U.S. Agencies Earn D+ on Computer Security

MirrororriM writes "Seven of the 24 largest agencies received failing grades, including the departments of Energy and Homeland Security. The Homeland Security Department encompasses dozens of agencies and offices previously elsewhere in government but also includes the National Cyber Security Division, responsible for improving the security of the country's computer networks. 'Several agencies continue to receive failing grades, and that's unacceptable,' said Rep. Tom Davis, R-Va., the committee's chairman. 'We're also seeing some exceptional turnarounds.'"
  • by Anonymous Coward on Thursday February 17, 2005 @10:35PM (#11707321)
    (In reference to the Apple security comment)

    Security through obscurity isn't a good security tactic.
  • by lukewarmfusion ( 726141 ) on Thursday February 17, 2005 @10:37PM (#11707337) Homepage Journal
    Dec 10, 2003: U.S. Agencies Earn "D" For Computer Security [slashdot.org]

    No, that's not a dupe. Yes, US Agencies have earned low "grades" for security for years. Considering that many of them were started for the purpose of increasing security, this begins to qualify as a complete FAILURE on their part (regardless of whether it's an F or a D+ or whatever).
  • tax (Score:1, Informative)

    by Anonymous Coward on Thursday February 17, 2005 @10:47PM (#11707399)
    'Several agencies continue to receive failing grades, and that's unacceptable,' said Rep. Tom Davis, R-Va., the committee's chairman. 'We're also seeing some exceptional turnarounds.'

    Rep. Davis continues, "These turnarounds will assist us to more effectively collect tax, which is, after all, the reason why we're here. The less we spend on computer security breaches, the more we can spend on programs that justify the collection of tax."
  • Failed What Exactly? (Score:5, Informative)

    by Petsection ( 165426 ) on Thursday February 17, 2005 @10:48PM (#11707404)
    Maybe I could get a little more concerned about this if they let us know what the test was? When you are talking about government agencies, the words "a computer and network security test" could mean quite a few things. 10/200 computers are still running Win3.1 - you get a D+. You are missing meta tags on your intranet - D+.

    Hard to have any kind of opinion about that article unless they tell us more about this magical test.
  • by GileadGreene ( 539584 ) on Thursday February 17, 2005 @10:51PM (#11707421) Homepage
    I think that you mean moot [wiktionary.org], not mute [wiktionary.org].

    Besides, FOIA does not mean that you can get all of the information that you want from the government. FOIA requests can be refused for a variety of reasons (these reasons are specified in the act [usdoj.gov]). Requests for "sensitive" data are often refused. So computer security isn't moot anyway.

  • Original Report Card (Score:5, Informative)

    by bornholtz ( 94540 ) on Thursday February 17, 2005 @10:57PM (#11707460)
    Here is a link to the full scorecard and the reporting methodology

    Committee on Government Reform [house.gov]
  • Re:Psst... (Score:5, Informative)

    by perlionex ( 703104 ) * <joseph AT ganfamily DOT com> on Thursday February 17, 2005 @11:09PM (#11707549)
    D isn't failing

    You're right, it isn't. The agencies that failed got F. I was going to make a spiel on how /.ers never read the article, when I realised that the article didn't clearly state this.

    More info in links below:

    Washington Post [washingtonpost.com]

    Report Card [house.gov]

    Statement and links [house.gov]

  • by Anonymous Coward on Friday February 18, 2005 @01:30AM (#11708390)

    I work as a government contractor in IT, in a large government agency. We don't handle secrets, so there is not a huge (legal) impetus for security there--that is, we're about as interested in it as any major corporation. Lives aren't at stake, like they might be at the NSA.

    That said, the agent officially in charge of security in my division is as dumb as a bag of nails. How they got that position I don't know--but I understand that it's not uncommon to take, essentially, someone in a bureaucratic position, give them a few night classes, and then they can call themselves chief of security.

    My officer is long on procedure--many meetings are attended in which they take copious notes on procedure--and then those procedures are handed down to us to implement. However, since the officer themself isn't technical, a great many gaps can occur between implementation and actual security need. Quite a few things are overlooked, which everyone in the trenches recognizes as an issue, yet we don't have the authority to fix it ourselves; but on the other hand, there are often draconian implementations of security put in place, which have no real effect other than to frustrate the users who then circumvent it.

    Case in point: all users are required to use strong passwords, mixed case, number, punctuation, of over 7 characters; these passwords are rotated every 90 days. That's all pretty typical. But oh--our email is IMAP, and it's not over SSL. And you can get connected outside of our firewall. So all of the users with laptops merrily connect from home, sending this super strong password, in the clear, every night. Totally defeating the purpose. While I've recognized this issue, and made my immediate superiors aware, the person that could implement a change in policy is 6 levels above us; and our designated security officer is not technical enough to explain the issue to the folks who would listen. So it gets dropped, until it winds up on a report like this.

    Essentially--it's a checkbox method of management. Our officer has boxes to check, and they get checked off. Which means we're secure. Except real security preparedness requires thinking like a burglar, and thinking "out of the box"--but the folks that do aren't the same that make policy.

    That's at least the case at my institution. I hate to think that it might be the same where there are actual lives at stake--but who really knows?
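The cleartext-IMAP problem this post describes, as an added example that is not part of the original thread: a small audit over constructed IMAP session transcripts that flags any LOGIN, or AUTHENTICATE with a password-carrying mechanism, issued before TLS is in place (implicit TLS on port 993, or a STARTTLS the server acknowledged with OK). All session lines, tags and credentials are constructed samples.

```python
import re
from typing import List, Tuple

# Constructed sample IMAP exchanges (not captured from any real system).
# "C:" lines are what the client sent, "S:" lines are server replies.
SESSION_CLEARTEXT = [
    "S: * OK IMAP4rev1 server ready",
    "C: a001 LOGIN jdoe Str0ng!Pass#2005",      # strong password, sent in the clear
    "S: a001 OK LOGIN completed",
]
SESSION_STARTTLS = [
    "S: * OK IMAP4rev1 server ready",
    "C: a001 STARTTLS",
    "S: a001 OK Begin TLS negotiation now",
    "C: a002 LOGIN jdoe Str0ng!Pass#2005",      # sent inside the TLS tunnel
    "S: a002 OK LOGIN completed",
]
SESSION_STARTTLS_REFUSED = [
    "S: * OK IMAP4rev1 server ready",
    "C: a001 STARTTLS",
    "S: a001 BAD STARTTLS not supported",       # upgrade failed, still cleartext
    "C: a002 AUTHENTICATE PLAIN",               # PLAIN is base64, not encryption
    "S: a002 OK AUTHENTICATE completed",
]

# Tagged IMAP commands of interest: "<tag> <COMMAND> [first argument]".
_CMD = re.compile(r"^(\S+)\s+(LOGIN|AUTHENTICATE|STARTTLS)\b\s*(\S*)", re.IGNORECASE)
# SASL mechanisms that transmit the password itself (merely base64-encoded).
_PASSWORD_MECHS = {"PLAIN", "LOGIN"}


def audit_imap_session(lines: List[str], port: int) -> List[Tuple[str, str]]:
    """Return (tag, reason) for every credential sent before TLS was active.
    Port 993 means implicit TLS; on any other port TLS exists only after a
    STARTTLS that the server answered with OK. Passwords are never echoed."""
    tls_active = port == 993
    pending_starttls = None          # tag of a STARTTLS awaiting the server's reply
    findings = []
    for line in lines:
        side, _, text = line.partition(": ")
        if side == "S":
            if pending_starttls and text.upper().startswith(pending_starttls.upper() + " OK"):
                tls_active = True
            pending_starttls = None
            continue
        m = _CMD.match(text)
        if not m:
            continue
        tag, cmd, arg = m.group(1), m.group(2).upper(), m.group(3).upper()
        if cmd == "STARTTLS":
            pending_starttls = tag
        elif not tls_active and (cmd == "LOGIN" or arg in _PASSWORD_MECHS):
            what = "LOGIN" if cmd == "LOGIN" else f"AUTHENTICATE {arg}"
            findings.append((tag, f"{what} sent in cleartext on port {port}"))
    return findings
```

Run over a real capture, the same logic (one line per IMAP message, client and server sides labelled) tells you whether the password policy the post mentions is being undone by the transport.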
  • No surprises (Score:2, Informative)

    by Anonymous Coward on Friday February 18, 2005 @07:54AM (#11710252)
    I used to be employed at a large government agency in Washington, DC. There was no security in the building until you got onto the floor I was working on. One day, I forgot my badge so I couldn't get in the door. Standing next to the elevators, I waited for someone to let me in even though it was pretty early in the morning and most people didn't arrive until after 9am. Finally, someone else showed up and showed me that you don't really need a badge. He passed his credit card along the door jamb and the door latch opened up just like in a bad spy movie. There were no cameras, nothing.

    Also, we had a lot of private consultants who were using laptops to dial back to their respective firms. Since said laptops were simultaneously connected to the LAN, they basically did an end-run around our firewall and created a vulnerability... assuming we had a firewall, which we didn't. The place was pathetic yet still required the Top Secret clearance, etc., etc., etc.
