
Govt. Report Slams FBI's Internal Network Security

An anonymous reader writes "The Government Accountability Office, the federal government's watchdog agency, Thursday released a report critical of the FBI's internal network, asserting it lacks security controls adequate to thwart an insider attack. Among its other findings, the GAO said the FBI did not adequately "identify and authenticate users to prevent unauthorized access." The GAO report also criticized FBI network security in other regards, saying that there was a lack of encryption to protect sensitive data and patch management wasn't being done in a timely manner."
  • Re:Windows ? (Score:5, Interesting)

    by Architect_sasyr ( 938685 ) on Friday May 25, 2007 @03:13AM (#19266527)
    All Windows bashing aside, does it matter? Internal Network Security could be lacking because, rather than installing and configuring sudo, half the team is given the root passwords to su with.

    That said... I have a suit, a hat with FBI on it, and a plane ticket. Anyone want to join me in a little penetration "testing"? ;)
  • by SharpFang ( 651121 ) on Friday May 25, 2007 @04:02AM (#19266813) Homepage Journal
    Who needs good intrusion prevention when you can arrest anyone AFTER they broke in?
    After all, crime-fighting stats don't rise for not catching those who didn't manage to break the law because it was too difficult.
  • Re:Windows ? (Score:5, Interesting)

    by Lord_Frederick ( 642312 ) on Friday May 25, 2007 @07:33AM (#19267785)
    I've worked for private companies, local government and federal government. IT in some federal agencies is very scary.

    CAC cards are used, but terminal servers and websites for teleworking still allow username/password.

    Blackberries get CAC card readers for encrypted email, while flash drives and external hard drives are thrown into purses and bags.

    Remote computers co-located at contractor facilities STILL store LM hashes and don't have the physical security of a DoD office.

    EVERYONE writes down passwords because they have a dozen passwords to keep track of and each one is kept very similar to the next.

    Most users would not think twice about freely giving their password in a social engineering attack because IT here has gotten everyone in the habit of handing out their password to IT to "make things easier."

    Everyone is a local administrator, so Google toolbars and instant messaging programs pop up here and there. The creative users block group policy.

    Don't even get me started on how the systems are managed. No folder redirection, no user storage on servers. Everyone stores their data on the local hard drive, and because they are local admins they put it anywhere. I've seen a guy storing his documents in c:\windows\system32.

  • by PPH ( 736903 ) on Friday May 25, 2007 @01:56PM (#19273051)
    The stories about the FBI's ongoing IT restructuring troubles have been covered extensively in the industry news over the past few years. Having been involved in similar work for another (in)famous gov't agency, the problems look all too familiar.


    Some years ago, the FAA began a restructuring effort in order to modernize its infrastructure and get rid of unmaintainable, decades-old equipment. Each time they put a set of requirements out for bid and selected a vendor, lawsuits and political lobbying ensued. The FAA's systems are a big (and lucrative) enough target for every two-bit vendor with political connections that no selection of Vendor A over Vendor B was allowed to stand without the losing party either taking the decision to court or creating trouble in various congressional appropriations committees. Worse yet, suggestions that they (the FAA) build something in-house were answered with threats from industry lobbyists to get their funding cut so severely, they would barely have the money for normal operations.


    The FBI is in a similar position. Particularly following 9/11 and the subsequent application of practically unlimited anti-terrorism funds, the vultures are circling. Having read some of the articles relating to the FBI's troubles, many of the players look to be the same ones that suckled on the FAA's tit for years.
