I have been paying attention to the way the US Government has been managing its cyber-security lately. I guess that, since they have such a large responsibility to maintain security, I continue to be amazed at the poor examples that they set for others. How in the world can they expect organizations and businesses to maintain security when they cannot seem to do it themselves, even in the most critical of circumstances?
As an example, here is a recent article in the news about the TSA (a division of the Department of Homeland Security) losing a hard disk full of employee private data. The identity of TSA employees, given their mission-critical role in the War on Terror, is, I would assume, a fairly important piece of data for the TSA to protect. How can government staffers and Congress rail against organizations losing back-up tapes and databases of information when the very people who are supposed to protect us set an example as egregious as this one?
I was reminded of this topic yesterday when, on a visit to a website that is managed by the US Secret Service, I cut and pasted the URL between virtual machines in one of my virtual labs. In the cut and paste mechanism, unbeknownst to me, some character encoding was performed and the URL I was attempting to view got munged. Much to my shock, the web site in question spat out an incredibly in-depth application error page! The error page was a default .NET error page that revealed code, specific version information about the server, the application and the environment. Now many of you might say "So what?!?". Well, my answer to that is that bad error pages that display too much information are a basic component of the OWASP Top Ten issues that define the most common security baseline for web-based applications and web servers. Why in the world would an organization with the security requirements of the US Secret Service be missing such a simple issue? I can only hope (though I seriously doubt it) that it is because they have performed an adequate risk assessment and identified this specific server as being of such low risk that simply configuring it to return a standard error page is not worth the effort. How likely do you think that might be?
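For readers who want to see what "simply configuring it to spit back a standard error page" looks like in practice, here is an added example (not taken from the original post or from the site in question) of a hypothetical web.config for an ASP.NET application on IIS 7 or later. The detailed "yellow screen" with stack trace, source snippet and framework version is only served to remote clients when customErrors is set to Off; the weak setting is shown commented out beside the hardened one. The /Error.aspx and /error.html paths are assumptions for the sake of the example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the original post. Hypothetical web.config for an
     ASP.NET application on IIS 7+; /Error.aspx and /error.html are assumed paths. -->
<configuration>
  <system.web>
    <!-- WEAK: mode="Off" sends the full ASP.NET error page (stack trace, source
         snippet, .NET Framework and ASP.NET version) to every remote client.
         The shipped default, RemoteOnly, shows details only to requests from
         localhost; "On" is the safest choice for a production server. -->
    <!-- <customErrors mode="Off" /> -->
    <customErrors mode="On" defaultRedirect="~/Error.aspx">
      <error statusCode="404" redirect="~/Error.aspx" />
      <error statusCode="500" redirect="~/Error.aspx" />
    </customErrors>
    <!-- Suppresses the X-AspNet-Version response header. -->
    <httpRuntime enableVersionHeader="false" />
    <!-- A debug build makes the error page even more verbose; never ship one. -->
    <compilation debug="false" />
  </system.web>
  <system.webServer>
    <!-- Errors raised by IIS itself (bad or malformed paths that never reach the
         application, for example) get the same generic page instead of the
         IIS detailed error page. -->
    <httpErrors errorMode="Custom" existingResponse="Replace">
      <remove statusCode="400" />
      <error statusCode="400" responseMode="ExecuteURL" path="/error.html" />
      <remove statusCode="404" />
      <error statusCode="404" responseMode="ExecuteURL" path="/error.html" />
      <remove statusCode="500" />
      <error statusCode="500" responseMode="ExecuteURL" path="/error.html" />
    </httpErrors>
    <httpProtocol>
      <customHeaders>
        <!-- Drops the header that advertises the platform to every client. -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

To check the result, request a deliberately malformed URL from a machine other than the server itself (RemoteOnly would otherwise hide the problem from a test run on localhost) and confirm that the body is the generic page and that the response carries no Server-version, X-AspNet-Version or X-Powered-By headers. The static /error.html used for the IIS-level errors should be a plain file that contains nothing about the environment, since it is what a client sees precisely when the application could not handle the request.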
If you do some simple Google searches around US Government security, you will find all kinds of bad examples. I know that their attack surface is immense, their threat models are severe and that their resources are limited, but I truly hope they begin to address some of these basic issues. I really think they should be in a position to set an example of proper security and data protection and be more of a role model for how it is done. I would much prefer that to the way it is now. What do you think?