Slashdot Mirror


U.S. Agencies Earn "D" For Computer Security

Fighting.Cephalopod writes "For the fourth year in a row, most federal agencies have received low grades for failing to protect their computer networks from hackers and other cyberterrorists, according to a computer security report card issued today by the House Government Reform Subcommittee on Technology." Other readers point out coverage of the report at ZDnet, Reuters (via Forbes), The Washington Post, and ComputerWorld. As mr. don't points out, the agencies receiving an actual failing grade are "the U.S. Department of Justice, as well as the departments of Energy, Health and Human Services, Interior, Agriculture, Housing and Urban Development, and State."

20 of 302 comments

  1. Re:How did by KDan · · Score: 5, Informative

    It got an F.

    Daniel

    --
    Carpe Diem
  2. Here's the score and grade breakdown by dat00ket · · Score: 5, Informative

    Agency              Score   Grade
    Agriculture          40.0   F
    AID                  70.5   C-
    Commerce             72.5   C-
    DOD*                 65.5   D
    Education            77.0   C+
    Energy               59.5   F
    EPA                  74.5   C
    GSA                  65.0   D
    HHS                  54.0   F
    DHS                  34.0   F
    HUD                  40.0   F
    Interior             43.0   F
    Justice              55.5   F
    Labor                86.5   B
    NASA                 60.5   D-
    NRC                  94.5   A
    NSF                  90.5   A-
    OPM                  61.5   D-
    SBA                  71.0   C-
    SSA                  88.0   B+
    State                39.5   F
    Transportation       69.0   D+
    Treasury*            64.0   D
    VA*                  76.5   C

    Government-wide Average   65   D

  3. Re:Again, not a surprise by ubrgeek · · Score: 2, Informative

    That's the biggest load of crap I've ever heard unless what you mean is contracting "companies" rather than the contractors themselves, and even then I'd have to disagree. A _vast_ majority of the contractors working on cyber security issues have a huge, personal interest in keeping things secure. And, furthermore, the "profit motive" is very clear: Contracts are won and lost on the report card. If a company is hired to protect a gov't network and that network is shown to have been compromised (or vulnerable) then that company will not be selected to continue on the contract when it comes time to renew. Further, the USG has passed "information security protection" legislation, in terms of the Office of Management and Budget, along with all Inspector General offices are holding the agencies to task for securing their networks, to the point of withholding funding if they don't. As someone replied to one of my (unrelated) postings, "Get your facts straight."

    --
    Bark less. Wag more.
  4. Re:Again, not a surprise by nemaispuke · · Score: 5, Informative

    Yes there are a lot of contractors and Government employees who don't have a clue. The bigger problem is what guidance is given to people who have to secure those systems (particularly Unix). All Information Assurance personnel want to hear is whether the machines are C2 or not (never mind TCSEC was declared dead March 11, 1999). And this only covers auditing, so they are concerned about trust, not security.

    The last project I worked on we had to use the Defense Information Systems Agency STIG as if it was the bible of Unix security. Here is the mentality of DISA: the Solaris section covered 2.5.1, the AIX section covered 4.3 (but not 5L), and for the most part it was only concerned about auditing. Check it out for yourself at:

    http://csrc.nist.gov/pcig/cig.html

    If you have administrators who are limited by inept guidance, what do you expect!

  5. Re:Grades by thinkliberty · · Score: 2, Informative

    Actually they were using Linux (from netcraft.com Microsoft-IIS/6.0 25-Nov-2003 63.208.194.46) until they switched to 2003 server on 11/26/2003.

  6. Re:Again, not a surprise by Davak · · Score: 4, Informative

    I am assuming that you are not trolling.

    I have seen the contractor system work very well in the past... however, it took multiple redundant contractors to complete one system.

    For example, we recently setup a system in a clinic that deals with medical records. One contractor brought in the boxes, networked them, and left. Then we brought in our security contractors that locked down the boxes as tight as possible. After that, we had our internal security guru try to pick apart their security... and they came back and corrected the problems they left.

    The security guys are not the general installation guys.

    Save your energy... and get separate contractors.

    Davak

  7. Physical Access by rf0 · · Score: 3, Informative

    You can have all the cyber security (firewalls, IDS ) etc you want however there is still the risk of someone just stealing a laptop and getting access to a load of secret files.

    Your security is only as strong as your weakest link

    Rus

  8. Re:Again, not a surprise by ekephart · · Score: 2, Informative

    Until security is as measurable as the price of a contract, it will always take a back seat.

    Unfortunately measuring security is difficult. One may conduct an extensive (and expensive) study like this report card. Alternatively, most measure security by what *doesn't happen* (viz. successful attacks), which is insufficient.

    --
    sig
  9. Re:How did by Davak · · Score: 4, Informative

    Please mod parent up. They did actually receive an F.

    See quote from article.

    The Department of Homeland Security was one of eight agencies that received a grade of F for its network security efforts.

    Davak

  10. errata yadda yadda by segment · · Score: 4, Informative

    Compsec... and they had so called mapped out plans for years now too... (NATIONAL PLAN FOR INFORMATION SYSTEMS PROTECTION EXECUTIVE SUMMARY). One quote I will always remember is something to the extent of "the feds are good at carrying guns not locking down machines."

    There are so many variables involved with government, that they are the ones shooting themselves in the foot. Considering if you're using a machine right, and you know it's insecure, if you took it upon yourself to fix it, you could be charged with a crime. Hell slightly off topic but look at what the gov did with the so called chaplain spy (charged with downloading porn).

    I'm sure gov's IT staff throughout the branches are overwhelmed with things, so it's a bit unfair to call them all clueless gimps or similar. However, and I will throw this out as a "story", someone stated they worked for a gov agency. Person stated the procedures for daily wipes to ensure things are wiped, etc., ... According to person he had never seen it done, because they never bothered with it. Now imagine if one of these machines were thrown out and the machine had material on it that was highly sensitive. It happens more often than some think.

  11. As an employee by blankmange · · Score: 5, Informative
    of the Fed, I would have to agree. Where I work at, we rely (almost 100%) on Microsoft products (OS, applications built with Office, etc), so we are bombarded with updates, patches, and alerts. Also, I am the tech support in the District Office here, so whenever there is a problem with a workstation, it is usually (75% or so) user-related. In other words, they didn't know what the hell they were doing. My agency is one of the few that actually improved since last year, but we have a very long way to go before I would put my trust in them.

    In addition, those of you who sound surprised, try reading The Myth of Homeland Security by Marcus Ranum (here). It is surprisingly accurate, and not just another 'chicken little' diatribe.

    --
    ...we are from the government - we are here to help...
  12. Link to the Actual Report Card by richg74 · · Score: 5, Informative

    Here is the link to the actual page containing the report card.

  13. Re:let me get this straight by corbettw · · Score: 4, Informative

    3) hacked into debt(identity theft) through the place that controls employment, etc...

    Actually, DHHS controls medicare and related programs, not unemployment. Unemployment details are left at the state level down here. Though if the IRS (part of the Treasury department) were hacked, you would get completely screwed. (DHHS is also the office of the Surgeon General, so maybe tobacco companies could use this to get a ringing endorsement.)

    Also, the State Department controls things like visas, so hacking in there could be a step to getting into the country in the first place.

    Hacking the Interior and Agriculture departments could be useful to get yourself some free money. They both have pretty large budgets for either grants or subsidies. I believe the Indian Bureau is part of the Interior, too, so maybe some random tribe could use it to get more money.

    Housing and Urban Development gives money to poor people in the inner city, so someone could easily use them to embezzle obscene amounts of money.

    The one I'm most scared of is the Department of Energy. They're responsible for keeping nuclear weapons from being smuggled into the country. If someone tried to float a nuke up the Chesapeake, for instance, the boys in the Energy Department have the tools to notice it and alert the Navy and Coast Guard. So getting root there means you can wave your fingers and tell everyone "this is not the tanker you're looking for."

    --
    God invented whiskey so the Irish would not rule the world.
  14. Correlation - unsat supplier -> unsat security by SgtChaireBourne · · Score: 2, Informative
    It [the dept. of homeland security] got an F.
    I suppose there's a correlation there somehow. An unsatisfactory supplier leads to unsatisfactory security. Choose products more carefully next time.

    It's not like there wasn't a warning ... for the last 10 years.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  15. Re:How did by jgabby · · Score: 2, Informative

    Here says that the DHS scored a 34 ... the lowest of all the agencies surveyed. Way to go, guys!

  16. Re:How did by 56ker · · Score: 2, Informative

    Here's a link to the actual hearings page and the Computer Security Report Card 2003 (pdf file).

  17. This is an unwinnable war. by karmaflux · · Score: 2, Informative

    The DoD is something I know about -- I can't even get rights to install another network printer. I'm in the Army Reserve, and we're told we have to talk to the "building network administrator," who isn't there on weekends... which is the only time we're there. In a DoD network, all this stuff comes down to one guy per building/unit/whatever. If he's not on the ball, the whole unit can go down in a blaze of MSBLAST.

    --

    REM Old programmers don't die. They just GOSUB without RETURN.

  18. Re:Again, not a surprise by pointbeing · · Score: 4, Informative
    Every government IT contract includes a "statement of work" that outlines what the government expects the contractor to do and the contractor doesn't have to do anything that's not in that statement of work. Maintaining IT security is part of the day-to-day operation of a government network and generally no modification to the contract is necessary.

    But - when something falls outside the realm of normal IT operations the contractor can ask for more money - as an example we bought about a hundred firewalls to deploy to satellite offices. The contract we have with IT support staff allows X number of billable hours per job description. Installing and maintaining those firewalls was not factored into the contract so the contract was modified and IA staff increased by four people.

    "This needs to be done" doesn't necessarily obligate the contractor. It does if it's part of the normal duties outlined in the contract, but if it exceeds time and materials outlined in the contract the contractor has the right to ask for more money.

    --
    we see things not as as they are, but as we are.
    -- anais nin
  19. Re:I'm a govt network admin... by hackstraw · · Score: 5, Informative

    "Yeah, that is a risk, however, you still can't disable TELNET. It is required."

    I was in a similar situation, and I modified the telnet daemon so that a password wasn't required and put the telnet app on a different port and tcp wrappered that port. Granted this wasn't financial info, but I could not have a plaintext password going to a mission critical system.
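    The "tcp wrappered" part of the workaround above is the access-control step, and it is worth seeing exactly what that decides and what it does not. The following is an added example, not hackstraw's configuration and not the real libwrap parser: it reproduces the rule order TCP Wrappers uses (a match in hosts.allow grants, otherwise a match in hosts.deny refuses, otherwise access is granted by default) over a constructed pair of rule files, with a subset of the client-pattern syntax (ALL, a trailing-dot network prefix, CIDR or netmask form, and exact addresses). The daemon name `in.telnetd` and the subnet `10.20.30.` are assumed sample values. Note what the example makes visible: the wrapper restricts which source addresses may reach the listener, but does nothing for the confidentiality of the session itself, and an empty or missing hosts.deny leaves every unmatched client allowed.

```python
"""Added example: tcpd-style access decision (hosts.allow / hosts.deny).
Hypothetical, simplified re-implementation of the libwrap rule order and a
subset of its client patterns; not the project's or the poster's own code.
"""
import ipaddress

# Constructed sample rule files; real tcpd reads /etc/hosts.allow and
# /etc/hosts.deny.  Daemon name and subnet are assumed values.
HOSTS_ALLOW = """
# management subnet may reach the wrapped telnet listener
in.telnetd : 10.20.30.
sshd       : ALL
"""
HOSTS_DENY = """
ALL : ALL
"""


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) tuples.
    Comments and blank lines are skipped; any shell-command field after the
    second colon is ignored in this simplified version."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def client_matches(pattern, client_ip):
    """Subset of libwrap client patterns."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # '10.20.30.' network prefix
        return client_ip.startswith(pattern)
    if "/" in pattern:                        # 'net/len' or 'net/mask'
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(
            pattern, strict=False)
    return client_ip == pattern               # exact address


def rule_matches(rule, daemon, client_ip):
    daemons, clients = rule
    daemon_ok = "ALL" in daemons or daemon in daemons
    return daemon_ok and any(client_matches(p, client_ip) for p in clients)


def access_allowed(daemon, client_ip, allow_text=HOSTS_ALLOW,
                   deny_text=HOSTS_DENY):
    """tcpd order: hosts.allow match grants; else hosts.deny match refuses;
    else the connection is allowed (the default-allow pitfall)."""
    if any(rule_matches(r, daemon, client_ip) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, client_ip) for r in parse_rules(deny_text)):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample connection attempts
    for daemon, ip in [("in.telnetd", "10.20.30.7"), ("in.telnetd", "192.0.2.9"),
                       ("sshd", "192.0.2.9"), ("in.ftpd", "10.20.30.7")]:
        verdict = "allow" if access_allowed(daemon, ip) else "deny"
        print(f"{daemon:<12} from {ip:<12} -> {verdict}")
    # Same ftpd attempt with no hosts.deny at all: falls through to allow
    print("in.ftpd with empty hosts.deny ->",
          "allow" if access_allowed("in.ftpd", "10.20.30.7", deny_text="") else "deny")
```

    The last line of the run is the one to remember when reviewing a wrapper-based setup: the `ALL : ALL` in hosts.deny is what turns the default from allow to deny, so a rule file that is absent or commented out silently opens every wrapped service that hosts.allow does not mention.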

  20. Re:You keep using that word... by neocon · · Score: 0, Informative

    Leaving Godwin aside for a moment, do you actually have a point here? Would you care to actually back up any of your claims?

    You assert that the creation of DHS is 'unconstitutional', for example, yet you fail to give any argument why combining several federal agencies which had existed for decades could be 'unconstitutional' if the prior existence of the agencies themselves was not.

    You suggest that the 'favored mode of operation' of DHS is to 'suppress' people, but surely you agree that this is mere FUD if you cannot provide any examples.

    And finally, you suggest that DHS is not interested in protecting the homeland (the only claim which might make the original poster's claim that the name 'Department of Homeland Security' is 'Orwellian'), but you don't back this claim up either, nor explain whether you think the customs service, the coast guard, the office of the postal inspector-general and the other organizations which were merged to form the DHS were "oppressive" before they merged, or if cutting through the bureaucratic mess which made these agencies so ineffective before is what makes them "oppressive" in your view.

    Well? Or are you just blowing hot air?