Featured eBooks
Open Season 2025 Guide
Health Tech
Space Trends
Insights & Reports
Access Management: Core to CISA’s Zero Trust Maturity Model 2.0
Presented By Carahsoft
Download Now
Identity Modernization for Government Service Excellence
Presented By Okta
Download Now
Magazine

Top Five System Security Holes

  1. Custom Applications
    As a cost-savings measure, government agencies frequently develop their own Web applications to automate critical business processes. Often, these contain vulnerabilities and weaknesses in design. "Programming of these applications is all process-specific and cannot be patched," says Patrick Howell, chief information security officer for the Housing and Urban Development Department. He suggests using a combination of controls to keep custom applications secure, including code-level reviews and secure programming practices.

  2. Decentralized Access Controls
    Many legacy applications incorporate their own access permissions and controls, which makes centralized management difficult. The more fragmented the security procedures, the more likely something will be overlooked and security holes will emerge. Gordon Hannah, managing director of the Public Services Security and Identity Management Group at BearingPoint, recommends that agencies take a federated approach to managing older systems with consistent processes to reduce potential breaks in policy.

  3. Encryption Keys
    A public key infrastructure is perhaps the most effective way to implement identity management, providing users with digital certificates that define their access rights. But PKI systems also create millions of pairs of encryption keys that essentially give two people permission to exchange information. Each one of those keys can be compromised. PKI management solutions are on the market, but nothing is foolproof. The National Institute of Standards and Technology says if a key is compromised, then all associated certificates should be revoked immediately.

  4. Departure Procedures
    System access rights don't suddenly disappear when an employee or contractor leaves a team or agency. The longer a person's information remains in the system, the greater the security risk it poses. In many cases, however, the account is deemed inactive and therefore goes unmonitored, making it ripe for compromise. "Agencies need a clear process in place for cleaning up accounts," says Hannah. "When people leave an organization, access should be turned off immediately and all associated permissions disabled."

  5. Lack of Oversight
    Consistent monitoring of how system resources are accessed by employees and contractors might be the only way to detect improper behavior. Technology can only do so much. "I think agencies sometime overlook or maybe underestimate the importance of people in their identity management and security solutions," says David Troy, identity management solutions practice leader at EDS. "You can have the best technology in the world, but if your business processes have holes in them or if your people are not trained properly or if they're not following proper policies and procedures, then you are at risk."

NEXT STORY: E-mail, campus visits found to be effective in recruiting