Security Vulnerabilities of Local Area Networks

To: All Employees
From: Donald Watson, Bureau Automated Information Systems Security Officer
Subject: Security Vulnerabilities of Local Area Networks

The purpose of this message is to remind the owners, administrators, and users of USGS local area networks (LANs) that these networks are inherently insecure. The fact that most, if not all, LANs are connected to other wide area networks such as DOINET and the INTERNET further increases the security-related vulnerabilities. Although we are continually improving our network security controls, it is practically impossible, at present, to guarantee the privacy and confidentiality of sensitive information either transmitted over or stored on our LANs.

In recent years, many private sector and Federally owned LANs have been broken into by individuals commonly referred to as 'hackers'. After gaining "privileged" access to a networked host computer through one means or another, these intruders typically plant monitoring software known as 'sniffers'. Using the 'sniffer' software, these individuals monitor network traffic, reading all information traveling over the LAN. From information gathered in this fashion, the intruder can collect sensitive data and potentially compromise other, connected computers.

Electronic mail (E-mail) is an application that is often overlooked when considering the possibility of someone compromising confidential information. We generally tend to think that E-mail is private, and it should be. However, there are two situations that can jeopardize the privacy of E-mail. First, an individual can capture and read messages being transmitted over the network using 'sniffer' software. Second, someone could break into a weak, unprotected E-mail server, become the system administrator, and read any message stored on that server.
Due to the risks described above, and until stronger security measures can be implemented, I encourage you not to transmit the following types of information over our networks or store them, in the form of documents, on our E-mail systems:

- Privacy Act Information - data that uniquely identifies an individual, e.g., Social Security Number.
- Procurement-related materials such as proposal evaluations, actual bid numbers, or any other proprietary information.
- System registration information that includes a User ID along with its initial password.
- Documents written by supervisors that contain negative or adverse action comments on employee performance or behavior.
- Any information addressed to system administrators that could be used to compromise the systems they manage, e.g., a list of devices with their passwords.

Remember, successful 'hacks' into computers or networks are not always the result of brilliant technical prowess or superior hacking tools. Many times they are accomplished by taking advantage of the naive behavior of staff and users. It is important that everyone adhere to sound security practices and procedures when using any of our computing resources. It is especially important that network system administrators make sure that everything possible is being done to protect the systems under their control.

If you have any further questions regarding the recommendations discussed in this message, please call me at (703)648-7046 or send an E-mail message to dwatson@usgs.gov.