Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
United States Security

Department of Homeland Security Can't Even Secure Its Buildings Against People It Fired (theintercept.com) 49

For the fourth time since 2007, an internal audit shows the Department of Homeland Security isn't deactivating access cards in the hands of ex-employees, leaving its secure facilities vulnerable to intruders. From a report: A new report by Homeland Security's Office of Inspector General shows that the department is systemically failing to revoke tens of thousands of "personal identity verification" cards that allow staff to enter sensitive, secure facilities and access internal data networks, despite being warned about the problem for 15 years. The issue is made worse, the report continues, by the fact that Homeland Security's internal record-keeping is so shoddy that it was impossible to determine how many ex-staffers have working access cards they aren't supposed to.

Like many modern office workers, Homeland Security hands out office-unlocking keycards to its employees to make sure strangers can't wander in off the street. And, like most workplaces, the department is supposed to follow a standard policy: When an employee is no longer an employee, for whatever reason, their card is to be promptly deactivated. Unlike most employers, though, Homeland Security is a component of the U.S. Intelligence Community, meaning these credit card-sized badges have a "grave potential for misuse if lost, stolen, or compromised," according to the inspector general report. Unfortunately for the department -- and potentially the homeland -- the OIG's latest audit found that's exactly what's happening, and on a vast scale.

This discussion has been archived. No new comments can be posted.

Department of Homeland Security Can't Even Secure Its Buildings Against People It Fired

Comments Filter:
  • by Anonymous Coward

    GSA handles HR as well as smart cards and access cards for all of the federal government.

    It can take years just to fire a federal employee in the first place, unless they have committed a national security felony. In that case it can be done in a couple of months. Either way, deactivating a building access card is towards the very end of the process flow for terminating a federal employee.

    • by PPH ( 736903 )

      deactivating a building access card is towards the very end of the process flow for terminating a federal employee

      I don't know why that should work that way. You put out a notification that an employee is leaving. Facilities and systems access are rescinded on the date specified. If it takes a few days (or weeks) to finish the HR paperwork, then they are on paid time off until that is completed.

      Happens all the time in contractors facilities with security clearances. People actually get an escort to the gate. The opposite happens when they are hired. Not all the paperwork for access and clearances might be complete. In

      • by gweihir ( 88907 )

        Indeed. A mess-up this massive is only possible with complete incompetence. Which, to be fair, the DHS is known for.

        • by PPH ( 736903 )

          To be even more fair, it's probably the fault of OPM. The 'HR' department of the federal government.

          • Not quite. OPM is the 'HR' department of all the retired federal government.

            GSA controls all the PIV cards for gov't employees (except those issued by DoD). GSA controls all the root certificates for all the certs on the cards to validate against. It is up to the individual agencies (DHS, DoC, DOI, etc) to manage their employee's cards and have a process for deactivating cards for outgoing employees.

            If the fast turnover of employees at DHS means they are not deactivating cards, don't have a process for r

            • by PPH ( 736903 )

              Not quite. OPM is the 'HR' department of all the retired federal government.

              Things mush have changed. They were in charge of losing all the personal information of current government employees and contractors with security clearances to foreign intelligence services only a few years ago. My how time flies.

              I lucked out and got my clearance when the FBI was still doing background checks. They asked me to sign a new agreement to deal through OPM. I said I'd be retiring instead. They left me dealing with the FBI.

    • Re: Blame GSA (Score:5, Interesting)

      by ArmoredDragon ( 3450605 ) on Thursday December 29, 2022 @05:26PM (#63166686)

      This is an interesting topic to me because I happen to do software development for identity and access management. Among other things, I maintain the software that automatically provisions and deprovisions access for new and termed employees. The way we do this is basically we have a one step process to deactivate ALL access, including their PIV cards that they need to access the buildings.

      There's basically two processes for this though. If an employee has a contract that is ending, or if they've put in their notice, then the HR system will have that end date, which our system picks up, and once that date hits then everything is deprovisioned.

      Then there's a "forced" termination process. Either HR or the person's manager notifies us that somebody is being terminated immediately, and somebody on our team logs into our system and hits a button. Just like that, all access is gone; no other manual steps needed.

      We actually "tested" this functionality on my last day at my previous company. Basically I was in the building and on a video call, and somebody shared their screen while they termed my account in a "Viking funeral". Then my now former boss asked me to try logging into stuff, and see if my badge still worked. It took about 5 minutes before almost everything stopped working, though we did find a longer delay (about two hours) in a relatively insignificant system that I presume the remaining engineers have since fixed.

      We also had software that periodically (about weekly) scans all systems to ensure that all employees that are currently termed have had their access revoked in every application in case something was missed, broken, etc

      Interesting that Homeland Security, of all places, has no such thing. Without IAM, you basically don't have any security.

    • Re: (Score:2, Funny)

      by thomn8r ( 635504 )

      It can take years just to fire a federal employee in the first place, unless they have committed a national security felony. In that case it can be done in a couple of months

      How about if the ex federal employee takes home 20 boxes of highly-classified documents, and stores them in the bottom of an unlocked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'?

  • by bustinbrains ( 6800166 ) on Thursday December 29, 2022 @03:51PM (#63166508)

    I mostly deal with recent terminations but also occasionally new hires. Employee new hire/termination are actually very hard and largely unsolved problems. Systems that integrate with Azure/Okta/Devops workflows have helped alleviate some of that pain in the last 5+ years at least on the digital side of things BUT come with their own can of worms: One login to rule them all.

    New hires need: Equipment, badge, network login, access to specific systems, and spin up of employee benefits packages.

    Termed employees need: Turn in equipment and badge, network access termination, termination of access to systems outside the network, and termination of employee benefits.

    To muddy the waters a lot: Life is complicated! Not all termed employees are fully terminated immediately. Not all new hires start immediately. Some employees go on paid leave (e.g. maternity) and only need partial deactivation during their extended leave. Some are termed but immediately restart as some sort of contractual vendor. Some vendors need access to some systems to conduct maintenance.

    Coordinating new hires and terms usually involves a lot of people across a range of disciplines: HR, IT, security desk, the employee's manager, and usually some random people involved in account setup/teardown, and sometimes vendors need to be contacted. At least a dozen people with specific responsibilities are involved just for one employee. Email and support tickets are generally the primary means of communication. And it takes effort to make sure both the employee and the organization have good onboarding and offboarding experiences. This appears to be a largely unsolved problem because there are many moving pieces that take place over a flexible timeline. It's super easy to let something slip through the cracks. Mistakes are constantly made even at the best organizations.

    Halfway decent organizations build their own reporting/self-audit tools to help automatically identify significant at-risk systems (e.g. "this disabled user in AD is still active over in this linked 3rd party system") on some sort of frequency. Near the beginning of the month on a day when managers aren't running their monthly reports and any account that hasn't been used for 90 days are good rules of thumb for alerting someone. It also requires someone to actually care about that report and pay attention to the details and overcome inertia to take appropriate action. Obviously DHS hasn't gone through that exercise, so this latest audit caught them with their pants down. We can understand how this happened, but for an entity the size of DHS, it is inexcusable.

    • by TWX ( 665546 )

      The biggest issue then, is that the badge-access system isn't tied directly into the employment records system. If the employment records don't trigger suspension, restoration, and termination of existing building access, along with triggering notifications for things like change-of-rights or enabling new badges to begin with when people receive promotion or transfer, then the system is subject to human failings out of apathy or ennui. If the employment system wasn't written with that kind of API call and

      • I can build that in a weekend, I mean oh wait, it's a government contract, that will take 5 years and $150 million for the first iteration plus support, maintenance and a per admin fee and a per card/user fee. Forever.

      • by ArmoredDragon ( 3450605 ) on Thursday December 29, 2022 @05:57PM (#63166786)

        You shouldn't tie anything directly into the HR systems. Ideally you have a central identity warehouse that automates access controls, and it uses the HR system as one (of possibly many) inputs to govern access. That system then connects to the other systems you use to adjust things like ACLs, permission, groups, etc, or in this case, which doors their badges open. You're not only dealing with new hires and terminations, but also people who change job roles. And when new systems are added, you want to just set rules/policies for them so that existing employees automatically get access to it if they need it.

        Then you have other maintenance scripts or programs that periodically scan other systems to ensure that all access remains compliant with the policies.

    • I mostly deal with recent terminations but also occasionally new hires. Employee new hire/termination are actually very hard and largely unsolved problems.

      Termed employees need: Turn in equipment and badge, network access termination, termination of access to systems outside the network, and termination of employee benefits.

      Failing to see the issue. Failing to see how there's any problem on the IT side. Employee has credentials, tick box that locks them out. The. End. Your entire post sounds like the kind of post I'd expect from someone at Twitter when Elon came round and asked them to justify their job.

      • You missed his point entirely. The problem is that it isn't just ticking one box and done. It's that there are twenty different boxes on fifteen different systems, each of which can only be ticked by a specific, different person from some specific, different department and/or vendor. Is this stupid? Sure. Is it avoidable? Probably not.

        • by PCM2 ( 4486 )

          I don't think he missed the point. He's saying on the IT side. Ticking one box and having all of those credentials revoked, including building access and access to outside systems, is entirely doable and happens all the time. The stuff like taking receipt of equipment snd badges and termination of employee benefits are the only things on the list that need to be handled by other departments.

          That is, if you're sensible and using some form of single sign-on authorization and access management system (Okta, On

    • It is not an unsolved problem at all, has been solved many times over the past 20 or 30 years. Sadly companies still seem to treat it as a difficult issue when it isn't. basically it comes down to everything you have to turn on for them you turn off again. It is very easy to implement in workflows or hell just a sheet of paper with the steps for the offboarding person. What fucks it up is companies that try and overengineer it in things like SNOW, SNOW is fantastic as does a great job as long as you don't h
    • But, in the end, isn't the the direct boss or manager or HR that's responsible to make sure that the things are set up and access is removed once they're terminated? After all, if a someone gets fired and they take home a work laptop, the company is all over that sh*t. But if they walk out with a valid and active access card, that's a-okay?

      Near the beginning of the month on a day when managers aren't running their monthly reports ... It also requires someone to actually care about that report and pay attention to the details and overcome inertia to take appropriate action.

      Isn't that the manager's one job? To manage? Like, if they can't handle keeping track of who's on their team and what they need (the task of which, I might add, at any la

  • 22 agencies (Score:5, Interesting)

    by laughingskeptic ( 1004414 ) on Thursday December 29, 2022 @04:03PM (#63166530)
    There are some glaring holes in this assessment. How many of these "terminations" were transfers? You do not work for DHS, you work for one of the 22 agencies and departments in DHS and there are a lot of transfers. If you are "leaving leaving" the last person you see is security and they take your card, so active or not it does not really matter. If you are transferring they often save each of other the "trouble" of getting a new card in the new org which can take months. Some of these are also contract transfers. The government treats the end of a contract as a termination of all contractors ... even if they are coming back tomorrow under a new contract. Managers do not want their contractors to turn in their cards in this case and ask security to not take it. They instead do different paperwork the next day to associate the employee with the new contract. However, in this system that is likely going to show up as a card active beyond when it was supposed to be which is illogical and counter-productive. How many of these supposedly active cards have been used that were not part of transfers of some sort? -- They should be able to answer this question and my guess is this number is very close to 0. So we have dumb a agency that is made to appear even dumber than they actually are because they couldn't manage a software project and have crap software.
  • by fjorder ( 5219645 ) on Thursday December 29, 2022 @05:55PM (#63166776)
    Just saying

The sooner all the animals are extinct, the sooner we'll find their money. - Ed Bluestone

Working...