Stories
Slash Boxes
Comments

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

US Government IT Security 'Outstandingly Mediocre'

Posted by Zonk on Fri Apr 13, 2007 05:59 PM
from the c-minus-for-the-lose dept.
mrneutron2004 writes wrote with a link to an article on The Register, discussing an annual IT security report card handed out to the federal government. The results this year were mixed. The good news is that they graded higher than last year. The bad news? They still just rate a C-". Individual departments did better than others, but overall the results were quite poor. "Although overall security procedures improved the Department of Defense (DoD) recorded a failing F grade. Meanwhile the Department of Veterans Affairs - whose loss of laptops containing veterans' confidential data triggered a huge security breach - failed to submit a report. The Nuclear Regulatory Commission, another agency that has trouble keeping track of its PCs, flunked."
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
 Full
 Abbreviated
 Hidden
More
Loading... please wait.
  • DHS for example, is heavy into Windows.

    Any exceptions?
    • Re: (Score:3, Interesting)

      As far as I've seen in my military career, the AF at least uses windows exclusively. I don't think that they have anything against Linux, maybe there are just too few nerds among the top brass to even consider a change.

      My degree is in IT, and I can tell you a lot of what /.ers would consider horror stories about standing AF computer policies. As an example, my password is something like 15 characters long, has non-alphanumerics, numbers, capitals, and changes every 60 days or something like that.

      I reall
  • Did anyone stop to think that the Microshit monoculture just MIGHT be contributing to this problem?

    Question the status quo, people. (In Soviet Russia, the status quo questions YOU.)
    • I don't love MS, especially not the way in which their company operates, but it is certainly possible to have secure network running mostly MS software. The fact that some people can't do it is just a sign that they are not competent enough to do their jobs. No different than if someone running a Linux network that doesn't know what iptables is. Regardless of what tools they use, people need to be knowledgeable in them. Stupid people will make stupid decisions that will compromise security - whether the
      • but it is certainly possible to have secure network running mostly MS software. ..... Regardless of what tools they use, people need to be knowledgeable in them. Stupid people will make stupid decisions that will compromise security - whether they're using Windows, Linux, OS X, or OpenVMS.

        I'll agree that a secure Windows centric network is certainly possible, but I believe that Windows makes it much easier to make an insecure network. Take for example the autorun capability, first on CDs, now also on fl

      • ...it is certainly possible to have secure network running mostly MS software. The fact that some people can't do it is just a sign that they are not competent enough to do their jobs.

        But Microsoft sells itself as the software for dumb people who have no technical expertise. You have seen the adverts on TV with the ordinary schlebs in an office environment all happier than a pig in mud puddle. They are happy because they can use computers with Microsoft software even though they do not know jack.

    • Question the status quo, people. (In Soviet Russia, the status quo questions YOU.)
      Ok, here goes, questioning the status quo: So, just maybe, Soviet Russia jokes aren't trite, and are actually really funny!

      Nah....
  • by brennz (715237) on Friday April 13 2007, @06:33PM (#18725769)
    The grades are on FISMA compliance which is not really the same thing as computer security. This is more about documentation than anything else.......

    It is about having documented down to the letter networks, configurations, policies and procedures for everything.

    Another weakness is how "controls" are rated. Basically, missing one little policy or procedure is rated as bad as missing something as critical as secure configurations...

    Every agency IG has a vested interest in scoring down agency efforts.

    If you look too, the ratings are biased because small agencies & independents have inordinately high ratings, while the bigger agencies/departments have far worse ratings.
    • Re: (Score:3, Interesting)

      The article I read had a great quote from the Congressman who initiated this program (whose name I can't remember, unfortunately.) He said that you can't possibly secure a system you don't know about, which is why the first metric is whether all networks/servers in use by the agency are documented in a centralized manner. It seems like a great first step to me.
      • Mod parent up! This is true on so many levels.

        First off, there's the whole Sun Tzu thing. I find quoting Sun Tzu and the applications of "The Art of War" to network security tiresome but in this case he's right.

        Second, there are so many newfangled correlation engines on the horizon that can make Security's job a lot easier, but which require tons of metadata. You have to tell it which IP is your webserver so it will adjust its weightings. Of course before that you need to know where and what the webserv
  • by Wyzard (110714) on Friday April 13 2007, @06:38PM (#18725835) Homepage

    Clearly the White House should launch a "No Department Left Behind" initiative to improve the government's IT security grades.

    It could begin with routine penetration testing to assess how well-defended systems are against known and common attacks -- one could call this "standardized testing" to establish a minimum level of security, with budget cuts for departments that fail to keep their networks secure. The results should be reported to the taxpayers, so that we know which systems are secure and which are not, and can put public pressure on departments that aren't keeping their grades up. And of course, all IT managers should have MCSE, CCNA, RHCE, and A+ certifications, to prove that they're qualified for their jobs.

    • Since the recent news tells us the White House can't even keep it's own email under control I can't imagine that they could defend against even an eleven-year-old script kiddie with a TRS-80.
      • Allow the NSA to deputize the USMC to respond to break-ins. That will be one script-kiddie with a story to tell the next day at school. (or at his 45 year class reunion when he finally gets released). Both of those organizations are generally considered highly competent in their area of expertise. (electronic security and blowing things up, respectively)
  • Is it too much to ask that the "editors" read their own site?
    • Is it too much to ask that the "editors" read their own site?

      Let's be realistic here - if you were them, would you want to? Staring failure in the face every day is not for the faint of heart...

  • ...from malicious hacking than Slashdot is at defending itself from malicious duping.

    At least I pray to God it is. Otherwise, we're all in deep, deep trouble.

    Now you'll have to excuse me. I need to go update my will.

    Crow T. Trollbot

  • Windows (Score:3, Interesting)

    by slayermet420 (1053520) on Friday April 13 2007, @07:28PM (#18726483) Journal
    As an active duty US Marine, I honestly feel that the big problem is the Windows culture, including the fact that the majority of the Marine Corps is using Windows 2000, with IE 6. Of course, it's viewed as too difficult to use XP, or at least that's the excuse. And until then, IE 7 will never be seen by the Marine Corps. And of course, user training is incredibly low. The majority of users know very little about computers, and don't get much training, if any at all. I'm definitely not surprised that the DoD got an "F" on security.
    • Re:Windows (Score:4, Interesting)

      by Bios_Hakr (68586) <[xptical] [at] [gmail.com]> on Friday April 13 2007, @08:29PM (#18727069) Homepage
      That's kind of a cop-out. Just saying that a platform leads to insecurity is missing a big part of the problem.

      I've worked with USMC, USAF, and NATO workstations and servers. Both CLASS and UNCLASS.

      The first thing the DoD does right is to remove desktop admin rights. I love the fact that we lock workstations pretty hard. If your shop follows the NSA guidelines for Win2k, it's pretty solid. Ideally, the user cannot WRITE to any part of the drive other than his home folders. Of course, a rights-elevating script can destroy that.

      The USMC started enforcing standard text emails. They also push cryptographic signing and public-key encryption. Fery few civilian companies do that.

      The second thing the DoD does right is in user training. We (used to) regularly call people and ask for their password. If they gave it out, their commander got bitched at. He usually ensured that everyone came in on Saturday to practice not giving out passwords...

      The DoD also tends to filter out web sites. There are some places that only allow .mil/gov access. More common is blocking of Asian and Eastern-European IP addresses at the gateway routers. If a phishing site is identified, we usually block entire Class-Cs without a second thought. If the users have a problem, we whitelist on an as-needed basis.

      The DoD also filters email attachments. Sometimes this is strange. I can send a Word document with 9000 macros, but a basic Visio diagram gets blocked. Zipping, Raring, or Taring a file isn't usually enough to get through the filters.

      The DoD also segregates their critical communications. Everyone loves email and Google, but we can still deploy bombs and bullets without Wikipedia. All our *good stuff* is completely inaccessible from the internets.

      The biggest flaw is, as you said, using outdated software. However, there is no easy way around this. Once MS releases a patch, the DoD has to decide if it's needed. Then they have to decide if it will break anything. Form there, they filter it to the USMC. They decide if they need it and if it will break anything. This continues to happen all the way down to the Base communication support people. By that time, the exploit has been in the wild for a few months.

      The only real alternative is to *cowboy* your way through the patches and hope that nothing breaks.
  • While from my experience a lot of fed workstations and servers are indeed running Windows, they have it so locked down and neutered that it's almost secure by virtue of being unusable. I've witnessed some pretty Draconian measures for locking down machines, red tape up the wazoo for change management, and detailed Certification & Accreditation procedures for moving IT systems into production and changing them. Relative to quite a bit of what I've seen in private industry, there's actually better secur
    • The only solution is to stop giving them money and confine them to the strictest interpretation of the 9th and 10th amendments possible.
        • Re:Government (Score:5, Insightful)

          There's a fine point there. No, the government does not print the money. The government buys the printed money from the Federal Reserve, which is a coalition of private bankers. When we look at the federal debt, and see that the federal government is $8.8 trillion dollars in debt, it's no different than a home loan. The federal government is $8.8 trillion dollars in debt to a bank which is allowed to set all the terms of repayment--including the interest rates used for all other major financial transactions in the nation.

          We're all slaves!
          Yes [slashdot.org], yes [slashdot.org], yes [slashdot.org] we [slashdot.org] are [slashdot.org].
          • When we look at the federal debt, and see that the federal government is $8.8 trillion dollars in debt, it's no different than a home loan.

            I wonder what will happen when the government can't make the payments, and the banks foreclose and take the country away on the back of a really big truck...it'd make a good reality show, anyway...
    • Okay, seriously though, almost none of the lost laptops is actually lost, it just isn't documented correctly in the system.

      These standards are completely silly and represent the worst of government--it's all command and control, central clearing houses, et cetera. When the federal government does the best is when it says

      1. you must write down a plan for serious issue x
      2. you must follow your plan
      3. Someone from another orginization will come around from time to time and make sure the plan was good and that it i
    • "The bad news? They still just rate a C-."

      They are letting us know that nothing has gotten better in the last 22 hours..........

      C'mon guys at least read the front page (and the little box in the corner where it clearly shows the c- story, it even has c- in headline)

      I wonder if any of the /. editors will soon be appearing on: Are you smarter than a fifth grader?