U.S. Agencies Earn D+ on Computer Security
MirrororriM writes "Seven of the 24 largest agencies received failing grades, including the departments of Energy and Homeland Security. The Homeland Security Department encompasses dozens of agencies and offices previously elsewhere in government but also includes the National Cyber Security Division, responsible for improving the security of the country's computer networks.
'Several agencies continue to receive failing grades, and that's unacceptable,' said Rep. Tom Davis, R-Va., the committee's chairman. 'We're also seeing some exceptional turnarounds.'"
D isn't failing.
"You're below average, but you do it very well!"
Better work on that C++
this surprises anyone?
"A D+ is NOT a failing grade. Sure, there's some room for improvement, and we're working on this. It's hard work. But the fact that these agencies passed the test, even by a slim margin, is good news."
Now watch this drive.
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
If I was more involved in politics, and, for some unknown reason, absolutely hated Bush...my comment would read something like:
Ah...stupidity is a communicable disease...
Is anyone at any level held accountable? Will we get change until these things happen?
Honestly it isn't surprising that our government is behind on security, especially when it comes to computers. Technology moves really fast and I imagine the US would have to spend billions just to keep up. It isn't entirely practical. All they can really do is hope for the best. Those that are a threat to security will always be one step ahead.
See, they know that.
Oh, and you blew your chance to do:
"This gets an F"
P
And what did we expect? That they were perfect? We all know how good the government is!!!
What about the NSA? I'm sure that they take computer security a little more seriously. - Taj
Tell the truth and you won't have so much to remember.
Isn't the point of security to be mute? (about the secrets, that is...)
We all know grade inflation runs rampant in the U.S.
TFU
.. that they showed up for class and tried their best. It's all we can really ask for.
(In reference to the Apple security comment)
Security through obscurity isn't a good security tactic.
Grades of D and below can no longer be referred to as "failing" and are now to be referred to as "success challenged."
I think he was trying to say "moot". That's based on the context.
(First off, let's just get out of the way the fact that you're an idiot.)
But in another related vein, you're an idiot.
moot
Dec 10, 2003: U.S. Agencies Earn "D" For Computer Security
No, that's not a dupe. Yes, US Agencies have earned low "grades" for security for years. Considering that many of them were started for the purpose of increasing security, this begins to qualify as a complete FAILURE on their part (regardless of whether it's an F or a D+ or whatever).
If they were using Macs they would not be in 'business', as the rest of the world does not use them (yet). Also if you used the default then you are lazy in general and would fail security anyway.
I hate people that don't have a sig
I don't think it really matters what operating system they use. It all depends on how well they can set it up. A Linux box not set up incorrectly can be just as much of a security problem than a Windows box... well... maybe not entirely. But they would be close.
'We're also seeing some exceptional turnarounds.'
now, ianam (i am not a mathematician) but is there any other direction for them to go....?
The only way to get rid of a temptation is to yield to it.
-Oscar Wilde
What are the side-effects of this? Perhaps whistle-blowers have easier access to "restricted" information because the systems aren't kept up to date? Or maybe there is an opportunity for some under-the-table independent verification of internal information because the doors are left unlocked unwittingly or on purpose?
With all the emphasis put on this issue for all this time and so little meaningful progress made, you have to wonder. Would this actually be beneficial for some purpose? I guess I'm hoping this isn't complete incompetence.
Slashdot in 5 Paragraphs
5, Broccoli.
And if the US Govt. has them, then every script-kiddie in the world will be putting their efforts in too!
Seriously, it's obvious where this is headed. This report was done by a Congressional committee using reports from each agency's inspector general. That's a lot of ineffective bureaucracy to start with, but it's only going to get worse. Next we'll have an agency devoted just to making sure these other agencies have proper security. And of course each of those agencies will need to hire specialized people and consultants to figure out how to fix their security problems, and then to diligently maintain the new security fixes on an ongoing basis.
So what do we have at the end of the day? The government reports on itself and determines that more government is needed. Never saw that coming. At least there was one good thing to come of this, from TFA: If only their sense of freedom was enough to "dampen" these efforts...
Remember what the 2 biggest parts of next year's government budget are? Defense and Homeland Security. And the workers there will continue to get fat and wealthy, while being incredibly lazy and careless... as is typical in most government positions. Then when a product doesn't work, either they get rid of that contractor and get a new one (Who behaves the same way), or they just keep on going.
Oh yes, I forgot to mention: it's not just people employed by the government. Contractors are at fault too. Contractors are the ones who do a lot of the work!
It's a difficult situation to handle, I know I wouldn't want to be managing it right now.
What are you trying to do, win an award for all-time least intelligent Slashdot user?
'Several agencies continue to receive failing grades, and that's unacceptable,' said Rep. Tom Davis, R-Va., the committee's chairman. 'We're also seeing some exceptional turnarounds.'
Rep. Davis continues, "These turnarounds will assist us to more effectively collect tax, which is, after all, the reason why we're here. The less we spend on computer security breaches, the more we can spend on programs that justify the collection of tax."
"I voted for the D+ before I voted against it. This does not pass the global test."
Maybe I could get a little more concerned about this if they let us know what the test was? When you are talking about government agencies, the words a computer and network security test could mean quite a few things. 10/200 computers are still running Win3.1 - you get a D+. You are missing meta tags on your intranet - D+.
Hard to have any kind of opinion about that article unless they tell us more about this magical test.
They have to balance security and accessibility. Apple definitely falls on the secure end of that spectrum....
Next time we attack a country and then the public finds out there was no evidence behind the attacks, they won't have to get Britain to cover for them.
They can just get a guy with a nerdy voice to go up to the podium and say "OMG WTF OUR DATA WAS HAX0RED."
At least that excuse is believable.
Besides, FOIA does not mean that you can get all of the information that you want from the government. FOIA requests can be refused for a variety of reasons (these reasons are specified in the act). Requests for "sensitive" data are often refused. So computer security isn't moot anyway.
I keep thinking that if government agencies are really having such a hard time with security and also the typical failure of their large and expensive IT projects they should centralize their IT into a department that will manage all the government IT stuff so as to allow the other agencies to get back to their main business. Kind of the way that computers can be made more secure by not letting the users administer them. If one agency managed all the purchasing, support, and development for the other agencies it might make things work better. As it stands only a handful of agencies seem to be able to handle technology. They would also be able to more easily hold accountable the large contractor corporations that seem to just milk the government on IT projects that never work.
I wish the government wouldn't be singled out as this is a universal problem, no matter who owns the computer. The underlying problem, IMO, is that too many people want administrator rights to systems who know nothing about how to be an administrator. There's no one to enforce security policies and there are no realistic training requirements or credentials for users who operate these systems. This has become an increasing problem in the workplace as the number of systems and their pseudo-admins grow.
As many have said, someone MUST be held accountable for their lack of responsibility. If the admins/users wish to be lazy, and no one forces them not to be, then what's the motivation to be security-conscious? In businesses, government, institutions, only well-trained and competent people should be allowed to manage any device on the network. Many people think they are administrators, but just knowing how to update a system doesn't make you a good admin, and most don't even realize all the different layers of security that need to be considered. For home users, (I'll probably get bashed for this), the ISPs should play a bigger role in making sure their customers are responsible for any damage they cause, or even be the ones to offer security services to customers. I think people would be double-checking access logs and services, running scans, and doing updates more frequently if they could be fined, fired, or otherwise held responsible for not keeping things secured.
Here is a link to the full scorecard and the reporting methodology
Committee on Government Reform
-- Freedom means letting other people do things you don't like.
Sendmail has 108 security advisories at Secunia... Outlook Express has none (Though it has 235 viruses...)
Want to compare Apache2 to IIS6?
I wonder how many are using Microsoft's secure products - those ones that are more secure than the alternatives, that is?
But I can't because there apparently is no list for me to read. Anyone know where I can find info on how all agencies/companies that were involved in the "test" fared?
Sendmail is known to be a piece of shit. There are several more secure and elegant mail servers. (not to mention that sendmail != linux)
"Orthodoxy means not thinking--not needing to think. Orthodoxy is unconsciousness." --Eric Blair
... I think I have been trolled. Outlook Express vs Sendmail? hmm.
I'm sure he put excellent policies and procedures in place. This must be Bush's fault!
Unplug the network cable and lock it up in a guarded vault. Only power and no other access, instant A+ security. You don't even need to fiddle with password security.
Hey this is 2005, putting the prefix "Cyber" in front of everything is so 1998. I like "Network Infrastructure Security" or something like that... Kinda makes me want to start a company called Compu-Hyper-Global-MegaNet (a-l-a Homer Simpson).
I want my rights back. I was actually using them when our government stole them after 9/11.
And an A++ comes from taking the computer with the sensitive data and pulverizing it into pebbles using a piledriver.
Hack THAT!
is ANYONE overseeing all of these orgs, or is this just a mess of organizations running w/o any centralized leadership?
Well, it must have really gotten under your skin. You and all the other slashbot drones who keep bringing it up. You all just sit around all day saying "yep I don't believe that study one bit" and all nodding your heads and agreeing with each other. Meanwhile wringing your hands nervously. "I mean it can't be true... CAN IT!?!?!?"
Security isn't failing in most government agencies due to lack of attention or lack of aptitude. In fact, from what I see in the IT-heavy, defense agency I work for (as a contractor, thank God), the incredible bureaucracy of the process is what keeps them behind the times. There are several competent people, each capable of keeping an up-to-date, secure network running at full speed, but they are so strangled with the briefing, pre-approval, documentation, status reports, testing process, etc., etc., etc., that it takes them a week to get a simple patch approved and installed. All that leads to an apathetic, "I did everything that was specifically required of me" attitude.
There's a pretty high turnover rate for sys admins, which certainly doesn't make the overall maintenance any easier.
http://www.reform.house.gov/UploadedFiles/Computer%20Security%20Report%20card%202%20years.pdf (pdf) for last year's (2003 Dec) report.
It is obvious that those agencies have never heard of it either. But, actually I have heard of it (in passing), but never knew too much about it or bother looking it up (until now).
From the report card, the Department of Homeland Security got an 'F' this year and last.
- Our Economy - Job market - legal system - Government
Join the Slashcott! Feb 10 thru Feb 17!
And the nice thing about computers is that things change. And it's amazing how long you can draw FOIA requests along. Those 2 factors are wonderful things for security. That and if it does expose a serious exploitable flaw, we don't have to release it.
In other news, today, CNN reported that this year's Nobel Prize for Astronomy will be awarded to Jonathan Hersfield, who has recently published a formal proof for the theories that the sky is blue and water tends to be wet between the temperatures of 0C and 100C.
You didn't RTFA before complaining that people didn't RTFA.
Thanks for that inside report on how bureaucrats on Prozac can't even think straight.
Richard Clarke, former White House cybersecurity advisor, criticised Microsoft security, yet government has got substandard grades for security.
Have you ever been to a turkish prison?
I work as a government contractor in IT, in a large government agency. We don't handle secrets, so there is not a huge (legal) impetus for security there--that is, we're about as interested in it as any major corporation. Lives aren't at stake, like they might be at the NSA.
That said, the agent officially in charge of security in my division is as dumb as a bag of nails. How they got that position I don't know--but I understand that it's not uncommon to take, essentially, someone in a bureaucratic position, give them a few night classes, and then they can call themselves chief of security.
My officer is long on procedure--many meetings are attended in which they take copious notes on procedure--and then those procedures are handed down to us to implement. However, since the officer themself isn't technical, a great many gaps can occur between implementation and actual security need. Quite a few things are overlooked, which everyone in the trenches recognizes as an issue, yet we don't have the authority to fix it ourselves; but on the other hand, there are often draconian implementations of security put in place, which have no real effect other than to frustrate the users who then circumvent it.
Case in point: all users are required to use strong passwords, mixed case, number, punctuation, of over 7 characters; these passwords are rotated every 90 days. That's all pretty typical. But oh--our email is IMAP, and it's not over SSL. And you can get connected outside of our firewall. So all of the users with laptops merrily connect from home, sending this super strong password, in the clear, every night. Totally defeating the purpose. While I've recognized this issue, and made my immediate superiors aware, the person that could implement a change in policy is 6 levels above us; and our designated security officer is not technical enough to explain the issue to the folks who would listen. So it gets dropped, until it winds up on a report like this.
Essentially--it's a checkbox method of management. Our officer has boxes to check, and they get checked off. Which means we're secure. Except real security preparedness requires thinking like a burglar, and thinking "out of the box"--but the folks that do aren't the same that make policy.
That's at least the case at my institution. I hate to think that it might be the same where there are actual lives at stake--but who really knows?
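The plain-text IMAP problem in the post above, as an added example that is not from the thread or any agency's code: a client-side policy that only releases credentials once TLS is up, a parser for IMAP CAPABILITY responses, and an audit run over constructed session transcripts. The host, user name and password values are made up for illustration.

```python
import imaplib
import ssl

# Constructed transcripts (not real captures); "C: " is the client, "S: " the
# server.  The first one is exactly the situation the post describes.
TRANSCRIPT_PLAIN = [
    "S: * OK IMAP4rev1 server ready",
    "C: a1 CAPABILITY",
    "S: * CAPABILITY IMAP4rev1 STARTTLS",
    "S: a1 OK CAPABILITY completed",
    "C: a2 LOGIN jdoe Tr0ub4dor&3",      # strong password, visible on the wire
    "S: a2 OK LOGIN completed",
]
TRANSCRIPT_TLS = [
    "S: * OK IMAP4rev1 server ready",
    "C: a1 STARTTLS",
    "S: a1 OK Begin TLS negotiation now",
    "C: a2 LOGIN jdoe Tr0ub4dor&3",      # same command, now inside TLS
    "S: a2 OK LOGIN completed",
]

def parse_capabilities(line):
    """Parse an IMAP CAPABILITY response ('* CAPABILITY ...' or a bare token
    list) into an upper-cased set of capability names."""
    tokens = line.strip().split()
    if [t.upper() for t in tokens[:2]] == ["*", "CAPABILITY"]:
        tokens = tokens[2:]
    return {t.upper() for t in tokens}

def credential_policy(capabilities, tls_active):
    """What a well-behaved client may do next: 'login', 'starttls' or 'refuse'.
    The password leaves the client only on a TLS-protected connection."""
    if tls_active:
        return "login"
    if "STARTTLS" in capabilities:
        return "starttls"          # upgrade first, then re-evaluate
    return "refuse"                # no way to protect the password: do not send it

def audit_transcript(lines):
    """Return the client commands that carried credentials before TLS was
    established.  An empty list means the session never exposed the password."""
    tls_active = False
    pending_starttls_tag = None
    leaks = []
    for line in lines:
        side, _, text = line.partition(": ")
        parts = text.split()
        if side == "C" and len(parts) >= 2:
            tag, command = parts[0], parts[1].upper()
            if command in ("LOGIN", "AUTHENTICATE") and not tls_active:
                leaks.append(text)
            elif command == "STARTTLS":
                pending_starttls_tag = tag
        elif side == "S" and pending_starttls_tag and parts[:2] == [pending_starttls_tag, "OK"]:
            tls_active = True      # server accepted the upgrade
            pending_starttls_tag = None
    return leaks

def connect_and_login(host, user, password, port=143):
    """Connect on the plain IMAP port and LOGIN only after a certificate-verified
    STARTTLS upgrade; raises instead of ever sending the password in the clear.
    (imaplib re-reads the server's capabilities after starttls() succeeds.)"""
    conn = imaplib.IMAP4(host, port)
    action = credential_policy(set(conn.capabilities), tls_active=False)
    if action == "refuse":
        conn.logout()
        raise RuntimeError("%s offers no STARTTLS; refusing plain-text LOGIN" % host)
    conn.starttls(ssl.create_default_context())
    conn.login(user, password)
    return conn
```

Pointing audit_transcript() at a recorded client session is a quick way to show a non-technical policy owner that the password rotation rule is being undone by the mail configuration.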
Friends of Mr. Bush might be happy to point out that Clarke is a former member of the Bush cabinet who left under unhappy conditions. For me, this would complete my proof.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
I wonder if the company that did the audit also supplied a quote to fix it.
No I didn't read the article it doesn't really interest me.
Terror == Fear
The War against Fear ?
A war against fear, and a color coded domestic propaganda department that creates it. It's perfect.
New poll:
If the neighbors are causing Terror in you, you:
1) Fence yourself in to protect yourself.
2) Move. No, sorry, can't move.
3) Throw heavy things at them to fight back.
4) Try to figure out why they are pissed and fix it.
5) Send more money to your other neighbors to do 3, and then casually do 4.(and casually steal your neighbors oil)
6) 1, then 5 then 3.
They've gone from D to D+ -- sure, there's still room for more improvement, but why do you guys always have to look at the negative side of things?
Actually, the idea of external auditors is a good idea. The leadership of the organization being audited will not be able to use intimidation etc to make the auditors let a couple of unacceptable practices go unmentioned.
Rather, the output from the audit must be taken seriously. It seems rather curious that an agency can receive failing grades over and over without anyone forcing the agency to take effective measures.
Yes - some improved, but why didn't the rest of 'em? But hey - if I was an Al Qaeda operative, I would certainly thank the auditors for pointing out the inherently weak links..
Stop the brainwash
(In reference to the Apple security comment)
Security through obscurity isn't a good security tactic.
Security through obscurity wasn't even mentioned. Secure by default was the premise. Pay attention you insensitive clod.
You know they graded on a curve.
Care about electronic freedom? Consider donating to the EFF!
I used to be employed at a large government agency in Washington, DC. There was no security in the building until you got onto the floor I was working. One day, I forgot my badge so I couldn't get in the door. Standing next to the elevators, I waited for someone to let me in even though it was pretty early in the morning and most people didn't arrive until after 9am. Finally, someone else showed up and showed me that you don't really need a badge. He passed his credit card along the door jamb and the door latch opened up just like in a bad spy movie. There were no cameras, nothing.
Also, we had a lot of private consultants who were using laptops to dial back to their respective firms. Since said laptops were simultaneously connected to the LAN, they basically did an end-run around our firewall and created a vulnerability....assuming we had a firewall which we didn't. The place was pathetic yet still required the Top Secret clearance, etc., etc., etc.
That's a knee-jerk reaction to stereotype faceless bureaucracies. To keep my soapbox short, I chalk up most of my negative experiences working within the gov't to the political side of human nature, and those inefficiencies are always going to be there. Until we figure out how to breed perfect administrators.
each of those agencies will need to hire specialized people and consultants
A solution to this is being tried: NMCI (Navy Marine Corps Intranets) is one poor example of standardizing IT (and with it some security issues) across agencies. Unfortunately its implementation is stifling to engineers, scientists and non-bureaucrats, and you really don't want to know how much the individual components are costing taxpayers. If NMCI is cutting edge for IT security, then security technology's got a long way to go to not throttle productivity! We'll take local IT mgmt over NMCI anytime.
Is it a rule, that there's an exception to every rule?
I'm no government apologist, but how long do you think it would take you to integrate pieces of 100's of agencies (DHS) with thousands of custom and COTS applications on every platform imaginable into a brand new superagency? They can't even get office space together, how can they be expected to have their infosec together? When mission continuity is your only priority, and your budget is earmarked for more important things, you lose a lot of your options.
People who think they know everything really piss off those of us that actually do.
When the newest and largest government organization doesn't perform "Due Diligence", and adopts Microsoft OSes and Apps wholesale, it doesn't bode well for their "Mission Statement".
The Department of Homeland Security inked a multi-year multi-billion USD contract with Microsoft for their OSes and Apps, in spite of warnings from independent IT security experts.
"Dubya" has embraced policies that are contrary to his stated "war on terror" (such as border & seaport security understaffing and underfunding), and the DHS has embraced Microsoft as their "IT" solution by choice. That's enough "irony" to build another Golden Gate Bridge.
This may have been modded as 'Flamebait' and maybe it was--but if you look at the subsequent posts you will see that it was highly accurate.
Slashdot: being predictably obsequious towards the political left without regard for the facts.
Hey there's a wawr agin the terrorists people. We ain't got no time for security. Now watch this drive.
Um... do you know the diff between mute and moot?
The real problem with government agencies is that it's almost impossible to get fired. You have to do something criminal to get the boot. Incompetence is not grounds for termination, it's standard business practice. Everyone looks the other way because they're doing the same thing. Think about it... If it was nearly impossible for you to be fired, how long before you started to slack off and become part of the problem? People in the real world know that if they don't work, they'll be fired... And if you don't enjoy your job, that's all the motivation you need. Just as water seeks its own level, if you work for the government long enough, you will become useless too. The only way to fix the government is to bring in an independent professional auditor and make everyone in government interview for their own jobs. This will weed out the dead weight and open up positions for new people who have not yet been assimilated by the system.
Davis said troubling areas included... little training available for employees responsible for security.
Why am I so unsurprised? Oh, right, because only last year was I hired by the government to design a monthly calendar that federal employees were supposed to post in their cubicles, each month with its own little message like "don't write down your passwords on sticky notes and stick them to your monitor." An incredibly secure system doesn't mean bubkes if the people using the system are totally lacking in common sense. Unfortunately, common sense isn't.
Umm...do you know the meaning of 'redundant'?
This makes me wonder, the one that got an A+ - are they really that secure or does that mean they did all their paperwork? They seem to think that paperwork makes things more secure. I'm not sure if anything could be further from the truth.
Audits. Some agencies get audited to the point they have several audits going on at the same time. At one agency (famous agency) I know it got so bad that a few of the managers took the auditors to court and had the court order them to stop harassing them. They were requiring them to put in 18 hour days, one guy had a heart attack and died over it. More secure? Nope, they were doing paperwork so patches weren't applied. That agency had a number of compromises I blame on the overzealous audits. No I don't work for that agency.
Before you start bashing Bush over this, it isn't him. We had this BS going on way before he became president. We do seem to have more agencies trying to wear the auditor hat. I have noticed that the questions being asked seem to have a lot more to do with Windows and not Unix/Linux. Some idiot auditors don't realize the difference (i.e. rent-a-cop equivalent, know enough to be dangerous). The presidents have asked during the years from Reagan on to make sure machines are secure. In fact the rainbow series came out of Reagan asking for a standard, that was published around 1985 depending on which one you are looking at. I still have my copies right here. C-2, C-1, B-2 and so on. As time has gone on each president has asked for additional requirements. Clinton probably had the most sweeping changes since Reagan. That could be expected as things became public when Bush I signed the internet into the public domain just before he left office.
They lost the keys a long time ago, and have been trying to get the budget increased for the $80,000 it costs for new keys.
How many corporations (Fortune 100, 500, or small businesses) would receive a passing grade for infrastructure security? Who grades private industry? And before you answer, 'the stockholders', how many security incidents go un-noticed? Who has more of your information, government or private industry? (I'm not defending or attacking either party)