Department of Homeland Security Can't Even Secure Its Buildings Against People It Fired (theintercept.com)
For the fourth time since 2007, an internal audit shows the Department of Homeland Security isn't deactivating access cards in the hands of ex-employees, leaving its secure facilities vulnerable to intruders. From a report: A new report by Homeland Security's Office of Inspector General shows that the department is systemically failing to revoke tens of thousands of "personal identity verification" cards that allow staff to enter sensitive, secure facilities and access internal data networks, despite being warned about the problem for 15 years. The issue is made worse, the report continues, by the fact that Homeland Security's internal record-keeping is so shoddy that it was impossible to determine how many ex-staffers have working access cards they aren't supposed to.
Like many modern office workers, Homeland Security hands out office-unlocking keycards to its employees to make sure strangers can't wander in off the street. And, like most workplaces, the department is supposed to follow a standard policy: When an employee is no longer an employee, for whatever reason, their card is to be promptly deactivated. Unlike most employers, though, Homeland Security is a component of the U.S. Intelligence Community, meaning these credit card-sized badges have a "grave potential for misuse if lost, stolen, or compromised," according to the inspector general report. Unfortunately for the department -- and potentially the homeland -- the OIG's latest audit found that's exactly what's happening, and on a vast scale.
Re: "The Beating of a Liberal" (Score:2, Flamebait)
Fresh Subject (Score:2)
'Nuff said.
Re: "The Beating of a Liberal" (Score:3)
If you replace liberal celebrity with Putin, I'd watch
Blame GSA (Score:1)
GSA handles HR as well as smart cards and access cards for all of the federal government.
It can take years just to fire a federal employee in the first place, unless they have committed a national security felony. In that case it can be done in a couple of months. Either way, deactivating a building access card is towards the very end of the process flow for terminating a federal employee.
Re: (Score:3)
deactivating a building access card is towards the very end of the process flow for terminating a federal employee
I don't know why that should work that way. You put out a notification that an employee is leaving. Facilities and systems access are rescinded on the date specified. If it takes a few days (or weeks) to finish the HR paperwork, then they are on paid time off until that is completed.
Happens all the time in contractor facilities with security clearances. People actually get an escort to the gate. The opposite happens when they are hired. Not all the paperwork for access and clearances might be complete. In
Re: (Score:2)
Indeed. A mess-up this massive is only possible with complete incompetence. Which, to be fair, the DHS is known for.
Re: (Score:2)
To be even more fair, it's probably the fault of OPM. The 'HR' department of the federal government.
Re: (Score:2)
Not quite. OPM is the 'HR' department of all the retired federal government.
GSA controls all the PIV cards for gov't employees (except those issued by DoD). GSA controls all the root certificates for all the certs on the cards to validate against. It is up to the individual agencies (DHS, DoC, DOI, etc) to manage their employee's cards and have a process for deactivating cards for outgoing employees.
If the fast turnover of employees at DHS means they are not deactivating cards, don't have a process for r
Re: (Score:2)
Not quite. OPM is the 'HR' department of all the retired federal government.
Things must have changed. They were in charge of losing all the personal information of current government employees and contractors with security clearances to foreign intelligence services only a few years ago. My, how time flies.
I lucked out and got my clearance when the FBI was still doing background checks. They asked me to sign a new agreement to deal through OPM. I said I'd be retiring instead. They left me dealing with the FBI.
Re: Blame GSA (Score:5, Interesting)
This is an interesting topic to me because I happen to do software development for identity and access management. Among other things, I maintain the software that automatically provisions and deprovisions access for new and termed employees. The way we do this is basically we have a one step process to deactivate ALL access, including their PIV cards that they need to access the buildings.
There's basically two processes for this though. If an employee has a contract that is ending, or if they've put in their notice, then the HR system will have that end date, which our system picks up, and once that date hits then everything is deprovisioned.
Then there's a "forced" termination process. Either HR or the person's manager notifies us that somebody is being terminated immediately, and somebody on our team logs into our system and hits a button. Just like that, all access is gone; no other manual steps needed.
We actually "tested" this functionality on my last day at my previous company. Basically I was in the building and on a video call, and somebody shared their screen while they termed my account in a "Viking funeral". Then my now former boss asked me to try logging into stuff, and see if my badge still worked. It took about 5 minutes before almost everything stopped working, though we did find a longer delay (about two hours) in a relatively insignificant system that I presume the remaining engineers have since fixed.
We also had software that periodically (about weekly) scans all systems to ensure that all employees that are currently termed have had their access revoked in every application, in case something was missed, broken, etc.
Interesting that Homeland Security, of all places, has no such thing. Without IAM, you basically don't have any security.
Re: (Score:2, Funny)
It can take years just to fire a federal employee in the first place, unless they have committed a national security felony. In that case it can be done in a couple of months
How about if the ex federal employee takes home 20 boxes of highly-classified documents, and stores them in the bottom of an unlocked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'?
Re:Boomer problem. (Score:5, Insightful)
Incompetence and dereliction is bipartisan.
Re: (Score:1, Offtopic)
Historically yes, recently no. Incompetence and dereliction are qualifications for one party now, not the other.
Re: (Score:2)
Historically yes, recently no. Incompetence and dereliction are qualifications for one party now, not the other.
For the other, it's just serendipitous.
Classic Joke (Score:5, Funny)
In the US we have two parties: the Stupid Party and the Evil Party. Every now and then both parties work together to pass a bill that's both stupid AND evil. They call this "bipartisanship".
This is how we got DHS.
Re:Boomer problem. (Score:5, Insightful)
Uh, yes, because before genz and millennials came along we activated billions of cards but no one knew how to turn one off. Tech was just too hard! Thank god you kids came along to invent the internet, the cpu, hard drives, Wi-Fi, and everything else in use today. Before you got here, we had to brush our teeth with dirty leaves and didn't even know how to wipe our own asses, so we just kinda backed into someone else's leg and wiggled around.
Toilet paper! Yet another marvelous invention that didn't exist before genz and millennials came along. Thank god for you kids saving us old stupid people! I was so tired of the wiggle thing and my knees aren't what they used to be, either.
Re: Boomer problem. (Score:2)
You know us millennials are already 40 right? The ones building these systems are us now. People like me build working systems like these for the private sector. And they do work well. I should know.
Why the government doesn't is anybody's guess. My guess is their compensation is crap so they have to hire from the bottom of the barrel, i.e. the typical employee who wants to be in a labor union or else they'd have no job security because they do everything half-ass.
But that's just a guess.
Though it's intere
Re: (Score:2)
You know us millennials are already 40 right?
Your math is a little off. By definition, a "millennial" (someone born no more than about five years before the Millennium) can't be older than about 27.
Re: Boomer problem. (Score:2)
"Millennials, also known as Generation Y or Gen Y, are the Western demographic cohort following Generation X and preceding Generation Z. Researchers and popular media use the early 1980s as starting birth years and the mid-1990s to early 2000s as ending birth years, with the generation typically being defined as people born from 1981 to 1996.[1] Most millennials are the children of baby boomers and older Generation X;[2] millennials are often the parents of Generation Alpha." - Wikipedia
Re: (Score:2)
That's the first I've ever heard this definition. And you're totally wrong.
What do you think a "Baby Boomer" is? It's someone born during the "Baby Boom," when soldiers came home from World War II and started having a lot of babies. That would make those babies born somewhere around the mid-to-late 1940s through the mid-1960s.
When the children of the baby boomers started having kids, it would have been in the 70s to 80s. Those kids are known as Generation X.
And when Generation X started having kids, it would ha
Re: (Score:2)
2. See number 1
3. 15 seconds of interweb sleuthing would have told you this
4. Facts, much like science, don't care if you believe in them
https://www.beresfordresearch.com/age-range-by-generation/ [beresfordresearch.com]
https://www.pewresearch.org/fact-tank/2019/01/17/where-millennials-end-and-generation-z-begins/ft_19-01-17_generations_2019/ [pewresearch.org]
https://en.wikipedia.org/wiki/Millennials#/media/File:Generation_timeline.svg [wikipedia.org]
https://www.usatoday.com/story/news/2022/09/02/what-years-gen-x-millennials-baby-boom [usatoday.com]
Re: (Score:2)
Millennial doesn't mean what you think it means.
Re: (Score:2)
Claim that all you want. See my other reply, above.
Re: Boomer problem. (Score:2)
First, these names given to generational groups are basically applied by people in marketing and don't really have any relevance outside of that.
Second, as in all things marketing, there are variances in their definitions, but it generally comes down to this: Millennial means you were born before the turn of the millennium but didn't reach adulthood until some time afterwards. In most of the US, that means you were born after 1 January 1982 but no later than 31 December 1999. Thus, the oldest among us are n
Re: (Score:1)
Why the government doesn't is anybody's guess.
Seems pretty clear to me - it's all about incentives. 15 years ago big corporations had no incentives to handle IT security properly - so they didn't. Since then many executives realized, after several high-profile cases, that security lapses can have ruinous financial and reputational costs, so many places started taking it seriously.
But people in government institutions are still not liable for security issues. Somebody walks away with private citizen data? Oops. A cop stalks his ex using police infrastru
Re: (Score:2)
I've heard it's very difficult to get fired from a government job. Given the natural human tendencies toward apathy and laziness, that's not a great formula for excellent work products.
New Hires and Recent Terms = Actually hard (Score:5, Informative)
I mostly deal with recent terminations but also occasionally new hires. Employee new hire/termination are actually very hard and largely unsolved problems. Systems that integrate with Azure/Okta/Devops workflows have helped alleviate some of that pain in the last 5+ years at least on the digital side of things BUT come with their own can of worms: One login to rule them all.
New hires need: Equipment, badge, network login, access to specific systems, and spin up of employee benefits packages.
Termed employees need: Turn in equipment and badge, network access termination, termination of access to systems outside the network, and termination of employee benefits.
To muddy the waters a lot: Life is complicated! Not all termed employees are fully terminated immediately. Not all new hires start immediately. Some employees go on paid leave (e.g. maternity) and only need partial deactivation during their extended leave. Some are termed but immediately restart as some sort of contractual vendor. Some vendors need access to some systems to conduct maintenance.
Coordinating new hires and terms usually involves a lot of people across a range of disciplines: HR, IT, security desk, the employee's manager, and usually some random people involved in account setup/teardown, and sometimes vendors need to be contacted. At least a dozen people with specific responsibilities are involved just for one employee. Email and support tickets are generally the primary means of communication. And it takes effort to make sure both the employee and the organization have good onboarding and offboarding experiences. This appears to be a largely unsolved problem because there are many moving pieces that take place over a flexible timeline. It's super easy to let something slip through the cracks. Mistakes are constantly made even at the best organizations.
Halfway decent organizations build their own reporting/self-audit tools to help automatically identify significant at-risk systems (e.g. "this disabled user in AD is still active over in this linked 3rd party system") on some sort of frequency. Near the beginning of the month on a day when managers aren't running their monthly reports and any account that hasn't been used for 90 days are good rules of thumb for alerting someone. It also requires someone to actually care about that report and pay attention to the details and overcome inertia to take appropriate action. Obviously DHS hasn't gone through that exercise, so this latest audit caught them with their pants down. We can understand how this happened, but for an entity the size of DHS, it is inexcusable.
Re: (Score:3)
The biggest issue then, is that the badge-access system isn't tied directly into the employment records system. If the employment records don't trigger suspension, restoration, and termination of existing building access, along with triggering notifications for things like change-of-rights or enabling new badges to begin with when people receive promotion or transfer, then the system is subject to human failings out of apathy or ennui. If the employment system wasn't written with that kind of API call and
Re: (Score:2)
I can build that in a weekend, I mean oh wait, it's a government contract, that will take 5 years and $150 million for the first iteration plus support, maintenance and a per admin fee and a per card/user fee. Forever.
Re: New Hires and Recent Terms = Actually hard (Score:4, Informative)
You shouldn't tie anything directly into the HR systems. Ideally you have a central identity warehouse that automates access controls, and it uses the HR system as one (of possibly many) inputs to govern access. That system then connects to the other systems you use to adjust things like ACLs, permission, groups, etc, or in this case, which doors their badges open. You're not only dealing with new hires and terminations, but also people who change job roles. And when new systems are added, you want to just set rules/policies for them so that existing employees automatically get access to it if they need it.
Then you have other maintenance scripts or programs that periodically scan other systems to ensure that all access remains compliant with the policies.
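The periodic compliance scan this reply and the earlier "Blame GSA" reply describe, and the "disabled in AD but still active in a linked system" / "unused for 90 days" rules of thumb from the "New Hires and Recent Terms" post, as an added example that is not code from any of the posters. It uses the HR system as one input and checks every linked system against it; the users, system names and dates are constructed sample data, and the three rules are assumptions about what a site would want flagged.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

STALE_DAYS = 90  # rule of thumb from the thread: flag accounts unused for 90 days


@dataclass(frozen=True)
class HrRecord:
    user: str
    end_date: Optional[date]  # None: still employed, no end date recorded


@dataclass(frozen=True)
class Account:
    user: str
    system: str       # "AD", "badge", or a linked third-party app
    enabled: bool
    last_used: Optional[date]


Finding = Tuple[str, str, str]  # (user, system, reason)


def reconcile(hr: List[HrRecord], accounts: List[Account], today: date) -> List[Finding]:
    """Compare every access record against HR and return what should not still exist."""
    end_dates = {r.user: r.end_date for r in hr}
    by_user: Dict[str, Dict[str, Account]] = {}
    for a in accounts:
        by_user.setdefault(a.user, {})[a.system] = a

    findings = set()
    for user, systems in by_user.items():
        end = end_dates.get(user)
        termed = end is not None and end <= today
        ad = systems.get("AD")
        for name, acct in systems.items():
            # Rule 1: HR says the person is gone, yet this access is still enabled.
            if termed and acct.enabled:
                findings.add((user, name, f"enabled after HR end date {end}"))
            # Rule 2: the directory account was disabled but a linked system was missed.
            if ad is not None and not ad.enabled and name != "AD" and acct.enabled:
                findings.add((user, name, "disabled in AD but still active here"))
            # Rule 3: enabled but idle for 90+ days (orphaned or forgotten access).
            if acct.enabled and acct.last_used is not None:
                idle = (today - acct.last_used).days
                if idle >= STALE_DAYS:
                    findings.add((user, name, f"unused for {idle} days"))
    return sorted(findings)


# Constructed sample data: one current employee, one termed two weeks ago, one leaving soon.
TODAY = date(2023, 6, 1)
HR = [HrRecord("alice", None), HrRecord("bob", date(2023, 5, 15)), HrRecord("carol", date(2023, 7, 1))]
ACCOUNTS = [
    Account("alice", "AD", True, date(2023, 5, 31)),
    Account("alice", "badge", True, date(2023, 5, 31)),
    Account("alice", "vendor-portal", True, date(2023, 1, 15)),  # idle since January
    Account("bob", "AD", False, date(2023, 5, 15)),              # AD was disabled on time
    Account("bob", "badge", True, date(2023, 5, 14)),            # badge still opens doors
    Account("bob", "vendor-portal", True, date(2023, 5, 20)),    # used after the end date
    Account("carol", "AD", True, date(2023, 5, 31)),
    Account("carol", "badge", True, date(2023, 5, 31)),
]

if __name__ == "__main__":
    for user, system, reason in reconcile(HR, ACCOUNTS, TODAY):
        print(f"{user:6} {system:14} {reason}")
```

Run on a schedule, the report is only as useful as the person who reads it, which is the other half of the point made in the thread.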
HR should not have FULL IT admin / service accounts (Score:2)
HR should not have FULL IT admin / be able to see service accounts.
The last thing you need is HR killing some app service account or killing the IIS user.
Re: (Score:3)
I mostly deal with recent terminations but also occasionally new hires. Employee new hire/termination are actually very hard and largely unsolved problems.
Termed employees need: Turn in equipment and badge, network access termination, termination of access to systems outside the network, and termination of employee benefits.
Failing to see the issue. Failing to see how there's any problem on the IT side. Employee has credentials, tick box that locks them out. The. End. Your entire post sounds like the kind of post I'd expect from someone at Twitter when Elon came round and asked them to justify their job.
Re: New Hires and Recent Terms = Actually hard (Score:2)
You missed his point entirely. The problem is that it isn't just ticking one box and done. It's that there are twenty different boxes on fifteen different systems, each of which can only be ticked by a specific, different person from some specific, different department and/or vendor. Is this stupid? Sure. Is it avoidable? Probably not.
Re: (Score:2)
I don't think he missed the point. He's saying on the IT side. Ticking one box and having all of those credentials revoked, including building access and access to outside systems, is entirely doable and happens all the time. The stuff like taking receipt of equipment and badges and termination of employee benefits are the only things on the list that need to be handled by other departments.
That is, if you're sensible and using some form of single sign-on authorization and access management system (Okta, On
Re: New Hires and Recent Terms = Actually hard (Score:2)
No, you missed it too. You're talking about how things should be. He was talking about how things often are. Totally different things. Should it be a one tick affair? Yeah, sure. Is it always? No. Is it even always possible? No. There are many times when people need vendor logins in addition to their own company's login. There's no easy way to handle both with one click. Can it be done? Maybe. But often not.
Re: (Score:2)
Near the beginning of the month on a day when managers aren't running their monthly reports ... It also requires someone to actually care about that report and pay attention to the details and overcome inertia to take appropriate action.
Isn't that the manager's one job? To manage? Like, if they can't handle keeping track of who's on their team and what they need (the task of which, I might add, at any la
22 agencies (Score:5, Interesting)
Jack Ryan would NOT let this happen (Score:3)