From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Tue, 11 Jun 2002 11:42:15 -0700 (PDT)
Subject: [iwar] [fc:GAO.faults.Army.Corps.security]
Message-Id: <200206111842.g5BIgF118753@red.all.net>

GAO faults Army Corps security
By Dan Caterinicchia, Federal Computer Week, 6/11/02
http://www.fcw.com/fcw/articles/2002/0610/web-army-06-11-02.asp

The Army Corps of Engineers has made great strides in managing its computer systems since a scathing 1999 review by the General Accounting Office, but the agency still has numerous security shortcomings, according to a new GAO report.

"Information Security: Corps of Engineers Making Improvements, but Weaknesses Continue," released June 10, details a number of computer security issues that the Army Corps must address, including:

* Controlling access to critical systems and data.
* Developing adequate system software controls to protect programs and sensitive files.
* Documenting software changes.
* Securing networks.

"These vulnerabilities warrant management's attention to decrease the risk of inappropriate disclosure and modification of data and programs, misuse of or damage to computer resources, or disruption of critical operations," according to the report. "Such vulnerabilities also increase risks to other Department of Defense networks and systems to which the corps' network is linked."

The audit, which was conducted from January through October 2001, found that the Army Corps had not maintained accurate records of users who were granted access to the Corps of Engineers Financial Management System (CEFMS).

"The weaknesses that we identified...placed the Corps' computer resources, programs and files at risk from inappropriate disclosure of financial and sensitive data and programs, modification of data, misuse of or damage to computer resources, or disruption of critical operations," according to the report.

Additional tests also revealed problems with the smart cards that store users' electronic signatures for use with CEFMS.
In some cases, smart cards were not under the sole control of an individual cardholder, an audit found, and "as a result, authentication controls were not effective to provide reasonable assurance that users' electronic signatures are valid."

The GAO report said the primary reason for the Army Corps' computer control weaknesses was that officials had not fully developed and implemented a comprehensive security management program.

In a May 20 letter responding to a draft copy of the report, Lt. Gen. Robert Flowers, commander of the Army Corps, said the agency has already taken corrective action on 11 past recommendations and has developed an action plan to correct all but 12 of the remaining recommendations by Sept. 30, 2002. He added that the remaining 12 recommendations would be completed in fiscal 2003 or beyond.

------------------
http://all.net/

This archive was generated by hypermail 2.1.2 : 2003-08-24 02:46:32 PDT