Slashdot Mirror

← Back to Stories (view on slashdot.org)

U.S. Agencies Earn "D" For Computer Security

Posted by timothy on from the not-for-delicious dept.

Fighting.Cephalopod writes "For the fourth year in a row, most federal agencies have received low grades for failing to protect their computer networks from hackers and other cyberterrorists, according to a computer security report card issued today by the House Government Reform Subcommittee on Technology." Other readers point out coverage of the report at ZDnet, Reuters (via Forbes), The Washington Post, and ComputerWorld." As mr. don't points out, the agencies receiving an actual failing grade are "the U.S. Department of Justice, as well as the departments of Energy, Health and Human Services, Interior, Agriculture, Housing and Urban Development, and State."

43 of 302 comments (clear)

  1. How did by dan+dan+the+dna+man · · Score: 5, Interesting

    the Department of Homeland Security do?

    --
    I don't read your sig, why do you read mine?
    1. Re:How did by KDan · · Score: 5, Informative

      It got an F.

      Daniel

      --
      Carpe Diem
    2. Re:How did by Kenja · · Score: 5, Funny

      They're not saying, however they've issued a guava alert.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    3. Re:How did by flamingnight · · Score: 5, Interesting
      According to the ZDNet article,
      The newest department in the federal government, the Department of Homeland Security, got off to a bad start with an overall "F" for its computer security, despite the fact that securing the nation's network is part of its mission.


      Either we've got a bunch of idiots for IT guys in the government, or they're bright guys who are battling the bureaucracy and losing. Personally, I think it's somewhere in the middle.
    4. Re:How did by 16K+Ram+Pack · · Score: 4, Funny
      Maybe they should get put in detention?

      There's a centre built for it, somewhere in Cuba.

    5. Re:How did by TedCheshireAcad · · Score: 5, Funny

      Like any organization, they've outlined a strategic plan to assess the situation and assigned a mission-critical task force to consolidate committees and subcommittees on bleeding-edge decision making processes. They've empowered the new paradigm, they're looking down the road, and keeping their feet out of the mud.

      Yeah, they're right on top of it.

    6. Re:How did by Davak · · Score: 4, Informative

      Please mod parent up. They did actually receive an F.

      See quote from article.

      The Department of Homeland Security was one of eight agencies that received a grade of F for its network security efforts.

      Davak

    7. Re:How did by Strange+Ranger · · Score: 4, Interesting
      Good!

      If they're so completely ineffective at one of the most fundamental tasks they've been assigned, maybe they'll be ineffective at further eroding our civil rights.

      They got off to a bad start much earlier, when they created the department, named it, and put Ridge in charge. Apparently he is well atuned to the media though...

      Remarks by Secretary Tom Ridge at the National Cyber Security Summit

      For Immediate Release
      Office of the Press Secretary
      December 3, 2003
      ** Remarks as Prepared **
      I was going to pull out some quotes, but the fact that it came out 6 days before their 'F' says quite a bit already.
      --

      Operator, give me the number for 911!
    8. Re:How did by Mullen · · Score: 5, Insightful
      Either we've got a bunch of idiots for IT guys in the government, or they're bright guys who are battling the bureaucracy and losing. Personally, I think it's somewhere in the middle.

      I think you nailed it on the head. I work at a large company that is very bureaucratic and it is absolutely soul crushing. No matter what you want to do or what needs to be done, there is always someone who will undermined you, attack you or make you jump through hoops. You can gain ground, but you will never win.

      I completely understand why government agencies never have good computer systems or security. It is just not possible.

      --
      Linux O Muerte!
    9. Re:How did by demachina · · Score: 4, Interesting

      I haven't read the details of how this report is generated but the Washington Post said the agencies self report the data. As a result the whole thing should be taken with a grain of salt. Getting an "F" could be a cynical ploy by an agency to make itself look bad and get billions more dollars to spend on new computers. These are bureacracies and they tend to work this way especially when it comes to maximizing their budgets and the deficit.

      The report would be much be much more creditable if an independent inspector general or analyst audited the agencies and probed their defences. Perhaps someone who knows can describe how the report is produced and how likely it is to be a meaningful assessment of real security,

      --
      @de_machina
    10. Re:How did by HBI · · Score: 4, Interesting

      I'm sure there is little to no standard on de-classified computer systems in the govt.

      Totally not true. SBU systems (sensitive but unclassified) have very clear standards. Encryption and interconnection standards are very precise. Drives get wiped, etc.

      I know in DoD these are taken seriously. In other departments? I think things are more slack at the Dept of Agriculture, for instance. :-)

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  2. Again, not a surprise by cspenn · · Score: 5, Insightful

    As long as the US Government continues to rely on contractors and subcontractors who have no interest or profit motive to secure USG networks, the government will continue to be insecure. Compound that with the fact that the government remains married to Redmond for the majority of its end user systems, and it's no surprise that they received a "D".

    Frankly, I wouldn't be surprised if the USG turns around and tries to pass additional "information security protection" legislation in response to this study, just like software vendors now do for reviewers. You can't say anything about USG systems under the rubric of anti-terrorism.

    Sigh.

    --
    Subscribe for free to my show!
    1. Re:Again, not a surprise by GoofyBoy · · Score: 4, Insightful

      >the US Government continues to rely on contractors and subcontractors who have no interest or profit motive to secure USG networks

      What makes you think that its the fault of contractors? Nothing in the articles say this. In fact one of them blames internal, highlevel staff.

      From the ZDNet article;
      "We must get those at the very top, the decision makers, the ones accountable to the shareholders, the customers or the electorate, to recognize that lack of network security in an organization is a material weakness and one that deserves necessary resources and immediate action." "

      --
      The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
    2. Re:Again, not a surprise by nemaispuke · · Score: 5, Informative

      Yes there are a lot of contractors and Government employees who don't have a clue. The bigger problem is what guidance is given to people who have to secure those systems (particularly Unix). All Information Assurance personnel want to hear is whether the machines are C2 or not (never mind TCSEC was declared dead March 11, 1999). And this only covers auditing, so they are concerned about trust, not security.

      The last project I worked on we had to use the Defense Informations Systems Agency STIG as if it was the bible of Unix security. Here is the mentality of DISA, the Solaris section covered 2.5.1, the AIX section covered 4.3 (but not 5L) and for the most part only was concerned about auditing. Check it out for yourself at:

      http://csrc.nist.gov/pcig/cig.html

      If you have administrators who are limited by inept guidance, what do you expect!

    3. Re:Again, not a surprise by Davak · · Score: 4, Informative

      I am assuming that you are not trolling.

      I have seen the contractor system work very well in the past... however, it took multiple redundant contractors to complete one system.

      For example, we recently setup a system in a clinic that deals with medical records. One contractor brought in the boxes, networked them, and left. Then we brought in our security contractors that locked down the boxes as tight as possible. After that, we had our internal security guru try to pick apart their security... and they came back and corrected the problems they left.

      The security guys are not the general installation guys.

      Save your energy... and get seperate contractors.

      Davak

    4. Re:Again, not a surprise by cspenn · · Score: 5, Interesting

      I used to work for a government contractor a couple of years ago. Security - even when we got security guidelines, my fellow coders picked and chose which of them they actually felt like coding.

      Now, should they have been canned? Absolutely. Were they? No. Is that the government's fault? Only partially, in the sense that the government didn't have any way of verifying whether the work we were doing met the standards they specified. Management at the government and at the contractor simply agreed that things looked good, and that was that.

      Hence my comment.

      --
      Subscribe for free to my show!
    5. Re:Again, not a surprise by div_2n · · Score: 4, Interesting

      The only thing that WOULD be good in my opinion is setting up liability legislation. If any contractor or software company KNOWINGLY designs and deploys a system whether hardware or software without making security a key design consideration in the interest of making the lowest bid, then they should be liable.

      There comes a point of accountability when contractors should stand up and say, "I won't do this project if you won't fund the proper security design issues."

      You wouldn't knowingly make cuts that would effect whether a system actually operates or not. Security shouldn't be any different.

      I have turned down jobs before when I knew that what they asked was completely at odds with the client's best interest. I told them that and they understood.

      Equally should agencies and companies be held liable if they knowingly deploy a system that is fundamentally insecure in the interest of just "getting it done." A bank would be held liable if they left their front doors wide open and their vault unlocked overnight. Leaving security unconsidered in computer and software systems should be treated equally if not more harshly.

    6. Re:Again, not a surprise by pointbeing · · Score: 4, Informative
      Every government IT contract includes a "statement of work" that outlines what the government expects the contractor to do and the contractor doesn't have to do anything that's not in that statement of work. Maintaining IT security is part of the day-to-day operation of a government network and generally no modification to the contract is necessary.

      But - when something falls outside the realm of normal IT operations the contractor can ask for more money - as an example we bought about a hundred firewalls to deploy to satellite offices. The contract we have with IT support staff allows X number of billable hours per job description. Installing and maintaining those firewalls was not factored into the contract so the contract was modified and IA staff increased by four people.

      "This needs to be done" doesn't necessarily obligate the contractor. It does if it's part of the normal duties outlined in the contract, but if it exceeds time and materials outlined in the contract the contractor has the right to ask for more money.

      --
      we see things not as as they are, but as we are.
      -- anais nin
  3. news alert: not shocking by jaredmauch · · Score: 5, Insightful

    I think that until there is significant user-education on this topic, some of the issues raised (weak passwords for example) won't ever be fixed. I think that the movement to a smart-card (oh wait, directv will sue you if you try this but ..) based approach of authentication is the best way. You need the card and a PIN or other text-based password in order to authenticate yourselves. This is how a lot of people work, with these private tokens (eg: SecureID). They are a PITA, but help keep unwanted people out.

  4. let me get this straight by perlchild · · Score: 4, Interesting
    As mr. don't points out, the agencies receiving an actual failing grade are "the U.S. Department of Justice, as well as the departments of Energy, Health and Human Services, Interior, Agriculture, Housing and Urban Development, and State.

    so let me get this straight, if all those failed security provisions are hacked, you'd get:
    1) hacked into the place that controls whether or not you go to prison(funny they're also the ones that investigate election fraud if I recall, I could be wrong, I'm Canadian)
    2) hacked into the place that controls nuclear power plants
    3) hacked into debt(identity theft) through the place that controls employment, etc...
    4) hacked into the place that determines if there is war or not
    (agriculture, interior, and "housing and urban development weren't good targets)

    *notices how Canada doesn't announce that kind of thing, I think they're embarassed at how badly they do*
    1. Re:let me get this straight by corbettw · · Score: 4, Informative

      3) hacked into debt(identity theft) through the place that controls employment, etc...

      Actually, DHHS controls medicare and related programs, not unemployment. Unemployment details are left at the state level down here. Though if the IRS (part of the Treasury deparment) were hacked, you would get completely screwed. (DHHS is also the office of the Surgeon General, so maybe tobacco companies could use this to get a ringing endorsement.)

      Also, the State Department controls things like visas, so hacking in there could be a step to getting into the country in the first place.

      Hacking the Interior and Agriculture departments could be useful to get yourself some free money. They both have pretty large budgets for either grants or subsidies. I believe the Indian Bureau is part of the Interior, too, so maybe some random tribe could use it to get more money.

      Housing and Urban Development gives money to poor people in the inner city, so someone could easily use them to embezzle obscene amounts of money.

      The one I'm most scared of is the Department of Energy. They're responsible for keeping nuclear weapons from being smuggled into the country. If someone tried to float a nuke up the Chesapeake, for instance, the boys in the Energy Department have the tools to notice it and alert the Navy and Coast Guard. So getting root there means you can wave your fingers and tell everyone "this is not the tanker you're looking for."

      --
      God invented whiskey so the Irish would not rule the world.
  5. High Expectations. by Anonymous Coward · · Score: 4, Insightful

    Let's flip this 180. Is there anything those agencies would get an "A" on? Didn't think so, so why should we be disappointed with this news?

  6. Here's the score and grade breakdown by dat00ket · · Score: 5, Informative

    Agriculture 40 F
    AID 70.5 C-
    Commerce72.5 C-
    DOD* 65.5 D
    Education77 C+
    Energy 59.5 F
    EPA 74.5 C
    GSA 65 D
    HHS 54 F
    DHS 34 F
    HUD 40 F
    Interior43 F
    Justice 55.5 F
    Labor 86.5 B
    NASA 60.5 D-
    NRC 94.5 A
    NSF 90.5 A-
    OPM 61.5 D-
    SBA 71 C-
    SSA 88 B+
    State 39.5 F
    Transportation 69 D+
    Treasury* 64 D
    VA* 76.5 C

    Government-wide Average 65 D

    1. Re:Here's the score and grade breakdown by TedCheshireAcad · · Score: 5, Funny

      Well that's before the curve. We're probably looking at a B- if the professor isn't a dick.

    2. Re:Here's the score and grade breakdown by WebMasterJoe · · Score: 5, Funny

      Slight correction on NASA's score - that's in metric, should actually be 92.4.

      --
      I really hate signatures, but go to my website.
    3. Re:Here's the score and grade breakdown by jd · · Score: 5, Insightful
      To put this in a bit of context, the DoE has its own network intrusion detector package, which is encrypted so that only DoE people can use it. (Which is dumb, as it also means nobody can audit it, and it's so much extra work, it's likely little used.)


      NASA passed a directive over 5 years ago that all machines were to be behind a firewall, and that public webservers were to be accessed via proxies. In practice, a lot of servers stayed outside of the firewall and security procedures are often ignored.


      Probably the worst cases are servers that are accessed by rsh (not ssh - just plain rsh) with .rhosts enabled and used. These servers are amazingly vulnerable. Why? For three reasons.

      • First, the servers need to be accessed by archaic scripts on a range of external servers. This would almost be a reasonable excuse, if other authentication systems didn't exist.
      • Second, NASA (and other Govt agencies) are kept rigidly to the FIPS-180 standard. So rigidly, in fact, that many Govt. agencies are extremely wary of using software that is not specifically stated as approved, even if all the internals are approved. For example, let's say you have an approved implementation of DES, and you then have either NIST's or the DoD's version of IPSec use that for the encryption. Sorry, not OK. IPSec is not on the list. It may be 1000% better than rsh with .rhosts, it may eliminate one of the stupidest vulnerabilities, but they aren't authorized to use it.
      • Ancient software. This is a killer for many organizations. We are not talking a few weeks out of date, here. We're talking five to ten YEARS out of date, where there are more advisories on vulnerabilities than there are lines of code. In a few cases, vulnerable code that is decades old is still used. I've seen this in virtually every place I've worked. If you want to be secure, you can't just ignore these things. So why do they? There's no incentive to clean things up. Admins get paid to keep the bosses happy. They are not paid to perform major in-depth security audits, and are certainly not paid to find problems. Those cost money to fix. Finding problems is BAD.


      Why are skript kiddies so successful? Because their code is any good? Don't make me laugh. They're successful because the rules and regulations any organization needs to be successful are wantonly abused, preventing essential maintenance, often because reloading from backup tape is a cost that can be written off, whereas paying for decent security might hurt the balance sheet.


      In the case of Government, cost is usually not the reason. Power politics, computer-illiterate officials and self-preservation are far more common. Hackers can be passed off as inevitable. Finding gross failures in the system, though - that would be embarassing and potentially fatal to a career.


      It's time to wake up. It's time forn Government departments to realize that the rules are intended to promote security, by ensuring that buggy code is prevented from being used. The rules were never intended to impose buggy code! Nor were they intended to encourage faulty practices.


      I do not consider it acceptable that an organization that has taken on the responsibility of running the country cannot be relied upon to even run a server properly. If you cannot be trusted with something minor, how can you be trusted with something major?


      This will never happen, but I believe that any Government agency that scores below a "B" on any task that it performs should be relieved of that task. I would like to see something similar in the private sector, with shareholders actively enforcing high standards (and thereby raising the value of the stock) rather than relying on the price to magically rise of its own accord.


      These are the kinds of standards an employee would be held to, for designated work. Why, then, should implicit work be held to a lesser standard?

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    4. Re:Here's the score and grade breakdown by GMFTatsujin · · Score: 4, Funny

      In other news: President Bush announced today that as part of his "No Government Agency Left Behind" plan, any agency that could not show marked improvement in performance within 16 weeks would be grounded, have its allowance withheld, and would not be allowed to go to Prom. In related developments, the NRC and NSF would like their lunch money back.

  7. Comment removed by account_deleted · · Score: 5, Interesting

    Comment removed based on user account deletion

  8. NSF got A by KD5YPT · · Score: 5, Insightful

    See what we get when there's an agency ran mostly by the intellects and not bureaucrats?

    --
    In US, you can easily buy enough major firearms to wipe out your neighbourhood but a few little fireworks are banned.
  9. Possible reasons by vchoy · · Score: 4, Interesting

    This is MHO:

    Look how much is spent on 'physical' security and you will see why. A Government agency that is physically attacked (eg bomb, chemical, bio) usually results in human casualties/lives...and is very hard to cover up.

    Now look at attacks on computer security (eg cyber attacks, worms, compromised systems). A Government agency that is 'electronically' attacked 'APPEARS' to not result in human casualties/lives.

    Notice I stressed the word 'appears' in my last comment. I say this because it may be the real situation OR it maybe we don't know as previous cases have been covered up...as it is easier for an organisation to cover up these types of attacks.

  10. Sad.. by hookedup · · Score: 4, Interesting


    Added Chairman Davis, "I'm deeply concerned that too many agencies have not yet responded to FISMA's requirements; for example, the fact that 79 percent of agencies don't even have accurate system inventories casts doubt over the entire reporting process."

    I work in IT for a govt. agency here in Canada, and to not have an accurate inventory of our hardware is absolutely unthinkable. 79% of agencies having no idea where their systems are (and arent) is a recipe for disaster.
    This whole thing reminds me of a couple of years back, when a CSIS (Canada's spy agency) agent went to an Ottawa Senators hockey game, leaving her laptop in her car, only to have it stolen when the car was broken into.

  11. here's how bad it is... by theMerovingian · · Score: 5, Funny


    This report card was supposed to be classified.

    --
    "If you think you have things under control, you're not going fast enough." --Mario Andretti
  12. errata yadda yadda by segment · · Score: 4, Informative

    Compsec... and they had so called mapped out plans for years now too... (NATIONAL PLAN FOR INFORMATION SYSTEMS PROTECTION EXECUTIVE SUMMARY). One quote I will always remember is something to the extent of "the feds are good at carrying guns not locking down machines."

    There are so many variables involved with government, that they are the ones shooting themselves in the foot. Considering if you're using a machine right, and you know it's insecure, if you took it upon yourself to fix it, you could be charged with a crime. Hell slightly off topic but look at what the gov did with the so called chaplain spy (charged with downloading porn).

    I'm sure gov's IT staff throughout the branches are overwhelmed with things, so it's a bit unfair to call them all clueless gimps or similar. However, and I will throw this out as a `story` someone stated they worked for a gov agency. Person stated the procedures for daily wipes to ensure things are wiped, etc., ... According to person he had never seen it done, because they never bothered with it.' Now imagine if one of these machines were thrown out and the machine had material on it that was highly sensitive. It happens more often than some think.

    --
    MoFscker
  13. As an employee by blankmange · · Score: 5, Informative
    of the Fed, I would have to agree. Where I work at, we rely (almost 100%) on Microsoft products (OS, applications built with Office, etc), so we are bombarded with updates, patches, and alerts. Also, I am the tech support in the District Office here, so whenever there is a problem with a workstation, it is usually (75% or so) user-related. In other words, they didn't know what the hell they were doing. My agency is one of the few that actually improved since last year, but we have a very long way to go before I would put my trust in them.

    In addition, those of you who sound surprised, try reading The Myth of Homeland Security by Marcus Ranum (here. It is surprisingly accurate, and not just another 'chicken little' diatribe.

    --
    ...we are from the government - we are here to help...
  14. Update by tds67 · · Score: 5, Funny
    They're not saying, however they've issued a guava alert.

    The problem has been traced to kindergarten hackers and has been fixed. Please disregard the following terror-alert color codes:

    Brick Red
    Flesh
    Lemon Yellow
    Prussian Blue
    Spring Green

    Sincerely,
    Homeland Security

  15. Link to the Actual Report Card by richg74 · · Score: 5, Informative

    Here is the link to the actual page containing the report card.

  16. Butting your head against a wall by andih8u · · Score: 4, Insightful

    I did contracting work for the government and most of the blame lies in trying to do anything with a couple of goverment employees in charge of what actually gets done. The stereotype of them being lazy and generally slow to get anything accomplished is absolutely correct. When you mix a fast paced IT world with a "I can coast until retirement" attitude you get bad things happening. The other half of the problem is the users who put the password for their windows login and dialin on a stickynote on top of the laptop. On the other hand, any of the actual critical servers were well monitored and they would track down any breakin attempts, etc.

    --


    slashdot, news for crazed liberal socialist zealots
  17. So here's how it worked for us by Anonymous Coward · · Score: 5, Interesting
    I'm a sysadmin at a non-secret DOE national lab, which is run under contract by a non-profit corporation. I'm posting anonymously 'cause people higher up don't like this sort of thing discussed publicly.

    So several years ago our Lab got handed an ultimatum that we had to come up with a security plan; our computing folks wrote up a proposal, it got sent back with issues needing clarification, there was another round, etc. This went on for about a year. Finally we get one of the drafts back, and we're told, in so many words, "this one's good, you have 6 months to have it in place".

    So now we have 6 months to redo every system on site, with no added budget to do so and no relaxation of other goals. To have any appearance of complying we basically had to set up a system for granting exemptions where each system exempted had to present a timeline for when it would be completed, etc. So at the end of the 6 months we were able to say that everything was either under the security plan, or had an exemption on file saying when it would be under the plan, or how it would be put behind a firewall, etc.

    But the real problem was that the proposal should have been met with discussion of a reasoned, planned schedule, and sufficient resources to implement it, rather than pretending a major security rework could be rolled out for free in 6 months. This goes all the way up to Congress, who passed this law about having agencies report on computer security, but so far as I know didn't designate any funds to pay anyone to do anything about it.

  18. Bureaucracy is the reason by Ignorant+Aardvark · · Score: 5, Interesting

    My father is a lawyer for the Department of Justice, and part of the reason for the insecurity is the federal bureaucracy. I'm a Linux advocate and my dad is a pretty techie guy. He was running a webserver on the WAN for his colleagues and wanted me to help him set up Apache. That was shut down directly by his superiors: Microsoft IIS is the only webserver "supported and recognized" by the IT department, and anything else is not allowed. In addition, the only browser you are allowed to use is IE and the only mail reader you are allowed to use is Outlook. I really wanted to help my dad secure his workplace by switching him away from a mailviewer that executes all attachments and a webserver known for its insecurities. But the Microsoft culture is so entrenched there that it wouldn't fly.

    --
    Cyde Weys Musings - Scrutinizing the inscrutable
  19. You keep using that word... by neocon · · Score: 5, Insightful

    You keep using that word... I do not think it means what you think it means...

    Whatever you may think about the Department of Homeland Security, it has, in point of fact, the most honestly descriptive of almost any of the department names. That is to say, whether it does a good job or not, it is here to secure the American homeland.

    Now, if you want to talk about `Orwellian' names, meaning names like 1984's Ministry of Truth (which handled propaganda), Ministry of Peace (which handled war), and Ministry of Love (which handled torture and brainwashing), let's look at some of the big social-program departments which you seem more fond of:

    • The Department of Agriculture -- which pays farmers not to grow crops
    • The Department of the Interior -- which mainly handles subsidies for Indian casinos
    • The Department of Labor -- which pays the unemployed not to work
    just to pick a few examples.

    Of course, since the rest of your post is at least as confused as your use of the work ``Orwellian'', right down to your last example (the `Peacemaker', of course, was a famous Colt firearm, as used by the sherrif in just about any old western -- though if you want to wax philosophical, even Gorbachev has admitted that it was the inability to keep up with American defense spending that brought about the Soviet Union's collapse, so the missile made peace in a very literal sense as well), and the general tendentiousness of your claims shows that your looking for political points more than accuracy anyhow...

  20. govt IT by Anonymous Coward · · Score: 5, Insightful

    I work for one of the agencies that failed (and thus am posting AC because I don't think they'd like this).

    I'm in a general research facility (nothing classified, etc.) with about 70 people, most of whom have one or more computers. We have 30% of one person's time as IT staff because our agency will not give us funding to hire anyone else. This person has little or no training in computer security. I worked as a unix sysadmin for a few years, and know more about the nuts & bolts of IT security than our IT person. Given the way the govt determines pay grade, we couldn't hire a compenent IT person even if we had the money, because we couldn't offer enough money.

    Anyway, what this boils down to is that everyone is responsible for the security on their own computer. With no training, and no time allocated for doing so, since everyone has a full slate of tasks of their own (yes, despite being federal employees we do work pretty hard). My location doesn't have an enforced security policy, even on things so definitely hazardous as enforcing the use of antivirus, not using un-passworded windows shares, etc.

    Even worse, the agency in question requires admin staff to use custom-written and obsolete administrative programs that won't run on an OS newer than Windows 98. The people dealing with payroll and personnel data have the least securable computers. Nice, no?

    Our regional IT staff don't seem to have much formal security training, and have made some decisions I consider questionable. The agency IT staff have also done some odd things, like recently forcing us all to switch our email to GroupWise.

    From my perspective, yes, we deserved our failing grade. It's primarily due to lack of support for creating and maintaining a coherent security policy. There's no substantive training, and very little awareness among the higher-ups of the needs of facilities like mine, where everyone has different technology requirements to perform their duties. The administrative legacy software issues don't help either.

    just sign me... not admitting to anything. :)

  21. Re:I'm a govt network admin... by Anonymous Coward · · Score: 5, Interesting
    I work for a government agency (also not federal but state.) And I'll back up what you are claiming. I'm probably one of the highest ranking technical people in the dept and definately the highest ranking in regards to network security. It's not uncommon for non-tech superiors to order very insecure things to be done, especially if their proprietary app "requires" it to work.

    I wanted to replace TELNET access with SSH to our most important server (manages all budgets, accounting, payroll, and also contains a LOT of data that would be considered a privacy breach if released.) I was informed that this could not be done because a hand full of people use an app from the vendor which requires telnet access to work. This server is on a LAN which is accessed by several hundred members of the public daily.

    So I ran ettercap and showing how trivial it was to capture my boss's password and capture the whole telnet session including root password. I was again told that "Yeah, that is a risk, however, you still can't disable TELNET. It is required."

    Of course, the right thing for my boss to have done would have been to pressure the vendor to move to SSH on their app. But that would have cost money after all. I couldn't even filter telnet from the public access systems because it was some of them which actually needed to run the application. In the end all I could do was send a memo detailing the risk to my boss so I could cover my own ass if something happened.

  22. Re:I'm a govt network admin... by hackstraw · · Score: 5, Informative

    Yeah, that is a risk, however, you still can't disable TELNET. It is required."

    I was in a similar situation, and I modified the telnet daemon so that a password wasn't required and put the telnet app on a different port and tcp wrappered that port. Granted this wasn't financial info, but I could not have a plaintext password going to a mission critical system.