Information Security News mailing list archives

Re: Agencies flunk security review


From: InfoSec News <isn () c4i org>
Date: Thu, 15 Nov 2001 01:12:05 -0600 (CST)

Forwarded from: Jay D. Dyson <jdyson () treachery net>

On Wed, 14 Nov 2001, InfoSec News wrote:

A House panel last week gave two-thirds of all federal agencies a
failing grade for efforts to secure information systems, a worse
showing than last year, attributed to greater awareness of security
vulnerabilities.
<snip>

I have done direct consulting for two agencies listed above, and work
with several people that handle a healthy amount of some aspects of
security of a third, so my comments are based on that. 

        Unless I'm sorely mistaken, I believe the lower grades are also
courtesy of the Code Red and Nimda aftermath.  Loads of government systems
were hit hard by those worms.  Thus, what was once considered a "minor
risk" (running IIS) became weighted as a "serious risk" by the auditors.
This one factor is enough to push the grades down on an appreciable level.

Second, several of these agencies still have too many layers of
bureaucracy that impede network security. The bigwigs of these agencies
who hand down this oversimplified, report-card-style grading are often
the cause of problems. They want X security, with Y budget, in Z time...
and they want to be able to remotely pop their mail from home, firewall
be damned. The problem is, X is too high, Y is too low, and Z is often
barely enough time to write an RFP, let alone complete the job.

        There's also the problem of fiefdoms on both the intra- and
inter-agency level.  To put it bluntly, too many people who know too
little about genuine security (but who have the magic letters "Ph.D" after
their names) are calling the shots in government circles.  Those of us who
push for meaningful security are consistently ignored.  I personally have
made proposals for counter-measures to deal with Code Red, Nimda and a
host of other plagues that visit government centers on a regular basis. 
In the end, apart from my own independent projects, nothing meaningful is
done.  Hell, even a most recent attempt to even ID webservers and their
operating systems across one agency was cut short because one Ph.D (whose
systems were so horribly misconfigured that they croaked under an nmap -O
scan) griped about the scans. 

        We're supposed to secure the systems and we can't even
aggressively scan our own networks?  Please. 

And to pick on a single agency above (that I do not consult for =), I
don't have a clue how they could give NASA a C while failing some of the
other agencies. Three NASA machines have been hacked and defaced in the
last six days. That is three security incidents that the public is aware
of, all happening within a week of NASA getting a 'C'...

        Careful.  People who point out such things are quickly labelled as
having a "bad attitude" in government circles.

        Sounds funny, but it's not.

- -Jay

  (    (                                                        _______
  ))   ))  .--"There's always time for a good cup of coffee"--.  >====<--.
C|~~|C|~~|(>------ Jay D. Dyson -- jdyson () treachery net ------<)|    = |-'
 `--' `--' `-Terrorists prefer victims who don't strike back.-' `------'

