Network World
Saturday, November 22, 2008

Layer 8


Report spanks cyber-security at Los Alamos National Lab (again)

As one of the nation's premier national security labs and one of three nuclear weapons facilities, and after a series of high-profile security flubs, one would think they'd go out of their way to get the facility's security act together. Apparently not.

Watchdogs at the Government Accountability Office said today that while the Los Alamos National Lab has indeed bolstered some of its cyber protection, weaknesses remain in protecting the confidentiality, integrity, and availability of information on its unclassified network, among other deficiencies. LANL's unclassified network contains sensitive information, such as unclassified controlled nuclear information, export control information, and personally identifiable information about laboratory employees.

Some specifics of the report include:

  • LANL has implemented a network security system that is capable of detecting potential intrusions; however, the GAO found vulnerabilities in several critical areas, including identifying and authenticating users; encrypting sensitive information; and monitoring and auditing compliance with security policies. For example, LANL has implemented strong authentication measures for accessing its unclassified network, but once access is initially gained, a user can work around the authentication measures to access certain sensitive information. A key reason for LANL's information security weaknesses is that the laboratory has not fully implemented an information security program to ensure that controls are effectively established and maintained, the GAO stated.
  • At the time of our review, LANL had not implemented complete security solutions to address either the storage of classified nuclear weapons parts in unapproved storage containers or weaknesses in its process for ensuring that actions taken to correct security deficiencies are completed.
  • Management approaches that LANL and National Nuclear Security Administration (NNSA) officials told us they would use to sustain security improvements over the long term were in the early stages of development or contained weaknesses.
  • The lab's ability to sustain its improved physical security is unproven because (1) the laboratory appears not to have done so after a significant security incident in 2004, and (2) NNSA's Los Alamos Site Office, which is responsible for overseeing physical security at LANL on a daily basis, may not have enough staff or the proper training for these staff to execute a fully effective security oversight program.
  • The lab's cyber security officials told the GAO that funding to address some of their security concerns with respect to the laboratory's unclassified network has been inadequate. Officials told the GAO LANL has not adequately justified its request for additional funds, and NNSA is developing a process for developing cyber security budgets more systematically. We made 52 recommendations to the Secretary of Energy and the Administrator of NNSA that, if effectively implemented, would improve LANL's information security program and controls over its unclassified network. These recommendations address, among other things, ensuring that LANL's risk assessment for its unclassified network evaluates all known vulnerabilities and is revised periodically, and strengthening policies with a view toward further reducing, as appropriate, foreign nationals' access to the unclassified network, the GAO stated.
  • LANL's most recent risk assessment for its unclassified network generally identified and analyzed vulnerabilities, but did not account for risks identified by the laboratory's own internal vulnerability testing. Furthermore, the GAO and other external security evaluators have reported concerns about LANL's policies for granting foreign nationals, particularly those from countries classified as "sensitive" by DOE, access to the unclassified network.

In addition to its previous recommendations, the GAO said it made an additional 41 recommendations that it did not publicly disseminate.

Security equals IT?

Doesn't really matter which institution or corporate it is, security management has gone very weird! I understand that this is a very limited computer forum but security is much more than just IT or some tools and toys!

Security can never be solved by IT or any other, mostly technology based, function. Security is an abstract, a strategy, blah, blah..

Technology is easy - sorry, fighting it over 35 years, but trying to use some tools and toys, which in itself can help!, can not solve the basic problems.

So - this seems again as a power / political fight in name of security. Seen many of those, none ever solved anything or gave us more "security" (a note - define security) just more complications and, unfortunately often, less security!

Easy to throw rocks, let's see how you stand up to a GAO Audit

I'd love to see anyone actually pass a GAO audit while trying to actually allow scientists to work. As is alluded to with the Nuclear Weapons Laboratory tag, Los Alamos National Laboratory is a Research Laboratory. While many places do research, few are bound to the level of reporting and security that Los Alamos is. It's easy to lock down a computer where all the owner does is run email, office applications, and even standard off-the-shelf applications. Los Alamos could easily crank out this kind of system and pass any audit thrown at them. However, securing a massively parallel clustered system with over 2000 discrete servers running in-house developed code, much of it and the data it produces is classified, and trying to force that system into a standard Windows security configuration meant for an everyday corporate security plan does not work. Sure it will fail an audit. Additionally, the more controls that are forced on us, the harder it is for the scientists to get their work done. If LANL's goal is to run computers for the sake of running them, security is easy. If, on the other hand, LANL's goal is to produce world-class science, they will need to be able to do things nobody has done before. Things will need to be done that preclude a standard Enterprise security model. It's unfortunate that most of the people making the security rules have no clue what good secure practices would be when applied to an experimental environment.
