Security gaps defy easy fixes

Related Links

"The great divide"

Hackers from the computer security firm Predictive Systems Inc. had no trouble late last year breaking into the Bureau of Indian Affairs' $40 million trust accounting system — they went in through a "back door" of the Interior Department's many Web sites.

That exploit reportedly made U.S. District Judge Royce Lamberth so angry that he issued the order to disconnect all of Interior's computer systems from the Internet. Since then, Lamberth has ordered Interior to get approval from Alan Balaran, the court's special master, before reconnecting its sites.

Balaran so far has demanded that Interior meet a high standard for security on any systems related to Indian trust data. Ensuring the security of this data on systems that were lacking in all measurable aspects requires "careful scrutiny," he wrote in a report filed Jan. 16 with the court.

Still, how long can it possibly take to put up firewalls and other security devices on Interior's systems? After all, the agency is one of the smallest in the federal government.

Security, however, isn't nearly as easy as it looks, experts in the field say.

"A firewall is simply a bunch of rules about what data traffic is allowed through that someone could use to gain access to the routers, servers and workstations on the network that are inside the firewall. It sounds more robust than it really is," said Clint Kreitner, president and chief executive officer of the Center for Internet Security.

"There are no silver bullets. A firewall isn't the one and only answer," said Lawrence Rogers of the CERT Coordination Center at Carnegie Mellon University.

"The security continuum runs from 'secure' to 'usable.' The challenge that systems administrators face is where to position themselves on that line," Rogers said. "The most secure system is the one that's turned off and sitting over in the corner. But it's not particularly useful."

Interior is still using one of the two legacy systems that the BIA's Trust Asset and Accounting Management System was supposed to replace, and that exacerbates the security problem, the experts add.

"Retrofitting meaningful security into database code that was not initially designed for that purpose is lengthy and difficult work," said Jon Lasser of Cluestick Consulting, a local computer-security consulting firm.

"Most [legacy] databases were designed before the Internet, back when everyone who worked on them was in a single building and could all know and trust each other," Lasser said. "Adapting from this small-town mentality to the big-city mentality of the Internet requires deep change."

Featured

  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.