Uncle Sam Earns C-minus Grade for PC Security

An anonymous reader writes "Twenty-four federal departments and agencies earned a collective grade of C-minus last year for their performance in meeting computer and network security requirements, according to marks handed out by a key congressional oversight committee today. The government-wide grade is up slightly from the 2005, when it earned an overall grade of D+. Eight agencies earned A grades, while as many warranted failing marks. '..the Department of Defense led a group of eight agencies that received failing marks for computer security. Also receiving that dubious distinction were the departments of Agriculture, Commerce, Education, Interior, State and Treasury, as well as the Nuclear Regulatory Commission. The Department of Homeland Security earned a D, although its overall performance improved since 2005. The Department of Veterans Affairs did not provide enough data to earn a grade. In 2005, it received an F.'"

But it was a strong improving "F"

[Danathar]

I heard on the radio that some gov spokesperson for DOD said

But it's a strong improving "F" ...LOL

I don't recall that ever working with mom "But Mom...it's an improved F over the last F I got"

Re:

[renegadesx]

I heard the report card that said "Uncle Sam could do better if he applied himself more"

Also take into account..

[priestx]

The infrastructure to the DoD's system extends far beyond it's headquarters.

Re:

[PPH]

All the more reason for them to be on their toes with respect to this issue.

Damn! Now where did we put the laptop with the launch codes?

of course D of VA didn't provide data

[192939495969798999]

They didn't have any data, since all of it was stolen last year! DOH!

If it were only so simple

[stratjakt]

Letter grades and color coded terror levels.

I like how they think they have to kindergarten-up government to teach it to the people.

I've worked on a few different government 'nets. It's always just a little bit more complicated than that.

Re:If it were only so simple

[Anonymous Coward]

Naw, I work with the government too and most of the problems really are quite simple (or at least no more complicated than most). It's all the paperwork and bureaucracy that makes it complicated. Oh sure, we COULD just go to the store and buy the thing, but instead we'll fill out form 361-B in triplicate, ensuring one is in English, one is in French and the other is in some language only three people in the world can speak (meaning you'll have to get approval and fill out more paperwork to fly them in to finish that section the form) and then wait 4-6 months for the document and its approval to weave it's way through the maze of middle management. Oh well, at least it keeps me and many other workers employed.

Re:

[feepness]

Naw, I work with the government too and most of the problems really are quite simple (or at least no more complicated than most). It's all the paperwork and bureaucracy that makes it complicated. Oh sure, we COULD just go to the store and buy the thing, but instead we'll fill out form 361-B in triplicate, ensuring one is in English, one is in French and the other is in some language only three people in the world can speak (meaning you'll have to get approval and fill out more paperwork to fly them in to fi

Re:

[thealsir]

A lot of who provide many of the things we use.

Re:

[kabocox]

Oh sure, we COULD just go to the store and buy the thing, but instead we'll fill out form 361-B in triplicate, ensuring one is in English, one is in French and the other is in some language only three people in the world can speak (meaning you'll have to get approval and fill out more paperwork to fly them in to finish that section the form) and then wait 4-6 months for the document and its approval to weave it's way through the maze of middle management. Oh well, at least it keeps me and many other workers

Re:If it were only so simple

[cyphercell]

For god's sake will someone quit giving that one asshole gold stars?

Re:

[loganrapp]

No kidding. It's like Mario Party. [penny-arcade.com]

Re:

[Opportunist]

If he's a big enough asshole, he'll even get four or five stars. And the title "General" to boot.

Because the corporate world is more complicated?

[kria]

I almost said the "real world", but decided that was unfair to the government.

Anyway, at work, on my performance review I get a "does not meet", "meets", "exceeds" or "far exceeds" expectations. That's even more simplistic than a letter grade.

I work at a defense contractor. The scores given for performance of a project are similar; very, very simple.

I'm sure that like both of those examples, the departments were given detailed descriptions of what was wrong and was right, probably with each area having a

Re:

[Duggeek]

Per Parent:

I like how they think they have to kindergarten-up government to teach it to the people.

Indeed.

The other side-effect of that is how the children can see how upside-down the government is without having it explained by their parents. Brilliant!

From TFA:

...the Department of Defense led a group of eight agencies that received failing marks for computer security.

Nice to know that the administrative branch of the Most Powerful Military in The World is using "passwordxx" for their passwords.

Wake me when they open-source the government; should have been GPL'd years ago. (right around 2000, I believe)

they're good at sharing

[User 956]

Twenty-four federal departments and agencies earned a collective grade of C-minus last year for their performance in meeting computer and network security requirements

It sounds like their security is more "social" than they'd like!

Re:

[porcupine8]

But ironically, the Social Security Administration was one of the eight As.

left behind

[simonharvey]

Twenty-four federal departments and agencies earned a collective grade of C-minus last year for their performance in meeting computer and network security requirements.

and even that was due to the 'no child left behind' educational policies of GWB.

Sad, very sad.

Re:

[stewbacca]

No Child Left Behind is not Bush's baby, it is merely an extension of an early 1970s act that was re-ratified under Clinton, then re-ratified with yet another new name under Bush. It has been a lame law for over 30 years, but people like to think the government is doing something about something...even if the problem really doesn't exist.

heh

[AdebisiTheGamer]

"The Department of Homeland Security earned a D" Irony?

Re:

[moeinvt]

"The Department of Homeland Security earned a D" Irony?

Yeah, they aggregated a bunch of agencies, personnel and IT systems and then made them collectively less "secure". Let's call it the "Department of Homeland Exposure" or something.

Government to use Full Disk Encryption on computer

[stonebeat.org]

This is why there is a 90-day project currently in progress to select a Full Disk Encryption suites [full-disk-encryption.net] for all government owned computers. A Request for Quotation (RFQ) has already gone out on the April 12, 2007. See http://www.herbb.hanscom.af.mil/download.asp?rfp=R 1450&FileName=NOTICE_OF_AVAILABILITY_OF_A_SOLICITA TION_2.doc [af.mil]

What a scam...

[eklitzke]

I don't understand the attraction to full disk encryption. Sure, it will prevent a would be thief from reading some of your personal emails or getting access to your credit card information. But all the good secrets are on servers and corporate networks, not on people's laptops. And if the secrets are really good, you're not going to be able to just get to them just by stealing someone's laptop.

For example, where I work, to get onto the corporate intranet you need to actually be physically connected to the corporate network, or you need to access it via a VPN. To get on the VPN, you need the group password and your individual password. The group password is static, but your own password is a combination of a PIN plus the sequence of digits on the RSA SecurID card you're issued, which change every sixty seconds. This is a really standard setup, and means that to get anywhere you would need to steal my laptop (to get the group password), know my PIN, _and_ steal my SecurID card. Actually, you would _also_ need my corporate username and passphrase, but if you're good enough to get all of the above I assume you can get those too.

If you want to secure email (or whatever), that's easy too. To get to the mail servers you need to be on the VPN, which is already a pretty good start. At that point all you need to do is make sure that all the really sensitive email accounts are local delivery only (i.e. no POP/Exchange/IMAP access). To read email you get a web based email solution or a shell account on the mail server. Either way you log in by connecting to the VPN and doing your normal Kerberos authentication. Obviously web mail presents a bit of a problem in the way of the browser cache, but it's fairly simple to lock down a shell account in such a way that users can't connect out from the account (or scp files).

Anyway, adding full disk encryption to this is a joke. It's a scam to let the companies that provide the disk encryption hardware/software make a lot of easy money. If you were doing things right in the first place it would be a _lot_ easier for someone to get the encryption password than it would be for them to get to your sensitive data. Instead of paying hundreds of thousands of dollars on a proprietary disk encryption solution, get some competent system administrators.

There is a place for disk encryption

[curlynoodle]

Many organizations do not have, nor want, VPN access to their corporate network. First, its offers another conduit for exploitation. A poorly managed VPN, much like wireless, is just another way malicious people can get at your data. I do agree that a properly implemented, and administered, VPN can be a very useful tool. However, that requires time and money. The biggest road block is the maintenance aspect. Remember, management often view IT services as a facilities expense, much like simple electric

Those passwords are on the laptops

[Anonymous Coward]

It is trivial to break in to a laptop when one has unrestricted physical access.

It is usually non-trivial to break into a server that is in a data-center behind firewalls given zero-knowledge.

Fortunately for the bad-guys, laptops have been proven over and over to contain network information, passwords, and raw protected data:

Chicago Public Schools [theregister.co.uk]
FBI [cnn.com]
Boeing [nwsource.com]
Starbucks [usatoday.com]
Towers Perrin [wsj.com]
US Commerce Department [msn.com]
US Department of Transportation and Sovereign Bank, et al. [trustoncorp.com]
US Navy [securityfocus.com]
US Department of Veteran Affairs [securityfocus.com]
Federal Trade [washingtonpost.com]

Hacking the grades

[Anonymous Coward]

Eight agencies earned A grades

At least now we know which agencies are capable of hacking into the system to change their grades:

1) Central Intelligence Agency
2) National Security Agency
3) Office of Naval Intelligence
4) National Reconnaissance Office
5) Defense Intelligence Agency
6) National Geospatial-Intelligence Agency
7) Army Intelligence
8) Air Intelligence Agency

Re:

[Midnight Warrior]

Funny, yes, but when I RTFA, those agencies weren't even listed.... And the real report doesn't list them either.

Re:

[ralewi1]

In reading the article, paragraph two states that the Department of Defense led the list of failing agencies. DoD is made up of NSA, ONI, NRO, DIA, NGIA, "Army Intelligence" (INSCOM) and AIA, as well as a myriad assortment of other entities, big and small. So, if 2 through 7 in coward's list of "agencies" hacked, they only looked out for themselves, sabotaged each other, or hid under a rock.

Re:

[BlueTrin]

Or maybe you know which agencies are capable to hack other agencies grades ? :)

Re:

[kabocox]

Eight agencies earned A grades
At least now we know which agencies are capable of hacking into the system to change their grades:

They were all Intelligence Agencies so they should be smart enough for that!

no wonder DoJ got an A

[RelliK]

Their security system is so good, it regularly deletes all email, just so that no one else gets it.

Re:

[El_Oscuro]

They think [gwu.edu] they deleted it, the same way you thought [arstechnica.com] you voted.

got backups?

Well...

[rsilvergun]

if it was good enough for our president...

Re:

[cyphercell]

...your not thinking about dating Monika Lewinsky are you?

Perl scripts and default passwords?

[AHuxley]

Read up on what Gary McKinnon http://en.wikipedia.org/wiki/Gary_McKinnon [wikipedia.org] found.
Just like in the control room for Springfield's reactor in Last Exit To Springfield (9F15).
The US has all the Get Smart like security, but then has the dilapidated MS door wide open for any and all.

Re:

[cyphercell]

...to enable any interested citizen to add to the creation of new policy as with a wiki document.

Unfortunately it looks like I could just implement a polka dot day policy and it would sit there until someone took it down. No hacking necessary. :)

Re:

[cyphercell]

w5tf?

Turbo Tax vs. IRS

[Anonymous Coward]

Yesterday, we have a story where Turbo Tax's online system exposed a few tax forms for returns with similar names.

Last Friday, it was reported [arstechnica.com] that the IRS lost 490 computers with potentially millions of taxpayer records. (The IRS is not sure what was lost.)

Tell me why the latter isn't a bigger story?

Answer: With TJ Max, Georgia CHIP, the CIA, and Los Alamos were all desensitized to the daily reports.

Not surprised

[jlindy]

We shouldn't be surprised by this. Considering the size of the federal gov't it's safe to assume that they're a representative cross section of the population. If it's true that 25% of the computer in this country are part of a botnet, (http://it.slashdot.org/article.pl?sid=07/01/26/22 29203 ) then the gov't. is on par with the rest of the country.

Re:

[Kandenshi]

Size != representativeness.

I could make a list of 25 million of the richest Americans and despite it's large size it'd be fairly unrepresentative list.

The government too isn't a randomly chosen sample. They're obviously the most competent, smartest and generally rationally-minded amongst us. If they weren't they wouldn't get elected.

We should expect better behaviour from them than we expect from Joe six-pack. Hell, what does Joe have to worry about computer security for? To protect his game of solitaire

Re:

[YrWrstNtmr]

The government too isn't a randomly chosen sample. They're obviously the most competent, smartest and generally rationally-minded amongst us. If they weren't they wouldn't get elected.

99% of people that work in 'the government' aren't elected.

Grades

[cyphercell]

The Department of Veterans Affairs did not provide enough data to earn a grade.

I've had grades like that, you know where you just didn't show up or didn't do the homework, I kinda wonder what happened here.

Re:

[warpuck]

The VA office I work in has a Printer/Copier/Scanner/Scanner to Email/Fax to Email, Store and Foward, reprint on demand and remote and local authorization codes. It has four cascading paper drawers. This is a rented $12,000 machine. It is not hooked to the network, because information management doesn't know how. (most of the IRM techs act like it someone elses job to RTFM). IRM wont let the contractor hook it up under supervision, probably cause they don't know what they are supervising. IRM techs are eit

Woohoo!

[DavidHumus]

A "C" - that's great!

We're all the way up to average!

We (kind of) rock!

Re:

[QuasiEvil]

C is for Cookie, that's good enough for me!

At least that was my motto when it came to grades... :)

I am not surprised

[Mike_ya]

I suspect this also includes government networks run by contractors.

A while back I use to be friends with someone who worked for one of these companies that do contract work for the government, for one of those agencies that require Secret or Top Secret clearance along with requiring routine polygraph tests.

I was told stories on occasion how IT jobs would come open and be filled not with individuals that had the technical qualifications but those that had the security clearance.

Heck, my friend who had a clearance and did clerical work was promoted to run the Help Desk and was giving a book to learn on the job. Then again a few years later to administer servers spread around the globe, with no formal training.

I was told the contracting companies would not hire individuals for the clearance jobs unless they already had the clearance. The clearance trumped any sort of job qualification.

If this has changed since 9/11 I don't know.

Re:I am not surprised

[QuasiEvil]

>If this has changed since 9/11 I don't know.

A couple friends of mine recently hired on with a growing government contract IT firm out here. The HR department didn't even really care about the resume, but rather the fact that two of them already had clearances. According to them, they work with some utter idiots, but they're qualified to see almost anything, so they keep them around.

Re:I am not surprised

[cyphercell]

funny, the security clearances are making the system insecure, me thinks something is broken.

Re:

[Anonymous Coward]

I suspect there is reason to their madness. Getting clearance for an individual costs quite a bit of money - in the order of a few thousand dollars I'm told, depending on clearance level - and requires a lot of time - some people I know had to wait a few months for their secret clearance. Not that this really should be an excuse for hiring knowledgeable people, but I can see it being a factor. Do you really want to spend a few thousand dollars and wait three months just to find out someone isn't right fo

Re:

[mu51c10rd]

I just left the civil service, working in DoD. I saw plenty of contractors, including the security teams ( security and accreditation process people) have complete ignorance of technology. They were hired because they held a 3C0 AFSC (if that) and a clearance. Their idea of security is running off of a checklist, with no thought given to new exploits in the wild. The checklists usually ran something like: 1. Antivirus up to date? 2. No Guest User? etc. These same people have caused there to be plenty of NT

Surprise!

[session_start]

You mean _Another_ governmental department is not as secure as the rest of the world?!
Note sarcasm...

My 17 year old sister has better security on her ME box...

Don't believe it

[Spazmania]

As someone dealing with a security audit right now, all I can say is: don't believe a word of it. The auditors tick off items on a checklist. Telnet running? Lose points. Telnet running on your Cisco routers in a configuration where a man-in-the-middle attack is impossible? Its Telnet. Lose points. Telnet running in an impregnable fashion because that's what the vendor offers for remote access and you locked it down damn tight to compensate? Its Telnet. Lose points.

Damn auditors.

Re:

[qzulla]

You are running telnet in any shape or form?

Lose points.

qz

Re:

[Gyorg_Lavode]

I'll assume parent is a joke. What if Telnet is running on a network contained in a single room where only people with system administrator privileges have access to the space? What if there is no routing from that network to outside networks and outside networks are only accessable through dual homed computers with application layer translators which have been locked down to the outside? Is telnet still a risk? You have to consider the setting the vulnerability is in. Otherwise the assessment is simpl

Re:

[Spazmania]

Generally speaking, telnet is a poor application to run for anything in this day and age. Generally speaking.

And that's the point: the auditors are generally speaking. They don't consider the context. Ever.

Suppose you use telnet in a strictly switched network where the physical plant is secured and under your control, the destination MAC is locked to the port and an automated watcher drops any ports that incorrectly arp for a protected address? An analysis of that design would have to conclude that telnet i

F is for "Karl"

[Doc Ruby]

Is it insecurity when the Republicy government deletes over 5 million emails it's legally required to archive, to hide evidence of Republicy crimes? How about when the Republicy government lets its boss, Karl Rove, circumvent all White House security to do 95% of his emailing through Republicy laptops and servers, to hide evidence of Republicy crimes?

The answer starts with "F".

Well

[ShooterNeo]

So there I was, at my local national guard Armory, while a non-commissioned officer used his login and password to sign in. While at drill, it has been remarked that the computers are completely 'locked down', so much so that they are remotely maintained and local users can do nothing on them.

SO...guess what. One of their clueless Sgts wanted to transfer files from one box to another. He goes into network neighborhood...where EVERY WINDOWS BOX IN THE ENTIRE STATE IS ON THE SAME LAN!!!! I was like "uh...

The grading seems skewed

[Gyorg_Lavode]

So the agencies were all graded on their self-reporting of their own security... I think I'm seeing the problem here. My guess is the DoD and other high-profile agencies got poorer marks because they grade themselves harder. I have seen many times where a group gets a bunch of security requirements and responds back, "yeah, we meet those."

And even legitimate reporting of FISMA requirements is damn near pointless. Q: "Do you have a firewall?" A: "yes! It's default allow with no rules but the requirement sais firewall." Q "Do you have an IDS?" A: "Yes! It has the default rule set, no one monitoring it, and we don't even know if you can access the logs but it's there." I have seen that answer, literally, on a system that people would simple assume had someone personally approving every packet.

In the end, it's damn near impossible to tell who's secure and who isn't without having a single team do unannounced pen tests on everything and reporting how they compare. And there are so many problems with that approach I don't know where to start. But you will always have teams that lock a system down so tight water doesn't get in yet fail requirements. You have people who meet the letter of requirements yet add no measurable security. And you will have the people who simply lie because they can't be bothered to hire someone competant to do the reporting.

Re:

[saverio911]

Actually the grades are created by the GAO in conjunction with each Department's Inspector General. They audit a cross section of the assessments submitted by the system owners for each Department. And by "audit" I mean they show up at the site with the report and go through a physical verification of all the details entered. Nothing makes a government Sysadmin's day like having an auditor shoulder surf while they go over server settings for 8 hours. I have been through it.

Doesn't matter...

[davidmillions.com]

If they get hacked it's our money anyway...

Uncle Sam's Wife.....

[ruffnsc]

Got an F in Sex........says her drivers license. Ba dum dum :)

Just so I get this straight

[Opportunist]

The organisations who want to have minute detail information about pretty much every inch of our life and promises us that it would never ever be used for malicious plans is unable to keep this information secure? In that case, it's pretty much a given that said information can and will be abused. It's even easy to abuse it themselves, if they need to, they'll simply claim it's been stolen and "outsource" the actual deed.

But at least I can sleep well again. An agency that well organized is no threat to my s

Wonderful..

[Mockylock]

I'm sure that they would rather write laws and point fingers at who's fault it is, rather than address it. I'm sure if the media said it would save lives, it would be George Bush's fault and Democrats would address it.

Bogus exercise in paper security

[JimmytheGeek]

I'm not exactly a anti-government nutcase, but I do recognize where a legislature + bureaucracy routinely fsck up. Hell, even smart people screw up security assessments.

I agree with Richard Bejtlich's assessment: FISMA is a jobs program for unskilled "security consultants" who can not themselves 'operationally defend' system or network assets. That is to say, it's a boon for paper pushing drones wasting the time of the geeks at the sharp end who can actually make a difference if let alone.

Bejtlich writes

24 security breaches

[KIAaze]

Interesting.
This makes "24" even more credible. There are always some security breaches, moles, stolen keycards and laptops...
I really wonder why there still hasn't been a major terrorist attack on the USA except for 9/11.
Maybe they'll wait for the national internet reboot (yes, national, that's what slashdot said ^^) to exploit more security breaches.