jpete wrote: How can you say that when fraud is rampant? If there were a system in place to determine who is accessing the system, fraud would be nil.
If you mean they know which employee accesses the system, that's virtually meaningless because the bad guys aren't employees.
And the bad guy in the majority of this WikiLeaks stuff is a Pfc that was fully authorized to access the system so what good did any of the "security" do?
Any computer data system that contains as much information as SSA, or for that matter any government agency, is large and complex. You need to have a better understanding of how it's organized before you can make simple generalizations like the bad guys are gaining access. The SSA system records are huge; not only does an individual's record include information about him or her, it includes relationship to parents, spouses, etc. This is known as the master file. Access to this record is highly controlled. By law access is off limits to almost all other government agencies. So for example immigration can't access it. It is this master record that I'm speaking of. Even SSA's own computer specialists (programmers) have difficulty getting access to it. Instead they use a fake data set when testing their newly developed programs. Any access to the master records requires pre-approval and there is strict recording of access logins.
When you apply for SSA benefits at your local field office the clerk can see your records but they can't be altered. The request for benefits must be supported by information that supports who you are. Here's where fraud can and does occur. But that is a much different problem than access to the master data files. Changes to the master files are done in batch processing mode. That's why it takes some time to start your benefits, a waiting period until the next batch processing input.
In the State Department data breach it appears the low-level intelligence analyst had wide-ranging reading rights. Perhaps he couldn't alter the records but it's hard to understand why he would need such wide rights to do his war zone intelligence job. That was the first security breach, giving the broad rights. It's been reported that he recorded the State Department data on a CD. A CD that he took in that contained music files. Then erased it and used it to record what he was looking at. Why would you allow a hardware system that has a CD burner in it? It's just a security risk, the second needless risk. If there is a need to record classified data to get it somewhere else, there is always stringent other approvals needed and a logging trail of who had what and when. Clearly there was also a security breach allowing him to bring a recordable data disk into the facility, whatever it was. That's a third security breach. Normally you can't even bring your lunch into such a facility. Clearly there was a lot at fault. Yes, it was a rogue Pfc that had authorized access. But that's no excuse for not having a computer monitoring system in place that shows what, when and how much data was being looked at. For example our Forum's administrator can see everything we do. He used those tools to ban "Devil44" because he violated his warnings and the rules. There had to be obvious computer use clues the Pfc was up to no good. Either there wasn't a monitoring system in place or someone wasn't looking.