Information Security: Weaknesses Place Commerce Data and Operations at Serious Risk Page: 4 of 37
The following text was automatically extracted from the image on this page using optical character recognition software:
- The configuration of Commerce operating systems exposed excessive
amounts of system information to anyone, without the need for
authentication, allowing potential attackers to collect systems
information that could be used to circumvent security controls and gain
unauthorized access. In addition, Commerce did not properly configure
operating systems to ensure that they would be available to support
bureau missions or prevent the corruption of important data. For
example, in a large computer system affecting several bureaus,
thousands of important programs had not been assigned unique names,
which could result in unintended programs being inadvertently run,
potentially corrupting data or disrupting system operations. In this
same system, because critical parts of the operating system were
shared by the test and production systems, changes in either system
could corrupt or shut down the other system. Additionally, unnecessary
and poorly configured system functions existed on important computer
systems in all bureaus we reviewed, allowing us to gain access from the
- None of the Commerce bureaus reviewed had effective external and
internal network security controls. Our testing demonstrated that
individuals, both within and outside Commerce, could compromise
external and internal security controls to gain extensive unauthorized
access to the department's networks and systems. We obtained such
access as a result of weakly configured external control devices, poorly
controlled dial-up modems, and ineffective internal network controls.
* Second, we found other control weaknesses, including inadequate
(1) segregation of computer duties of the staff to mitigate the risk of errors
or fraud, (2) control of software changes to ensure that only authorized
and fully tested software is placed in operation, and
(3) development of comprehensive and completed recovery plans to
ensure the continuity of service in the event of a service disruption.
* Third, Commerce is not adequately (1) preventing intrusions before they
occur, (2) detecting intrusions as they occur, (3) responding to successful
intrusions, or (4) reporting intrusions to staff and management. Thus,
there is little assurance that unauthorized attempts to access sensitive
information will be identified and appropriate actions taken in time to
prevent or minimize damage. For example, Commerce has not instituted
key measures to prevent incidents, such as acquiring software updates to
correct known vulnerabilities. During our testing we discovered 20
systems with known vulnerabilities for which patches were available but
not installed. As a result of ineffective detection capabilities, the tested
bureaus were generally unable to detect our extensive intrusion activities
(only two of the bureaus had installed intrusion detection systems). Also,
Here’s what’s next.
This text can be searched. Note: Results may vary based on the legibility of text within the document.
Tools / Downloads
Get a copy of this page or view the extracted text.
Citing and Sharing
Basic information for referencing this web page. We also provide extended guidance on usage rights, references, copying or embedding.
Reference the current page of this Text.
United States. General Accounting Office. Information Security: Weaknesses Place Commerce Data and Operations at Serious Risk, text, August 3, 2001; Washington D.C.. (digital.library.unt.edu/ark:/67531/metadc289826/m1/4/: accessed September 22, 2018), University of North Texas Libraries, Digital Library, digital.library.unt.edu; crediting UNT Libraries Government Documents Department.