Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Government IT Security 'Outstandingly Mediocre'

Posted by Zonk on from the c-minus-for-the-lose dept.

mrneutron2004 writes wrote with a link to an article on The Register, discussing an annual IT security report card handed out to the federal government. The results this year were mixed. The good news is that they graded higher than last year. The bad news? They still just rate a C-". Individual departments did better than others, but overall the results were quite poor. "Although overall security procedures improved the Department of Defense (DoD) recorded a failing F grade. Meanwhile the Department of Veterans Affairs - whose loss of laptops containing veterans' confidential data triggered a huge security breach - failed to submit a report. The Nuclear Regulatory Commission, another agency that has trouble keeping track of its PCs, flunked."

57 of 86 comments (clear)

  1. Same day dupe by Anonymous Coward · · Score: 1

    http://it.slashdot.org/article.pl?sid=07/04/12/232 3232

  2. I assume... by Jck_Strw · · Score: 1, Informative

    that this is completely different than yesterday's article on the same subject?

    http://it.slashdot.org/article.pl?sid=07/04/12/232 3232

    1. Re:I assume... by RedElf · · Score: 1

      that this is completely different than yesterday's article on the same subject? You must be new here...
      --
      You know, I have one simple request. And that is to have sharks with frickin' laser beams attached to their heads!
    2. Re:I assume... by hostyle · · Score: 1

      sig quote: "The Aliens came, and..." ... you're still posting! :( Did you already explain female to them ? You moro^ALIEN_INTER(VENTION|COURSE) # what? stop introducing random new variables just cause you're on tag, muppet! I are pant!!!

      --
      Caesar si viveret, ad remum dareris.
  3. Correlation with usage of Microsoft products by SpaceLifeForm · · Score: 1

    DHS for example, is heavy into Windows.

    Any exceptions?

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
    1. Re:Correlation with usage of Microsoft products by denobug · · Score: 1

      DHS for example, is heavy into Windows.
      Any exceptions?
      It has nothing to do with Heavy Windows usage. Plenty of Corporations uses Windows heavily for their end users and are still much more secure than the government does. It's the "company" culture and the management style that should be credited for lack of security while slow to improve its current standing.
      It may help also if they learn how to keep the real talent happily working for the government agencies and not pissing them off to the private sectors, where they make far more money anyway in the first place...

    2. Re:Correlation with usage of Microsoft products by zerkon · · Score: 2, Interesting

      As far as I've seen in my military career, the AF at least uses windows exclusively. I don't think that they have anything against Linux, maybe there are just too few nerds among the top brass to even consider a change.

      My degree is in IT, and I can tell you a lot of what /.ers would consider horror stories about standing AF computer policies. As an example, my password is something like 15 characters long, has non-alphanumerics, numbers, capitals, and changes every 60 days or something like that.

      I really think the problem isn't so much an unwillingness to change as it is just the people at the top not understanding or knowing about other options and how computer security is supposed to work. And/or knee-jerk reactions by decision makers to threats without really understanding the consequences (I suppose a lot of them are nerds too, probably civilian employees, I bet I'll get a few comments saying what's wrong with a 15 character password). I tell people my PDA (nokia 770) runs Linux and they're like cool... what's that?

      I'm just hoping someday I have enough brass on my shoulders to be able to make a difference...

      --
      The Answer
    3. Re:Correlation with usage of Microsoft products by jacksonj04 · · Score: 1

      Ah, yes. Because it is the presence of Windows on the laptop which causes it to fall into the wrong hands... the fact that the asset tracking label is stuck underneath one of those Windows licence stickers and caught its evil influence...

      And who can forget that Linux never suffers this kind of poor auditing (Do you know how to generate a unique hardware hash and centrally audit it over a secure network?), and nobody wants to steal one of those nice, shiny, expensive MacBook Pros.

      --
      How many people can read hex if only you and dead people can read hex?
  4. You owe me by Bugs42 · · Score: 1

    One new sarcasm meter. Mine just blew up.

    --
    Programmer: an ingenious device that converts caffeine into code.
    1. Re:You owe me by Anonymous Coward · · Score: 1, Funny

      Ooh, a sarcasm meter. That's a useful invention.

  5. What might help by Anonymous Coward · · Score: 1, Insightful

    It would probably help if most of the security measures weren't "Unfunded mandates"... There's quite a lot that could and should be done, and plenty of items which must be met, but as long as budgets are shrinking IT will continue to get a smaller piece of the pie with which to work.

  6. The elephant in the room by toby · · Score: 1

    Did anyone stop to think that the Microshit monoculture just MIGHT be contributing to this problem?

    Question the status quo, people. (In Soviet Russia, the status quo questions YOU.)

    --
    you had me at #!
    1. Re:The elephant in the room by imemyself · · Score: 1

      I don't love MS, especially not the way in which their company operates, but it is certainly possible to have secure network running mostly MS software. The fact that some people can't do it is just a sign that they are not competent enough to do their jobs. No different than if someone running a Linux network that doesn't know what iptables is. Regardless of what tools they use, people need to be knowledgeable in them. Stupid people will make stupid decisions that will compromise security - whether they're using Windows, Linux, OS X, or OpenVMS. If anything, the government doing a piss poor job of security probably stems from the fact that it's the government. While a lot of the people working for them do a great job and really care about their work, a lot of others don't. And typically government pay is going to be quite a bit less than in the private sector. It's going to be harder for them to get a lot of skilled network security people. And that does nothing to stop administrators from making brain-dead policies or users from giving out their passwords.

      --
      Every time you post an article on Slashdot, I kill a server. Think of the servers!
    2. Re:The elephant in the room by whoever57 · · Score: 1

      but it is certainly possible to have secure network running mostly MS software. ..... Regardless of what tools they use, people need to be knowledgeable in them. Stupid people will make stupid decisions that will compromise security - whether they're using Windows, Linux, OS X, or OpenVMS.
      I'll agree that a secure Windows centric network is certainly possible, but I believe that Windows makes it much easier to make an insecure network. Take for example the autorun capability, first on CDs, now also on flash drives. The problem with Windows is that a non-default configuration and add-on software is required just to provide basic security.
      --
      The real "Libtards" are the Libertarians!
    3. Re:The elephant in the room by The_Wilschon · · Score: 1

      Question the status quo, people. (In Soviet Russia, the status quo questions YOU.)
      Ok, here goes, questioning the status quo: So, just maybe, Soviet Russia jokes aren't trite, and are actually really funny!

      Nah....
      --
      SIGSEGV caught, terminating

      wait... not that kind of sig.
    4. Re:The elephant in the room by iminplaya · · Score: 1

      Question the status quo, people.

      Okay. Where's your your next stop?

      --
      What?
    5. Re:The elephant in the room by kantier · · Score: 1

      In Soviet Russia, the status quo questions YOU

      Actually, the status quo questions YOU in corporate america too.

  7. Help Wanted by evil_Tak · · Score: 1

    One person capable of edits edited new submissions.

    1. Re:Help Wanted by JordanL · · Score: 1, Funny

      What you writes wrote makes no sense.

      --
      FanFictionRecs.net
    2. Re:Help Wanted by thatnerdguy · · Score: 1

      Damn it where are my mod points when I need them...luckily I'm not at work or I would have been getting weird looks for laughing out loud randomly.

      --
      I saw the Sign, and it opened up my eyes
  8. FISMA is not security by brennz · · Score: 2, Interesting

    The grades are on FISMA compliance which is not really the same thing as computer security. This is more about documentation than anything else.......

    It is about having documented down to the letter networks, configurations, policies and procedures for everything.

    Another weakness is how "controls" are rated. Basically, missing one little policy or procedure is rated as bad as missing something as critical as secure configurations...

    Every agency IG has a vested interest in scoring down agency efforts.

    If you look too, the ratings are biased because small agencies & independents have inordinately high ratings, while the bigger agencies/departments have far worse ratings.

    1. Re:FISMA is not security by Blakey+Rat · · Score: 2, Interesting

      The article I read had a great quote from the Congressman who initiated this program (whose name I can't remember, unfortunately.) He said that you can't possibly secure a system you don't know about, which is why the first metric is whether all networks/servers in use by the agency are documented in a centralized manner. It seems like a great first step to me.

      --
      Comment of the year
    2. Re:FISMA is not security by jotok · · Score: 1

      Mod parent up! This is true on so many levels.

      First off, there's the whole Sun Tzu thing. I find quoting Sun Tzu and the applications of "The Art of War" to network security tiresome but in this case he's right.

      Second, there are so many newfangled correlation engines on the horizon that can make Security's job a lot easier, but which require tons of metadata. You have to tell it which IP is your webserver so it will adjust its weightings. Of course before that you need to know where and what the webserver is.

      Third, simply keeping an accurate inventory has such a monumental impact on security. In six years I went to ONE site that had this. Everywhere else, it took days (and usually required hand-over-handing dusty cat5 cables) to find where the infected box was.

      I don't know if "IT guys" (meaning, availability, not security) simply don't know this, don't care, or are crippled by management. I've encountered all three in the past seven years. I am not surprised at all that .gov/.mil networks are coming up short in this regard.

  9. Re:Government by HomelessInLaJolla · · Score: 3, Funny

    The only solution is to stop giving them money and confine them to the strictest interpretation of the 9th and 10th amendments possible.

    --
    the NPG electrode was replaced with carbon blac
  10. YES and NO by hurfy · · Score: 1

    "The bad news? They still just rate a C-."

    They are letting us know that nothing has gotten better in the last 22 hours..........

    C'mon guys at least read the front page (and the little box in the corner where it clearly shows the c- story, it even has c- in headline)

    I wonder if any of the /. editors will soon be appearing on: Are you smarter than a fifth grader?

    1. Re:YES and NO by ozbon · · Score: 1

      Well, considering that the CEO of the company behind 'Girls Gone Wild' etc. has now been jailed for contempt of court, perhaps someone else will fill the gap with something like

      ' /. editors on crack ' or ' /. editors on their own site ' ?

      --
      I say we take off and nuke it from orbit. It's the only way to be sure...
  11. No Department Left Behind? by Wyzard · · Score: 2, Funny

    Clearly the White House should launch a "No Department Left Behind" initiative to improve the government's IT security grades.

    It could begin with routine penetration testing to assess how well-defended systems are against known and common attacks -- one could call this "standardized testing" to establish a minimum level of security, with budget cuts for departments that fail to keep their networks secure. The results should be reported to the taxpayers, so that we know which systems are secure and which are not, and can put public pressure on departments that aren't keeping their grades up. And of course, all IT managers should have MCSE, CCNA, RHCE, and A+ certifications, to prove that they're qualified for their jobs.

  12. The dupe is still on the front page by Tim+C · · Score: 1

    Is it too much to ask that the "editors" read their own site?

    --
    It's official. Most of you are morons.
    1. Re:The dupe is still on the front page by frank_adrian314159 · · Score: 1
      Is it too much to ask that the "editors" read their own site?

      Let's be realistic here - if you were them, would you want to? Staring failure in the face every day is not for the faint of heart...

      --
      That is all.
    2. Re:The dupe is still on the front page by Bearhouse · · Score: 1

      And for the readers to do the same (firehose)...

  13. Federal Goverment better at defending Itself... by Cr0w+T.+Trollbot · · Score: 1
    ...from malicious hacking than Slashdot is at defending itself from malicious duping.

    At least I pray to God it is. Otherwise, we're all in deep, deep trouble.

    Now you'll have to excuse me. I need to go update my will.

    Crow T. Trollbot

  14. Re:Government by rbannon · · Score: 1, Informative

    Well, don't they print the money? Tax or no tax, these guys are bent on taking your labor. We're all slaves!

  15. But Windows is sold as software for the unskilled by BroncoInCalifornia · · Score: 1

    ...it is certainly possible to have secure network running mostly MS software. The fact that some people can't do it is just a sign that they are not competent enough to do their jobs.

    But Microsoft sells itself as the software for dumb people who have no technical expertise. You have seen the adverts on TV with the ordinary schlebs in an office environment all happier than a pig in mud puddle. They are happy because they can use computers with Microsoft software even though they do not know jack.

    Microsoft uses essentially the same sales pitch to the captains of industry who decide what goes into the corporate computing infrastructure. They tell them " Hey look -- you do not need the level of expertise found for our software that you need for say a Unix set up. "Ordinary people" [ read inexpensive people with just a moderate skill level ] can keep it working.

    It should then not be a surprise that these "ordinary people" can not secure the computer network.

    --

    Religion is the main cause of atheism.

  16. Re:Government by HomelessInLaJolla · · Score: 4, Insightful
    There's a fine point there. No, the government does not print the money. The government buys the printed money from the Federal Reserve, which is a coalition of private bankers. When we look at the federal debt, and see that the federal government is $8.8 trillion dollars in debt, it's no different than a home loan. The federal government is $8.8 trillion dollars in debt to a bank which is allowed to set all the terms of repayment--including the interest rates used for all other major financial transactions in the nation.

    We're all slaves! Yes, yes, yes we are.
    --
    the NPG electrode was replaced with carbon blac
  17. 'Outstandingly Mediocre' by SuluSulu · · Score: 1

    Only in government could mediocre be considered outstanding. :/

    1. Re:'Outstandingly Mediocre' by Tablizer · · Score: 1

      Only in government could mediocre be considered outstanding.

      Indeed. I would be more shocked if they got an "A". Now that would warrant an investigation. If the gov't get's an A, it means one of:

      1. They have way too big a budget
      2. Somebody bribed the graders
      3. Somebody is trying to hide something else or compensate for a separate weakness or screw-up by making another section do really well.

      --
      Table-ized A.I.
  18. Re:Dupe by abshnasko · · Score: 1

    Apparently some of the editors don't actually read Slashdot.

  19. Crawl Before Run by occamboy · · Score: 1

    Since the recent news tells us the White House can't even keep it's own email under control I can't imagine that they could defend against even an eleven-year-old script kiddie with a TRS-80.

    1. Re:Crawl Before Run by Frumious+Wombat · · Score: 1

      Allow the NSA to deputize the USMC to respond to break-ins. That will be one script-kiddie with a story to tell the next day at school. (or at his 45 year class reunion when he finally gets released). Both of those organizations are generally considered highly competent in their area of expertise. (electronic security and blowing things up, respectively)

      --
      the more accurate the calculations became, the more the concepts tended to vanish into thin air. R. S. Mulliken
  20. Hunn?? I dont get it Bob. by k1e0x · · Score: 1

    Meanwhile, the government goons over at the FBI are still trying to figure out email working..

    --
    Bringing liberty to the masses. - http://freetalklive.com/
  21. Windows by slayermet420 · · Score: 3, Interesting

    As an active duty US Marine, I honestly feel that the big problem is the Windows culture, including the fact that the majority of the Marine Corps is using Windows 2000, with IE 6. Of course, it's viewed as too difficult to use XP, or at least that's the excuse. And until then, IE 7 will never be seen by the Marine Corps. And of course, user training is incredibly low. The majority of users know very little about computers, and don't get much training, if any at all. I'm definitely not surprised that the DoD got an "F" on security.

    --
    Geeks strike again 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    1. Re:Windows by Bios_Hakr · · Score: 3, Interesting

      That's kind of a cop-out. Just saying that a platform leads to insecurity is missing a big part of the problem.

      I've worked with USMC, USAF, and NATO workstations and servers. Both CLASS and UNCLASS.

      The first thing the DoD does right is to remove desktop admin rights. I love the fact that we lock workstations pretty hard. If your shop follows the NSA guidelines for Win2k, it's pretty solid. Ideally, the user cannot WRITE to any part of the drive other than his home folders. Of course, a rights-elevating script can destroy that.

      The USMC started enforcing standard text emails. They also push cryptographic signing and public-key encryption. Fery few civilian companies do that.

      The second thing the DoD does right is in user training. We (used to) regularly call people and ask for their password. If they gave it out, their commander got bitched at. He usually ensured that everyone came in on Saturday to practice not giving out passwords...

      The DoD also tends to filter out web sites. There are some places that only allow .mil/gov access. More common is blocking of Asian and Eastern-European IP addresses at the gateway routers. If a phishing site is identified, we usually block entire Class-Cs without a second thought. If the users have a problem, we whitelist on an as-needed basis.

      The DoD also filters email attachments. Sometimes this is strange. I can send a Word document with 9000 macros, but a basic Visio diagram gets blocked. Zipping, Raring, or Taring a file isn't usually enough to get through the filters.

      The DoD also segregates their critical communications. Everyone loves email and Google, but we can still deploy bombs and bullets without Wikipedia. All our *good stuff* is completely inaccessible from the internets.

      The biggest flaw is, as you said, using outdated software. However, there is no easy way around this. Once MS releases a patch, the DoD has to decide if it's needed. Then they have to decide if it will break anything. Form there, they filter it to the USMC. They decide if they need it and if it will break anything. This continues to happen all the way down to the Base communication support people. By that time, the exploit has been in the wild for a few months.

      The only real alternative is to *cowboy* your way through the patches and hope that nothing breaks.

      --
      I'd rather you do it wrong, than for me to have to do it at all.
    2. Re:Windows by slayermet420 · · Score: 1

      You do make a lot of great points. Up until recently the workstations being locked wasn't true, at least with the Marine Corps. With the change-over to the Navy-Marine Corps Intranet (NMCI), that all changed. New computers, new restrictions. With my old computer, I had it cracked, and was running Firefox, and was an Admin on every computer in my shop. It's always good to get in good with the tech guys. But like I said, this is all gone. And yes, everything is encrypted now. We're even using crypto logins. We have to log in using a PIN based off of our ID cards. It's much more secure, with out a doubt. As for user training, like I said, from my experience, it's very low. I've never had any sort of training. Everything I've learned was picked up along the way. And I agree that disabling websites is a definite help, despite irritating people like me. But for the lusers who don't know any better, it's definitely a good thing. Also, the fact that our networks are completely isolated is a major plus. I spent about 2 years as a Maintenance Data Analyst working with a UNIX based system, and couldn't even ping that system from my home internet, despite being on base. And as for patches, we're on a slightly different system than what you discussed. We're basically given software pushes, updated whenever the main network feels we need it. It's out of the hands of base support people. After looking through all this, I do have to agree with you that we are pretty secure. It's definitely a fairly isolated system.

      --
      Geeks strike again 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
  22. Relative to what? by djpretzel · · Score: 2, Insightful

    While from my experience a lot of fed workstations and servers are indeed running Windows, they have it so locked down and neutered that it's almost secure by virtue of being unusable. I've witnessed some pretty Draconian measures for locking down machines, red tape up the wazoo for change management, and detailed Certification & Accreditation procedures for moving IT systems into production and changing them. Relative to quite a bit of what I've seen in private industry, there's actually better security measures in place at multiple levels... Furthermore, in many cases security policies and systems themselves are being developed and certified by private industry contractors, many of whom are really rather sharp. They have no interest in being lazy when it comes to finding things to make more secure or criticize, because it means more revenue. I'd question how most private companies would fair if analyzed under these same FISMA regulations, or - since the article's on The Register - how the British government would rate.

  23. Outstandingly Mediocre!!! by smaddox · · Score: 1

    Hey, thats better than just regular ol' Mediocre isn't it?

  24. US Government backbone is by iminplaya · · Score: 1

    outstandingly supple, but not too many people are getting very excited about it.

    --
    What?
  25. It's the standard stupid by gumbi+west · · Score: 1
    Okay, seriously though, almost none of the lost laptops is actually lost, it just isn't documented correctly in the system.

    These standards are completely silly and represent the worst of government--it's all command and control, central clearing houses, et cetera. When the federal government does the best is when it says

    1. you must write down a plan for serious issue x
    2. you must follow your plan
    3. Someone from another orginization will come around from time to time and make sure the plan was good and that it is being followed
    This rule amounts to just this:
    1. There is only one good plan and we have it, you will adapt
    This is then followed by confusion as to why adaptation is slow and not as they expected. The simple fact is that there are special circumstances, and the people doing the work usually know best how to do it. They are the ones that can best turn the spirit of the rule into the letter of the rule for their situation. They can minimize unintended consequences.
  26. Accurately Hilarious by Zaphenath · · Score: 1

    Outstandingly Mediocre is such a great-sounding phrase. It makes me think of a documentary that would play with dramatic music and an overly serious narrator.

  27. But Paul Ohm Says No Super Hackers by NeverVotedBush · · Score: 1

    I bet everyone is breathing easier now, huh?

  28. Re:Government by omeomi · · Score: 2, Funny

    When we look at the federal debt, and see that the federal government is $8.8 trillion dollars in debt, it's no different than a home loan.

    I wonder what will happen when the government can't make the payments, and the banks foreclose and take the country away on the back of a really big truck...it'd make a good reality show, anyway...

    --
    ZuluPad, the wiki notepad on crack
  29. Am i the only one that sees this as a good thing? by casings · · Score: 1

    Honestly now, am I the only one who see's that the DoD is vulnerable to attacks from outside the net, as a good thing?

    This provides the best oversight by the civilians, not purely agents of a government.

    This would limit the size and capability of our government and put it as similar to individual power.

    The other hand is what happens if a script kiddie takes control where a civil oversight member cannot. Who would you rather your information be held by, the government or some 15 year old?

  30. Re:Do we really want Universal Health Care? by DaMattster · · Score: 1

    Well, data can be used for both good and bad purposes. I tend to lean a bit to the left and I think Universal Healthcare is a wise and necessary move. Due to the fact that many employers are not providing healthcare benefits, what is a hard working, sick person to do. If control is privatized, there will also be opportunity for rampant abuse. There is no easy method for oversight but something needs to be done. I welcome ideas

  31. Securities abound. by stunt_penguin · · Score: 1

    Outstandingly mediocre IT security? Sounds a lot like U.S National Security and Social Security :)

    --
    When the posters fear their moderators, there is tyranny; when the moderators fears the posters, there is liberty.
  32. Re:Government by HomelessInLaJolla · · Score: 1

    I wonder what will happen when the government can't make the payments Taxes go up, every year.

    the banks foreclose and take the country away The banks don't want to foreclose. This is their way of preserving their income. They have a system where rent is collected, automatically, from 301 million people. The politicians are paid handsomely to continue to keep up the ruse. Why would they want to foreclose?
    --
    the NPG electrode was replaced with carbon blac
  33. Re:Government by HomelessInLaJolla · · Score: 1

    Every generation needs a scapegoat--someone to discriminate against. In history it has been people with disabilities, and women, and blacks, and after Vietnam it was veterans...

    In today's society the easiest discrimination target for the people to vent their hate is homeless people.

    --
    the NPG electrode was replaced with carbon blac
  34. Department of Defence by Tempest451 · · Score: 1

    As a DoD Network Specialist, I can say that the DoD has one of the most secure networks in the world. As it has been said, our users have to go through training before they are allowed to use Classed and Unclassed terminals, regular refresher training, and annual reviews. Most military bases have larger network infrastructures that a lot of international corporations and we maintain a staff that monitors network activity 24/7. As far as our use of Microsoft products, those have to be certified by DoD standards before they are adopted, including any subsequent updates. As with any security scheme, it is always susceptible to human error and that is what we constantly (painfully) try to improve.

  35. Re:Government by omeomi · · Score: 1

    Why would they want to foreclose?

    Twas a joke...

    --
    ZuluPad, the wiki notepad on crack