Trending

U.S. Treasury Hacking Vulnerability Shows Need For Overhaul Of U.S. Government's Security Model

By

An annual audit done by the Office of Inspector General (OIG) to the U.S. Treasury, as mandated by the Federal Information Security Management Act (FISMA), found that the Treasury Foreign Intelligence Network (TFIN) was vulnerable to hacking by malicious actors.

The official reason for the TFIN's existence is for the Treasury and U.S. spy agencies to track payments to terrorists and to keep tabs on financial sanctions to various countries such as Russia and Iran.

The audit done by the OIG and submitted in September 2014 found no evidence of intrusion, but it discovered that 29 percent of the devices connected to the TFIN did not meet the proper security standards.

"As a result...devices may not be protected with the most secure recommended configurations, increasing the risk of being compromised," the Treasury's Office of Inspector General said.

A Treasury official said that the problem has been fixed since the release of the audit.

After the Office of Personnel Management (OPM) hack, which has been described as the largest data breach in the U.S. government's history, U.S. agencies need to respond more swiftly to security recommendations from such audits and adopt stronger security models that protect data even after a hack (against which the U.S. government may never become fully immune).

The OPM for instance, didn't encrypt social security numbers, fingerprints and other sensitive information about its employees, so when the hackers penetrated the network, they could access everything.

Google and other companies have started to move away from the "network defense" model, which doesn't seem to be as effective as it may have once been, and instead adopted a "zero trust network" model, where each computer is protected from the internal network as well as from the Internet.

Employees would also get only strictly necessary access to confidential information and would use two-factor authentication, which was suggested to the OPM years ago by the OIG and other security companies.

Such an overhaul of the government's systems could take many years and many billions of dollars, so even if the government decides to drastically strengthen the security of its computer systems, it may not actually get all the funding to do that. However, it could at least prioritize the more important infrastructure such as financial, healthcare and military institutions.

The government could also start living by a "least stored data" principle, where it only stores strictly necessary data for its purposes, but not more than that.

However, the U.S. government seems to have been going in the opposite direction lately with a "collect it all" principle of gathering all available data about everyone. This only ends up making U.S. data centers a more appealing target, either to other rival governments or criminal organizations, which could use the stored information to hack into other government systems or blackmail people.

Storing as little data about its citizens as possible combined with an "encrypt everything" attitude could at least drastically decrease the damage from such data breaches.

Follow us @tomshardware, on Facebook and on Google+.

Topics
Security
19 Comments Comment from the forums
  • ocilfa 24 July 2015 20:09
    US Government: "Sorry, but your suggestion makes too much sense. Our "specialists" will instead update our McAfee, and perhaps upgrade our browsers to Internet Explorer 8. Thank you for your taxes and have a nice day."
    Reply
  • jimmysmitty 24 July 2015 20:37
    16318722 said:
    US Government: "Sorry, but your suggestion makes too much sense. Our "specialists" will instead update our McAfee, and perhaps upgrade our browsers to Internet Explorer 8. Thank you for your taxes and have a nice day."

    Not to stick up for them but most are using IE 10 and Windows 7. My wife works for the Arizona DPS who works with all state, local and federal entities and my best friend is in the Air Force at the Pentagon. They are not that far behind.

    That said, the main issue is that the people in charge are clueless to a basic computer let alone networking and security behind that network. They need to employ people who understand that an IT infrastructure is no longer a luxury but it is a necessity and with that comes the need to actually utilize the best security.

    A company/government cannot survive without a IT infrastructure but the issue is they see it the same way they see everything; if it works don't fix it. The problem is that while a Windows XP system will still work, it is not secure. While 8/8.1 was annoying to learn it is more secure. Server 2012 R2 is more secure.

    Instead of utilizing the proper people they have people who wouldn't know a router from a switch from a firewall even if they had access to the internet to look it up.
    Reply
  • house70 24 July 2015 20:42
    16318722 said:
    US Government: "Sorry, but your suggestion makes too much sense. Our "specialists" will instead update our McAfee, and perhaps upgrade our browsers to Internet Explorer 8. Thank you for your taxes and have a nice day."

    That pretty much sums it up.
    Reply
  • house70 24 July 2015 20:49
    16318937 said:
    16318722 said:
    US Government: "Sorry, but your suggestion makes too much sense. Our "specialists" will instead update our McAfee, and perhaps upgrade our browsers to Internet Explorer 8. Thank you for your taxes and have a nice day."

    Not to stick up for them but most are using IE 10 and Windows 7. My wife works for the Arizona DPS who works with all state, local and federal entities and my best friend is in the Air Force at the Pentagon. They are not that far behind.

    That said, the main issue is that the people in charge are clueless to a basic computer let alone networking and security behind that network. They need to employ people who understand that an IT infrastructure is no longer a luxury but it is a necessity and with that comes the need to actually utilize the best security.

    A company/government cannot survive without a IT infrastructure but the issue is they see it the same way they see everything; if it works don't fix it. The problem is that while a Windows XP system will still work, it is not secure. While 8/8.1 was annoying to learn it is more secure. Server 2012 R2 is more secure.

    Instead of utilizing the proper people they have people who wouldn't know a router from a switch from a firewall even if they had access to the internet to look it up.

    The fact that they stored personal information unencrypted is a testament to their ineptitude and no amount of "sticking up for them" can justify that. Even the hardware/software they use can't justify that. This is "I am the government and nothing can/will happen to me even if I screw things up badly" attitude at it's best. Because, really, who is going to hold them accountable for this? Ordinary citizens? Good luck trying to recoup some of the immense headache caused by such breach to you or me. The govt. will just shrug it off and keep on going.
    Reply
  • jimmysmitty 24 July 2015 21:01
    16319028 said:
    16318937 said:
    16318722 said:
    US Government: "Sorry, but your suggestion makes too much sense. Our "specialists" will instead update our McAfee, and perhaps upgrade our browsers to Internet Explorer 8. Thank you for your taxes and have a nice day."

    Not to stick up for them but most are using IE 10 and Windows 7. My wife works for the Arizona DPS who works with all state, local and federal entities and my best friend is in the Air Force at the Pentagon. They are not that far behind.

    That said, the main issue is that the people in charge are clueless to a basic computer let alone networking and security behind that network. They need to employ people who understand that an IT infrastructure is no longer a luxury but it is a necessity and with that comes the need to actually utilize the best security.

    A company/government cannot survive without a IT infrastructure but the issue is they see it the same way they see everything; if it works don't fix it. The problem is that while a Windows XP system will still work, it is not secure. While 8/8.1 was annoying to learn it is more secure. Server 2012 R2 is more secure.

    Instead of utilizing the proper people they have people who wouldn't know a router from a switch from a firewall even if they had access to the internet to look it up.

    The fact that they stored personal information unencrypted is a testament to their ineptitude and no amount of "sticking up for them" can justify that. Even the hardware/software they use can't justify that. This is "I am the government and nothing can/will happen to me even if I screw things up badly" attitude at it's best. Because, really, who is going to hold them accountable for this? Ordinary citizens? Good luck trying to recoup some of the immense headache caused by such breach to you or me. The govt. will just shrug it off and keep on going.

    You really didn't read my post, did you? I only said that they are not that far behind on OS/software.

    I did however say that the people in charge of these places treat their IT infrastructure as a luxury that only needs to be upgraded if it no longer works instead of treating it like a necessity that needs to be well maintained.

    Of course this should be expected as people rarely read past the first sentence in most cases.
    Reply
  • USAFRet 24 July 2015 21:35
    Interestingly, I am one o' them gummint IT guys.
    The servers do not run XP, much as you'd like to jab at them for outdated software. Server 2008, 2012, or Unix.
    Desktops? The current Standard Desktop Configuration (SDC), or Federal Desktop Core Configuration (FDCC) is Windows 7 and IE10. And there is a loooong list of specific configuration and lockdown items for that.

    Do things happen? Unfortunately, yes. Just like any other large organization that manages hundreds of thousands of devices and people.
    There is no such thing as perfect software, people, or procedures.
    We could go into far more detail, but then I'd have to shoot you.
    Reply
  • jimmysmitty 24 July 2015 21:49
    16319306 said:
    Interestingly, I am one o' them gummint IT guys.
    The servers do not run XP, much as you'd like to jab at them for outdated software. Server 2008, 2012, or Unix.
    Desktops? The current Standard Desktop Configuration (SDC), or Federal Desktop Core Configuration (FDCC) is Windows 7 and IE10. And there is a loooong list of specific configuration and lockdown items for that.

    Do things happen? Unfortunately, yes. Just like any other large organization that manages hundreds of thousands of devices and people.
    There is no such thing as perfect software, people, or procedures.
    We could go into far more detail, but then I'd have to shoot you.

    For most cases it is not the IT department at fault. A lot of times you guys don't have the resources and do the best with what you can, although the IT at my wife's location is pretty much a bunch of morons, while the higher ups just brush off anything you give them as a way to make it more secure.

    Considering that the US government has access to not only our identities they also have access to our SSI and other monies they should be doing a much better job securing it.
    Reply
  • USAFRet 25 July 2015 00:45
    16319395 said:
    16319306 said:
    Interestingly, I am one o' them gummint IT guys.
    The servers do not run XP, much as you'd like to jab at them for outdated software. Server 2008, 2012, or Unix.
    Desktops? The current Standard Desktop Configuration (SDC), or Federal Desktop Core Configuration (FDCC) is Windows 7 and IE10. And there is a loooong list of specific configuration and lockdown items for that.

    Do things happen? Unfortunately, yes. Just like any other large organization that manages hundreds of thousands of devices and people.
    There is no such thing as perfect software, people, or procedures.
    We could go into far more detail, but then I'd have to shoot you.

    For most cases it is not the IT department at fault. A lot of times you guys don't have the resources and do the best with what you can, although the IT at my wife's location is pretty much a bunch of morons, while the higher ups just brush off anything you give them as a way to make it more secure.

    Considering that the US government has access to not only our identities they also have access to our SSI and other monies they should be doing a much better job securing it.

    Yes they should.
    The procedures are there, the hardware is there, the software is there.....people are the problem.
    Reply
  • falchard 25 July 2015 04:15
    Best idea ever. Don't expose confidential information to the Internet. Still what would they hack? A counter that keeps adding dollars to the US treasuries balance sheet.
    while(1)
    TreasuryBalance++;
    Reply
  • rantoc 25 July 2015 05:27
    Having a system unsecured vs the internet is like leaving the door home unlocked - its just stupid! Hearing a gov run facility get hacked who is suppose to have very good security due to its content makes me wonder if they didn't leave the door poorly locked, gambling with the content within and this time that gamble backfired...

    Just hope the responsible (either security responsible or the administration if the security responsible pointed out they needed additional funding and din't get a dime - quite common sadly) gets the torch for allowing the hackers to gain access.

    I hope those poor sobs who have their personal information leaked due to the gamble sue them - Big times!
    Reply