Govt. Report Slams FBI's Internal Network Security
An anonymous reader writes "The Government Accountability Office, the federal government's watchdog agency, Thursday released a report critical of the FBI's internal network, asserting it lacks security controls adequate to thwart an insider attack. Among its other findings, the GAO said the FBI did not adequately "identify and authenticate users to prevent unauthorized access." The GAO report also criticized FBI network security in other regards, saying that there was a lack of encryption to protect sensitive data and patch management wasn't being done in a timely manner."
Common Knowledge (Score:5, Informative)
Pipe Dream: what's the cost? (Score:3, Informative)
Specifically, FBI did not consistently
(1) configure network devices and services securely to prevent unauthorized insider access;
(2) identify and authenticate users to prevent unauthorized access;
(3) enforce the principle of least privilege to ensure that authorized access was necessary and appropriate;
(4) apply strong encryption techniques to protect sensitive data on its networks;
(5) log, audit, or monitor security-related events;
(6) protect the physical security of its network; and
(7) patch key servers and workstations in a timely manner.
Insider attack is always a risk; full solutions against it are 1) impossible, 2) infinitely costly (see 1).
I work in Financial Services a lot - these solutions aren't necessarily all implemented that strongly, the limitation is cost. Without seeing a costing plan for the above utopian remediation I'm not so sure it is needed. I'm not saying the FBI are necessarily good - just that the report language is too general/pipe dreamish to know.
Holy Crap! (Score:5, Funny)
Re: (Score:3, Insightful)
It's not that the government is filled with people that don't have a clue, but rather that the technically able people usually get frustrated by bureaucracy, politics, and poor management.
Re: (Score:1)
Hold on There Cowboy (Score:2)
Keep in mind the audit and disclosure is probably politically motivated. Maybe the FBI wants a bigger IT budget? Maybe the head of another agency wants to discredit the FBI? I can tell you from experience, this is more likely rather than plain old incompetence.
The GAO looks like they are doing their job, but that's about it. Having set up NIST-compliant LANs and desktops, I promise you they are not _that_ secure. It's better than a default Windows desktop, but not remarkable.
Re: (Score:2)
Good... (Score:5, Funny)
Re: (Score:1)
Re: (Score:1)
Windows ? (Score:1, Funny)
Re:Windows ? (Score:5, Interesting)
That said... I have a suit, a hat with FBI on it, and a plane ticket. Anyone want to join me in a little penetration "testing"?
A kopek to get in, a rouble to get out (Score:3, Insightful)
Carefully, though. You might end up penetrating Guantanamo.
Re: (Score:1, Funny)
Re: (Score:2)
Re: (Score:1, Funny)
Nice pick-up line! Mind if I borrow it?
Re:Windows ? (Score:4, Insightful)
However I doubt FBI security is as good as DISA (they handle information security for the military). They have a PKI (public key infrastructure) CAC (control access card) system for authenticating users wherever they go (logging into computers, opening doors, etc). Whether this is better than more traditional systems is another topic of debate, as very few people (as in, none of the users) really understand how PKI works.
At the absolute minimum the FBI needs at least some sort of two-factor authentication with an OTP (one time password) generator. Relying on Active Directory security with Windows passwords is an absolute joke, especially when you are reusing those passwords over and over in many different systems. Even if you aren't reusing passwords between systems, users won't remember 20 different case-sensitive passwords all containing 12 random characters each. Which is most likely why the FBI might not be using high security on their networks - the usability suffers in a big way.
They would really need to rebuild the IT infrastructure from the ground up with added security in mind. Everyone would need to be retrained on the use of PKI/OTP/2-factor-auth/etc and other DISA-like security used in more secure environments. Especially with a Windows platform these changes would be expensive... but the FBI has never had problems spending money on IT/software (*wink*) so I don't see what is holding them back.
Also notice the use of 10 million acronyms above... the FBI is getting NOTHING without adding at least 450 new acronyms to their vocabulary. That is government IT for you!
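To make concrete what the commenter's "OTP generator" buys over a reused password, here is an added example (not from the original thread): an RFC 4226 HOTP generator plus a server-side verifier that enforces one-time use with a small look-ahead window, so a code that was captured, shoulder-surfed or phished cannot be replayed. The secret is RFC 4226's published test key; the verifier class and its window size are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed example secret: the ASCII test key from RFC 4226 Appendix D.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the
    big-endian 8-byte counter, then 'dynamic truncation' to a decimal code."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server-side state for one user (assumed design, not any vendor's product).

    A code is accepted only if it matches a counter strictly greater than the
    last counter accepted, within a look-ahead window that tolerates a few
    unused button presses on the token.  Once a counter is accepted, it and
    everything below it are dead, which is what defeats replay of a stolen code.
    """

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.last_counter = -1  # nothing accepted yet

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + self.window):
            # constant-time compare so timing does not leak how close a guess was
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c  # resynchronise to the token and burn the code
                return True
        return False


if __name__ == "__main__":
    v = OtpVerifier(SECRET)
    first = hotp(SECRET, 0)
    print("first code accepted:", v.verify(first))    # True
    print("same code replayed:", v.verify(first))     # False: one-time means one time
```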
Re:Windows ? (Score:5, Interesting)
CAC cards are used, but terminal servers and websites for teleworking still allow username/password.
Blackberries get CAC card readers for encrypted email, while flash drives and external hard drives are thrown into purses and bags.
Remote computers co-located at contractor facilities STILL store LM hashes and don't have the physical security of a DoD office.
EVERYONE writes down passwords because they have a dozen passwords to keep track of and each one is kept very similar to the next.
Most users would not think twice about freely giving their password in a social engineering attack because IT here has gotten everyone in the habit of handing out their password to IT to "make things easier."
Everyone is a local administrator, so google toolbars and instant messaging programs pop up here and there. The creative users block group policy.
Don't even get me started on how the systems are managed. No folder redirection, no user storage on servers. Everyone stores their data on the local hard drive, and because they are local admins they put it anywhere. I've seen a guy storing his documents in c:\windows\system32.
Re: (Score:2)
Re: (Score:2)
I can give you some insight into how much better things are here than your experiences have shown.
Thank you for the qualifier "SOME federal agencies". Such may be the case, but not where I work - the IRS.
No access to our networks comes in from outside except via encrypted VPN. The phrase "website for teleworking" isn't in our vocabulary.
Re: (Score:1)
Re: (Score:2)
Everyone is a local administrator, so google toolbars and instant messaging programs pop up here and there. The creative users block group policy.
I work for state government and these two items take place where I work. When I moved to where I am now (higher position and pay), I found out those
Not all agencies... (Score:1)
CAC cards are used, but terminal servers and websites for teleworking still allow username/password.
We use CAC cards for the unclass syste
Re: (Score:1)
"To measure is to know."
"If you can not measure it, you can not improve it."
-Lord Kelvin [zapatopi.net]
Re: (Score:2)
How about this: When a person gets an ID for one of these systems, they have to submit a series of 20 personal photos. Every time they log in, the system puts up five of the pictures. The user has to sort them by date taken to successfully log in.
Re: (Score:1)
Re: (Score:1)
Obligatory... (Score:4, Funny)
Perhaps they are unpatched due to a misunderstanding with the RIAA when they agreed not to be pirates?
Reviewed? (Score:3, Insightful)
I wonder what "review" means in this context? Read through? Edit? Sanitize?
Re: (Score:2)
Government oversight reports for the uninitiated (Score:2)
Who needs good prevention... (Score:5, Interesting)
After all, crime fighting stats don't rise for not catching those who didn't manage to break the law because it was too difficult.
Good thinking, Sherlock. (Score:3, Funny)
Who needs good intrusion prevention when you can arrest anyone AFTER they broke in?
Well, it might be nice if you want to ACTUALLY CATCH THEM! How are you supposed to do that when they overwrite your files?
Oh, I see, you don't care if the arrested person is actually guilty. I'll be quiet now. Forget I said anything. You guys are doing great, keep up the good work and help yourself to some real Wow software or something. Bye.
Re: (Score:2)
Re: (Score:1)
Try:
In Soviet FBI, bad guy is YOU!
FBI's Internal Network Security Problem (Score:1)
I can already see the next /. on this story (Score:2, Funny)
Nobody knows who did the attack, but the FBI said it was a swift and tactical raid, everyone dead, and one bin on fire with what appears to be a report in the remains; the title read FB... nal.. ty, that's all that could be read at the time.
Fallacy when dealing with government IT security (Score:3, Insightful)
Then again, that's how many companies deal with it, too. Don't you dare to steal, or we sue you into oblivion.
The fallacy about that is that you first of all have to find the culprit. Or, rather, you first of all have to find out that something went missing. The problem about data theft is that you don't immediately notice it. It's not like your door is broken down and your belongings searched, with your family heirlooms missing. All your data is still there, and you won't even know someone went through your stuff before it's too late.
And those people should be trusted with my information?
Re:Fallacy when dealing with government IT securit (Score:3, Insightful)
The FBI, like all other government agencies, has a CIO with an office of security under him responsible for securing their IT systems.
http://www.fbi.gov/hq/ocio/ocio_home.htm [fbi.gov]
Re: (Score:2)
FBI Blames Broken DB for FBI Breaking Laws (Score:3, Informative)
Since, as usual, no one at Bush's FBI has suffered after disclosure of this destructive abuse, the excuse will of course multiply in popularity.
Funny how Bush Gang "mistakes" always seem to benefit Bush, though his gang claims it's all just accident and happenstance. Random distributions that always favor Bush must be "miracles".
Comment removed (Score:5, Insightful)
Re:Bad old FBI (Score:1)
Then you wonder where all our money goes when they say we have to increase our taxes due to a lack of money for our federal budget.
When did the name change? (Score:2)
The name changed... (Score:2)
Good. Government transparency is great. (Score:3, Insightful)
The FBI is computer-challenged (Score:2, Insightful)
When the police were investigating the DC area sniper case, the FBI brought in a computer system to help coordinate the leads. They wound up having everybody looking for a "white box truck", while there was an overlooked report about a blue Chevy. The snipers' vehicle turned out to be the blue Chevy. IIRC, the FBI's computer system didn't help much in actually catching the snipers.
Yeah well, you know how it goes, theory X mgmt (Score:2, Insightful)
FBI IT Restructuring Problems (Score:3, Interesting)
Some years ago, the FAA began a restructuring effort in order to modernize its infrastructure and get rid of unmaintainable, decades-old equipment. Each time they put a set of requirements out for bid and selected a vendor, lawsuits and political lobbying ensued. The FAA's systems are a big (and lucrative) enough target for every two-bit vendor with political connections that no selection of Vendor A over Vendor B was allowed to stand without the losing party either taking the decision to court or creating trouble in various congressional appropriations committees. Worse yet, suggestions that they (the FAA) build something in-house were answered with threats from industry lobbyists to get their funding cut so severely that they would barely have the money for normal operations.
The FBI is in a similar position. Particularly following 9/11 and the subsequent application of practically unlimited anti-terrorism funds, the vultures are circling. Having read some of the articles relating to the FBI's troubles, many of the players look to be the same ones that suckled on the FAA's tit for years.
More Tsars! (Score:2)
It seems a shame to re-invent the wheel for the FBI. I thought Jamie Gorelick's wall was properly and completely smashed post 9/11?
You'd think they could have one of the boys from Virginia over for lunch for a proper "you frikkin' idiots"-ing. Note: I expect that there are plenty of line techs who