[ISN] Commerce rapped on infosec lapses

From: InfoSec News (isnat_private)
Date: Mon Aug 06 2001 - 01:16:42 PDT


    Forwarded by: William Knowles <wkat_private>
    By Colleen O'Hara
    Aug. 6, 2001 
    Lawmakers took the Commerce Department to task at an Aug. 3 hearing
    after auditors testified they found numerous information security
    lapses on agency systems.
    During an investigation into security practices at seven Commerce
    organizations, "hackers" from the General Accounting Office were able
    to gain unauthorized access to systems and read, modify and delete
    sensitive economic, personnel and business data.
    Among the data at risk is information related to national security,
    missile technology and biological warfare residing on systems at the
    Bureau of Export Administration.
    Intruders could disrupt mission-critical systems without being
    detected, said Robert Dacey, director of information security issues
    at GAO, in testimony before the House Energy and Commerce Committee's
    Subcommittee on Oversight and Investigations.
    In one case, GAO investigators gained access to a system only to find
    that a Russian hacker had been there already, without the knowledge of
    Commerce managers.
    "In short, the department simply has no idea whether its sensitive
    systems are being or have been compromised -- a totally unacceptable
    situation," said subcommittee chairman Rep. James Greenwood.
    GAO also found that many systems could be accessed without passwords
    or were unprotected and that a user on one bureau's network could
    change the configuration of other bureaus' network controls via the
    Internet, Dacey said.
    Commerce Inspector General Johnnie Frazier said internal audits found
    similar security holes, but better cooperation should help plug them.
    Last month, the IG's office signed a memorandum of agreement with the
    Office of the Chief Information Officer and the Office of Security to
    share responsibility on Commerce's information technology security
    Samuel Bodman, deputy secretary at Commerce, said the problem is more
    a matter of "management and priorities" and is being addressed.
    Already, the secretary has given the department CIO authority to guide
    bureau security plans, he said.