If you’ve been a long time reader around here, you’ll know one of my favorite things is to highlight government computer ineptitude. While it is quite difficult to get computer security perfectly right, it’s easy to get it good enough that the risks are easily manageable. The government, however, rarely manages even this basic level of security. Underscoring this is the Department of Homeland Security’s bizarre focus on whether its employees are looking at pornography.
A report (PDF) by the DHS Office of the Inspector General released yesterday shows that DHS’s computer network’s security systems are overloaded, partly due to several million “incidents” of possible accesses of pornography, which may be causing the department to be missing incidents that require urgent attention, such as active break-in attempts.
You’ll love this. When DHS was initially formed, the job of network security fell to Immigration and Customs Enforcement — not because that’s naturally where it should be, but because they were the only agency within the new department to have any kind of network security division. As it turns out, their intrusion detection system sucks.
ICE uses the Intellitactics NSM (Network Security Manager). Among other flaws, this system intermingles intrusion detection events with other events, such as suspected downloads of illegal software and pornography. Because ICE doesn’t have a system to separate these messages, it winds up manually sorting through what amounts to useless noise.
In July 2004, prior to the start of our audit, approximately 5.4 million security event messages were generated each month by the DHS wide area network. At our entrance conference in November 2004, the DHS CIO requested that we provide a breakdown of the security event messages that were generated. We reviewed the security event messages generated by the DHS wide area network intrusion detection system in February, March, and April 2005. There were approximately 65 million messages generated during these three months. This average, of approximately 22 million messages a month, is more than a 400% increase in the monthly averages for security event messages as compared to the averages that occurred less than a year earlier.
During the three-month period reviewed, 16 devices generated approximately 45.5 million of the 65 million security event messages (70%) recorded on the DHS wide area network. Approximately 6.5 million (10%) of the 65 million security event messages were the ‘ids.detect.misuse.porn’ [sic] message. Additionally, 4.9 million of the 6.5 million ‘ids.detect.misuse.porn’ [sic] messages (approximately 75%) were generated by 16 devices or web sites. — Management of the DHS Wide Area Network Needs Improvement (PDF)
As it turns out, ICE couldn’t tell who was generating all those events, because it assigns workstation addresses using DHCP (Dynamic Host Configuration Protocol), which means an individual workstation could get a different address each day, or any time the computer is restarted, and ICE only kept logs of which computer had which address for a week.
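The attribution problem above is worth seeing concretely: per-address event counts are meaningless when the address moves between machines, and once the lease log is purged nothing can be recovered. The following Python is an added illustration, not code from the report or from ICE; the lease records, event timestamps, MAC addresses and the one-week retention window are constructed to match what the post describes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# The post says lease logs were kept for only a week; that is the retention
# window assumed here.
RETENTION = timedelta(days=7)


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    src_ip: str
    name: str  # e.g. the report's 'ids.detect.misuse.porn'


# Constructed lease log: the same address goes to two different machines on
# consecutive days, which is exactly what makes per-address counts misleading.
LEASES = [
    Lease("10.0.0.5", "aa:aa:aa:aa:aa:01",
          datetime(2005, 4, 28, 8), datetime(2005, 4, 29, 8)),
    Lease("10.0.0.5", "aa:aa:aa:aa:aa:02",
          datetime(2005, 4, 29, 9), datetime(2005, 4, 30, 9)),
]
NOW = datetime(2005, 4, 30, 12)  # constructed "current time" for the analysis

# Constructed events, all carrying the same source address.
EVENTS = [
    Event(datetime(2005, 4, 28, 12), "10.0.0.5", "ids.detect.misuse.porn"),
    Event(datetime(2005, 4, 29, 15), "10.0.0.5", "ids.detect.misuse.porn"),
    Event(datetime(2005, 4, 29, 8, 30), "10.0.0.5", "ids.detect.misuse.porn"),
    Event(datetime(2005, 4, 15, 12), "10.0.0.5", "ids.detect.misuse.porn"),
]


def attribute(event, leases=LEASES, now=NOW, retention=RETENTION):
    """Return (mac, status); mac is None when the event cannot be tied to a host."""
    if now - event.ts > retention:
        # Older than the lease log's retention: the evidence is already gone.
        return None, "lease log already purged"
    for lease in leases:
        if lease.ip == event.src_ip and lease.start <= event.ts < lease.end:
            return lease.mac, "attributed"
    # Address was not leased at that instant (e.g. between two leases).
    return None, "no lease covers this timestamp"


def per_host_counts(events=EVENTS, leases=LEASES, now=NOW):
    """Count events by the machine that actually held the address, not by address."""
    counts = {}
    for ev in events:
        mac, _ = attribute(ev, leases, now)
        key = mac or "unattributable"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.ts, ev.src_ip, attribute(ev))
    print(per_host_counts())
```

Counting by address alone would report four events from 10.0.0.5; counting by lease holder shows one event each for two different machines and two events that can no longer be tied to anything, which is the situation the report describes. Lease retention that is longer than the interval between an event and its investigation is the minimum fix.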
In addition, many of those ids.detect.misuse.pornography messages were likely to be false positives, because the system did not match words carefully enough. Innocuous words such as “behavioral” would generate a false match for “oral,” for instance.
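The “behavioral” matching “oral” failure is a plain substring test where a whole-word test was needed, and the intermingling problem from earlier in the post is a missing routing step in front of the analysts. The Python below is an added example, not the Intellitactics product’s logic or anything from the report; the keyword list, the request lines and the non-misuse event name are constructed, with “oral” kept as the term the post names.

```python
import re

# Constructed stand-in for the filter's term list; "oral" is the term the post
# says matched inside "behavioral".
KEYWORDS = ["oral", "xxx"]


def naive_match(text, keywords=KEYWORDS):
    """Plain substring test: any word that merely contains a keyword is flagged."""
    low = text.lower()
    return [k for k in keywords if k in low]


def word_match(text, keywords=KEYWORDS):
    """Whole-word test using \\b boundaries, so 'behavioral' no longer hits 'oral'."""
    low = text.lower()
    return [k for k in keywords
            if re.search(r"\b" + re.escape(k) + r"\b", low)]


# Constructed request lines with the label an analyst would assign by hand
# (True = genuinely matches the policy, False = benign).
SAMPLES = [
    ("GET /reports/behavioral-analysis.pdf", False),
    ("GET /ethics/moral-hazard.html", False),
    ("GET /marine/coral-reef-survey.csv", False),
    ("GET /xxx/index.html", True),
]


def false_positives(matcher, samples=SAMPLES):
    """Count benign lines the given matcher flags."""
    return sum(1 for text, bad in samples if not bad and matcher(text))


def missed(matcher, samples=SAMPLES):
    """Count genuine lines the given matcher fails to flag."""
    return sum(1 for text, bad in samples if bad and not matcher(text))


def split_queues(event_names):
    """Route 'ids.detect.misuse.*' policy hits away from the intrusion queue,
    so content-policy noise never competes with break-in attempts for attention."""
    queues = {"intrusion": [], "policy": []}
    for name in event_names:
        bucket = "policy" if name.startswith("ids.detect.misuse.") else "intrusion"
        queues[bucket].append(name)
    return queues


if __name__ == "__main__":
    for matcher in (naive_match, word_match):
        print(matcher.__name__, "false positives:", false_positives(matcher),
              "missed:", missed(matcher))
    # "ids.detect.intrusion.example" is a constructed name, not one from the report.
    print(split_queues(["ids.detect.misuse.porn", "ids.detect.intrusion.example"]))
```

On the constructed samples the substring matcher flags three benign lines and the whole-word matcher none, with neither missing the genuine one; word boundaries are not a complete answer (a keyword list still produces hits on legitimate uses of the word), but they remove the class of false positive the post describes. Separating the queues by event name is what lets the intrusion events be counted and reviewed on their own.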
And to top it all off, DHS is transitioning to a more integrated network, called OneNetwork, and in light of the problems presented in this report, it will have Customs and Border Protection run security for the new network. Excuse me?
Oh, and never mind that the new OneNetwork might not have adequate security either, that it may have cost overruns, or that it just might not work at all. That’s just icing on the cake.