Re: [ISN] Agencies flunk security review

From: InfoSec News (isnat_private)
Date: Wed Nov 14 2001 - 07:06:10 PST


    Forwarded from: security curmudgeon <jerichoat_private>
    
    (comments below)
    
    
    > http://www.fcw.com/fcw/articles/2001/1112/news-score-11-12-01.asp
    > 
    > By Diane Frank 
    > 
    > A House panel last week gave two-thirds of all federal agencies a
    > failing grade for efforts to secure information systems, a worse
    > showing than last year, attributed to greater awareness of security
    > vulnerabilities.
    > 
    > New set of security grades from Horn
    > (Last year's scores in parentheses)
    > 
    > Agriculture (F) F
    > USAID (C-) F
    > Commerce (C-) F
    > Defense (D+) F
    > Education (C) F
    > Energy (Inc) F
    > HHS (F) F
    > Interior (F) F
    > Justice (F) F
    > Labor (F) F
    > Nuclear Regulatory Commission (Inc) F
    > OPM (F) F
    > SBA (F) F
    > Transportation (Inc) F
    > Treasury (D) F
    > VA (D) F
    > NSF (B-) B+
    > Social Security (B) C+
    > NASA (D-) C-
    > EPA (D-) D+
    > State (C) D+
    > FEMA (Inc) D
    > GSA (D-) D
    > HUD (C-) D
    > Governmentwide grade (D-) F
    
    So in short, basically every agency stayed the same or went down. Why
    does this seem a bit off to me..
    
    I am no fan of government agencies when it comes to *most* of their
    security practices. I realize that a lot of the demands have been
    dumped on them with little time or resources to meet stringent demands
    as well.
    
    I have done direct consulting for two agencies listed above, and work
    with several people that handle a healthy amount of some aspects of
    security of a third, so my comments are based on that.
    
    First, one of the two agencies I have worked with does not deserve
    anything close to the grade it received. Part of the problem is the
    single grade for huge agencies that are broken down into many
    sub-agencies. One of them listed above got an "F", yet consists of 33
    federal agencies that get referred to by a single name. While the
    agency I mention is not perfect, they have done an outstanding job in
    regards to security in the last year. Most importantly, they did the
    outstanding job before hiring the company I am currently with. Their
    administrators had security policy, firewalls, audit procedures, kept
    up to date on security issues, etc. For the facilities they control
    (which serve almost all 33 agencies), there has been no external
    intrusion into their network for five years. They recently hired
    several companies to set up and audit (before it went live) new
    systems for remote access. They went through a full accreditation
    process to verify security controls were in place. While it may not be
    *everything* they could possibly do, it sure is a hell of a lot more
    than many net connected companies/agencies go through, and all done
    within budget constraints. Their staff is knowledgeable, practical,
    and gets the job done. To see them get labeled as 'F' is a joke.
    
    Second, several of these agencies still have too many layers of
    bureaucracy that impede network security. The big wigs of these
    agencies who hand down these over simplified report card style grading
    are often the cause of problems. They want X security, with Y budget,
    in Z time.. and they want to be able to remotely pop their mail from
    home, firewall be damned. The problem is, X is too high, Y is too low,
    and Z is often barely enough time to write an RFP let alone complete
    the job.
    
    I'm not saying these grades are necessarily right or wrong. I am
    saying they are not giving credit where due, and overlooking the fact
    that some agencies have been taking the security initiative for a long
    time now. Some of these agencies are aware of the importance of
    security, they understand the need for it, and they are still not
    given the time and resources required to do the job.
    
    And to pick on a single agency above (that I do not consult for =), I
    don't have a clue how they could give NASA a C while failing some of
    the other agencies. Three NASA machines have been hacked and defaced
    in the last six days. That is three security incidents that the public
    is aware of, all happening within a week of NASA getting a 'C'..
    
    bleh.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Nov 14 2001 - 09:23:29 PST