 ) on Friday May 25, 2007 @11:41AM (#19270753)
    No stock price to piss off shareholders, who beat up on a board of directors. No CEO for them to beat on, so he can then beat up on his CIO, who then beats up on directors who beat up on team leads, who work hard to create tight solutions. Money is generally a better motivator than standards compliance.
