Information Security
So, we have this big Department of Homeland Security which governs the security of... well, our Homeland. As such, it has become a symbol of security in the eyes of many corporations. But has it really earned that position, or do we assume too much?

Earlier this year a security firm spent five months testing the security of the department using various open system tools. The main purpose was to attack passwords, run vulnerability assessments against hosts, and find remote access points. When looking for weak passwords, they found that dictionary attacks had an 8-37% success rate in some departments. Of the four departments tested, only DHS Management was found compliant when subjected to password cracking attempts.

When testing remote access for home and authorized remote users, it was found that their policy lacked the authentication methods stated in official NIST guidelines and the recommendations of the National Security Agency. Some of the primary failures were due to password length and password aging. The report states: "Due to these remote access exposures, there is an increased risk that unauthorized people could gain access to DHS networks and compromise the confidentiality, integrity, and availability of sensitive information systems and resources."

When using vulnerability assessment tools to probe hosts, it was found that many systems lacked the most current patches, most of which were security related.

War dialing some 2,800 of their phone lines yielded 20 unaccounted-for modems, any of which could possibly provide remote access to sensitive systems.

Department CIO Steve Cooper stated that many of the auditors' concerns were overstated, as a failed-password policy would prevent attacks on passwords, and that systems suffering from known vulnerabilities were waiting for the associated patches to come out of testing. "As we complete the transition to Windows 2003 on most of our networks, it will be impossible to have a password that does not comply with DHS complexity requirements," Cooper wrote.
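The two password findings above (length and aging in the remote access policy, and the dictionary-attack success rates that Cooper says complexity rules will prevent) are exactly what a policy compliance audit script checks. The following is an added example, not code from the article or from the DHS audit: it scores a constructed set of accounts against an assumed policy modelled on the classic Windows-style complexity rule (minimum length, three of four character classes, username not embedded in the password), an assumed 90-day maximum password age, and a tiny word list standing in for a cracking dictionary. The thresholds, the word list and the sample accounts are all assumptions chosen for illustration. The interesting case is the account that passes complexity yet fails the dictionary check, which is why complexity requirements alone do not settle the auditors' concern.

```python
"""Password-policy compliance audit (constructed example, not the DHS audit's tooling).

Assumed policy (not from the article): Windows-style complexity (min length,
3 of 4 character classes, username not contained in password), a maximum
password age, and a proactive check against a small stand-in word list.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import re

MIN_LENGTH = 8              # assumed minimum length
MAX_AGE_DAYS = 90           # assumed maximum password age
# Tiny stand-in for a cracking dictionary; a real proactive check would use a full word list.
WEAK_WORDS = {"password", "welcome", "letmein", "summer", "admin"}
CLASSES = [re.compile(p) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")]
AUDIT_DATE = date(2004, 12, 21)   # constructed audit date


@dataclass
class Account:
    username: str
    password: str        # plaintext only for illustration; a live audit works from hashes
    last_changed: date


def complexity_ok(username: str, password: str) -> bool:
    """Windows-style complexity: length, 3 of 4 classes, username not embedded."""
    if len(password) < MIN_LENGTH:
        return False
    if sum(1 for c in CLASSES if c.search(password)) < 3:
        return False
    if username.lower() in password.lower():
        return False
    return True


def dictionary_hit(password: str) -> bool:
    """Proactive check: strip digits/symbols and see if a weak word remains."""
    core = re.sub(r"[^a-z]", "", password.lower())
    return core in WEAK_WORDS


def audit(accounts, today: date) -> dict:
    """Return {username: [findings]}; an empty list means the account is compliant."""
    report = {}
    for a in accounts:
        findings = []
        if not complexity_ok(a.username, a.password):
            findings.append("complexity")
        if dictionary_hit(a.password):
            findings.append("dictionary")
        if (today - a.last_changed).days > MAX_AGE_DAYS:
            findings.append("aging")
        report[a.username] = findings
    return report


def compliance_rate(report: dict) -> float:
    """Fraction of accounts with no findings."""
    return sum(1 for f in report.values() if not f) / len(report)


# Constructed sample accounts (hypothetical users and passwords).
SAMPLE_ACCOUNTS = [
    Account("alice", "Tr0ub4dor&3", AUDIT_DATE - timedelta(days=30)),   # compliant
    Account("bob",   "Welcome1!",   AUDIT_DATE - timedelta(days=10)),   # complex, but a dictionary word
    Account("carol", "carol2004",   AUDIT_DATE - timedelta(days=200)),  # contains username, too old
    Account("dave",  "summer",      AUDIT_DATE - timedelta(days=10)),   # short and a dictionary word
]


def run_sample_audit() -> dict:
    return audit(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    report = run_sample_audit()
    for user, findings in report.items():
        print(f"{user:6s} {'OK' if not findings else ', '.join(findings)}")
    print(f"compliance: {compliance_rate(report):.0%}")
```

Run it and "bob" is reported only under "dictionary": the password satisfies every complexity requirement but is a common word with the usual digit and symbol tacked on, which is precisely what a dictionary attack with mangling rules recovers. A 25% compliance rate on this constructed sample is the kind of figure an auditor reports per department; a lockout policy limits online guessing but does nothing against offline cracking of captured hashes, so an aging and proactive-check policy still matters.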

These problems are far from uncommon in the corporate world today, and apparently in our highest government offices as well. Although there are many levels of acceptable security, a thorough security audit is the only way to determine where you stand.

Comments
on Dec 21, 2004
Imagine what would happen if politicians (at any level of government) announced to their constituents that the absolute best defense against any security threat is that we all need to wake up and pay more attention to what we are doing.

Any politician who tried it should make sure they have their resume in order because I doubt they would survive the next election cycle.

The sad fact is, no Dept. of Homeland Security or even IT guy at work can be more effective against any level of security threat than a population which actually accepts the fact that they are (not could be) a target.

Hopefully your article will serve as a friendly reminder to everyone who cares to read it. It is not being paranoid to be aware of a threat.