WASHINGTON (06/27/2000) - Six months after computer security at the U.S.
Environmental Protection Agency was judged to be so flawed as to be ineffective, the agency continues a massive security overhaul.
Security lapses left the EPA so vulnerable that, in February, the agency shut down its World Wide Web sites and cut off outside access to its computer systems to prevent them from being damaged in online attacks.
In the months since then, an information security team has ordered more than 100 changes in security practices. Still, about 30 percent of the services that were disconnected remain offline, according to George Bonina, the EPA's director of information security.
Dial-in access to the EPA's computer systems is one of the services not fully restored. It is proving difficult to secure. Permitting remote access can "open up huge holes in the firewalls. We don't have that fixed yet," Bonina told a group of federal Webmasters on June 22.
Public access to the EPA's Web sites has been restored, however. "The public was clamoring for access" after the Web sites were shut down, he said.
The EPA's vulnerabilities were discovered late last year during a security audit by the General Accounting Office. GAO investigators penetrated the EPA's systems that contained sensitive and national security-related information.
The agency's computer vulnerabilities were not obvious, even to many in the EPA. "Our actual security program on paper was pretty good. We just weren't implementing it," Bonina said.
Vulnerability came from a multitude of sloppy practices. For example, "we got clobbered because of passwords," he said. Even system administrators, who should know better, used passwords that were easy to guess. One used "sysadmin," he said.
Passwords were changed, and now system administrators are required to certify that they are following sound password practices.
Another weakness was created by the EPA's failure to keep access to its systems up-to-date. "We had a lot of people who were long gone from the agency who still had accounts" that gave them access to the EPA's computers, Bonina said.
Some were contractors, some were former employees and some were simply outsiders, he said. And "a lot of people were sharing accounts," which made it difficult to control access.
The EPA operates about 1,500 servers; during the security overhaul, agency officials discovered that "not all of them were configured to agency standards," Bonina said. That has been cleaned up, he said.