Inefficient Security Makes VA Systems Vulnerable
The US Department of Veterans Affairs (VA) has unsafe web application servers and is unable to regulate connections between the Web and its computer systems, an internal agency watchdog has revealed.
In testimony before the House Veterans Affairs Committee, VA Assistant Inspector General Belinda Finn said that these conditions leave the systems susceptible to attack, as reported by nextgov on May 19, 2010.
During system testing, the security experts identified major flaws in the access controls meant to safeguard VA mission-critical systems from unauthorized access, tampering and damage.
For example, they identified a huge number of weak passwords on application servers, databases and networking devices supporting systems at several of the VA facilities tested. Weak passwords are an important security vulnerability that enables malicious users to gain unauthorized access to mission-critical systems.
VA Chief Information Officer Roger Baker confirmed that the VA monitors its main enterprise network around the clock, has deployed 160 intrusion detection systems countrywide, and has blocked 16.4 million e-mails per day from being delivered because they were suspected spam or carried malware, as reported by nextgov on May 19, 2010.
Further, the watchdog identified many cases of the VA hosting unsafe web services that enable an attacker to exploit vulnerabilities and obtain unauthorized access to VA systems. It also came across many database platforms that provided system functions or hosted outdated system software, enabling any system user to gain unauthorized access to mission-critical data and change the database's operation.
Moreover, the VA had still not identified, regulated or controlled a substantial number of system connections with external sources, implying that an attacker could easily penetrate the VA's internal network and systems over a period of time without being detected.
Notably, the Federal Information Security Management Act of 2002 requires federal agencies to develop, document and follow detailed information security programs. However, Finn stated that the VA still has critical flaws in information security.
Therefore, to improve conditions in this area, the VA should adopt a comprehensive, enterprise-wide vulnerability and patch management program that can identify security flaws affecting mission-critical systems.
» SPAMfighter News - 31-05-2010