
[ISN] GAO: SEC systems vulnerable to attack

Subject: [ISN] GAO: SEC systems vulnerable to attack
Date: Mon, 28 Mar 2005 03:57:56 -0600 (CST)
http://www.fcw.com/article88406-03-25-05-Web

By David Perera
March 25, 2005 

Computer networks at the Securities and Exchange Commission remain
vulnerable to hacking, a Government Accountability Office report
finds.

Data at risk includes regulatory information, SEC financial
transactions and internal payroll and personnel information, the
report states.

Security is getting more attention these days because of high-profile
cases involving Bank of America, information gatherers ChoicePoint and
LexisNexis, where unauthorized people were able to access personal
data.

During the period of GAO's review, from April through November 2004, 
the commission's network intrusion-detection system was not fully 
implemented and "there was no capability to target unusual or 
suspicious network events for review as they occurred," the report 
states. 

Network services and devices were vulnerable, outdated, and/or 
misconfigured, the report also states. 

During one examination of SEC security controls, GAO auditors found an 
internal SEC network-connected computer located inside a public area. 
Some former employees also retained network access, including one 
former employee who could still log onto SEC systems for eight months 
after departing the commission. 

The congressional watchdog also found that some SEC network users 
could bypass security and audit controls altogether. 

A key reason for the commission's security weaknesses is its lack of a 
comprehensive information security program, the report states. 
Although the agency has established a central security group and 
appointed a senior information security officer, SEC officials have 
yet to complete a comprehensive risk assessment and develop adequate 
policies, the report states. 

Each year, the SEC processes more than 600,000 financial documents and 
collects more than $1 billion in filing fees, penalties and 
disgorgements in fulfilling its mission to oversee U.S. security 
markets. 

GAO auditors are not alone in noting SEC security weaknesses; a fiscal 
2004 SEC inspector general audit found the commission substantially 
out of compliance with the Federal Information Security Management Act 
of 2002. 

SEC officials said the commission recognizes the need to further its 
existing programs and will complete the corrective actions identified 
by GAO auditors by June 2006. Significant progress is already 
underway, adds the official commission response to the GAO findings.


