3 min read

Lessons Can Be Learned From Homeland Security Weaknesses

Companies can learn a few lessons from the security missteps and weaknesses at the Department of Homeland Security. Here are some tips to reduce your vulnerability.
As bad as information security may be at the Department of Homeland Security, the situation should act as a good lesson for IT and security managers on the corporate side.

In a Congressional Hearing on Wednesday afternoon, congressmen and government officials took a hard line with the Department of Homeland Security and its CIO, Scott Charbo, over the number of security vulnerabilities and breaches that have plagued the agency. And this isn't just any government agency. The DHS is an umbrella agency that is in charge of preventing terrorist attacks within the United States. In that vein, it's set up to be the leader in the country's cybersecurity.

Wednesday's hearing, though, highlighted some pervasive problems in the department's network -- infected desktops, unauthorized laptops connected to the network, classified e-mails sent over unclassified networks, and classified "data spillage."

Keith A. Rhodes, chief technologist at the U.S. Government Accountability Office and the man considered to be the fed's top hacker, said in an interview that the spotlight on security weaknesses at DHS should be a wake-up call because none of them are government-agency specific. They're problems that any company could be suffering from.

"They should be thinking about this," he said, adding that there are four major areas that CIOs and CSOs should be focusing on.

  1. Don't Be Cheap -- If you're in a position of authority, you've got to understand that you've got to put some money into this. It does not have to break the bank, but it does not come for free. CIOs and CSOs have to have a budget and they have to have the backing of the board. The board has to understand that they have something to lose.

  2. IT Must Talk To The Users -- IT managers and the IT workers down in the trenches need to understand what it is they're protecting. They're not just protecting boxes and machines. The people who are running the system have an obligation to talk to the users to understand the value of the information they're protecting. What is this information? How critical is it? Based on the value of certain information, they might, for instance, decide they need two-factor authentication in certain areas.

  3. Users Need To Be Vigilant -- Users need to understand that they have a mission -- a part to play in protecting their company. They need to keep their eyes and ears open about what's going on in the system and be aware of things that don't look right. A user has to notice when systems operate differently than normal. They have an obligation to tell someone if they are in the middle of doing something and the system logs them out and then asks them to log back in again. That could be a sign that someone is interjecting a fake log-in screen to capture passwords.

  4. Get Legal Involved -- The company has to understand what it can and cannot do in order to protect its systems. How can they appropriately and legally monitor employees? How do they go about collecting evidence after a breach? What is the company's relationship to local law enforcement and the FBI?