A Shocking State of IT Security

By Peter Piazza

Throwing money at information security has never been a particularly effective way of preventing or solving IT problems. Indeed, the Department of Energy (DOE) is finding that throwing $2.7 billion (the amount estimated for fiscal year 2004) at its computer security issues may not do the job. The agency's inspector general, Gregory H. Friedman, noted in a recent evaluation of systems that while DOE "continues to improve its unclassified cyber security program," there are still many problems that "could expose critical systems to compromise."

The weaknesses that remain include the lack of certification and accreditation of major networks, which would enable administrators to identify and mitigate risks; the absence of contingency plans to keep mission-critical systems up and running after an emergency or disaster; and a host of access control problems.

These last weaknesses were found in 7 out of the 25 sites under review and included vendor passwords left unchanged (the report notes that default vendor passwords are widely known and thus easy to exploit), excessive system-administrator access privileges, and the granting of network access to some students and visitors without performing mandatory background checks.

The upshot is that DOE networks are not only at risk, but under regular attack, Friedman concludes. "The potential for harm is demonstrated by the frequency of successful intrusions, 199 in the last year, affecting 3,531 systems across the complex," he writes. "Without continuing vigilance in this area, it is likely that future attacks will continue to jeopardize the availability and integrity of critical information technology assets."

The inspector general's full report is available via SM Online.

Attachment: doe_techtalk1204.pdf (390.22 KB)
