[ISN] GAO: FBI's internal network has critical security flaws
By Wade-Hahn Chan
May 24, 2007
The FBI could be exposing critical networks and information to attacks
and insider threats, the Government Accountability Office says.
In a report published today, GAO found that the FBI uses inadequate
information technology security controls on its critical internal
networks. The combined security problems could lead to a breach of
sensitive information or an insider attack, the report states.
The problems include:
* Inconsistent configurations for network devices.
* Inadequate control over identification and authentication to ensure
that only authorized individuals can access networks.
* Individuals' ability to access information and functions outside what
they need to perform their jobs.
* Unencrypted sensitive data.
* Patches that were not installed in a timely manner.
* Employees not following physical security policies with their
Additionally, although the FBI established the Enterprise Security
Operations Center to monitor and protect information systems, the center
could not effectively audit and monitor all security-related activity on
"These weaknesses place sensitive information transmitted on the network
at risk of unauthorized disclosure or modification, and could result in
a disruption of service, increasing the bureau's vulnerability to insider
threats," the report states.
The report also notes that many of the FBI's insecurities could violate
the Federal Information Security Management Act.
FBI Deputy Chief Information Officer Dean Hall concurred with many of
the findings, but told GAO the bureau didn't believe the weaknesses added
up to an increased risk to FBI information.
"The FBI has made significant strides in reducing these risks by
establishing policy, processes and procedures to ensure the
confidentiality, integrity and availability of law enforcement,
investigative and intelligence information," Hall said.