Information systems at the U.S. Department of Defense suffer from "serious weaknesses" and are vulnerable to hacker attacks and fraud, warned the General Accounting Office this week after conducting an audit of the department's massive array of unclassified systems.
Many of the problems cited by the GAO have to do with basic security measures: Passwords weren't changed often, audit logs weren't consistently reviewed, and user access was poorly documented, among other things.
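The three weaknesses the GAO cited (stale passwords, unreviewed audit logs, undocumented user access) are the kind of thing a defender can check mechanically. The script below is an added illustration, not part of the article or of the GAO report: it runs a small compliance audit over constructed account and log-review records, using assumed thresholds of 90 days for password age and 7 days between log reviews, and returns a list of findings rather than just printing them.

```python
from datetime import date

# Assumed policy thresholds (illustrative; the article states no specific values).
MAX_PASSWORD_AGE_DAYS = 90
MAX_LOG_REVIEW_GAP_DAYS = 7

# Constructed sample account records: when each password was last set, and
# whether the account's access is tied to a documented approval.
ACCOUNTS = [
    {"user": "alice", "password_set": date(2024, 1, 10), "access_justification": "ticket-1042"},
    {"user": "bob", "password_set": date(2023, 6, 1), "access_justification": ""},
    {"user": "svc-backup", "password_set": date(2024, 3, 1), "access_justification": "change-77"},
]

# Constructed sample: the last date each audit log was actually reviewed by a person.
LOG_REVIEWS = {
    "auth.log": date(2024, 3, 28),
    "sudo.log": date(2024, 2, 1),
}


def audit(accounts, log_reviews, today,
          max_pw_age=MAX_PASSWORD_AGE_DAYS,
          max_review_gap=MAX_LOG_REVIEW_GAP_DAYS):
    """Return a list of (finding_type, subject, days) tuples for policy violations.

    days is the measured age or gap where one applies, else None.
    """
    findings = []
    for acct in accounts:
        # Password rotation: flag passwords older than the policy maximum.
        age = (today - acct["password_set"]).days
        if age > max_pw_age:
            findings.append(("stale_password", acct["user"], age))
        # Access documentation: every account needs a recorded justification.
        if not acct["access_justification"].strip():
            findings.append(("undocumented_access", acct["user"], None))
    for log_name, last_reviewed in log_reviews.items():
        # Log review cadence: flag logs nobody has looked at recently.
        gap = (today - last_reviewed).days
        if gap > max_review_gap:
            findings.append(("log_not_reviewed", log_name, gap))
    return findings


def run_sample():
    """Run the audit over the constructed data as of a fixed date (2024-04-01)."""
    return audit(ACCOUNTS, LOG_REVIEWS, date(2024, 4, 1))


if __name__ == "__main__":
    for kind, subject, days in run_sample():
        detail = f" ({days} days)" if days is not None else ""
        print(f"{kind}: {subject}{detail}")
```

Pinning `today` as a parameter keeps the check deterministic, which is what makes it usable in a scheduled job whose results are compared over time; on a real system the record lists would come from the directory service and the log-review tracker rather than being embedded.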
But the same thing could be said about private-sector systems, several corporate security managers and experts said. The problems that the GAO cited "are widespread throughout every single organization," said Chris Grillo, an information technology security manager at Minnesota Power Inc. in Duluth and an auditor at Canaudit Inc., a Simi Valley, California, firm.
"I challenge IS security practitioners to take the GAO findings and ask themselves the same questions about their organizations," said Richard Power, editorial director at the San Francisco-based Computer Security Institute.
But Bob McKee, assistant vice president of corporate information security at The Hartford Financial Services Group Inc. in Hartford, Connecticut, said the GAO's report surprised him. McKee said he thought an organization as large as the Defense Department, and one with "a fair amount of sensitive information to protect, would hit those things head on."
In response, the Defense Department said it was addressing the problems raised by the GAO. The GAO's review focused on the department's unclassified systems, which make up a substantial part of its 2.1 million computers and 10,000 LANs.
The report was a follow-up to a security audit in 1996 that found similar problems.