Information Security News mailing list archives

U.S. Government Flunks Computer Security Tests


From: InfoSec News <isn () c4i org>
Date: Wed, 20 Nov 2002 01:59:12 -0600 (CST)

Forwarded from: Elyn Wollensky <elyn () consect com>

http://www.washingtonpost.com/wp-dyn/articles/A9496-2002Nov19.html

By Brian Krebs
washingtonpost.com Staff Writer
Tuesday, November 19, 2002

The U.S. government has earned failing marks for computer security for
the second year in a row, according to a report released today by a
congressional oversight committee.

Nearly two-thirds of the federal government's 24 major agencies
flunked the General Accounting Office's (GAO) latest "computer
security report card," according to a House Government Reform
subcommittee. The Departments of Justice, Defense, Energy and Treasury
earned flunking grades, with the Department of Transportation earning
the lowest score.

The Social Security Administration won the highest mark, with a 
"B minus."

The report comes at a time when the Bush administration worries that
international terrorist groups like Al Qaeda are not only planning
attacks against U.S. citizens but also intend to disrupt or disable the
Internet and other global communications networks.

Former Sen. Gary Hart (D), now co-chairman of the U.S. Commission on
National Security/21st Century, has said that the government has not
paid as much attention to "cyber-threats" as it should.

Rep. Stephen Horn (R-Calif.), who commissioned the GAO report, said he
was "disappointed" in its results.

"Sept. 11 taught us that we must be prepared for attack. We cannot
allow government operations to be compromised or crippled because we
failed to heed that lesson," said Horn, who chairs the House
Government Reform subcommittee on government efficiency, financial
management and intergovernmental relations.

The grades were based on data the agencies gave to the White House
Office of Management and Budget as required under a law passed two
years ago.

Congressional investigators from the GAO used the information to
determine whether agencies met network security standards, such as
limiting access to privileged data and eliminating easily guessed
passwords.

The GAO noted marginal improvement in computer security at a few
agencies, but said all 24 agencies continue to have "significant
information security weaknesses that place a broad array of federal
operations and assets at risk of fraud, misuse, and disruption."

The GAO based its assessment on the results of penetration testing and
on how well agencies met those standard network security measures,
such as limiting access to privileged data and eliminating easily
guessed passwords.

In February, the GAO reported that the Internal Revenue Service (IRS)
failed to restrict access to sensitive computers on its network and
exposed confidential taxpayer information to the public.

GAO Information Security Director Robert Dacey said the finding of
additional areas of weakness at some agencies does not necessarily
mean that information security at federal agencies is getting worse,
but may instead reflect a growing awareness of security holes.

Nevertheless, "the results leave no doubt that serious, pervasive
weaknesses persist," Dacey said in the GAO report.

Alan Paller, research director for the SANS Institute, a nonprofit
security consortium based in Bethesda, Md., said the GAO's annual
review process reinforces the wrong behavior.

"There is a huge amount of money being spent on consultants for these
thick, agency-specific reports. But the fact that these scores aren't
getting better shows that while the law has impacted the reporting
process, it hasn't really affected security," Paller said. "This
simply measures how well agencies write reports - not the actual
security of their systems."

Here is a list of what grades the GAO assigned to the agencies:

B minus: Social Security Administration

C plus: Labor Dept.

C: Nuclear Regulatory Commission

D plus: Commerce Dept., NASA

D: Education Dept., General Services Administration

D minus: Environmental Protection Agency, National Science Foundation,
         Dept. of Health and Human Services

F: Justice Dept., State Dept., U.S. Agency for International
   Development, Office of Personnel Management, Veterans' 
   Administration, Dept. of Housing and Urban Development, the Small 
   Business Administration, the Treasury Dept., Energy Dept., Defense 
   Dept., Interior Dept., Agriculture Dept., the Federal Emergency 
   Management Agency, Transportation Dept.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.