An ongoing audit of user accounts in the armed services has uncovered an epidemic of expired and unauthorized accounts, including 3,000 in DISA (Defense Information Systems Agency), 1,500 in the U.S. Armys Korean operation, and thousands more spread throughout the military services.
The weak account management, in addition to slow patch distribution, could be exploited by hackers to gain access to military systems, and has prompted a wholesale review of the militarys IT infrastructure, according to Lt. Gen. Charles Croom Jr.
The account audit was prompted by a general "stand down" by the U.S. Department of Defenses militarys information assurance groups in November 2005, said Croom, who is Commander of the Joint Task Force – Global Network Operations within the DOD.
Croom was addressing an audience of military and civilian cyber crime experts at the annual DOD Cyber Crime Conference in Palm Harbor, Fla.
"The stand down focused us to think about how we think about our networks. Verifying user accounts was about asking Who is on the network? Do they have a valid user account?"
Often the answer to that question was "no," according to Croom, who said that the review is ongoing and will not be complete for all DOD agencies until March.
Between 10 and 20 percent of the accounts audited were flagged for one reason or another.
Many were merely inactive: vestiges left behind when military personnel transferred from one role to another within the armed forces.
Others were valid user accounts that had been assigned inappropriate or unnecessary permissions, Croom said.
Croom declined to comment on how many of the accounts were unauthorized or malicious in origin.
However, there are ominous signs that outsiders may have been using the accounts to access military systems.
In the weeks since the military began flagging and disabling the accounts, there has been a marked increase in so-called "spear phishing" attacks against DOD personnel, in which outsiders send e-mail messages that appear to come from superiors within the DOD and ask the employee to provide their password.
Croom declined to comment on the source of the attacks, but said they were evidence that the change in account management and provisioning was working.
But poor management of user accounts and permissions, which is often referred to as "provisioning," is just one problem facing the military.
The DOD and armed services are also struggling to remediate vulnerabilities in the hardware and software it uses.
The military deployed double the number of security patches in 2005—42—as it did in 2004.
However, the process is very slow, and often relies on manual processes and phone calls to coordinate between the four branches of the military and 30 military agencies, he said.
DOD has also cracked down on open communications ports on the systems that run on its networks, and has closed around 90 percent of inbound and outbound ports on its systems, he said.
However, vulnerability tracking, user tracking and compliance checking are also decentralized and inefficient, often relying on manual processes that vary from agency to agency.
"We have inadequate visibility into the global [military] network," he said.
The U.S. military operates more than 1,500 networks, containing both classified and unclassified information.
However, those networks often lack internal boundaries and firewalls that would prevent an intruder who had penetrated the militarys perimeter defenses in one part of the network from traversing the entire military system, Croom said.
The DOD will be conducting a ground-up review of its classified and unclassified networks and may even need to rebuild those networks from the ground up to improve their security, Croom said.
"The network is now critical to the war fight. You cant go to war without it," he said.