[ISN] Networks ill-prepared for hackers, terrorists

From: InfoSec News (isnat_private)
Date: Fri Apr 19 2002 - 01:55:51 PDT

    http://www.nationalpost.com/home/story.html?f=/stories/20020417/666688.html
    
    Andrew McIntosh
    National Post
    amcintoshat_private
    April 17, 2002
     
    OTTAWA - The government is failing to strengthen security measures for
    its computer systems and networks across all departments, exposing
    critical government infrastructure to cyber attacks by thrill-seeking
    hackers and terrorists, the Auditor-General warned yesterday.
    
    If steps are not taken to fix problems fast, it could undermine the
    federal government's much-vaunted effort to connect Canadians to the
    Web and provide credible online government Internet services, Sheila
    Fraser says.
    
    "Cyber threats are real and can do significant damage," she wrote.  
    "They can impair information assets and disrupt business operations.  
    Some incidents result in lost productivity; others can lead to a loss
    of consumer confidence, a tarnished reputation and loss of
    credibility, to outright fraud."
    
    In a special audit tabled in her annual report to Parliament, the
    Auditor-General paints a picture of a slow-moving bureaucracy in a
    state of denial about the threats posed by hackers, and inaction on
    the computer security front.
    
    Auditors embarked on a series of "vulnerability assessments" of
    government computer systems.
    
    They conducted what they called "war dialling" tests of government
    phone lines and checked 260 separate government systems for possible
    vulnerabilities.
    
    One third of the systems checked contained vulnerabilities that "could
    allow the systems to be readily compromised by a targeted cyber
    attack," the audit found.
    
    In one case, they found a system with no password for its
    administrator, "allowing any Internet user to gain access to the
    system."
    
    In another case, a government system was so weak it could allow a
    hacker to install software "to attack other systems on the Internet"  
    and make it appear that the attacks "were initiated by the
    government."
    
    The government knows the threat is real, Ms. Fraser added.
    
    In the summer of 1999, federal officials studied security measures for
    Internet sites and computer systems involving six of its own
    departments.
    
    Officials learned that hackers triggered 80,000 alarms and, upon
    further investigation, officials discovered 500 attempts by hackers to
    penetrate government computers, "many using automated tools."
    
    Ms. Fraser said that given the increased threat posed by possible
    cyber attacks and the devastation they can be expected to cause, she
    expected government oversight of computer security initiatives would
    have been strengthened.
    
    "However, this has not been the case," she wrote.
    
    The government adopted a data security policy in 1994 that required
    all departments to have security specialists from the Royal Canadian
    Mounted Police review their system security measures at least once
    every five years and more frequently for systems storing top secret
    information.
    
    Yet 85% of the departments that are subject to the policy failed to
    comply.
    
    So, the government adopted a new computer security policy in 2002: the
    RCMP is no longer responsible for security reviews and there is no
    longer a requirement that states the minimum frequency for security
    assessments.
    
    The government has pledged to complete a new report on the
    effectiveness of its computer security policies across all
    departments by 2004.
    
    "In our view," Ms. Fraser wrote, "a report is needed sooner."
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 19 2002 - 05:37:44 PDT