EPA cleans up security mess
- By William Matthews
- Jun 26, 2000
Six months after computer security at the Environmental Protection Agency
was judged to be so flawed as to be ineffective, the agency continues a
massive security overhaul.
Security lapses left the EPA so vulnerable that, in February, the agency
shut down its World Wide Web sites and cut off outside access to its computer
systems to prevent them from being damaged in online attacks.
In the months since then, an information security team has ordered more
than 100 changes in security practices. Still, about 30 percent of the services
that were disconnected remain offline, according to George Bonina, the EPA's
director of information security.
Dial-in access to the EPA's computer systems is one of the services
not fully restored. It is proving difficult to secure. Permitting remote
access can "open up huge holes in the firewalls. We don't have that fixed
yet," Bonina told a group of federal Webmasters on June 22.
Public access to the EPA's Web sites has been restored, however. "The
public was clamoring for access" after the Web sites were shut down, he
The EPA's vulnerabilities were discovered late last year during a security
audit by the General Accounting Office. GAO investigators penetrated the
EPA's systems that contained sensitive and national security-related information.
The agency's computer vulnerabilities were not obvious, even to many
in the EPA. "Our actual security program on paper was pretty good. We just
weren't implementing it," Bonina said.
Vulnerability came from a multitude of sloppy practices. For example,
"we got clobbered because of passwords," he said. Even system administrators,
who should know better, used passwords that were easy to guess. One used
"sysadmin," he said.
Passwords were changed, and now system administrators are required to
certify that they are following sound password practices.
Another weakness was created by the EPA's failure to keep access to
its systems up-to-date. "We had a lot of people who were long gone from
the agency who still had accounts" that gave them access to the EPA's computers,
Bonina said. Some were contractors, some were former employees and some
were simply outsiders, he said. And "a lot of people were sharing accounts,"
which made it difficult to control access.
The EPA operates about 1,500 servers; during the security overhaul,
agency officials discovered that "not all of them were configured to agency
standards," Bonina said. That has been cleaned up, he said.