GAO scolds EPA for poor security

The U.S. Environmental Protection Agency (EPA) needs to clean up its security act, according to the investigative arm of Congress.

In a report released this week, the federal Government Accountability Office (GAO) found that the department charged with protecting human health and the environment is falling short at protecting its systems from unauthorized access.

In particular, the EPA is failing to always ensure that users employ strong passwords, that users are limited in the systems they can access, that critical data is encrypted, that logs are maintained to track suspicious activity and that physical access to sensitive systems is controlled.

Additionally, the agency has weaknesses in its update process, often missing patches for vulnerable database software and operating systems, and configuration tweaks for network devices, the GAO said. And the EPA is not adequately ensuring all of its media devices are properly wiped of sensitive data.

The GAO report also concluded that while the EPA has introduced a security awareness training program -- requiring that workers pass a web-based course -- it lacks a mechanism to certify that all employees have completed the work.

Earlier this month, the EPA disclosed that hackers breached a server storing data related to its Superfund program. They obtained access by tricking an employee into clicking on an email that contained a malicious attachment. The personal information of 7,800 people, including Social Security and bank routing numbers, may have been exposed to the intruders.

Greg Wilshusen, GAO's head of information security issues, told SCMagazine.com that the timing of the audit was coincidental with the breach.

"We received the request to examine EPA's information security program from the House Committee on Energy and Commerce in March 2011," he said in an email.
