How secure is the data held in government databases? Does the government have any recognised security testing that is carried out on a regular basis? Do we need a grading system in the UK as they have in the US?
The reason I ask is that the US federal departments have just failed to show that any of the data they hold is beyond the reach of hackers.
information security "embarrassing" and "dangerous", Rep. James R. Langevin (D-RI) lashed out at federal departments including State, Commerce and Homeland Security for lax practices and serious breaches.
The comments came at a hearing of the Committee on Homeland Security's Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, held to discuss recent high-level security breaches in government, at which representatives of State, Commerce and the Government Accountability Office testified.
failing grades for both the Department of Commerce and the Department of State under the FISMA assessment. FISMA is the Federal Information Security Management Act of 2002; see the background information published by the National Institute of Standards and Technology here.
cited a hack into Commerce systems using a rootkit last October, and a June
2006 penetration of State Department systems which used social engineering and
a zero-day exploit of Microsoft Word to gain access.
Langevin said, tried to downplay the incidents, saying no classified systems were compromised. Langevin said that because the departments failed their FISMA assessments and have failed to inventory all of their systems, "they can't know for certain that these incidents don't involve classified systems."
About DHS, which received a D on its FISMA assessment (the first time since 2003 that DHS did not receive an F), Langevin said he was "disappointed and troubled" with the department's progress in securing cyberspace. "I don't know how the department thinks it's going to lead this nation in securing cyberspace when it can't even secure its own networks."
director of research Alan Paller, who attended the hearing, said that government officials are finally saying publicly what many have known all along: their systems are insecure and put the nation at risk. "The State and Commerce Department penetrations are the tiniest tip of the iceberg."
Paller also noted that participants at the hearing said FISMA was a poor assessment system that measured the wrong things, and that receiving a grade of A would not have made any of the participants at the hearing believe they were necessarily secure.
demonstrated the remarkable consistency between corporate and government problems with information security. Zero-day exploits and rootkits are the biggest issues private companies are dealing with right now. Two zero-day exploits have been discovered in the past month, and some speculate that rootkits may have been used in the breach of TJX, the biggest data breach case in history to date. Indeed, the Commerce Department's failure to pinpoint when hackers first gained access mirrors TJX's confusion over the origins of its breach, which is usually a sign that the hackers were able to conceal their activity with a rootkit, a basic tool for financially motivated hackers.
In their fiscal
year 2006 financial statement audit reports, 21 of 24 agencies indicated that
they had significant weaknesses in information security controls. As shown by
reports by GAO and agency inspectors general (IG), the weaknesses persist in
major categories of controls—including, for example, access controls, which
ensure that only authorized individuals can read, alter, or delete data, and
configuration management controls, which provide assurance that only authorized
software programs are implemented.
An underlying cause for these weaknesses is that agencies have not yet fully implemented agency-wide information security programs, which provide the framework for ensuring that risks are understood and that effective controls are selected and properly implemented. Until agencies effectively and fully implement agency-wide information security programs, federal data and systems will not be adequately safeguarded against unauthorized use, disclosure and modification.
cited issues with intelligence sharing between departments over vulnerabilities
concluded his opening statement with words that are becoming more common both
in government and business when it comes to information security: “We don't know the scope of our
networks. We don't know who's inside our networks. We don't know what
information has been stolen.” (source).
So before we embark on handing the UK government our most personal details under the ID card scheme and ePassports, perhaps a very public health check of its own systems might be in order.
Destroying Britain from the inside out.