EPA cleans up security mess

Six months after computer security at the Environmental Protection Agency

was judged to be so flawed as to be ineffective, the agency continues a

massive security overhaul.

Security lapses left the EPA so vulnerable that, in February, the agency

shut down its World Wide Web sites and cut off outside access to its computer

systems to prevent them from being damaged in online attacks.

In the months since then, an information security team has ordered more

than 100 changes in security practices. Still, about 30 percent of the services

that were disconnected remain offline, according to George Bonina, the EPA's

director of information security.

Dial-in access to the EPA's computer systems is one of the services

not fully restored. It is proving difficult to secure. Permitting remote

access can "open up huge holes in the firewalls. We don't have that fixed

yet," Bonina told a group of federal Webmasters on June 22.

Public access to the EPA's Web sites has been restored, however. "The

public was clamoring for access" after the Web sites were shut down, he

said.

The EPA's vulnerabilities were discovered late last year during a security

audit by the General Accounting Office. GAO investigators penetrated the

EPA's systems that contained sensitive and national security-related information.

The agency's computer vulnerabilities were not obvious, even to many

in the EPA. "Our actual security program on paper was pretty good. We just

weren't implementing it," Bonina said.

Vulnerability came from a multitude of sloppy practices. For example,

"we got clobbered because of passwords," he said. Even system administrators,

who should know better, used passwords that were easy to guess. One used

"sysadmin," he said.

Passwords were changed, and now system administrators are required to

certify that they are following sound password practices.

Another weakness was created by the EPA's failure to keep access to

its systems up-to-date. "We had a lot of people who were long gone from

the agency who still had accounts" that gave them access to the EPA's computers,

Bonina said. Some were contractors, some were former employees and some

were simply outsiders, he said. And "a lot of people were sharing accounts,"

which made it difficult to control access.

The EPA operates about 1,500 servers; during the security overhaul,

agency officials discovered that "not all of them were configured to agency

standards," Bonina said. That has been cleaned up, he said.