Faulty Firewalls Take the Heat
Firewalls or "Fire Logs"?Firewalls or "Fire Logs"? The latter is the unkind nickname for firewalls so poorly configured that "they might as well not be there," as shared by Bob Dacey, director for information security issues at the U.S. General Accounting Office, during the annual Control and Audit of Information Technology Conference Oct. 8 in Washington. Dacey reviewed the results of his audit of federal agencies IT security posture. Program management and access control were the two worst areas, with all agencies having "significant weaknesses" in these areas, he said. "When people move from one area to another, they get new access rights but dont lose their old ones; their rights accumulate," he said, in describing a common pattern leading to serious vulnerabilities.
In general, according to Dacey, too many users have too many privileges. "Once were in, its easy to get around," he said, describing the results of his own agencys "white hat" attacks on other federal systems. "Once we have a user ID, were usually able to get administrator privileges."