Uncle Sam Earns C-minus Grade for PC Security
An anonymous reader writes "Twenty-four federal departments and agencies earned a collective grade of C-minus last year for their performance in meeting computer and network security requirements, according to marks handed out by a key congressional oversight committee today. The government-wide grade is up slightly from 2005, when it earned an overall grade of D+. Eight agencies earned A grades, while as many warranted failing marks. '...the Department of Defense led a group of eight agencies that received failing marks for computer security. Also receiving that dubious distinction were the departments of Agriculture, Commerce, Education, Interior, State and Treasury, as well as the Nuclear Regulatory Commission. The Department of Homeland Security earned a D, although its overall performance improved since 2005. The Department of Veterans Affairs did not provide enough data to earn a grade. In 2005, it received an F.'"
The infrastructure of the DoD's systems extends far beyond its headquarters.
"To be is to do." -Socrates
"To do is to be." -Jean-Paul Sartre
"Do-be-do-be-do." -Frank Sinatra
This is why there is a 90-day project currently in progress to select a Full Disk Encryption suite for all government-owned computers. A Request for Quotation (RFQ) has already gone out on April 12, 2007. See http://www.herbb.hanscom.af.mil/download.asp?rfp=R1450&FileName=NOTICE_OF_AVAILABILITY_OF_A_SOLICITATION_2.doc
Consensus is good, but informed dictatorship is better
Yesterday, we had a story where Turbo Tax's online system exposed a few tax forms for returns with similar names.
Last Friday, it was reported that the IRS lost 490 computers with potentially millions of taxpayer records. (The IRS is not sure what was lost.)
Tell me why the latter isn't a bigger story?
Answer: With TJ Max, Georgia CHIP, the CIA, and Los Alamos, we're all desensitized to the daily reports.
>If this has changed since 9/11 I don't know.
A couple friends of mine recently hired on with a growing government contract IT firm out here. The HR department didn't even really care about the resume, but rather the fact that two of them already had clearances. According to them, they work with some utter idiots, but they're qualified to see almost anything, so they keep them around.
So the agencies were all graded on their self-reporting of their own security... I think I'm seeing the problem here. My guess is the DoD and other high-profile agencies got poorer marks because they grade themselves harder. I have seen many times where a group gets a bunch of security requirements and responds back, "yeah, we meet those."
And even legitimate reporting of FISMA requirements is damn near pointless. Q: "Do you have a firewall?" A: "Yes! It's default allow with no rules, but the requirement says firewall." Q: "Do you have an IDS?" A: "Yes! It has the default rule set, no one monitoring it, and we don't even know if you can access the logs, but it's there." I have seen that answer, literally, on a system that people would simply assume had someone personally approving every packet.
In the end, it's damn near impossible to tell who's secure and who isn't without having a single team do unannounced pen tests on everything and reporting how they compare. And there are so many problems with that approach I don't know where to start. But you will always have teams that lock a system down so tight water doesn't get in yet fail requirements. You have people who meet the letter of requirements yet add no measurable security. And you will have the people who simply lie because they can't be bothered to hire someone competent to do the reporting.
I do security
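The "we have a firewall" answer above is the kind of thing a checkbox audit cannot distinguish from real enforcement. The following is an added example (not code from the original post or from any agency tool) of how a reviewer could test the claim mechanically instead of taking it on faith: it parses an `iptables-save`-style dump of the filter table and classifies a chain as default-deny, default-allow with at least one deny rule, or not enforcing anything at all. The rule dumps are constructed for illustration, the chain name `ufw-user-input` is used only as a plausible user-defined chain, and the classification labels are this example's own.

```python
import re

# Constructed sample: a "firewall" that is installed but enforces nothing.
# Every built-in chain has policy ACCEPT and there are no rules at all.
CHECKBOX_FIREWALL = """\
*filter
:INPUT ACCEPT [1024:98765]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2048:123456]
COMMIT
"""

# Constructed sample: a host with a real default-deny inbound policy.
REAL_FIREWALL = """\
*filter
:INPUT DROP [12:720]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [500:40000]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
COMMIT
"""

# Constructed sample: policy ACCEPT, but a jump into a user-defined chain
# (named like a ufw chain here, as an assumption) that ends in DROP.
JUMP_FIREWALL = """\
*filter
:INPUT ACCEPT [0:0]
:ufw-user-input - [0:0]
-A INPUT -j ufw-user-input
-A ufw-user-input -p tcp --dport 22 -j ACCEPT
-A ufw-user-input -j DROP
COMMIT
"""

# ":CHAIN POLICY [pkts:bytes]"; user-defined chains carry "-" as policy.
POLICY_RE = re.compile(r"^:(\S+) (ACCEPT|DROP|REJECT|-) \[\d+:\d+\]$")
RULE_RE = re.compile(r"^-A (\S+) (.*)$")
TARGET_RE = re.compile(r"(?:^|\s)-j (\S+)")


def parse_filter_table(dump):
    """Return {chain: {"policy": str, "rules": [rule_text, ...]}} for the *filter table only."""
    chains = {}
    in_filter = False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
            continue
        if not in_filter or line == "COMMIT" or line.startswith("#") or not line:
            continue
        m = POLICY_RE.match(line)
        if m:
            chains[m.group(1)] = {"policy": m.group(2), "rules": []}
            continue
        m = RULE_RE.match(line)
        if m:
            chains.setdefault(m.group(1), {"policy": "-", "rules": []})["rules"].append(m.group(2))
    return chains


def chain_denies(chains, name, seen=None):
    """True if chain `name`, or any user chain it jumps to, contains a DROP/REJECT target."""
    seen = seen if seen is not None else set()
    if name in seen or name not in chains:
        return False
    seen.add(name)
    for rule in chains[name]["rules"]:
        m = TARGET_RE.search(rule)
        if not m:
            continue  # rule with no target (e.g. a bare match) blocks nothing
        target = m.group(1)
        if target in ("DROP", "REJECT"):
            return True
        if target in chains and chain_denies(chains, target, seen):
            return True
    return False


def assess_chain(dump, chain="INPUT"):
    """Classify one built-in chain: 'missing', 'default-deny',
    'default-allow-with-deny-rules', or 'no-enforcement' (the checkbox firewall)."""
    chains = parse_filter_table(dump)
    if chain not in chains:
        return "missing"
    if chains[chain]["policy"] in ("DROP", "REJECT"):
        return "default-deny"
    if chain_denies(chains, chain):
        return "default-allow-with-deny-rules"
    return "no-enforcement"


def report(dump):
    """Assessment for each built-in filter chain, for a one-glance audit summary."""
    return {c: assess_chain(dump, c) for c in ("INPUT", "FORWARD", "OUTPUT")}


if __name__ == "__main__":
    for label, dump in (("checkbox", CHECKBOX_FIREWALL), ("real", REAL_FIREWALL), ("jump", JUMP_FIREWALL)):
        print(label, report(dump))
```

Run against a live box with `iptables-save | python3 thiscript.py` replaced by reading stdin; the point is that "no-enforcement" on INPUT is exactly the "default allow with no rules" answer, and it is a mechanical finding rather than a self-reported one. Following jumps matters because distribution front-ends put the real rules in user chains, so a checker that only looks at the built-in policy would misgrade them.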
I just left the civil service, working in DoD. I saw plenty of contractors, including the security teams (security and accreditation process people), have complete ignorance of technology. They were hired because they held a 3C0 AFSC (if that) and a clearance. Their idea of security is running off a checklist, with no thought given to new exploits in the wild. The checklists usually ran something like: 1. Antivirus up to date? 2. No Guest user? etc. These same people have caused there to be plenty of NT 4.0 servers still running as domain controllers. For that matter, there were plenty of individuals in the civil service who also were not IT people, but were working in an IT capacity.
It is trivial to break into a laptop when one has unrestricted physical access.
It is usually non-trivial to break into a server that is in a data-center behind firewalls given zero-knowledge.
Fortunately for the bad-guys, laptops have been proven over and over to contain network information, passwords, and raw protected data:
Chicago Public Schools
FBI
Boeing
Starbucks
Towers Perrin
US Commerce Department
US Department of Transportation and Sovereign Bank, et al.
US Navy
US Department of Veteran Affairs
Federal Trade Commission
Equifax
Ernst & Young (many times)
Unless "Get competent administrators" is software that prevents users from putting data on their laptops, this suggestion is meaningless.
"Get competent administrators" is a finger-waving nebulous non-solution from those that have no idea what competent administration looks like.
Competent administrators recognize that security problems are not simple and they are only solved by tangible, disciplined, and rigorous solutions, rather than dismissive statements of "be smarter."