Monday, April 23, 2007

The Cyber INsecurity and hackers
If you had no chance to read the newest document from a ground-breaking Congressional hearing, it's worth reading:
http://homeland.house.gov/SiteDocuments/20070419153038-21091.pdf
This is an outstanding document that confirms that our Government is still quite rusty on IT security. Some of the statements in this document are quite troubling: "We don't know the scope of our networks," said subcommittee chairman Langevin, "We don't know who's inside our networks. We don't know what information has been stolen. We need to get serious about this threat to our national security."
The purpose of this hearing was to give House members the opportunity to understand how deeply federal systems have been penetrated and what the Department of Homeland Security and others are doing to stop the compromises.
(thanks to Alan Paller from SANS who shared this information)

Let me tell you one story (a good addendum to this article).
Some days ago, I began working for one of the divisions in a Government organization (I am skipping the real name). I came across the Division Director's laptop, which is frequently used outside of the agency's headquarters. As you know, in order to configure the laptop for any program, you have to have administrator privileges. I was told that the password on this laptop is the word "password".

Being in the security field for more than 8 years, I felt obligated to remind all division employees of the importance of strong passwords. So, I found an excellent article on the web about that topic and sent it to all employees. In particular, the article stated that the password "password" can be cracked in 0.5 sec. You won't believe what happened next. My team leader said that the "boss" was not happy about it, and "suggested" (you know what that means) not to post information of that kind anymore.
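To make the "0.5 seconds" point concrete from the defender's side, here is a small password-policy check that a help desk or imaging script could run before an administrator password is accepted. This is an added example, not code from the original post or from the agency in the story; the common-password list and the guessing rate of one billion attempts per second are constructed assumptions for illustration. It shows why "password" fails on two independent grounds: it is on every cracker's first wordlist, and even a blind brute force of eight lowercase letters finishes in minutes.

```python
import math

# Constructed sample list for this example; a real deployment would load a large
# breached-password corpus instead of these six entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin", "welcome"}

# Assumed offline guessing rate of a cracking rig (an assumption for this
# example, not a figure from the post).
GUESSES_PER_SECOND = 1e9

ONE_YEAR_SECONDS = 365 * 24 * 3600


def normalize(pw: str) -> str:
    """Drop digits/punctuation and lower-case, so 'Password1!' still matches 'password'."""
    return "".join(c for c in pw if c.isalpha()).lower()


def charset_size(pw: str) -> int:
    """Alphabet an attacker must search, given only which character classes appear."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable punctuation plus space
    return size


def entropy_bits(pw: str) -> float:
    """Upper bound on search-space entropy: length * log2(alphabet size)."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def brute_force_seconds(pw: str) -> float:
    """Worst-case time to exhaust the whole keyspace at GUESSES_PER_SECOND."""
    if not pw:
        return 0.0
    return charset_size(pw) ** len(pw) / GUESSES_PER_SECOND


def check_password(pw: str, min_length: int = 12) -> tuple[bool, list[str]]:
    """Return (accepted, reasons). Every failing rule is reported, not just the first."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS:
        reasons.append("on the common-password list: a dictionary attack finds it immediately")
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if brute_force_seconds(pw) < ONE_YEAR_SECONDS:
        reasons.append("full keyspace exhaustible in under a year at the assumed rate")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("password", "Password1!", "correct horse battery staple"):
        ok, why = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'}; "
              f"{entropy_bits(candidate):.1f} bits, "
              f"brute force {brute_force_seconds(candidate):.3g} s")
        for r in why:
            print("   -", r)
```

The ordering of the checks matters in practice: the dictionary test runs first because an attacker tries wordlists long before exhaustive search, so a password such as "Password1!" that looks diverse still falls to the normalized lookup. The brute-force estimate is only a ceiling; real crack times are far shorter for anything resembling a word.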

The Russians have a proverb that, in direct translation, says "the fish rots from the head". How will employees take care of password security if their general manager not only ignores it but even punishes it?!

I don't know what, beyond the events of September 11, would have to happen to shake people up to the point that they finally feel the INsecurity of passwords that are NOT secure enough, networks that are NOT protected enough, and operating systems that are NOT patched in a timely manner, and realize that the cyber flavor of terrorism is a real thing.

1 comment:

cyberteacher said...

The follow up:

--Second Congressional Hearing Highlights Federal Cyber Security Failure (April 26, 2007) Several of the nation's most respected cyber security experts on Wednesday told the Homeland Security Committee's Emerging Threats and Cyber Security Subcommittee that the US is unprepared to defend its systems or recover from a broad-based cyber attack. "Foreign intelligence agencies must weep with joy when they contemplate U.S. government networks," said James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, who went on to describe "an unparalleled looting of U.S. government databases."
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9017860
http://blog.washingtonpost.com/securityfix/2007/04/nations_cyber_plan_outdated_la.html?nav=rss_blog
http://www.darkreading.com/document.asp?doc_id=122732&WT.svl=news2_1