US Government IT Security 'Outstandingly Mediocre'

mrneutron2004 writes wrote with a link to an article on The Register, discussing an annual IT security report card handed out to the federal government. The results this year were mixed. The good news is that they graded higher than last year. The bad news? They still just rate a C-". Individual departments did better than others, but overall the results were quite poor. "Although overall security procedures improved the Department of Defense (DoD) recorded a failing F grade. Meanwhile the Department of Veterans Affairs - whose loss of laptops containing veterans' confidential data triggered a huge security breach - failed to submit a report. The Nuclear Regulatory Commission, another agency that has trouble keeping track of its PCs, flunked."

FISMA is not security

[brennz]

The grades are on FISMA compliance which is not really the same thing as computer security. This is more about documentation than anything else.......

It is about having documented down to the letter networks, configurations, policies and procedures for everything.

Another weakness is how "controls" are rated. Basically, missing one little policy or procedure is rated as bad as missing something as critical as secure configurations...

Every agency IG has a vested interest in scoring down agency efforts.

If you look too, the ratings are biased because small agencies & independents have inordinately high ratings, while the bigger agencies/departments have far worse ratings.

Re:FISMA is not security

[Blakey+Rat]

The article I read had a great quote from the Congressman who initiated this program (whose name I can't remember, unfortunately.) He said that you can't possibly secure a system you don't know about, which is why the first metric is whether all networks/servers in use by the agency are documented in a centralized manner. It seems like a great first step to me.

Windows

[slayermet420]

As an active duty US Marine, I honestly feel that the big problem is the Windows culture, including the fact that the majority of the Marine Corps is using Windows 2000, with IE 6. Of course, it's viewed as too difficult to use XP, or at least that's the excuse. And until then, IE 7 will never be seen by the Marine Corps. And of course, user training is incredibly low. The majority of users know very little about computers, and don't get much training, if any at all. I'm definitely not surprised that the DoD got an "F" on security.

Re:Windows

[Bios_Hakr]

That's kind of a cop-out. Just saying that a platform leads to insecurity is missing a big part of the problem.

I've worked with USMC, USAF, and NATO workstations and servers. Both CLASS and UNCLASS.

The first thing the DoD does right is to remove desktop admin rights. I love the fact that we lock workstations pretty hard. If your shop follows the NSA guidelines for Win2k, it's pretty solid. Ideally, the user cannot WRITE to any part of the drive other than his home folders. Of course, a rights-elevating script can destroy that.

The USMC started enforcing standard text emails. They also push cryptographic signing and public-key encryption. Fery few civilian companies do that.

The second thing the DoD does right is in user training. We (used to) regularly call people and ask for their password. If they gave it out, their commander got bitched at. He usually ensured that everyone came in on Saturday to practice not giving out passwords...

The DoD also tends to filter out web sites. There are some places that only allow .mil/gov access. More common is blocking of Asian and Eastern-European IP addresses at the gateway routers. If a phishing site is identified, we usually block entire Class-Cs without a second thought. If the users have a problem, we whitelist on an as-needed basis.

The DoD also filters email attachments. Sometimes this is strange. I can send a Word document with 9000 macros, but a basic Visio diagram gets blocked. Zipping, Raring, or Taring a file isn't usually enough to get through the filters.

The DoD also segregates their critical communications. Everyone loves email and Google, but we can still deploy bombs and bullets without Wikipedia. All our *good stuff* is completely inaccessible from the internets.

The biggest flaw is, as you said, using outdated software. However, there is no easy way around this. Once MS releases a patch, the DoD has to decide if it's needed. Then they have to decide if it will break anything. Form there, they filter it to the USMC. They decide if they need it and if it will break anything. This continues to happen all the way down to the Base communication support people. By that time, the exploit has been in the wild for a few months.

The only real alternative is to *cowboy* your way through the patches and hope that nothing breaks.

Re:Correlation with usage of Microsoft products

[zerkon]

As far as I've seen in my military career, the AF at least uses windows exclusively. I don't think that they have anything against Linux, maybe there are just too few nerds among the top brass to even consider a change.

My degree is in IT, and I can tell you a lot of what /.ers would consider horror stories about standing AF computer policies. As an example, my password is something like 15 characters long, has non-alphanumerics, numbers, capitals, and changes every 60 days or something like that.

I really think the problem isn't so much an unwillingness to change as it is just the people at the top not understanding or knowing about other options and how computer security is supposed to work. And/or knee-jerk reactions by decision makers to threats without really understanding the consequences (I suppose a lot of them are nerds too, probably civilian employees, I bet I'll get a few comments saying what's wrong with a 15 character password). I tell people my PDA (nokia 770) runs Linux and they're like cool... what's that?

I'm just hoping someday I have enough brass on my shoulders to be able to make a difference...