Uncle Sam Earns C-minus Grade for PC Security
An anonymous reader writes "Twenty-four federal departments and agencies earned a collective grade of C-minus last year for their performance in meeting computer and network security requirements, according to marks handed out by a key congressional oversight committee today. The government-wide grade is up slightly from 2005, when it earned an overall grade of D+. Eight agencies earned A grades, while as many warranted failing marks. '...the Department of Defense led a group of eight agencies that received failing marks for computer security. Also receiving that dubious distinction were the departments of Agriculture, Commerce, Education, Interior, State and Treasury, as well as the Nuclear Regulatory Commission. The Department of Homeland Security earned a D, although its overall performance improved since 2005. The Department of Veterans Affairs did not provide enough data to earn a grade. In 2005, it received an F.'"
if it was good enough for our president...
Read up on what Gary McKinnon http://en.wikipedia.org/wiki/Gary_McKinnon found.
Just like in the control room for Springfield's reactor in Last Exit To Springfield (9F15).
The US has all the Get Smart-like security, but then has the dilapidated MS door wide open for any and all.
Domestic spying is now "Benign Information Gathering"
Naw, I work with the government too and most of the problems really are quite simple (or at least no more complicated than most). It's all the paperwork and bureaucracy that makes it complicated. Oh sure, we COULD just go to the store and buy the thing, but instead we'll fill out form 361-B in triplicate, ensuring one is in English, one is in French and the other is in some language only three people in the world can speak (meaning you'll have to get approval and fill out more paperwork to fly them in to finish that section of the form) and then wait 4-6 months for the document and its approval to weave its way through the maze of middle management. Oh well, at least it keeps me and many other workers employed.
We shouldn't be surprised by this. Considering the size of the federal gov't, it's safe to assume that they're a representative cross section of the population. If it's true that 25% of the computers in this country are part of a botnet (http://it.slashdot.org/article.pl?sid=07/01/26/2229203), then the gov't is on par with the rest of the country.
I suspect this also includes government networks run by contractors.
A while back I used to be friends with someone who worked for one of these companies that do contract work for the government, for one of those agencies that require Secret or Top Secret clearance along with requiring routine polygraph tests.
I was told stories on occasion how IT jobs would come open and be filled not with individuals that had the technical qualifications but those that had the security clearance.
Heck, my friend who had a clearance and did clerical work was promoted to run the Help Desk and was given a book to learn on the job. Then again a few years later to administer servers spread around the globe, with no formal training.
I was told the contracting companies would not hire individuals for the clearance jobs unless they already had the clearance. The clearance trumped any sort of job qualification.
If this has changed since 9/11 I don't know.
As someone dealing with a security audit right now, all I can say is: don't believe a word of it. The auditors tick off items on a checklist. Telnet running? Lose points. Telnet running on your Cisco routers in a configuration where a man-in-the-middle attack is impossible? It's Telnet. Lose points. Telnet running in an impregnable fashion because that's what the vendor offers for remote access and you locked it down damn tight to compensate? It's Telnet. Lose points.
Damn auditors.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
In reading the article, paragraph two states that the Department of Defense led the list of failing agencies. DoD is made up of NSA, ONI, NRO, DIA, NGIA, "Army Intelligence" (INSCOM) and AIA, as well as a myriad assortment of other entities, big and small. So, if 2 through 7 in coward's list of "agencies" hacked, they only looked out for themselves, sabotaged each other, or hid under a rock.
Actually the grades are created by the GAO in conjunction with each Department's Inspector General. They audit a cross section of the assessments submitted by the system owners for each Department. And by "audit" I mean they show up at the site with the report and go through a physical verification of all the details entered. Nothing makes a government Sysadmin's day like having an auditor shoulder surf while they go over server settings for 8 hours. I have been through it.