Information Security: Weaknesses Place Commerce Data and Operations at Serious Risk Page: 3 of 37
The following text was automatically extracted from the image on this page using optical character recognition software:
At the seven Commerce organizations we reviewed,4 significant and
pervasive computer security weaknesses exist that place sensitive
Commerce systems' at serious risk. Using readily available software and
common techniques, we demonstrated the ability to penetrate sensitive
Commerce systems from both inside Commerce and remotely, such as
through the Internet. Individuals, both within and outside Commerce,
could gain unauthorized access to these systems and read, copy, modify,
and delete sensitive economic, financial, personnel, and confidential
business data. Moreover, intruders could disrupt the operations of systems
that are critical to the mission of the department. Additionally,
unauthorized access to sensitive systems may not be detected in time to
prevent or minimize damage. The underlying cause for the numerous
weaknesses we identified was the lack of an effective program to manage
We identified vulnerabilities in four key areas in the bureaus we reviewed:
First, controls intended to protect information systems and critical data
from unauthorized access are ineffectively implemented, leaving sensitive
systems highly susceptible to intrusions or disruptions. Specifically,
- Systems were either not configured to require passwords-including
powerful systems administrator accounts-or, if passwords were
required, they were relatively easy to guess, such as the word
"password" or commonly known default passwords supplied by
vendors. Further, (1) a significant number of passwords never expired,
(2) individuals had unlimited attempts to guess passwords, and (3)
unencrypted passwords, including those having powerful system
administrator functions, could be widely viewed. Commerce bureaus
also granted excessive system administration privileges to employees
who did not require them, including 20 individuals who had powerful
system privileges that should be used only in exceptional
circumstances, such as recovery from a power failure.
The Commerce organizations we reviewed were the Office of the Secretary, the Bureau of Export
Administration, the Economic Development Administration, the Economics and Statistics
Administration, the International Trade Administration, the Minority Business Development Agency,
and the National Telecommunications and Information Administration. For the sake of simplification,
throughout this testimony, we use the term "bureaus" to refer to all seven of the Commerce
organizations, although the Office of the Secretary is not actually a bureau.
By "sensitive" systems we refer to the systems that Commerce has defined as critical to the mission of
the Department as well as systems that fit OMB Circular A-130, Appendix III, criteria for requiring
Here’s what’s next.
This text can be searched. Note: Results may vary based on the legibility of text within the document.
Tools / Downloads
Get a copy of this page or view the extracted text.
Citing and Sharing
Basic information for referencing this web page. We also provide extended guidance on usage rights, references, copying or embedding.
Reference the current page of this Text.
United States. General Accounting Office. Information Security: Weaknesses Place Commerce Data and Operations at Serious Risk, text, August 3, 2001; Washington D.C.. (digital.library.unt.edu/ark:/67531/metadc289826/m1/3/: accessed February 20, 2019), University of North Texas Libraries, Digital Library, digital.library.unt.edu; crediting UNT Libraries Government Documents Department.