[ISN] GAO faults Army Corps security

From: InfoSec News (isnat_private)
Date: Wed Jun 12 2002 - 01:02:09 PDT

    Forwarded from: William Knowles <wkat_private>

    By Dan Caterinicchia
    June 11, 2002

    The Army Corps of Engineers has made great strides in managing its
    computer systems since a scathing 1999 review by the General
    Accounting Office, but the agency still has numerous security
    shortcomings, according to a new GAO report.

    "Information Security: Corps of Engineers Making Improvements, but
    Weaknesses Continue," released June 10, details a number of computer
    security issues that the Army Corps must address, including:

    * Controlling access to critical systems and data.
    * Developing adequate system software controls to protect programs and
      sensitive files.
    * Documenting software changes.
    * Securing networks.

    "These vulnerabilities warrant management's attention to decrease the
    risk of inappropriate disclosure and modification of data and
    programs, misuse of or damage to computer resources, or disruption of
    critical operations," according to the report. "Such vulnerabilities
    also increase risks to other Department of Defense networks and
    systems to which the corps' network is linked."

    The audit, which was conducted from January through October 2001,
    found that the Army Corps had not maintained accurate records of users
    who were granted access to the Corps of Engineers Financial Management
    System (CEFMS).

    "The weaknesses that we identified...placed the Corps' computer
    resources, programs and files at risk from inappropriate disclosure of
    financial and sensitive data and programs, modification of data,
    misuse of or damage to computer resources, or disruption of critical
    operations," according to the report.

    Additional tests also revealed problems with the smart cards that
    store users' electronic signatures for use with CEFMS. In some cases,
    smart cards were not under the sole control of an individual
    cardholder, an audit found, and "as a result, authentication controls
    were not effective to provide reasonable assurance that users'
    electronic signatures are valid."

    The GAO report said the primary reason for the Army Corps' computer
    control weaknesses was that officials had not fully developed and
    implemented a comprehensive security management program.

    In a May 20 letter responding to a draft copy of the report, Lt. Gen.
    Robert Flowers, commander of the Army Corps, said the agency has
    already taken corrective action on 11 past recommendations and has
    developed an action plan to correct all but 12 of the remaining
    recommendations by Sept. 30, 2002. He added that the remaining 12
    recommendations would be completed in fiscal 2003 or beyond.

    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen. Alfred M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org