U.S. Agencies Earn "D" For Computer Security
Fighting.Cephalopod writes "For the fourth year in a row, most federal agencies have received low grades for failing to protect their computer networks from hackers and other cyberterrorists, according to a computer security report card issued today by the House Government Reform Subcommittee on Technology."
Other readers point out coverage of the report at ZDnet, Reuters (via Forbes), The Washington Post, and ComputerWorld. As mr. don't points out, the agencies receiving an actual failing grade are "the U.S. Department of Justice, as well as the departments of Energy, Health and Human Services, Interior, Agriculture, Housing and Urban Development, and State."
It got an F.
Daniel
Carpe Diem
Agency                    Score   Grade
Agriculture               40      F
AID                       70.5    C-
Commerce                  72.5    C-
DOD*                      65.5    D
Education                 77      C+
Energy                    59.5    F
EPA                       74.5    C
GSA                       65      D
HHS                       54      F
DHS                       34      F
HUD                       40      F
Interior                  43      F
Justice                   55.5    F
Labor                     86.5    B
NASA                      60.5    D-
NRC                       94.5    A
NSF                       90.5    A-
OPM                       61.5    D-
SBA                       71      C-
SSA                       88      B+
State                     39.5    F
Transportation            69      D+
Treasury*                 64      D
VA*                       76.5    C
Government-wide Average   65      D
Yes, there are a lot of contractors and Government employees who don't have a clue. The bigger problem is what guidance is given to people who have to secure those systems (particularly Unix). All Information Assurance personnel want to hear is whether the machines are C2 or not (never mind TCSEC was declared dead March 11, 1999). And this only covers auditing, so they are concerned about trust, not security.
The last project I worked on, we had to use the Defense Information Systems Agency STIG as if it was the bible of Unix security. Here is the mentality of DISA: the Solaris section covered 2.5.1, the AIX section covered 4.3 (but not 5L), and for the most part it was only concerned about auditing. Check it out for yourself at:
http://csrc.nist.gov/pcig/cig.html
If you have administrators who are limited by inept guidance, what do you expect!
In addition, for those of you who sound surprised, try reading The Myth of Homeland Security by Marcus Ranum (here). It is surprisingly accurate, and not just another 'chicken little' diatribe.
...we are from the government - we are here to help...
Here is the link to the actual page containing the report card.
"Yeah, that is a risk, however, you still can't disable TELNET. It is required."
I was in a similar situation, and I modified the telnet daemon so that a password wasn't required, put the telnet app on a different port, and TCP-wrappered that port. Granted, this wasn't financial info, but I could not have a plaintext password going to a mission-critical system.