Firewalls or “Fire Logs”? The latter is the unkind nickname for firewalls so poorly configured that “they might as well not be there,” as shared by Bob Dacey, director for information security issues at the U.S. General Accounting Office, during the annual Control and Audit of Information Technology Conference Oct. 8 in Washington.
Dacey reviewed the results of his audit of federal agencies IT security posture. Program management and access control were the two worst areas, with all agencies having “significant weaknesses” in these areas, he said. “When people move from one area to another, they get new access rights but dont lose their old ones; their rights accumulate,” he said, in describing a common pattern leading to serious vulnerabilities.
In general, according to Dacey, too many users have too many privileges. “Once were in, its easy to get around,” he said, describing the results of his own agencys “white hat” attacks on other federal systems. “Once we have a user ID, were usually able to get administrator privileges.”
Dacey also cited the increasing sophistication of formerly “dumb” peripherals. “We find printers that have IP addresses,” he said. These devices can turn out to be points of network entry. But no amount of technical scrutiny can protect systems that are badly configured or incompetently managed, he said. “On one system, virtually every user had access to an unencrypted file of passwords—including the administrator password,” he said.
Its up to departmental managers, as well as IT managers, to educate users so that such glaring oversights dont arise.