Just a few days ago as I write this, February 4th to be specific, the Homeland Security and Governmental Affairs Minority Committee of the US Senate released a report about the security of government agencies. You can get a PDF copy here. The report, called The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure, isn’t long at 19 pages, but it does have some interesting tidbits.
One paragraph really struck me:
Sensitive databases protected by weak or default passwords.
At NPPD, which oversees DHS’s cybersecurity programs, the IG found multiple accounts protected by weak passwords. For FEMA’s Enterprise Data Warehouse, which handles reports on FEMA’s disaster deployment readiness and generates other reports accessing Personally Identifying Information (PII), the IG found accounts protected by “default” passwords, and improperly configured password controls.
Really? Default passwords?
I can understand some weak passwords. Sometimes we need to enter a particular password so often that even using a password keeping tool (as I have recommended before) seems to be too much work. I know, I’ve been there. The thought is that a simple password provides some protection and makes it easier to get work done. I don’t think that’s appropriate to protect PII data though.
This is another case where something other than passwords may be appropriate: a chipped card, a token, biometrics maybe. There are lots of choices. Long time readers of this blog know my disdain for simple passwords.
Using default passwords is another issue altogether. Default passwords are the ones set by the manufacturer. They’re generally the same for all similar products from the same manufacturer, or they can be easily discovered (such as on some DSL modems). Don’t use default passwords even at home! There are even lists of default passwords on the Internet. They provide virtually no security whatsoever!
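As an added illustration (my own example, not part of the report or the original post), here is the kind of audit a defender can run against stored credentials and password-control settings. It assumes accounts store salted PBKDF2-HMAC-SHA256 hashes; the default-password list, the baseline values and the sample accounts are constructed placeholders, not any vendor's real defaults.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed, illustrative list of vendor-style default passwords (placeholders).
DEFAULT_PASSWORDS = ("admin", "password", "changeme", "default")
ITERATIONS = 100_000  # assumed PBKDF2 work factor for the stored hashes

# Assumed baseline the password controls are audited against.
BASELINE = {"min_length": 12, "lockout_threshold": 5}

@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes  # PBKDF2-HMAC-SHA256(password, salt, ITERATIONS)

def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, derive(password, salt))

def find_default_credentials(accounts: list) -> list:
    """Usernames whose stored hash equals the hash of a known default.
    Only the stored salt and hash are needed; no plaintext is handled."""
    return [a.username for a in accounts
            if any(hmac.compare_digest(derive(d, a.salt), a.pw_hash)
                   for d in DEFAULT_PASSWORDS)]

def check_password_controls(policy: dict) -> list:
    """Report each control that is weaker than the baseline (0 = disabled)."""
    findings = []
    if policy.get("min_length", 0) < BASELINE["min_length"]:
        findings.append("minimum length below baseline")
    lockout = policy.get("lockout_threshold", 0)
    if lockout == 0 or lockout > BASELINE["lockout_threshold"]:
        findings.append("account lockout disabled or threshold too high")
    if not policy.get("change_on_first_login", False):
        findings.append("initial/default password not forced to change")
    return findings

# Constructed sample data: one account still on a default, one on a passphrase.
SAMPLE_ACCOUNTS = [make_account("dw_report_svc", "changeme"),
                   make_account("analyst1", "correct horse battery staple 2014")]
WEAK_POLICY = {"min_length": 6, "lockout_threshold": 0, "change_on_first_login": False}

if __name__ == "__main__":
    print("default credentials:", find_default_credentials(SAMPLE_ACCOUNTS))
    print("control findings:", check_password_controls(WEAK_POLICY))
```

Run against real data, only the salted hash store and the policy export are needed, which is exactly what an IG-style review would ask for.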
We discuss both weak passwords and default passwords in Learning Tree Course 468, System and Network Security Introduction. Authentication is a major part of the course and should be a major concern for all organizations – government or private sector.
There are lots of other interesting findings in the report I cited above. I’m glad someone is doing studies like this. We all need to be concerned about the security of government data. On the other hand, it’s disturbing that there were so many “findings”. The report is short. It doesn’t take long to read. Let us know in the comments below which issues you find most interesting (or disturbing).