Message-ID: <20051126013738.DB5809F7@lists.grok.org.uk>
Date: Sat Nov 26 01:37:45 2005
From: randallm at fidmail.com (Randall M)
Subject: Interesting reading-Government MAC systems under fire
Hi friends,
There is a very interesting development with the Department Of Interior and
its Security compliance. The Secretary and Inspector General of the DOI are
at odds on this issue. After the report of the lack of security as
demonstrated by pen-testing came out, a court order came ordering that the
systems be removed from the internet. Later, the Secretary through an
Appeals court stayed the order asking the Office of Management and Budget to
clarify what the compliances are and for a "clearer definition of adequate
security."
Now, if that argument is not by itself interesting, what the systems are
used for is the real story. They hold all the data for and about Indian
Trust payments for the oil, land, and other natural resources owed to some
500,00 Indians. The Tribes have filed a lawsuit for mismanagement of the
funds that are valued in the multiple billions. I have included here a
snippet of how the SANS newsletter posted this (also included the DHS's report
on FEMA databases). Then if you're interested in further reading see the link
to the Indian Trust website.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
HOMELAND SECURITY AND GOVERNMENT SYSTEMS SECURITY --Dept. of Interior Asks
OMB for FISMA Compliance Clarification (23/21 November 2005)
Department of the Interior (DOI) secretary Gale Norton has asked the Office
of Management and Budget (OMB) to clarify its interpretations of the
requirements for compliance with the Federal Information Security Management
Act (FISMA). DOI inspector general Earl Devaney's penetration testing
reportedly found that DOI networks were vulnerable to both internal and
external unauthorized access. The report concluded that DOI is not in
compliance with FISMA. DOI CIO Hord Tipton maintains Devaney's
interpretation of FISMA compliance exceeds basic requirements as reflected
in his answers in the FY 2005 reporting template. Mr.
Tipton also says the report does not take into consideration improvements
made during the year that came as a direct result of the IG's testing. Ms.
Norton maintains that her department meets FISMA requirements and has asked
OMB for a "clearer definition of adequate security."
http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=37643
http://www.fcw.com/article91521-11-21-05-Web
[Editor's Note (Schultz): Penetration testing performed by competent and
fully authorized individuals and organizations can be very beneficial.
At the same time, however, I hate to see the results of penetration tests
used in the way they apparently have been in the case of the Department of
the Interior. Penetration tests should never in and of themselves be used as
the sole evidence for the adequacy of security; they should instead be
considered part of a complete set of findings that include among other
things security reviews and vulnerability assessments.
(Paller): Gene's criticism is accurate but doesn't go far enough. People who
rely on penetration testing as their primary method of deciding whether
systems are vulnerable to cyber attacks are either misinformed or lacking in
competence.]
--DHS Inspector General: FEMA Core Databases are Not Secure
(21 November 2005)
According to a report from Department of Homeland Security (DHS) Inspector
General Richard L. Skinner, the Federal Emergency Management Agency (FEMA)
has not implemented sufficient security safeguards to protect its core
databases. The report acknowledges FEMA has made IT security improvements,
such as the development of a contingency plan. FEMA officials agree with the
majority of the findings and are taking action.
http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn2&story.id=37600
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
The following web site gives the views from the Tribe and lawyers involved
in the case. See the right side:
http://www.indiantrust.com/
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
In one of the articles the Inspector General states clearly that "his"
pen-testers were able to move around and even manipulate files. The
"editorial" section from SANS gives the opinion that "Penetration tests
should never in and of themselves be used as the sole evidence for the
adequacy of security". I'm sorry, but when such an issue involves billions
of dollars and a "pen-tester" can move around the systems with no problem I
think that suffices as somewhat of a sole evidence needed! I also cannot
help but think that this "full disclosure" could be read by the wrong person
and a different penetration is imminent. Some of you on this list have dealt
with Government systems and probably know and understand the Inspector
General's plea.
Thank You
Randall M
=====================
"You too can have your very own Computer!"
Note: Side effects include:
Blue screens; interrupt violation;
illegal operations; remote code
exploitations; virus and malware infestations;
and other unknown vulnerabilities.