How secure is the data on government databases? Does the government have any recognised testing that is carried out on a regular basis?

Do we need a grading system in the UK as they do in the US?

The reason I ask is that the US federal departments have just failed to show that any data they have is beyond the hackers.

 

Calling federal information security “embarrassing” and “dangerous”, Rep.
James R. Langevin (D-RI) lashed out at federal departments including State,
Commerce and Homeland Security for lax practices and serious breaches.

The comments came
at a hearing of the Committee on Homeland Security's subcommittee on emerging
threats, cybersecurity and science and technology, to discuss recent high-level
security breaches in government, at which representatives of State, Commerce
and the Government Accountability Office testified.

Langevin cited failing grades by both Departments of Commerce and State under
the FISMA assessment. FISMA stands for the Federal Information Security
Management Act of 2002. See background information via the National Institute
of Standards and Technology here.

Langevin also
cited a hack into Commerce systems using a rootkit last October, and a June
2006 penetration of State Department systems which used social engineering and
a zero-day exploit of Microsoft Word to gain access.

Both departments, Langevin said, tried to downplay the incidents, saying no
classified systems were compromised. Langevin said that because the departments
failed their FISMA assessments and have failed to inventory all of their
systems, “they can't know for certain that these incidents don't involve
classified systems.”

About DHS, which received a D on its FISMA assessment–the first time since 2003
DHS did not receive an F–Langevin said he was “disappointed and troubled” with
the department's progress in securing cyberspace. “I don't know how the
department thinks it's going to lead this nation in securing cyberspace when it
can't even secure its own networks.”

SANS Institute
director of research Alan Paller, who attended the hearing, said that
government officials are finally saying publicly what many have known all
along: Their systems are insecure and put the nation at risk. “The State
and Commerce Department penetrations are the tiniest tip of the iceberg,”
said Paller. 

Paller also noted
that participants at the hearing said the FISMA was a bad assessment system
that measured the wrong things, and that receiving a grade of A wouldn't make
any of the participants at the hearing believe they were necessarily secure.

The hearing demonstrated the remarkable consistency between corporate and
government problems with information security. The zero-day exploits and
rootkits are the biggest issues private companies are dealing with right now.
Two zero-day exploits have been discovered in the past month, and some
speculate that rootkits may have been used in the breach of TJX, the biggest
data leakage case in history to date. Indeed, the Commerce department's failure
to pinpoint the time when hackers first gained access mirrors TJX's confusion
over origins of access, which is usually a sign the hackers were able to
conceal their activity through the use of a rootkit, a basic tool for economic
hackers.

In their fiscal
year 2006 financial statement audit reports, 21 of 24 agencies indicated that
they had significant weaknesses in information security controls. As shown by
reports by GAO and agency inspectors general (IG), the weaknesses persist in
major categories of controls—including, for example, access controls, which
ensure that only authorized individuals can read, alter, or delete data, and
configuration management controls, which provide assurance that only authorized
software programs are implemented.

An underlying cause for these weaknesses is that agencies have not yet fully
implemented agency-wide information security programs, which provide the
framework for ensuring that risks are understood and that effective controls
are selected and properly implemented. Until agencies effectively and fully
implement agency-wide information security programs, federal data and systems
will not be adequately safeguarded to prevent unauthorized use, disclosure, and
modification.

Langevin also
cited issues with intelligence sharing between departments over vulnerabilities
and exploits.

Langevin
concluded his opening statement with words that are becoming more common both
in government and business when it comes to information security: “We don't know the scope of our
networks. We don't know who's inside our networks. We don't know what
information has been stolen.”
(source).

 

So before we embark on giving the UK government our most personal of details
with the ID card scheme and ePassports, perhaps a very public health check
might be in order.

 

 

NuLab – Destroying Britain from the inside out.

 

 

When I was a young man, I was taught that the only people who had right of
entry to your home without a warrant was the Customs and Excise man.

Long gone are those days; the list is now so long the reading would send you to
sleep. If you ever believed that an Englishman's home was his castle, dream on.
 

This from today’s Daily Mail online tells us there are 266 ways the Government
can enter your house - and you can't stop them.

It could be a statistic straight from George Orwell's chilling masterpiece 1984.
State officials have 266 justifications to enter your home.

Alas, the figure is not a figment of Orwell's imagination but the reality of
Britain in 2007.

Our table shows some of the
many powers today’s army of health and safety inspectors, bailiffs, Customs
officers, quango officials and policemen can use to gain entry to your
property. In most cases entry, if denied, can be gained by force. Homeowners
face fines and criminal charges if they obstruct officials who knock on their
doors.

Study author Richard Snook said: 'This research* shows the State today enjoys
widespread access to what was previously considered to be the private domain.

Some of the new entry powers have their origins in EU directives and
regulations, rather than with an Act of Parliament passed by the UK's elected
legislators.'

Shadow Home Secretary David Davis said: 'This is a sinister reflection of the
power the State now has in the lives of the citizen.'

What the Daily Mail doesn’t tell
us is that since coming to power 10 years ago, the present Government have
introduced over 280 new legislative Acts, and created in excess of 3000 new ‘crimes’.

The Police have powers of arrest without warrant, which make all offences, no
matter how trivial, into arrestable offences (Section 110 of the Serious
Organised Crime and Police Act 2005, which came into force on 1-1-2006), also
allowing the Police to take DNA, fingerprints and palm prints of all those
arrested.

Once arrested, the Police can search the
home of arrested (not charged) people without the need for a warrant (PACE
Code), so the Daily Mail story should really read, 3000 ways the Government can enter your home.

 

NuLab – Destroying Britain from the inside out.

*Centre for Policy Studies entitled “Crossing the Threshold” (pdf).

 
