
Wednesday, 20 November 2013

Healthcare.gov is Hacker-Bait, Say Security Experts

As it now exists, Healthcare.gov, the federal exchange for approved health plans, "creates massive opportunity for fraud, scams, deceptive trade practices, identity theft and more," Morgan Wright, CEO, Crowd Sourced Investigations, LLC told the House Science, Space, and Technology committee in a hearing held yesterday. He was only one of several cybersecurity experts who testified as to the vulnerabilities of the already infamous Website, launched October 1 as part of the rollout of Obamacare. Perhaps the only saving grace is the frequency with which Healthcare.gov crashes, dissuading people from entering information, or even making use impossible, and so sparing them the high risk of data theft.

In his testimony (PDF), Wright said:

    The first major issue is the lack of, and inability to conduct, an end to end security test on the production system. The number of contractors and absence of an apparent overall security lead indicates no one was in possession of a comprehensive, top down view of the full security posture. For a system dealing with what will be one of the largest collections of PII, and certain to be the target of malicious attacks and intrusions, the lack of a clearly defined and qualified security lead is inconsistent with accepted practices.

Wright pointed to a flaw involving the management of names and passwords, discovered by a private security researcher, that would have allowed hackers to take control of people's accounts. That hole has been patched, but others have been assigned a fix date of May 31, 2014—while the Website remains up and running.

    This is completely unacceptable from an industry perspective, and is in extreme contravention of security best practices. Only in the government could such a gaping hole be allowed to exist without fear of consequence. This shows a lack of understanding for the consequences to consumers and the protection of also creates massive opportunity for fraud, scams, deceptive trade practices, identity theft and more. Much of this is playing out right now.
