Lessons Can Be Learned From Homeland Security Weaknesses - InformationWeek




Companies can learn a few lessons from the security missteps and weaknesses at the Department of Homeland Security. Here are some tips to reduce your vulnerability.

As bad as information security may be at the Department of Homeland Security, its situation should serve as a lesson for IT and security managers on the corporate side.

In a Congressional hearing on Wednesday afternoon, congressmen and government officials took a hard line with the Department of Homeland Security and its CIO, Scott Charbo, over the number of security vulnerabilities and breaches that have plagued the agency. And this isn't just any government agency. DHS is an umbrella agency charged with preventing terrorist attacks within the United States, and in that vein it is also meant to lead the country's cybersecurity efforts.

Wednesday's hearing, though, highlighted some pervasive problems in the department's network: infected desktops, unauthorized laptops connected to the network, classified e-mails sent over unclassified networks, and classified "data spillage," that is, classified information ending up on systems not accredited to hold it.

Keith A. Rhodes, chief technologist at the U.S. Government Accountability Office and the man considered to be the federal government's top hacker, said in an interview that the spotlight on security weaknesses at DHS should be a wake-up call, because none of those weaknesses is specific to government agencies. They are problems any company could be suffering from.

"They should be thinking about this," he said, adding that there are four major areas that CIOs and CSOs should be focusing on.

  1. Don't Be Cheap -- If you're in a position of authority, you've got to understand that you have to put some money into this. It does not have to break the bank, but it does not come for free. CIOs and CSOs have to have a budget and they have to have the backing of the board, and the board has to understand that it has something to lose.

  2. IT Must Talk To The Users -- IT managers and the IT workers down in the trenches need to understand what it is they're protecting. They're not just protecting boxes and machines. The people who run the systems have an obligation to talk to the users to understand the value of the information they're protecting. What is this information? How critical is it? Based on the value of particular information, they might, for instance, decide that access to certain systems needs two-factor authentication.

  3. Users Need To Be Vigilant -- Users need to understand that they have a mission, a part to play in protecting their company. They need to keep their eyes and ears open about what's going on in the system and be aware of things that don't look right. A user has to notice when systems behave differently than normal. They have an obligation to tell someone if, in the middle of doing something, the system logs them out and then asks them to log back in again. That could be a sign that someone has injected a fake log-in screen to capture passwords, and the right response is to report it rather than simply type the password again.

  4. Get Legal Involved -- The company has to understand what it can and cannot do in order to protect its systems. How can they appropriately and legally monitor employees? How do they go about collecting evidence after a breach? What is the company's relationship to local law enforcement and the FBI?
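The "logged out, then asked to log back in" symptom in point 3 is something the security team can look for on its own, not only wait for users to report. The following is an added example, not code from the article, from GAO or from DHS: it scans authentication records for a session that ended for a reason other than an explicit user logout and was followed within a short window by a fresh successful login for the same user on the same host. The log format (timestamp plus key=value fields), the field names, the 120-second window and the sample records are all constructed for this illustration; a real deployment would map its own directory or endpoint logs onto the same three facts (who, on which host, why the session ended).

```python
"""Flag sessions that were cut off and then immediately re-authenticated.

Heuristic (an assumption of this example, not a standard): a session that
ends for any reason other than an explicit user logout, followed by a new
successful login for the same user on the same host within WINDOW, is
worth a look. It matches the symptom of a fake login prompt that kicks the
user out and harvests the credentials they type to get back in.
"""
from datetime import datetime, timedelta

# Constructed sample log in a made-up "timestamp key=value ..." format.
# It is not the format of any real product.
SAMPLE_LOG = """\
2007-06-20T09:00:00 host=ws17 user=jdoe event=login src=10.1.2.3 result=success
2007-06-20T12:00:00 host=ws17 user=jdoe event=session_end reason=user_logout
2007-06-20T12:00:40 host=ws17 user=jdoe event=login src=10.1.2.3 result=success
2007-06-20T14:30:05 host=ws17 user=jdoe event=session_end reason=terminated
2007-06-20T14:30:25 host=ws17 user=jdoe event=login src=10.1.2.3 result=success
2007-06-20T15:10:00 host=ws22 user=asmith event=session_end reason=terminated
2007-06-20T15:10:05 host=ws22 user=asmith event=login src=10.1.2.9 result=failure
2007-06-20T15:10:30 host=ws22 user=asmith event=login src=10.1.2.9 result=success
2007-06-20T16:00:00 host=ws30 user=bking event=session_end reason=terminated
2007-06-20T17:45:00 host=ws30 user=bking event=login src=10.1.2.5 result=success
"""

# Assumed window: a harvested credential is usually replayed or the user
# re-logs in within seconds, not hours.
WINDOW = timedelta(seconds=120)


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_forced_reauth(records, window=WINDOW):
    """Return (user, host, session_end_ts, relogin_ts, seconds_between)
    for every non-user-initiated session end that was followed by a
    successful login for the same user/host within `window`."""
    pending = {}  # (user, host) -> timestamp of an unexplained session end
    hits = []
    for r in sorted(records, key=lambda r: r["ts"]):
        key = (r["user"], r["host"])
        if r["event"] == "session_end":
            if r.get("reason") == "user_logout":
                pending.pop(key, None)      # a normal logout clears suspicion
            else:
                pending[key] = r["ts"]      # remember the unexplained cut-off
        elif r["event"] == "login" and r.get("result") == "success" and key in pending:
            ended = pending.pop(key)
            gap = r["ts"] - ended
            if gap <= window:
                hits.append((r["user"], r["host"], ended, r["ts"], int(gap.total_seconds())))
    return hits


if __name__ == "__main__":
    for user, host, ended, relogin, secs in find_forced_reauth(parse_log(SAMPLE_LOG)):
        print(f"{user}@{host}: session ended {ended:%H:%M:%S}, "
              f"re-login {relogin:%H:%M:%S} ({secs}s later) - ask the user what they saw")
```

Run against the constructed sample, the script flags jdoe on ws17 (terminated, re-login 20 seconds later) and asmith on ws22 (terminated, a failed attempt, then success 30 seconds later); jdoe's midday logout-and-return is ignored because the user ended the session, and bking's re-login an hour and three-quarters after the cut-off falls outside the window. A hit is a prompt to ask the user what they saw, which is exactly the conversation point 3 asks users to start themselves.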
