Bruce Schneier

 

Blog

Crypto-Gram Newsletter

Books

Essays and Op Eds

News and Interviews

Audio and Video

Speaking Schedule

Password Safe

Cryptography

About Bruce Schneier

Contact Information

 

Schneier on Security

A blog covering security and security technology.

« Friday Squid Blogging: Squid Patents | Main | Interesting Spoofing Attack »

May 28, 2007

Network Insecurities at the FBI

The FBI has lousy security against insider attacks, according to a GAO report.

Insider attacks are hard to defend against. One of the most important defenses is a good audit trail, so that when something happens you can figure out who did it.

Posted on May 28, 2007 at 6:19 AM12 Comments

To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.

Comments

merkelcellcancerMay 28, 2007 9:26 AM

In the past the FBI has been scrutinize for lack of infrastructure and networking that would ensure direct and accurate communication for all its field offices and computer networks. I am not surprised that the lack of standardization of its computers and networks has contributed to this security problem.

A single disgruntled agent or IT expert could bring the system to its knees.

Craig HerbergMay 28, 2007 9:47 AM

It is frightening what could "leak out" without proper controls in place. Both confidential data and our national security could be compromised.

Craig Herberg
http://craigherberg.com

AnonymousMay 28, 2007 12:28 PM

I rely on the FBI's continued lack of competence as the best way to protect the US national security.

NathanMay 28, 2007 3:18 PM

There's a piece in the latest Wired magazine about an employee at Sandia National Labs cyber stalking the lead singer of Linkin Park.

The lab had bad security, auditing, and oversight (the employee spent all day every day just stalking the singer). Of course when outside investigators closed in they had to figure out how to do their job without triggering the lab's bureaucratic self defense mechanisms.

You can read about it here: http://www.wired.com/entertainment/music/news/...

acaMay 28, 2007 3:33 PM

Remeber:

http://www.schneier.com/blog/archives/2007/01/...

Now it's finally known what it was:

Canadian 'poppy coin' culprit behind U.S. spy warning

http://www.cnn.com/2007/WORLD/americas/05/07/...

Bryan FeirMay 28, 2007 4:55 PM

@aca:

Already blogged about, just under three weeks ago.

http://www.schneier.com/blog/archives/2007/05/...

Hyper CynicMay 28, 2007 5:08 PM

@Bruce

The GAO report is quite interesting and depressing. You note the importance of auditing. I cannot help wondering how the staff responsible for IT security would have the capability to effectively audit access to resources if they did not have the skills/tools/resources/mindset to secure the network in the first place.

Speaking from personal experience, I also have a few questions about Trilogy:

1. If Trilogy is so Uber sensitive, did the acountants budget accordingly?

2. Are the users ready and willing to buy into the security versus convenience tradeoff?

3. Did the Trilogy network architect highlight the security risks?

I am cynical. It's far too easy for upper management to issue instructions of the "make it so" variety without understanding the real implications of their decisions. Complex IT security and human nature rarely mix well.

meta cynicMay 28, 2007 6:44 PM

"Complex IT security and human nature rarely mix well."

(cough) Complex ANYTHING and human nature rarely mix well. It's just that few things outside of IT let you create such recursive castles of air. The non-physicality of IT is its weakness and its strength.

sooth_sayerMay 28, 2007 9:28 PM

generally speaking GAO reports are meant to address toilet paper shortage in washington .. One should NEVER make a story of their pronouncements.

This one is no exception

What_did_you_sayMay 29, 2007 11:56 AM

Insider attacks at the feebee? no way?! ;)

Ranum FanMay 29, 2007 4:15 PM

>Did the Trilogy network architect highlight the security risks?

I doubt it. One of the many was too busy raking in the $$

Trilogy led to this failure:
“Report: FBI wasted millions on 'Virtual Case File',��? CNN.com (February 3, 2005). http://www.cnn.com/2005/US/02/03/fbi.computers.

“The FBI's Upgrade That Wasn't,��? The Washington Post (August 18, 2006). http://www.washingtonpost.com/wp-dyn/content/...

Sjaak LaanMay 30, 2007 6:55 AM

Let's just say that the FBI is just like any other organisation, and it will be as long as they employ people like any other organisation...

Sjaak Laan
http://www.sjaaklaan.com

Post a comment




E-mail is optional and will not be displayed on the site.


Remember Me?


Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Powered by Movable Type. Photo at top by Geoffrey Stone.

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.

 
Bruce Schneier
Subscribe
Atom Feed Facebook Twitter E-Mail Newsletter (Crypto-Gram)
Subscribe via Kindle
Blog Menu

Search

Powered by DuckDuckGo


blog only
essays and op eds only
whole site

Blog Home Page
100 Latest Comments

Archives by Date

2013 J F M A M
2012 J F M A M J J A S O N D
2011 J F M A M J J A S O N D
2010 J F M A M J J A S O N D
2009 J F M A M J J A S O N D
2008 J F M A M J J A S O N D
2007 J F M A M J J A S O N D
2006 J F M A M J J A S O N D
2005 J F M A M J J A S O N D
2004 J F M A M J J A S O N D

Tags

more tags

Support Bloggers' Rights!
Defend Privacy--Support Epic
Latest Book
Liars & Outliers
more books by Bruce Schneier