Slashdot Mirror
U.S. Agencies Earn "D" For Computer Security
Fighting.Cephalopod writes "For the fourth year in a row, most federal agencies have received low grades for failing to protect their computer networks from hackers and other cyberterrorists, according to a computer security report card issued today by the House Government Reform Subcommittee on Technology."
Other readers point out coverage of the report at ZDnet, Reuters (via Forbes), The Washington Post, and ComputerWorld." As
mr. don't points out, the agencies receiving an actual failing grade are "the U.S. Department of Justice, as well as the departments of Energy, Health and Human Services, Interior, Agriculture, Housing and Urban Development, and State."
the Department of Homeland Security do?
I don't read your sig, why do you read mine?
As long as the US Government continues to rely on contractors and subcontractors who have no interest or profit motive to secure USG networks, the government will continue to be insecure. Compound that with the fact that the government remains married to Redmond for the majority of its end user systems, and it's no surprise that they received a "D".
Frankly, I wouldn't be surprised if the USG turns around and tries to pass additional "information security protection" legislation in response to this study, just like software vendors now do for reviewers. You can't say anything about USG systems under the rubric of anti-terrorism.
Sigh.
Subscribe for free to my show!
I think that until there is significant user-education on this topic, some of the issues raised (weak passwords for example) won't ever be fixed. I think that the movement to a smart-card (oh wait, directv will sue you if you try this but ..) based approach of authentication is the best way. You need the card and a PIN or other text-based password in order to authenticate yourselves. This is how a lot of people work, with these private tokens (eg: SecureID). They are a PITA, but help keep unwanted people out.
so let me get this straight, if all those failed security provisions are hacked, you'd get:
1) hacked into the place that controls whether or not you go to prison(funny they're also the ones that investigate election fraud if I recall, I could be wrong, I'm Canadian)
2) hacked into the place that controls nuclear power plants
3) hacked into debt(identity theft) through the place that controls employment, etc...
4) hacked into the place that determines if there is war or not
(agriculture, interior, and "housing and urban development weren't good targets)
*notices how Canada doesn't announce that kind of thing, I think they're embarassed at how badly they do*
Let's flip this 180. Is there anything those agencies would get an "A" on? Didn't think so, so why should we be disappointed with this news?
Agriculture 40 F
AID 70.5 C-
Commerce72.5 C-
DOD* 65.5 D
Education77 C+
Energy 59.5 F
EPA 74.5 C
GSA 65 D
HHS 54 F
DHS 34 F
HUD 40 F
Interior43 F
Justice 55.5 F
Labor 86.5 B
NASA 60.5 D-
NRC 94.5 A
NSF 90.5 A-
OPM 61.5 D-
SBA 71 C-
SSA 88 B+
State 39.5 F
Transportation 69 D+
Treasury* 64 D
VA* 76.5 C
Government-wide Average 65 D
Comment removed based on user account deletion
See what we get when there's an agency ran mostly by the intellects and not bureaucrats?
In US, you can easily buy enough major firearms to wipe out your neighbourhood but a few little fireworks are banned.
This is MHO:
Look how much is spent on 'physical' security and you will see why. A Government agency that is physically attacked (eg bomb, chemical, bio) usually results in human casualties/lives...and is very hard to cover up.
Now look at attacks on computer security (eg cyber attacks, worms, compromised systems). A Government agency that is 'electronically' attacked 'APPEARS' to not result in human casualties/lives.
Notice I stressed the word 'appears' in my last comment. I say this because it may be the real situation OR it maybe we don't know as previous cases have been covered up...as it is easier for an organisation to cover up these types of attacks.
After my experiences dealing with DOD contractors, and their use of firewalls. Specifically, firewalls were used to strip out javascript on the fly; they were not used to block unauthorized access (that, of course, was left up to the administrator of each individual server).
Needless to say, this does not lend itself to a centralized, comprehensive security plan.
Added Chairman Davis, "I'm deeply concerned that too many agencies have not yet responded to FISMA's requirements; for example, the fact that 79 percent of agencies don't even have accurate system inventories casts doubt over the entire reporting process."
I work in IT for a govt. agency here in Canada, and to not have an accurate inventory of our hardware is absolutely unthinkable. 79% of agencies having no idea where their systems are (and arent) is a recipe for disaster.
This whole thing reminds me of a couple of years back, when a CSIS (Canada's spy agency) agent went to an Ottawa Senators hockey game, leaving her laptop in her car, only to have it stolen when the car was broken into.
Actually they were using Linux (from netcraft.com Microsoft-IIS/6.0 25-Nov-2003 63.208.194.46) until they switched to 2003 server on 11/26/2003.
The main problem with ALL government agencies is that almost all of their actually employed work is 90% opened only to internal candidates. And they try to fill it in that way. Why? Because background checks cost a lot of money, and getting clearance for people up into the higher echelons would cost even more. That's the main part of your problem right there, really. If they hired more people externally, and paid them what they're worth, no problem at all.
This report card was supposed to be classified.
"If you think you have things under control, you're not going fast enough." --Mario Andretti
Welcome to the new America, where the "Forest Service" has finally completed its transformation into a lumber industry-owned and -operated body, the "Immigration and Naturalization Service" uses a voluntary registration program to evict the foreign residents who show up, and the "Environmental Protection Agency" has its rules set by the industries who're meant to be restrained by them. Meanwhile "Family Planning" is about keeping information away from women -- or about pushing false information to do with bogus correlations between abortions and breast cancer. Oh, and did I mention that when terrorists blow our kids' legs off that's a good thing, because it means we're fighting them where they live? (When they don't blow up our kids, naturally, that's also proof we're winning...)
We've had our moments before -- the idea of Nuclear deterrent never did quite convince anyone that "Peacemaker" was the perfect name for a missile -- but truly, there's never been a more quintessentially Orwellian moment in American history. This is the real goods. Take a look at that name: "Homeland Security."
"Fundamentalism" isn't about divine morality. It's about human authority.
Did you actually expect anything different? Most anytime a report comes out about a government agencey, it is bad. The whole point of having a report is to show that it is bad. I sure the points that are raised are valid but I hardly think that the report was supposed to be balanced.
Not everything is analogous to cars. Car analogies rarely work.
You can have all the cyber security (firewalls, IDS ) etc you want however there is still the risk of someone just stealing a laptop and getting access to a load of secret files.
Your security is only as strong as your weakest link
Rus
Cheap UK and US VPS
Compsec... and they had so called mapped out plans for years now too... (NATIONAL PLAN FOR INFORMATION SYSTEMS PROTECTION EXECUTIVE SUMMARY). One quote I will always remember is something to the extent of "the feds are good at carrying guns not locking down machines."
There are so many variables involved with government, that they are the ones shooting themselves in the foot. Considering if you're using a machine right, and you know it's insecure, if you took it upon yourself to fix it, you could be charged with a crime. Hell slightly off topic but look at what the gov did with the so called chaplain spy (charged with downloading porn).
I'm sure gov's IT staff throughout the branches are overwhelmed with things, so it's a bit unfair to call them all clueless gimps or similar. However, and I will throw this out as a `story` someone stated they worked for a gov agency. Person stated the procedures for daily wipes to ensure things are wiped, etc., ... According to person he had never seen it done, because they never bothered with it.' Now imagine if one of these machines were thrown out and the machine had material on it that was highly sensitive. It happens more often than some think.
MoFscker
The only reason that government agencies are able to get away with this is because nothing embarassing has happened yet. Wait until a hacker manages to get a few thousand social security numbers from a government agency computer - then we'll see some real change.
In addition, those of you who sound surprised, try reading The Myth of Homeland Security by Marcus Ranum (here. It is surprisingly accurate, and not just another 'chicken little' diatribe.
...we are from the government - we are here to help...
The problem has been traced to kindergarten hackers and has been fixed. Please disregard the following terror-alert color codes:
Brick Red
Flesh
Lemon Yellow
Prussian Blue
Spring Green
Sincerely,
Homeland Security
Here is the link to the actual page containing the report card.
Yes, this is truly pathetic. But honestly, folks... how many people are surprised by it? The U.S. government has something of a history of neglect when it comes to technology, as several have pointed out. After all, it's a sad day when major government systems can be compromised by worms of any sort. It simply shouldn't happen. Period. And yet it has. And then, there are the constant sad stories coming out of the U.S.P.O., where people are patenting things that are blatantly not their own.
So, here's what we need: A government office that is responsible for the electronic welfare of the country. Not merely a minor department in some other place, but a significant entity of its own. It would be able to stop all these government technological blunders before they happen, being comprised of tech-savvy individuals. Or at least, it would have some people who specialized in the field. Yes, it may sound Orwellian, but it wouldn't be much more so than what we have now: Now, several government agencies work completely apart from one another to regulate electronics, and each government department is responsible for its own security. This would simply take this task out of the hands of the overworked and unknowledgable, and might actually boost those grades.
It's not like there wasn't a warning ... for the last 10 years.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Sure, non-locked hardware won't be illegal right away, but it'll get a lot more expensive when it isn't mass-produced because it can't run Longhorn.
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
I did contracting work for the government and most of the blame lies in trying to do anything with a couple of goverment employees in charge of what actually gets done. The stereotype of them being lazy and generally slow to get anything accomplished is absolutely correct. When you mix a fast paced IT world with a "I can coast until retirement" attitude you get bad things happening. The other half of the problem is the users who put the password for their windows login and dialin on a stickynote on top of the laptop. On the other hand, any of the actual critical servers were well monitored and they would track down any breakin attempts, etc.
slashdot, news for crazed liberal socialist zealots
All of these security problems at Federal Agencies, with Blaster, Welchia, spam, "piracy" etc. are going into a big hopper, where they will be used as reasons to justify TCPA, aka the Death of My Computer.
In a nutshell,
Yeah, right."Provided by the management for your protection."
So several years ago our Lab got handed an ultimatum that we had to come up with a security plan; our computing folks wrote up a proposal, it got sent back with issues needing clarification, there was another round, etc. This went on for about a year. Finally we get one of the drafts back, and we're told, in so many words, "this one's good, you have 6 months to have it in place".
So now we have 6 months to redo every system on site, with no added budget to do so and no relaxation of other goals. To have any appearance of complying we basically had to set up a system for granting exemptions where each system exempted had to present a timeline for when it would be completed, etc. So at the end of the 6 months we were able to say that everything was either under the security plan, or had an exemption on file saying when it would be under the plan, or how it would be put behind a firewall, etc.
But the real problem was that the proposal should have been met with discussion of a reasoned, planned schedule, and sufficient resources to implement it, rather than pretending a major security rework could be rolled out for free in 6 months. This goes all the way up to Congress, who passed this law about having agencies report on computer security, but so far as I know didn't designate any funds to pay anyone to do anything about it.
Either we've got a bunch of idiots for IT guys in the government, or they're bright guys who are battling the bureaucracy and losing. Personally, I think it's somewhere in the middle.
Not a federal govt IT guy, but I work for a state govt organization. The bureaucracy is a BIG PROBLEM. My fellow IT workers and myself are definitely not complete idiots. If we had our way, we'd ditch all the unsecure technology (i.e. MS stuff) in a heartbeat. The problem centers around our upper management *ordering* us to do insecure things, like place an unprotected windows server directly on a routeable internet segment outside of the firewall, because some cheesy piece of software they bought (and again, *ordered* us to install) will work no other way, and they just flat outright don't give a damn about our security concerns. Now when such a box gets hacked, all of a sudden it's our fault. This is much akin to the senior-ranking bigshots ordering the fire marshall to allow them to light up cigarettes at gas stations and/or ordering the police chief to not dare even think of hassle them for driving around while DUI.
My father is a lawyer for the Department of Justice, and part of the reason for the insecurity is the federal bureaucracy. I'm a Linux advocate and my dad is a pretty techie guy. He was running a webserver on the WAN for his colleagues and wanted me to help him set up Apache. That was shut down directly by his superiors: Microsoft IIS is the only webserver "supported and recognized" by the IT department, and anything else is not allowed. In addition, the only browser you are allowed to use is IE and the only mail reader you are allowed to use is Outlook. I really wanted to help my dad secure his workplace by switching him away from a mailviewer that executes all attachments and a webserver known for its insecurities. But the Microsoft culture is so entrenched there that it wouldn't fly.
Cyde Weys Musings - Scrutinizing the inscrutable
The DoD is something I know about -- I can't even get rights to install another network printer. I'm in the Army Reserve, and we're told we have to talk to the "building network administrator," who isn't there on weekends... which is the only time we're there. In a DoD network, all this stuff comes down to one guy per building/unit/whatever. If he's not on the ball, the whole unit can go down in a blaze of MSBLAST.
REM Old programmers don't die. They just GOSUB without RETURN.
You keep using that word... I do not think it means what you think it means...
Whatever you may think about the Department of Homeland Security, it has, in point of fact, the most honestly descriptive of almost any of the department names. That is to say, whether it does a good job or not, it is here to secure the American homeland.
Now, if you want to talk about `Orwellian' names, meaning names like 1984's Ministry of Truth (which handled propaganda), Ministry of Peace (which handled war), and Ministry of Love (which handled torture and brainwashing), let's look at some of the big social-program departments which you seem more fond of:
- The Department of Agriculture -- which pays farmers not to grow crops
- The Department of the Interior -- which mainly handles subsidies for Indian casinos
- The Department of Labor -- which pays the unemployed not to work
just to pick a few examples.Of course, since the rest of your post is at least as confused as your use of the work ``Orwellian'', right down to your last example (the `Peacemaker', of course, was a famous Colt firearm, as used by the sherrif in just about any old western -- though if you want to wax philosophical, even Gorbachev has admitted that it was the inability to keep up with American defense spending that brought about the Soviet Union's collapse, so the missile made peace in a very literal sense as well), and the general tendentiousness of your claims shows that your looking for political points more than accuracy anyhow...
Okay, I know, I know - - I'm the soft-hearted liberal who still thinks government does some good and stops some evil. Anyway, with such lousy marks coming out, why don't some of the Slashdot geniuses who are not yet employed go into consulting, get some security contracts, and make some dough while improving things for all of western society?
Just a thought . . .
On the other hand, we could just go on talking about how lousy the government is in every aspect and wait for the whole thing to implode like a cow patty.
It's only funny until someone gets hurt. Then, it's hilarious.
We can't have this much failure in the US Govenment!!!
These security grades are obviously created by the MAN to keep their security grades up while making everybody else look BAAAAAAD.
We need a newer test that encompases more to make it fair. I sugues we measure the following to determine if their security grades.
Are their packet-filter inclusive?
Do they secure Appletack, Tokenring or just Ethernet?
To the set aside special days and allow special packets in?
To they support 2 letter passwords, and not just the 8 letter ones that advantaged people can type?
Do their proxy servers filter out gender discriminatory words like 'He' or 'Mister'?
Do their computers have master/slave IDE systems?
Just and example of how the curent test is biasedh
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
I work for one of the agencies that failed (and thus am posting AC because I don't think they'd like this).
:)
I'm in a general research facility (nothing classified, etc.) with about 70 people, most of whom have one or more computers. We have 30% of one person's time as IT staff because our agency will not give us funding to hire anyone else. This person has little or no training in computer security. I worked as a unix sysadmin for a few years, and know more about the nuts & bolts of IT security than our IT person. Given the way the govt determines pay grade, we couldn't hire a compenent IT person even if we had the money, because we couldn't offer enough money.
Anyway, what this boils down to is that everyone is responsible for the security on their own computer. With no training, and no time allocated for doing so, since everyone has a full slate of tasks of their own (yes, despite being federal employees we do work pretty hard). My location doesn't have an enforced security policy, even on things so definitely hazardous as enforcing the use of antivirus, not using un-passworded windows shares, etc.
Even worse, the agency in question requires admin staff to use custom-written and obsolete administrative programs that won't run on an OS newer than Windows 98. The people dealing with payroll and personnel data have the least securable computers. Nice, no?
Our regional IT staff don't seem to have much formal security training, and have made some decisions I consider questionable. The agency IT staff have also done some odd things, like recently forcing us all to switch our email to GroupWise.
From my perspective, yes, we deserved our failing grade. It's primarily due to lack of support for creating and maintaining a coherent security policy. There's no substantive training, and very little awareness among the higher-ups of the needs of facilities like mine, where everyone has different technology requirements to perform their duties. The administrative legacy software issues don't help either.
just sign me... not admitting to anything.
Speaking as someone who spent many years fighting various Good Fights against government idiots, I will say that government agencies will continue to get failing grades on security because they place the whims of incompetent managers above the advice of their technically competent employees. Not all government IT people are idiots, but most of them have no interest in challenging their pointed-haired bosses because those who do suffer pay discrimination and -- if they're really stubborn -- termination. So government sites will remain a monoculture of poorly patched and insecurely configured MS products just waiting for a new virus to slip in and lay waste to everything in site. In other words, most government sites are like most corporate sites, and for similar reasons.
The sad thing is that instead of fixing these things, they go on and take away liberties from the citizens to prevent ' terrorism '. Patriot Act anyone? So, for their ineptitude, we lose our rights.
"There is no teacher but the enemy."-Mazer Rackham
I wanted to replace TELNET access with SSH to our most important server (manages all budgets, accounting, payroll, and also contains a LOT of data that would be considered a privacy breach if released.) I was informed that this could not be done because a hand full of people use an app from the vendor which requires telnet access to work. This server is on a LAN which is accessed by several hundred members of the public daily.
So I ran ettercap and showing how trivial it was to capture my boss's password and capture the whole telnet session including root password. I was again told that "Yeah, that is a risk, however, you still can't disable TELNET. It is required."
Of course, the right thing for my boss to have done would have been to pressure the vendor to move to SSH on their app. But that would have cost money after all. I couldn't even filter telnet from the public access systems because it was some of them which actually needed to run the application. In the end all I could do was send a memo detailing the risk to my boss so I could cover my own ass if something happened.
This thype of activity, and other similar activity is, unfortunately, not limited to Goverment agencies. Managers everywhere simply don't grasp the need for security. My present client, which is in NOT in the government, acutally had a Production Environment web server residing, fully exposed, on the DMZ. The project manager wanted it that way. At least, he did so until we started asking why they didn't move it fully behind the firewall.
In short, inside every manager is a pointy-haired boss. It's not just limited to government.
Yeah, that is a risk, however, you still can't disable TELNET. It is required."
I was in a similar situation, and I modified the telnet daemon so that a password wasn't required and put the telnet app on a different port and tcp wrappered that port. Granted this wasn't financial info, but I could not have a plaintext password going to a mission critical system.
You are most likely not evil, you just look like it because you like to get the job done, period.
I have worked in several different companies in the IT field from small to very large. One trend that I have noticed is that a knowledgable "technical" manager is a rarity. Some may argue that this is not true, I apologize to those managers that are 'actually' hands on at least a little with their admins. I have been lucky and have had a couple of these rare species, to learn from
From what I have seen, most managers are hired for the position because they have a degree, not a technical degree mind you but a degree (usually management).
This is appropriate in the managerial sense, however I still feel that to be an appropriate 'technology' manager you can not base your technical experience on your "Intro to Microcomputers" (ASU - consisted of 8 weeks of introductory Java and 8 weeks of Autocad...WTF), or "Using Excel/Powerpoint" classes alone.
I would be more inclined to have an highly (or moderately so) technical manager who merely has a BS in computer science (minor in business). Shows that his interest lies in the technical domain and supporting his employees in the proper ways (ie...training, mentoring, etc.), rather than someone with an MBA "climbing the ladder" to the next butt-kiss.
:-( --- argh. Despair, I owe again.
Survey Questions
(1) Name of your government agency:
(2) Number of computers installed:
(3)Do any of your computers run Windows and/or other software from Microsoft?
Scoring: Use the following chart to score your agency's computer security:
Do NOT use Microsoft products: A.
Use Microsoft products: F.
Thank you for taking the time to fill out this survey.
The best boss I ever had was not technical. He had only technical people working for him, and understood enough of the technology that his nods weren't trying to stay away. What he did though wasn't understand the technology, he translated the technical talk into managerese, and vise versa. He made sure we got the resources we needed, work to do, fair raises, and most of the time wasn't in our way.
Technical managers are better than average, but they suffer from wanting to be engineers. So they try to fit in, not remembering that it takes a long time to really understand a problem and they don't have the time to focus on any one problem to help, much less the particular problem each of us is solving now. A few have made the transisition, most fail.
Remember, everyone is hired to do a job. The worst manager I knew (bosses bosses boss) was an excellent manager, motivated and worked hard to get a lot of things that needed doing done. However in seeing and solving all the other problems that weren't her job, she ignored some things that were her job. Eventially she "resigned for personal reasons", but in the mean time those of us who needed her to get things done lost.