US Government IT Security 'Outstandingly Mediocre'
mrneutron2004 writes with a link to an article on The Register, discussing an annual IT security report card handed out to the federal government. The results this year were mixed. The good news is that they graded higher than last year. The bad news? They still just rate a C-. Individual departments did better than others, but overall the results were quite poor. "Although overall security procedures improved the Department of Defense (DoD) recorded a failing F grade. Meanwhile the Department of Veterans Affairs - whose loss of laptops containing veterans' confidential data triggered a huge security breach - failed to submit a report. The Nuclear Regulatory Commission, another agency that has trouble keeping track of its PCs, flunked."
that this is completely different than yesterday's article on the same subject?
The Nuclear Regulatory Commission, another agency that has trouble keeping track of its PCs, flunked.
I realize the two are not tied but please - if you're going to push for more nuclear plants and recycling of nuclear material (with weapons grade material as a side effect), could you please keep track of your computers? If nothing else, it's a major PR blunder that will be used by people already irrationally against nuclear power.
Consistently the worst stories and crap and misinformation on the web. They are traffic whores. I don't even know what this article means and I don't care. I don't even know why I'm posting anything about it. Move along.
'Outstandingly Mediocre' sues for defamation.
DHS for example, is heavy into Windows.
Any exceptions?
You are being MICROattacked, from various angles, in a SOFT manner.
Tada.
One new sarcasm meter. Mine just blew up.
Programmer: an ingenious device that converts caffeine into code.
Slashdot Dupe Detection 'Outstandingly Mediocre'
I think there was just a glitch in the matrix
It would probably help if most of the security measures weren't "Unfunded mandates"... There's quite a lot that could and should be done, and plenty of items which must be met, but as long as budgets are shrinking IT will continue to get a smaller piece of the pie with which to work.
Are you implying that Unix/Linux can't be unpatched or set up poorly?
Is there any other government in the world that actually publishes the fact that they suck at network security?
I certainly haven't seen any from those bastions of freedom and openness in the EU.
Did anyone stop to think that the Microshit monoculture just MIGHT be contributing to this problem?
Question the status quo, people. (In Soviet Russia, the status quo questions YOU.)
you had me at #!
One person capable of edits edited new submissions.
The grades are on FISMA compliance which is not really the same thing as computer security. This is more about documentation than anything else...
It is about having documented down to the letter networks, configurations, policies and procedures for everything.
Another weakness is how "controls" are rated. Basically, missing one little policy or procedure is rated as bad as missing something as critical as secure configurations...
Every agency IG has a vested interest in scoring down agency efforts.
If you look too, the ratings are biased because small agencies & independents have inordinately high ratings, while the bigger agencies/departments have far worse ratings.
The only solution is to stop giving them money and confine them to the strictest interpretation of the 9th and 10th amendments possible.
"The bad news? They still just rate a C-."
/. editors will soon be appearing on: Are you smarter than a fifth grader?
They are letting us know that nothing has gotten better in the last 22 hours...
C'mon guys at least read the front page (and the little box in the corner where it clearly shows the c- story, it even has c- in headline)
I wonder if any of the
Clearly the White House should launch a "No Department Left Behind" initiative to improve the government's IT security grades.
It could begin with routine penetration testing to assess how well-defended systems are against known and common attacks -- one could call this "standardized testing" to establish a minimum level of security, with budget cuts for departments that fail to keep their networks secure. The results should be reported to the taxpayers, so that we know which systems are secure and which are not, and can put public pressure on departments that aren't keeping their grades up. And of course, all IT managers should have MCSE, CCNA, RHCE, and A+ certifications, to prove that they're qualified for their jobs.
... I get a headache when otherwise intelligent folks want the government to run things (like health care). Does the federal government do *anything* well? Other than spend money? You can't even point to any aerospace stuff because that's mostly contracted out.
Is it too much to ask that the "editors" read their own site?
It's official. Most of you are morons.
At least I pray to God it is. Otherwise, we're all in deep, deep trouble.
Now you'll have to excuse me. I need to go update my will.
Crow T. Trollbot
Well, don't they print the money? Tax or no tax, these guys are bent on taking your labor. We're all slaves!
But Microsoft sells itself as the software for dumb people who have no technical expertise. You have seen the adverts on TV with the ordinary schlebs in an office environment all happier than a pig in a mud puddle. They are happy because they can use computers with Microsoft software even though they do not know jack.
Microsoft uses essentially the same sales pitch to the captains of industry who decide what goes into the corporate computing infrastructure. They tell them "Hey look -- you do not need the level of expertise for our software that you need for, say, a Unix set up. 'Ordinary people' [read: inexpensive people with just a moderate skill level] can keep it working."
It should then not be a surprise that these "ordinary people" can not secure the computer network.
Religion is the main cause of atheism.
Only in government could mediocre be considered outstanding. :/
Since the recent news tells us the White House can't even keep its own email under control, I can't imagine that they could defend against even an eleven-year-old script kiddie with a TRS-80.
Meanwhile, the government goons over at the FBI are still trying to figure out how email works...
Bringing liberty to the masses. - http://freetalklive.com/
As an active duty US Marine, I honestly feel that the big problem is the Windows culture, including the fact that the majority of the Marine Corps is using Windows 2000, with IE 6. Of course, it's viewed as too difficult to use XP, or at least that's the excuse. And until then, IE 7 will never be seen by the Marine Corps. And of course, user training is incredibly low. The majority of users know very little about computers, and don't get much training, if any at all. I'm definitely not surprised that the DoD got an "F" on security.
Geeks strike again 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
While from my experience a lot of fed workstations and servers are indeed running Windows, they have it so locked down and neutered that it's almost secure by virtue of being unusable. I've witnessed some pretty Draconian measures for locking down machines, red tape up the wazoo for change management, and detailed Certification & Accreditation procedures for moving IT systems into production and changing them. Relative to quite a bit of what I've seen in private industry, there's actually better security measures in place at multiple levels... Furthermore, in many cases security policies and systems themselves are being developed and certified by private industry contractors, many of whom are really rather sharp. They have no interest in being lazy when it comes to finding things to make more secure or criticize, because it means more revenue. I'd question how most private companies would fare if analyzed under these same FISMA regulations, or - since the article's on The Register - how the British government would rate.
It should be no surprise that the gub'mint did the security thing so poorly. Mediocrity (actually worse) seems to be Standard Operating Procedure across government departments, and I don't think we should be fooled into thinking that it's only IT security where such standards of achievement are met. Yes? Is anyone surprised?
Please keep that in mind when recommending other "solutions" for the government to embrace (it's got to be better than what we have now).
Hey, that's better than just regular ol' Mediocre, isn't it?
I think Slashdot's dupe detection only got a C- ... :-)
These are places where Firehose is useful! Mod this story down to remove from first page.
:)
Yes, bragging about lameness of editors is not enough. It is already a known fact
outstandingly supple, but not too many people are getting very excited about it.
What?
These standards are completely silly and represent the worst of government--it's all command and control, central clearing houses, et cetera. When the federal government does the best is when it says
- you must write down a plan for serious issue x
- you must follow your plan
- Someone from another organization will come around from time to time and make sure the plan was good and that it is being followed
This rule amounts to just this: there is only one good plan and we have it, you will adapt.
This is then followed by confusion as to why adaptation is slow and not as they expected. The simple fact is that there are special circumstances, and the people doing the work usually know best how to do it. They are the ones that can best turn the spirit of the rule into the letter of the rule for their situation. They can minimize unintended consequences.
Outstandingly Mediocre is such a great-sounding phrase. It makes me think of a documentary that would play with dramatic music and an overly serious narrator.
I bet everyone is breathing easier now, huh?
When we look at the federal debt, and see that the federal government is $8.8 trillion dollars in debt, it's no different than a home loan.
I wonder what will happen when the government can't make the payments, and the banks foreclose and take the country away on the back of a really big truck...it'd make a good reality show, anyway...
ZuluPad, the wiki notepad on crack
After reading this, does anyone really want government controlling our entire health care system?
Except for ending slavery, the Nazis, communism, & securing American independence, war has never solved anything.
As Thomas Jefferson lovingly declared, "Every generation needs a new revolution."
Social liberal, fiscal conservative, always sarcastic.
Honestly now, am I the only one who sees that the DoD being vulnerable to attacks from outside the net is a good thing?
This provides the best oversight by the civilians, not purely agents of a government.
This would limit the size and capability of our government and put it as similar to individual power.
The other hand is what happens if a script kiddie takes control where a civil oversight member cannot. Who would you rather your information be held by, the government or some 15 year old?
Outstandingly mediocre IT security? Sounds a lot like U.S National Security and Social Security :)
When the posters fear their moderators, there is tyranny; when the moderators fears the posters, there is liberty.
I'll ignore the fact Windows isn't really software as such; it's an Operating System.
;)
While your point is correct - Windows and other Microsoft products are marketed as the easy solution to your problems, even to the extent of Apple products - Your entire thought process behind it is wrong.
A teacher at a school, say, is hired on the ability to perform as a teacher. This teacher will inevitably use a computer on a day to day basis in this day and age, regardless of whether it's Windows, OS X, or what I'm assuming is your favourite, a Unix setup. Depending on the teacher's role within the school, he or she may have a requirement for a higher level of access; Maybe this teacher is in charge of organising the field trips or something like that.
It is not a condition of employment that this teacher be a master of all things technical. It probably isn't even a condition of employment that this teacher knows how to turn on a computer; he or she will be told how to do what is required. Someone with extensive knowledge in the field of IT may be looked upon favourably, and probably would, but it is not the primary reason for hire.
Now the Tech Guys (and Gals, we don't forget you, even though we do sometimes doubt your existence), the guys behind the infrastructure, in the messiest room in the entire school, that's a different story. This is where the security of the network initially stems from.
The security is only as good as its weakest link. Usually it's the user, as you're implying. It is the job of the Network Administrators to prevent the users from even being a link. A properly set up network will restrict these users - in this case, the teacher - to the barest minimum. If there is a Network Administrator that doesn't have at least two accounts for themselves, one with administrative rights and one with the barest of rights for general use, that should raise some red flags.
Security on pretty much any setup is pretty damn possible. While some things may be inherently more secure than others (I'm not going to debate which setup is more secure, no Fan-Boy wars thanks), a fairly even level of security can be achieved on any platform.
The real issue in this case comes more with the general stupidity of the employees, not with the inability to fully comprehend what they are using as an Operating System. They don't need to comprehend it, and in a lot of cases comprehending it can actually be counter-productive. That's why we always kept the Network Administrators at school on their toes. I'm sure they would have loved it if we simply used the system, instead of 'helping them find security holes.'
But I seem to get the idea you don't want to discuss that general stupidity. You don't want to talk of people who lose (or 'lose') laptops outside of work, or people who are fooled into providing sensitive data. You seem to flame Microsoft quite a bit and manage to stay on topic. Nice work.
Every generation needs a scapegoat--someone to discriminate against. In history it has been people with disabilities, and women, and blacks, and after Vietnam it was veterans...
In today's society the easiest discrimination target for the people to vent their hate is homeless people.
You sir (or madam) are correct. While this does not have significant relevance from an IT perspective, it's easiest to discriminate against the weakest class, and those who can't afford food and shelter (the most basic needs of life, as opposed to the wants of life such as a faster internet) can't defend themselves. So cities like Chicago simply maintain the status quo because it's easier than tackling the problem, which in turn causes well off residents to move to the suburbs, which depresses city property values, which decreases the city's tax revenues, which makes it even harder to fix the problem in future years.
Social liberal, fiscal conservative, always sarcastic.
As a DoD Network Specialist, I can say that the DoD has one of the most secure networks in the world. As it has been said, our users have to go through training before they are allowed to use Classed and Unclassed terminals, regular refresher training, and annual reviews. Most military bases have larger network infrastructures than a lot of international corporations, and we maintain a staff that monitors network activity 24/7. As far as our use of Microsoft products, those have to be certified by DoD standards before they are adopted, including any subsequent updates. As with any security scheme, it is always susceptible to human error and that is what we constantly (painfully) try to improve.
Why would they want to foreclose?
Twas a joke...
ZuluPad, the wiki notepad on crack