Slashdot Mirror


U.S. Agencies Earn "D" For Computer Security

Fighting.Cephalopod writes "For the fourth year in a row, most federal agencies have received low grades for failing to protect their computer networks from hackers and other cyberterrorists, according to a computer security report card issued today by the House Government Reform Subcommittee on Technology." Other readers point out coverage of the report at ZDnet, Reuters (via Forbes), The Washington Post, and ComputerWorld. As mr. don't points out, the agencies receiving an actual failing grade are "the U.S. Department of Justice, as well as the departments of Energy, Health and Human Services, Interior, Agriculture, Housing and Urban Development, and State."

26 of 302 comments

  1. How did by dan+dan+the+dna+man · · Score: 5, Interesting

    the Department of Homeland Security do?

    --
    I don't read your sig, why do you read mine?
    1. Re:How did by KDan · · Score: 5, Informative

      It got an F.

      Daniel

      --
      Carpe Diem
    2. Re:How did by Kenja · · Score: 5, Funny

      They're not saying, however they've issued a guava alert.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    3. Re:How did by flamingnight · · Score: 5, Interesting
      According to the ZDNet article,
      The newest department in the federal government, the Department of Homeland Security, got off to a bad start with an overall "F" for its computer security, despite the fact that securing the nation's network is part of its mission.


      Either we've got a bunch of idiots for IT guys in the government, or they're bright guys who are battling the bureaucracy and losing. Personally, I think it's somewhere in the middle.
    4. Re:How did by TedCheshireAcad · · Score: 5, Funny

      Like any organization, they've outlined a strategic plan to assess the situation and assigned a mission-critical task force to consolidate committees and subcommittees on bleeding-edge decision making processes. They've empowered the new paradigm, they're looking down the road, and keeping their feet out of the mud.

      Yeah, they're right on top of it.

    5. Re:How did by Mullen · · Score: 5, Insightful
      Either we've got a bunch of idiots for IT guys in the government, or they're bright guys who are battling the bureaucracy and losing. Personally, I think it's somewhere in the middle.

      I think you nailed it on the head. I work at a large company that is very bureaucratic and it is absolutely soul crushing. No matter what you want to do or what needs to be done, there is always someone who will undermine you, attack you or make you jump through hoops. You can gain ground, but you will never win.

      I completely understand why government agencies never have good computer systems or security. It is just not possible.

      --
      Linux O Muerte!
  2. Again, not a surprise by cspenn · · Score: 5, Insightful

    As long as the US Government continues to rely on contractors and subcontractors who have no interest or profit motive to secure USG networks, the government will continue to be insecure. Compound that with the fact that the government remains married to Redmond for the majority of its end user systems, and it's no surprise that they received a "D".

    Frankly, I wouldn't be surprised if the USG turns around and tries to pass additional "information security protection" legislation in response to this study, just like software vendors now do for reviewers. You can't say anything about USG systems under the rubric of anti-terrorism.

    Sigh.

    1. Re:Again, not a surprise by nemaispuke · · Score: 5, Informative

      Yes there are a lot of contractors and Government employees who don't have a clue. The bigger problem is what guidance is given to people who have to secure those systems (particularly Unix). All Information Assurance personnel want to hear is whether the machines are C2 or not (never mind TCSEC was declared dead March 11, 1999). And this only covers auditing, so they are concerned about trust, not security.

      The last project I worked on we had to use the Defense Information Systems Agency STIG as if it was the bible of Unix security. Here is the mentality of DISA, the Solaris section covered 2.5.1, the AIX section covered 4.3 (but not 5L) and for the most part only was concerned about auditing. Check it out for yourself at:

      http://csrc.nist.gov/pcig/cig.html

      If you have administrators who are limited by inept guidance, what do you expect!

    2. Re:Again, not a surprise by cspenn · · Score: 5, Interesting

      I used to work for a government contractor a couple of years ago. Security - even when we got security guidelines, my fellow coders picked and chose which of them they actually felt like coding.

      Now, should they have been canned? Absolutely. Were they? No. Is that the government's fault? Only partially, in the sense that the government didn't have any way of verifying whether the work we were doing met the standards they specified. Management at the government and at the contractor simply agreed that things looked good, and that was that.

      Hence my comment.

  3. news alert: not shocking by jaredmauch · · Score: 5, Insightful

    I think that until there is significant user-education on this topic, some of the issues raised (weak passwords for example) won't ever be fixed. I think that the movement to a smart-card (oh wait, directv will sue you if you try this but ..) based approach of authentication is the best way. You need the card and a PIN or other text-based password in order to authenticate yourselves. This is how a lot of people work, with these private tokens (eg: SecurID). They are a PITA, but help keep unwanted people out.

  4. Here's the score and grade breakdown by dat00ket · · Score: 5, Informative

    Agriculture      40    F
    AID              70.5  C-
    Commerce         72.5  C-
    DOD*             65.5  D
    Education        77    C+
    Energy           59.5  F
    EPA              74.5  C
    GSA              65    D
    HHS              54    F
    DHS              34    F
    HUD              40    F
    Interior         43    F
    Justice          55.5  F
    Labor            86.5  B
    NASA             60.5  D-
    NRC              94.5  A
    NSF              90.5  A-
    OPM              61.5  D-
    SBA              71    C-
    SSA              88    B+
    State            39.5  F
    Transportation   69    D+
    Treasury*        64    D
    VA*              76.5  C

    Government-wide Average  65  D

    1. Re:Here's the score and grade breakdown by TedCheshireAcad · · Score: 5, Funny

      Well that's before the curve. We're probably looking at a B- if the professor isn't a dick.

    2. Re:Here's the score and grade breakdown by WebMasterJoe · · Score: 5, Funny

      Slight correction on NASA's score - that's in metric, should actually be 92.4.

      --
      I really hate signatures, but go to my website.
    3. Re:Here's the score and grade breakdown by jd · · Score: 5, Insightful
      To put this in a bit of context, the DoE has its own network intrusion detector package, which is encrypted so that only DoE people can use it. (Which is dumb, as it also means nobody can audit it, and it's so much extra work, it's likely little used.)


      NASA passed a directive over 5 years ago that all machines were to be behind a firewall, and that public webservers were to be accessed via proxies. In practice, a lot of servers stayed outside of the firewall and security procedures are often ignored.


      Probably the worst cases are servers that are accessed by rsh (not ssh - just plain rsh) with .rhosts enabled and used. These servers are amazingly vulnerable. Why? For three reasons.

      • First, the servers need to be accessed by archaic scripts on a range of external servers. This would almost be a reasonable excuse, if other authentication systems didn't exist.
      • Second, NASA (and other Govt agencies) are kept rigidly to the FIPS-180 standard. So rigidly, in fact, that many Govt. agencies are extremely wary of using software that is not specifically stated as approved, even if all the internals are approved. For example, let's say you have an approved implementation of DES, and you then have either NIST's or the DoD's version of IPSec use that for the encryption. Sorry, not OK. IPSec is not on the list. It may be 1000% better than rsh with .rhosts, it may eliminate one of the stupidest vulnerabilities, but they aren't authorized to use it.
      • Ancient software. This is a killer for many organizations. We are not talking a few weeks out of date, here. We're talking five to ten YEARS out of date, where there are more advisories on vulnerabilities than there are lines of code. In a few cases, vulnerable code that is decades old is still used. I've seen this in virtually every place I've worked. If you want to be secure, you can't just ignore these things. So why do they? There's no incentive to clean things up. Admins get paid to keep the bosses happy. They are not paid to perform major in-depth security audits, and are certainly not paid to find problems. Those cost money to fix. Finding problems is BAD.


      Why are skript kiddies so successful? Because their code is any good? Don't make me laugh. They're successful because the rules and regulations any organization needs to be successful are wantonly abused, preventing essential maintenance, often because reloading from backup tape is a cost that can be written off, whereas paying for decent security might hurt the balance sheet.


      In the case of Government, cost is usually not the reason. Power politics, computer-illiterate officials and self-preservation are far more common. Hackers can be passed off as inevitable. Finding gross failures in the system, though - that would be embarrassing and potentially fatal to a career.


      It's time to wake up. It's time for Government departments to realize that the rules are intended to promote security, by ensuring that buggy code is prevented from being used. The rules were never intended to impose buggy code! Nor were they intended to encourage faulty practices.


      I do not consider it acceptable that an organization that has taken on the responsibility of running the country cannot be relied upon to even run a server properly. If you cannot be trusted with something minor, how can you be trusted with something major?


      This will never happen, but I believe that any Government agency that scores below a "B" on any task that it performs should be relieved of that task. I would like to see something similar in the private sector, with shareholders actively enforcing high standards (and thereby raising the value of the stock) rather than relying on the price to magically rise of its own accord.


      These are the kinds of standards an employee would be held to, for designated work. Why, then, should implicit work be held to a lesser standard?

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  5. Comment removed by account_deleted · · Score: 5, Interesting

    Comment removed based on user account deletion

  6. NSF got A by KD5YPT · · Score: 5, Insightful

    See what we get when there's an agency run mostly by the intellects and not bureaucrats?

    --
    In US, you can easily buy enough major firearms to wipe out your neighbourhood but a few little fireworks are banned.
  7. here's how bad it is... by theMerovingian · · Score: 5, Funny


    This report card was supposed to be classified.

    --
    "If you think you have things under control, you're not going fast enough." --Mario Andretti
  8. As an employee by blankmange · · Score: 5, Informative
    of the Fed, I would have to agree. Where I work at, we rely (almost 100%) on Microsoft products (OS, applications built with Office, etc), so we are bombarded with updates, patches, and alerts. Also, I am the tech support in the District Office here, so whenever there is a problem with a workstation, it is usually (75% or so) user-related. In other words, they didn't know what the hell they were doing. My agency is one of the few that actually improved since last year, but we have a very long way to go before I would put my trust in them.

    In addition, those of you who sound surprised, try reading The Myth of Homeland Security by Marcus Ranum (here). It is surprisingly accurate, and not just another 'chicken little' diatribe.

    --
    ...we are from the government - we are here to help...
  9. Update by tds67 · · Score: 5, Funny
    They're not saying, however they've issued a guava alert.

    The problem has been traced to kindergarten hackers and has been fixed. Please disregard the following terror-alert color codes:

    Brick Red
    Flesh
    Lemon Yellow
    Prussian Blue
    Spring Green

    Sincerely,
    Homeland Security

  10. Link to the Actual Report Card by richg74 · · Score: 5, Informative

    Here is the link to the actual page containing the report card.

  11. So here's how it worked for us by Anonymous Coward · · Score: 5, Interesting
    I'm a sysadmin at a non-secret DOE national lab, which is run under contract by a non-profit corporation. I'm posting anonymously 'cause people higher up don't like this sort of thing discussed publicly.

    So several years ago our Lab got handed an ultimatum that we had to come up with a security plan; our computing folks wrote up a proposal, it got sent back with issues needing clarification, there was another round, etc. This went on for about a year. Finally we get one of the drafts back, and we're told, in so many words, "this one's good, you have 6 months to have it in place".

    So now we have 6 months to redo every system on site, with no added budget to do so and no relaxation of other goals. To have any appearance of complying we basically had to set up a system for granting exemptions where each system exempted had to present a timeline for when it would be completed, etc. So at the end of the 6 months we were able to say that everything was either under the security plan, or had an exemption on file saying when it would be under the plan, or how it would be put behind a firewall, etc.

    But the real problem was that the proposal should have been met with discussion of a reasoned, planned schedule, and sufficient resources to implement it, rather than pretending a major security rework could be rolled out for free in 6 months. This goes all the way up to Congress, who passed this law about having agencies report on computer security, but so far as I know didn't designate any funds to pay anyone to do anything about it.

  12. Bureaucracy is the reason by Ignorant+Aardvark · · Score: 5, Interesting

    My father is a lawyer for the Department of Justice, and part of the reason for the insecurity is the federal bureaucracy. I'm a Linux advocate and my dad is a pretty techie guy. He was running a webserver on the WAN for his colleagues and wanted me to help him set up Apache. That was shut down directly by his superiors: Microsoft IIS is the only webserver "supported and recognized" by the IT department, and anything else is not allowed. In addition, the only browser you are allowed to use is IE and the only mail reader you are allowed to use is Outlook. I really wanted to help my dad secure his workplace by switching him away from a mailviewer that executes all attachments and a webserver known for its insecurities. But the Microsoft culture is so entrenched there that it wouldn't fly.

  13. You keep using that word... by neocon · · Score: 5, Insightful

    You keep using that word... I do not think it means what you think it means...

    Whatever you may think about the Department of Homeland Security, it has, in point of fact, the most honestly descriptive of almost any of the department names. That is to say, whether it does a good job or not, it is here to secure the American homeland.

    Now, if you want to talk about `Orwellian' names, meaning names like 1984's Ministry of Truth (which handled propaganda), Ministry of Peace (which handled war), and Ministry of Love (which handled torture and brainwashing), let's look at some of the big social-program departments which you seem more fond of:

    • The Department of Agriculture -- which pays farmers not to grow crops
    • The Department of the Interior -- which mainly handles subsidies for Indian casinos
    • The Department of Labor -- which pays the unemployed not to work
    just to pick a few examples.

    Of course, since the rest of your post is at least as confused as your use of the word ``Orwellian'', right down to your last example (the `Peacemaker', of course, was a famous Colt firearm, as used by the sheriff in just about any old western -- though if you want to wax philosophical, even Gorbachev has admitted that it was the inability to keep up with American defense spending that brought about the Soviet Union's collapse, so the missile made peace in a very literal sense as well), and the general tendentiousness of your claims shows that you're looking for political points more than accuracy anyhow...

  14. govt IT by Anonymous Coward · · Score: 5, Insightful

    I work for one of the agencies that failed (and thus am posting AC because I don't think they'd like this).

    I'm in a general research facility (nothing classified, etc.) with about 70 people, most of whom have one or more computers. We have 30% of one person's time as IT staff because our agency will not give us funding to hire anyone else. This person has little or no training in computer security. I worked as a unix sysadmin for a few years, and know more about the nuts & bolts of IT security than our IT person. Given the way the govt determines pay grade, we couldn't hire a competent IT person even if we had the money, because we couldn't offer enough money.

    Anyway, what this boils down to is that everyone is responsible for the security on their own computer. With no training, and no time allocated for doing so, since everyone has a full slate of tasks of their own (yes, despite being federal employees we do work pretty hard). My location doesn't have an enforced security policy, even on things so definitely hazardous as enforcing the use of antivirus, not using un-passworded windows shares, etc.

    Even worse, the agency in question requires admin staff to use custom-written and obsolete administrative programs that won't run on an OS newer than Windows 98. The people dealing with payroll and personnel data have the least securable computers. Nice, no?

    Our regional IT staff don't seem to have much formal security training, and have made some decisions I consider questionable. The agency IT staff have also done some odd things, like recently forcing us all to switch our email to GroupWise.

    From my perspective, yes, we deserved our failing grade. It's primarily due to lack of support for creating and maintaining a coherent security policy. There's no substantive training, and very little awareness among the higher-ups of the needs of facilities like mine, where everyone has different technology requirements to perform their duties. The administrative legacy software issues don't help either.

    just sign me... not admitting to anything. :)

  15. Re:I'm a govt network admin... by Anonymous Coward · · Score: 5, Interesting
    I work for a government agency (also not federal but state.) And I'll back up what you are claiming. I'm probably one of the highest ranking technical people in the dept and definitely the highest ranking in regards to network security. It's not uncommon for non-tech superiors to order very insecure things to be done, especially if their proprietary app "requires" it to work.

    I wanted to replace TELNET access with SSH to our most important server (manages all budgets, accounting, payroll, and also contains a LOT of data that would be considered a privacy breach if released.) I was informed that this could not be done because a handful of people use an app from the vendor which requires telnet access to work. This server is on a LAN which is accessed by several hundred members of the public daily.

    So I ran ettercap and showed how trivial it was to capture my boss's password and capture the whole telnet session including root password. I was again told that "Yeah, that is a risk, however, you still can't disable TELNET. It is required."

    Of course, the right thing for my boss to have done would have been to pressure the vendor to move to SSH on their app. But that would have cost money after all. I couldn't even filter telnet from the public access systems because it was some of them which actually needed to run the application. In the end all I could do was send a memo detailing the risk to my boss so I could cover my own ass if something happened.

  16. Re:I'm a govt network admin... by hackstraw · · Score: 5, Informative

    "Yeah, that is a risk, however, you still can't disable TELNET. It is required."

    I was in a similar situation, and I modified the telnet daemon so that a password wasn't required and put the telnet app on a different port and tcp wrappered that port. Granted this wasn't financial info, but I could not have a plaintext password going to a mission critical system.
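
Several comments above describe servers reached over rsh with .rhosts trust, telnet that could not be disabled, and a telnet port placed behind TCP Wrappers. The following audit sketch is an added example, not part of the thread or any commenter's code: it flags enabled telnet/rsh/rlogin/rexec entries in classic inetd.conf text (noting whether each is launched through tcpd) and grades .rhosts trust entries. The sample file contents and host names are constructed.

```python
"""Audit sketch: find cleartext remote-login services and .rhosts trust entries."""

# inetd service names (as listed in /etc/services) for protocols that send
# credentials in cleartext or rely on .rhosts host trust.
CLEARTEXT_SERVICES = {
    "telnet": "telnet (passwords cross the wire in cleartext)",
    "shell": "rsh (authenticates via .rhosts/hosts.equiv)",
    "login": "rlogin (authenticates via .rhosts/hosts.equiv)",
    "exec": "rexec (password sent in cleartext)",
}


def audit_inetd(conf_text):
    """Return (service, wrapped_by_tcpd) for each enabled risky service."""
    findings = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # blank or commented out
            continue
        fields = line.split()
        # service socket-type protocol wait user server-program [args...]
        if len(fields) < 6 or fields[0] not in CLEARTEXT_SERVICES:
            continue
        wrapped = fields[5].rsplit("/", 1)[-1] == "tcpd"
        findings.append((fields[0], wrapped))
    return findings


def audit_rhosts(rhosts_text):
    """Return (severity, entry) for each trust entry in a .rhosts file."""
    findings = []
    for line in rhosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields or fields[0].startswith("-"):   # blank or explicit deny
            continue
        host = fields[0]
        user = fields[1] if len(fields) > 1 else ""
        if host == "+" or user == "+":
            severity = "critical"   # wildcard: any host and/or any remote user
        else:
            severity = "warning"    # password-less trust in one named host
        findings.append((severity, " ".join(fields[:2])))
    return findings


# Constructed sample inputs, not taken from any real system.
SAMPLE_INETD = """\
#ftp    stream tcp nowait root /usr/sbin/tcpd in.ftpd
telnet  stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
shell   stream tcp nowait root /usr/sbin/tcpd in.rshd
#login  stream tcp nowait root /usr/sbin/tcpd in.rlogind
"""
SAMPLE_RHOSTS = """\
batch01.example.gov opsuser
+ +
-oldhost.example.gov
"""

if __name__ == "__main__":
    for svc, wrapped in audit_inetd(SAMPLE_INETD):
        note = "behind tcpd" if wrapped else "NOT behind tcpd"
        print(f"inetd: {CLEARTEXT_SERVICES[svc]} enabled, {note}")
    for severity, entry in audit_rhosts(SAMPLE_RHOSTS):
        print(f".rhosts [{severity}]: {entry}")
```

A tcpd wrapper only restricts which source addresses may connect; the session itself is still unencrypted, so wrapped entries remain findings.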