Department of Homeland Security Not Very Secure

DooKey

According to a recent report from the Office of Inspector General, the Department of Homeland Security isn't as secure as it could be. The report states that some configuration settings are improperly configured, unsupported OSes are still in use, they don't patch vulnerabilities quickly, and many more problems. Ultimately these problems are blamed on a lack of security talent. Furthermore, I completely believe all of these findings because they jibe with many I witnessed while I was a member of the Air Force IT team. Until leadership addresses their manning and enforcement issues the Department is going to be vulnerable.

The report also scolds DHS for continuing to use unsupported operating systems. DHS, the Coast Guard, and the Secret Service were all found to be using Windows Server 2003 after Microsoft's July 2015 discontinuation of support.
 
They've also already been hacked 3-4 times and are still in the same boat. LOL!
 
Sounds like DHS is in the same boat as most folks and companies. Too many things to keep track of, not enough cyber security folks to do the needed work. Just because MS deems a product EOL, doesn't mean end users automagically get new money to replace the product. If you think things are bad now, wait until Win 10 becomes the main server product. Instead of a many year lifecycle, now you have an 18~36 month lifecycle with MS controlled major OS updates. Some clients will respond by just blocking MS updates at the firewall rather than deal with the constant full systems testing required for each major OS update. It's not just MS. Cisco has hardcoded passwords. Smartphones can be a den of malware and often feature auto connect settings to any available Wi-Fi, allowing the malware to spread to other networks.

These days, almost any electronic gizmo can be an attack vector. Mice, keyboards, SD cards, TVs, Bluetooth headphones, connected cars, toys, etc. Most of which want to phone home to someone.
 
Just install Linux.

Problem solved.

If they don't have the resources to patch Windows, which is extremely easy, the same issue will be had with Linux. Sometimes, it's not the base OS, it's the many other packages/applications that ride on top of it. Windows may be an easy target due to its size, but Linux isn't necessarily more secure if you have people that don't know what they are doing and/or slow. Exploiting those known vulnerabilities can be very trivial at times. If they aren't patched, they are vulnerable. Regardless of OS.

Hit Vulnhub, Hackthebox, etc. for many examples of Linux boxes that are vulnerable and hackable (some can be pretty difficult while others are just insanely easy).
 
Just install Linux.

Problem solved.

That wouldn't resolve the issue. I've seen some poorly secured Linux boxes as well and they do also require patching when updates come out. What it comes down to is it all depends on how well you secure it. This is just another case of the US government not taking security very seriously; I don't think they ever have.
 
I am shocked, shocked, I say! This has been going on since the first viruses started appearing; security is so often #3 or lower compared to convenience and cost.
 
On the news lately, I hear of so much lack of security in departments and big or small companies. Often it can be fixed by consistent patching, updating the OS, and other relatively simple fixes, given a trained staff. It's a shame. Security/encryption, and protecting the privacy of all the information on subjects/people they possess should be number one priority. I truly hope they will hire more qualified and efficient cyber security personnel.
 
And this is the thing I don't like about the government. Too many agencies that don't share resources. A lot of cyber security processes and procedures have been created and constantly updated by DISA (Defense Information Systems Agency), but aren't used by anyone outside of DoD. Why? I don't know.

Instead, each of these Depts set up their own cyber security teams to secure their networks and obviously, some of them do a shit job of it. You'll still need a decent IT staff to implement the features, but at least you can cut down on cyber security staff and increase the cyber operations staff.

On the news lately, I hear of so much lack of security in departments and big or small companies. Often it can be fixed by consistent patching, updating the OS, and other relatively simple fixes, given a trained staff. It's a shame. Security/encryption, and protecting the privacy of all the information on subjects/people they possess should be number one priority. I truly hope they will hire more qualified and efficient cyber security personnel.

It'd be nice to see qualified and efficient cyber security personnel in general. We have our own cyber security team. Think it's 12 people. Not a single one of them would be able to open up PowerShell and dump a list of all AD users to a CSV file. They haven't a clue what they're reading when it comes to our DISA STIGs (Security Technical Implementation Guides). Nothing like getting a blank stare back from one of them, when you're explaining that you have to break STIG to make an application on a server work.
 
^^ that's exactly why i left security. i was a "security engineer" prior to "cyber" or "information assurance" being the latest buzzword title. the job went from the realm of jedi, to the realm of CISSPs and checkboxes. it's a complete shit show, today. when you have idiots running around checking boxes, not even sure what they're doing or why they're checking it, they aren't going to proactively do anything but waste tax dollars.

now i work for a privately owned VAR/MSP, saving the government from themselves.
 