Information Security News mailing list archives

Networks ill-prepared for hackers, terrorists


From: InfoSec News <isn () c4i org>
Date: Fri, 19 Apr 2002 03:55:51 -0500 (CDT)

http://www.nationalpost.com/home/story.html?f=/stories/20020417/666688.html

Andrew McIntosh
National Post
amcintosh () nationalpost com
April 17, 2002
 
OTTAWA - The government is failing to strengthen security measures for
its computer systems and networks across all departments, exposing
critical government infrastructure to cyber attacks by thrill-seeking
hackers and terrorists, the Auditor-General warned yesterday.

If steps are not taken to fix problems fast, it could undermine the
federal government's much-vaunted effort to connect Canadians to the
Web and provide credible online government Internet services, Sheila
Fraser says.

"Cyber threats are real and can do significant damage," she wrote.  
"They can impair information assets and disrupt business operations.  
Some incidents result in lost productivity; others can lead to a loss
of consumer confidence, a tarnished reputation and loss of
credibility, to outright fraud."

In a special audit tabled in her annual report to Parliament, the
Auditor-General paints a picture of a slow-moving bureaucracy in a
state of denial about the threats posed by hackers, and inaction on
the computer security front.

Auditors embarked on a series of "vulnerability assessments" of
government computer systems.

They conducted what they called "war dialling" tests of government
phone lines and checked 260 separate government systems for possible
vulnerabilities.

One third of the systems checked contained vulnerabilities that "could
allow the systems to be readily compromised by a targeted cyber
attack," the audit found.

In one case, they found a system with no password for its
administrator, "allowing any Internet user to gain access to the
system."

In another case, a government system was so weak it could allow a
hacker to install software "to attack other systems on the Internet"  
and make it appear that the attacks "were initiated by the
government."

The government knows the threat is real, Ms. Fraser added.

In the summer of 1999, federal officials studied security measures for
Internet sites and computer systems involving six of its own
departments.

Officials learned that hackers triggered 80,000 alarms and, upon
further investigation, officials discovered 500 attempts by hackers to
penetrate government computers, "many using automated tools."

Ms. Fraser said that given the increased threat posed by possible
cyber attacks and the devastation they can be expected to cause, she
expected government oversight of computer security initiatives would
have been strengthened.

"However, this has not been the case," she wrote.

The government adopted a data security policy in 1994 that required
all departments to have security specialists from the Royal Canadian
Mounted Police review their system security measures at least once
every five years and more frequently for systems storing top secret
information.

Yet 85% of the departments that are subject to the policy failed to
comply.

So, the government adopted a new computer security policy in 2002: the
RCMP is no longer responsible for security reviews and there is no
longer a requirement that states the minimum frequency for security
assessments.

The government has pledged to complete a new report on the
"effectiveness of its computer security policies across all
departments by 2004.

"In our view," Ms. Fraser wrote, "a report is needed sooner."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

