DHS security still full of holes
Despite much work done since last year, the Dept. of Homeland Security still has not corrected numerous security holes, many of which were previously identified. eWeek reports:
According to a July audit letter from KPMG LLP released last week, the DHS did not correct vulnerabilities in access controls and systems software that had been identified previously, limiting its ability to ensure that data is maintained with confidentiality, integrity and availability. The audit focused on the agency's financial reporting, and the weaknesses found had a negative impact on the financial internal controls, in particular.
One of the most significant problems was found with access control inside the department's firewalls. Reminiscent of the weak "yellow sticky note" password system found all too frequently in the private sector, users at the DHS were sometimes able to use sensitive testing and development devices with a group password or system default password.
KPMG also found that many user accounts were not configured for automatic log-off or lockout and that some workstations and servers were configured without necessary security patches.