Recently I commented on the Homeland Security and Governmental Affairs Minority Committee of the US Senate’s report about the security of government agencies. (You can get a PDF copy here.) The earlier post was about the use of default passwords at government agencies. There are some other troubling items in the report and I wanted to share a few of them with you.
I recently taught Learning Tree Course 468, System and Network Security Introduction, and some of the participants commented on several of these same issues in other settings, so this seemed like a good time to discuss them here.
First, “Independent auditors physically inspected offices and found passwords written down on desks,…” Really? Still? I’ve discussed secure software solutions for this before, and even earlier in mid-2012. Every time I teach the security course I stress that auditors know most or all of the places passwords are likely to be written down. (Before I learned much about security I thought I was clever putting them in an envelope under a desk drawer. Ha! I have learned a lot since then.) Lesson: don’t write passwords down. Use a good, secure tool to keep them safe, and use a good password for that tool. If necessary, get the tool approved by the appropriate department or agency first, of course.
Second, some computers had anti-virus software whose signature databases were years out of date. Look, anti-virus software is great stuff. It may not be perfect, but it is necessary. It is also of limited value if the database is so old that it cannot catch any viruses discovered or released in the last couple of years! Keep those subscriptions current, and confirm that the updates are actually arriving on every machine. End of story.
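A simple way to catch this before an auditor does is to check signature-database age across an inventory rather than trusting that subscriptions are current. The following is an added example, not code from the post or from Learning Tree: it runs over a constructed, hypothetical inventory (host names, dates and product names are all made up), flags hosts whose database is older than a chosen threshold, treats a missing or unparseable date as a finding in its own right, and lists the worst cases first.

```python
from datetime import date

# Constructed sample inventory: hypothetical hosts and dates, not data from the report.
# "signature_date" is the date of the last successful signature update, ISO format.
INVENTORY = [
    {"host": "ws-001", "product": "AV-Example", "signature_date": "2014-02-03"},
    {"host": "ws-002", "product": "AV-Example", "signature_date": "2014-01-20"},
    {"host": "srv-003", "product": "AV-Example", "signature_date": "2012-03-15"},
    {"host": "ws-004", "product": "AV-Example", "signature_date": None},
    {"host": "ws-005", "product": "AV-Example", "signature_date": "not-a-date"},
]

# Fixed audit date so the results are reproducible (assumption for the example).
AUDIT_DATE = date(2014, 2, 4)

# Policy thresholds (assumed values): signatures older than a week are stale,
# older than a year are "years out of date" in the sense the report describes.
MAX_AGE_DAYS = 7
YEARS_OUT_OF_DATE_DAYS = 365


def signature_age_days(signature_date, today):
    """Return the age in days of an ISO-format signature date relative to `today`.

    Returns None when the date is missing or cannot be parsed, so that a broken
    update record is surfaced instead of silently passing the check.
    """
    if not signature_date:
        return None
    try:
        return (today - date.fromisoformat(signature_date)).days
    except ValueError:
        return None


def find_stale_hosts(inventory, today, max_age_days=MAX_AGE_DAYS):
    """Return a list of findings for hosts that fail the signature-age check.

    Each finding is {"host", "age_days", "reason"}. Hosts with no usable date
    come first (unknown state is the worst case), then the oldest databases.
    """
    findings = []
    for record in inventory:
        age = signature_age_days(record.get("signature_date"), today)
        if age is None:
            findings.append({"host": record["host"], "age_days": None,
                             "reason": "no usable signature date recorded"})
        elif age > max_age_days:
            reason = ("years out of date" if age > YEARS_OUT_OF_DATE_DAYS
                      else "stale")
            findings.append({"host": record["host"], "age_days": age,
                             "reason": reason})
    # Unknown age sorts before known ages; known ages sort oldest first.
    findings.sort(key=lambda f: (f["age_days"] is not None, -(f["age_days"] or 0)))
    return findings


if __name__ == "__main__":
    for finding in find_stale_hosts(INVENTORY, AUDIT_DATE):
        age = finding["age_days"]
        shown = f"{age} days" if age is not None else "unknown"
        print(f"{finding['host']:10} {shown:>10}  {finding['reason']}")
```

In practice the inventory would come from the anti-virus management console or an endpoint-management export rather than a hard-coded list, and the thresholds would come from the agency's own policy; the point is that "subscription current" is a per-host fact that has to be measured, not assumed.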
Third, some sensitive data was unencrypted or only weakly encrypted. Confidentiality is a principle we discuss at length in Course 468. We talk about how encryption works and how to use it. We even use encryption software to encrypt files and share them on a server. This is very important stuff. Sensitive data should be encrypted, and even military-grade encryption is not that difficult to deploy these days. If they don’t already have them, these agencies need policies stating what must be encrypted and how. And someone needs to check that it actually is, before an external auditor finds out that it isn’t.
There is a lot to learn from the report and I suggest you read it. My goal in suggesting that is not to highlight which agencies did what wrong, but rather to learn what matters so we can secure our systems and networks more fully. That’s the goal of the security class, too.