[ISN] Reports: DHS, IRS Databases At Risk

From: InfoSec News <alerts_at_private>
Date: Mon, 11 Jul 2011 03:42:23 -0700 (MST)

By Ericka Chickowski
Contributing Writer
Dark Reading
July 08, 2011

Some of the federal government's most critical agencies are falling down 
on database security with misconfigurations, vulnerabilities, and a lack 
of best practices, putting sensitive citizen and defense information at 
risk as a result, new government audits show. Just this week, the Office 
of the Inspector General (IG) found that the Department of Homeland 
Security (DHS) -- the agency in charge of ensuring Federal Information 
Security Management Act (FISMA) compliance among all government agencies 
-- itself has a number of critical shortcomings within its database 

The new report (PDF) highlighted database security deficiencies within 
the protected critical infrastructure information (PCII) system data 
stores, with weaknesses in both the Automated Critical Asset Management 
System (ACAMS) and the Linking Encrypted Network System (LENS) that put 
PCII data at risk. Some of the problems highlighted in the report 
included a failure to follow the rule of least privilege, a lack of 
communication among personnel to decide who was in charge of locking 
down the database, and a number of redacted configuration 

"We all have this sense of concern that develops when the people 
responsible for keeping us secure are not keeping themselves secure," 
says John Verry, principal consultant for Pivot Point Security. "I would 
be hesitant to make an assertion about something I am not directly 
familiar with -- we haven't done work for DHS, and they may have picked 
the one database that was wildly insecure. But typically what we find 
[when] we do enterprisewide database security assessments is that if one 
database is relatively insecure, most of them will be, and if one 
database tends to be reasonably secure, most of them will be."

The DHS isn't the only agency under fire from auditors. A recent report 
(PDF) from the Treasury Inspector General for Tax Administration (TIGTA) 
found that the IRS has some serious problems with the security of nearly 
all of its 2,200 databases. Even though the agency has spent $1.1 
million on database security tools recently, it has not completed the 
implementation of tools and requisite best practices to make them 


Received on Mon Jul 11 2011 - 03:42:23 PDT

This archive was generated by hypermail 2.2.0 : Mon Jul 11 2011 - 03:47:51 PDT