Critical FBI Network Full of Security Holes, Government Auditors Report: "A critical'FBI communications network containing sensitive law enforcement and investigative data is rife with security flaws and is vulnerable to attacks from outsiders and insiders alike, according to an audit released Thursday by the Government Accountability Office.

The unnamed network is'part of the long delayed and scandal plagued Trilogy system that the FBI wants to replace its network of computers and networks,' which for years was so bad that agents reportedly couldn't email one another.

System administrators have failed to keep obsolete software off the network, patch computers quickly, ensure passwords and data are strongly encrypted, log and audit security events'and prevent insiders from having more privileges than necessary for their job, according to the audit (pdf).' The report explicitly refers to rogue former agent Robert Hannsen, who misused his insider access to sell government secrets for years to the Soviets.

Ineffective controls threaten the confidentiality, integrity, and availability of the sensitive law enforcement and investigative information transmitted by the critical internal network. Certain information security control weaknesses existed in network devices and services, identification and authentication, authorization, cryptography, audit and monitoring, physical security, and patch management. The bureau’s lack of a comprehensive inventory of the current network operating environment— an enterprise wide view—compounds the effect of these weaknesses.[...] These weaknesses leave the bureau vulnerable to insider threats.

For its part, the FBI's Deputy Chief Information Officer Dean Hall'agrees'the FBI'needs to make some changes, but contends it mostly all good.

'The FBI does not agree that it has placed sensitive information at an unacceptable risk for unauthorized disclosure, modification, or insider threat exploitation,' Hall wrote'in response to the report.

(Read Original Article - Via Threat Level.)