Slashdot Mirror


Uncle Sam Earns C-minus Grade for PC Security

An anonymous reader writes "Twenty-four federal departments and agencies earned a collective grade of C-minus last year for their performance in meeting computer and network security requirements, according to marks handed out by a key congressional oversight committee today. The government-wide grade is up slightly from 2005, when it earned an overall grade of D+. Eight agencies earned A grades, while as many warranted failing marks. '...the Department of Defense led a group of eight agencies that received failing marks for computer security. Also receiving that dubious distinction were the departments of Agriculture, Commerce, Education, Interior, State and Treasury, as well as the Nuclear Regulatory Commission. The Department of Homeland Security earned a D, although its overall performance improved since 2005. The Department of Veterans Affairs did not provide enough data to earn a grade. In 2005, it received an F.'"

16 of 88 comments

  1. But it was a strong improving "F" by Danathar · · Score: 4, Funny

    I heard on the radio that some gov spokesperson for DOD said

    But it's a strong improving "F" ...LOL

    I don't recall that ever working with mom "But Mom...it's an improved F over the last F I got"

  2. of course D of VA didn't provide data by 192939495969798999 · · Score: 3, Funny

    They didn't have any data, since all of it was stolen last year! DOH!

    --
    stuff |
  3. If it were only so simple by stratjakt · · Score: 3, Insightful

    Letter grades and color coded terror levels.

    I like how they think they have to kindergarten-up government to teach it to the people.

    I've worked on a few different government 'nets. It's always just a little bit more complicated than that.

    --
    I don't need no instructions to know how to rock!!!!
    1. Re:If it were only so simple by Anonymous Coward · · Score: 5, Interesting

      Naw, I work with the government too and most of the problems really are quite simple (or at least no more complicated than most). It's all the paperwork and bureaucracy that makes it complicated. Oh sure, we COULD just go to the store and buy the thing, but instead we'll fill out form 361-B in triplicate, ensuring one is in English, one is in French and the other is in some language only three people in the world can speak (meaning you'll have to get approval and fill out more paperwork to fly them in to finish that section of the form) and then wait 4-6 months for the document and its approval to weave its way through the maze of middle management. Oh well, at least it keeps me and many other workers employed.

    2. Re:If it were only so simple by cyphercell · · Score: 4, Funny

      For god's sake will someone quit giving that one asshole gold stars?

      --
      Under the influence of Post-Cyberpunk Gonzo Journalism
  4. heh by AdebisiTheGamer · · Score: 4, Funny

    "The Department of Homeland Security earned a D" Irony?

    --
    Adebisi
  5. Government to use Full Disk Encryption on computer by stonebeat.org · · Score: 4, Informative

    This is why there is a 90-day project currently in progress to select Full Disk Encryption suites for all government-owned computers. A Request for Quotation (RFQ) has already gone out on April 12, 2007. See http://www.herbb.hanscom.af.mil/download.asp?rfp=R1450&FileName=NOTICE_OF_AVAILABILITY_OF_A_SOLICITATION_2.doc

  6. Hacking the grades by Anonymous Coward · · Score: 5, Funny

    >Eight agencies earned A grades

    At least now we know which agencies are capable of hacking into the system to change their grades:

    1) Central Intelligence Agency
    2) National Security Agency
    3) Office of Naval Intelligence
    4) National Reconnaissance Office
    5) Defense Intelligence Agency
    6) National Geospatial-Intelligence Agency
    7) Army Intelligence
    8) Air Intelligence Agency
  7. no wonder DoJ got an A by RelliK · · Score: 3, Funny

    Their security system is so good, it regularly deletes all email, just so that no one else gets it.

    --
    ___
    If you think big enough, you'll never have to do it.
  8. Perl scripts and default passwords? by AHuxley · · Score: 3, Interesting

    Read up on what Gary McKinnon http://en.wikipedia.org/wiki/Gary_McKinnon found.
    Just like in the control room for Springfield's reactor in Last Exit To Springfield (9F15).
    The US has all the Get Smart-like security, but then has the dilapidated MS door wide open for any and all.

    --
    Domestic spying is now "Benign Information Gathering"
  9. Turbo Tax vs. IRS by Anonymous Coward · · Score: 3, Informative

    Yesterday, we had a story where Turbo Tax's online system exposed a few tax forms for returns with similar names.

    Last Friday, it was reported that the IRS lost 490 computers with potentially millions of taxpayer records. (The IRS is not sure what was lost.)

    Tell me why the latter isn't a bigger story?

    Answer: With TJ Maxx, Georgia CHIP, the CIA, and Los Alamos, we're all desensitized to the daily reports.

  10. I am not surprised by Mike_ya · · Score: 5, Interesting

    I suspect this also includes government networks run by contractors.

    A while back I used to be friends with someone who worked for one of these companies that do contract work for the government, for one of those agencies that require Secret or Top Secret clearance along with requiring routine polygraph tests.

    I was told stories on occasion how IT jobs would come open and be filled not with individuals that had the technical qualifications but those that had the security clearance.

    Heck, my friend who had a clearance and did clerical work was promoted to run the Help Desk and was given a book to learn on the job. Then again, a few years later, to administer servers spread around the globe, with no formal training.

    I was told the contracting companies would not hire individuals for the clearance jobs unless they already had the clearance. The clearance trumped any sort of job qualification.

    If this has changed since 9/11 I don't know.

    1. Re:I am not surprised by QuasiEvil · · Score: 3, Informative

      >If this has changed since 9/11 I don't know.

      A couple friends of mine recently hired on with a growing government contract IT firm out here. The HR department didn't even really care about the resume, but rather the fact that two of them already had clearances. According to them, they work with some utter idiots, but they're qualified to see almost anything, so they keep them around.

    2. Re:I am not surprised by cyphercell · · Score: 3, Insightful

      Funny, the security clearances are making the system insecure; methinks something is broken.

      --
      Under the influence of Post-Cyberpunk Gonzo Journalism
  11. Don't believe it by Spazmania · · Score: 3, Interesting

    As someone dealing with a security audit right now, all I can say is: don't believe a word of it. The auditors tick off items on a checklist. Telnet running? Lose points. Telnet running on your Cisco routers in a configuration where a man-in-the-middle attack is impossible? It's Telnet. Lose points. Telnet running in an impregnable fashion because that's what the vendor offers for remote access and you locked it down damn tight to compensate? It's Telnet. Lose points.

    Damn auditors.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  12. What a scam... by eklitzke · · Score: 3, Insightful

    I don't understand the attraction to full disk encryption. Sure, it will prevent a would-be thief from reading some of your personal emails or getting access to your credit card information. But all the good secrets are on servers and corporate networks, not on people's laptops. And if the secrets are really good, you're not going to be able to get to them just by stealing someone's laptop.

    For example, where I work, to get onto the corporate intranet you need to actually be physically connected to the corporate network, or you need to access it via a VPN. To get on the VPN, you need the group password and your individual password. The group password is static, but your own password is a combination of a PIN plus the sequence of digits on the RSA SecurID card you're issued, which change every sixty seconds. This is a really standard setup, and means that to get anywhere you would need to steal my laptop (to get the group password), know my PIN, _and_ steal my SecurID card. Actually, you would _also_ need my corporate username and passphrase, but if you're good enough to get all of the above I assume you can get those too.

    If you want to secure email (or whatever), that's easy too. To get to the mail servers you need to be on the VPN, which is already a pretty good start. At that point all you need to do is make sure that all the really sensitive email accounts are local delivery only (i.e. no POP/Exchange/IMAP access). To read email you get a web based email solution or a shell account on the mail server. Either way you log in by connecting to the VPN and doing your normal Kerberos authentication. Obviously web mail presents a bit of a problem in the way of the browser cache, but it's fairly simple to lock down a shell account in such a way that users can't connect out from the account (or scp files).

    Anyway, adding full disk encryption to this is a joke. It's a scam to let the companies that provide the disk encryption hardware/software make a lot of easy money. If you were doing things right in the first place it would be a _lot_ easier for someone to get the encryption password than it would be for them to get to your sensitive data. Instead of paying hundreds of thousands of dollars on a proprietary disk encryption solution, get some competent system administrators.

    --
    #include ".signature"
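The VPN login eklitzke describes above (a memorised PIN followed by a token code that changes every sixty seconds) is a two-factor passcode. The following is an added example, not code from the commenter or from RSA: SecurID's token algorithm is proprietary, so it uses the open TOTP construction (RFC 6238, HMAC-SHA1 over a 60-second time counter, the 6-digit HOTP truncation of RFC 4226) as a stand-in. The seed `DEMO_SECRET`, the user `alice` and her PIN are constructed demo values; the 60-second step is taken from the comment. Beyond the comment, it also shows two checks a verifier needs that the comment leaves implicit: a small clock-skew window, and a replay guard so that a passcode captured once cannot be reused within its validity window.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # token code rolls over every sixty seconds, per the comment
CODE_DIGITS = 6

# Constructed demo seed: the RFC 4226 test key, NOT a real token secret.
DEMO_SECRET = b"12345678901234567890"
# Constructed demo user: {username: (PIN, token seed)}; hypothetical values.
DEMO_USERS = {"alice": ("4321", DEMO_SECRET)}


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = CODE_DIGITS) -> str:
    """TOTP (RFC 6238) with HMAC-SHA1: the code for the time step containing unix_time."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226 s5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Checks PIN + token code passcodes, with clock-skew tolerance and replay protection."""

    def __init__(self, users: dict):
        self._users = users
        self._last_counter: dict = {}   # highest time step already accepted, per user

    def verify(self, username: str, passcode: str, now: int, skew_steps: int = 1) -> bool:
        record = self._users.get(username)
        if record is None:
            return False
        pin, secret = record
        if len(passcode) != len(pin) + CODE_DIGITS:
            return False
        supplied_pin, supplied_code = passcode[:len(pin)], passcode[len(pin):]
        # Constant-time comparison so PIN checking does not leak via timing.
        if not hmac.compare_digest(supplied_pin, pin):
            return False
        counter_now = now // STEP_SECONDS
        for delta in range(-skew_steps, skew_steps + 1):
            counter = counter_now + delta
            # Replay guard: never accept a step at or before one already used.
            if counter <= self._last_counter.get(username, -1):
                continue
            if hmac.compare_digest(totp(secret, counter * STEP_SECONDS), supplied_code):
                self._last_counter[username] = counter
                return True
        return False


def demo(now: int = 60) -> dict:
    """Runs one login, a replay of the same passcode, and a wrong-PIN attempt."""
    verifier = TokenVerifier(DEMO_USERS)
    passcode = "4321" + totp(DEMO_SECRET, now)
    return {
        "first_login": verifier.verify("alice", passcode, now),
        "replayed_passcode": verifier.verify("alice", passcode, now + 1),
        "wrong_pin": verifier.verify("alice", "0000" + totp(DEMO_SECRET, now), now),
    }


if __name__ == "__main__":
    print(demo(int(time.time())))
```

The replay guard is what turns "the code changes every sixty seconds" into an actual security property: without it, a passcode shoulder-surfed or captured from a plaintext login is good for up to the whole skew window, which is exactly the window an attacker needs.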