Tuesday, February 12, 2013

Oooops... FCC invests $10M in new network security but leaves backdoor unlocked

In light of yesterday's announcement that the Department of Energy will be spending $20,000,000 to develop advanced cybersecurity tools (following a hack in which the personal information of several hundred employees was leaked, although the two aren't necessarily related), I found this article on Ars Technica, regarding the FCC's implementation of its cybersecurity upgrade, rather amusing.


a Government Accountability Office audit of the project, released publicly last week, found that the FCC essentially dumped that $10 million in a hole. The ESN effort failed to properly implement the fixes, and it left software and systems put in place misconfigured—even failing to take advantage of all the features of the malware protection the commission had selected, leaving its workstations still vulnerable to attack. In fact, the full extent of the problems is so bad the GAO's entire findings have been restricted to limited distribution.
"As a result of these and other deficiencies, FCC faces an unnecessary risk that individuals could gain unauthorized access to its sensitive systems and information," the report concluded. And much of the work done to deploy the security system must be redone before the FCC's systems approach anything resembling the security goals set for the project.

From the article it appears that the contractors just slapped stuff in place and there was no validation period or acceptance testing, and certainly nothing resembling pen testing. Seriously people, come on! This type of thing is one of the reasons so many people are leery of government spending. It is never done wisely.

Regarding the DoE hack, I don't think they have positively identified the culprits. I read over the previous weekend that Anonymous had claimed credit, but not being on the secret mailing list I can't confirm that. The Department of Energy itself seems to be leaning towards China, but at least one security expert seems skeptical. I would say especially in light of the audit which found DoE wasn't adequately patching its systems.

The President is supposed to be releasing a national cybersecurity plan tomorrow. Maybe it will provide some baseline best practices that everyone can aim for, but I am not particularly hopeful.