Re: [ISN] Agencies flunk security review

From: InfoSec News (isnat_private)
Date: Wed Nov 14 2001 - 23:12:05 PST


    Forwarded from: Jay D. Dyson <jdysonat_private>
    
    -----BEGIN PGP SIGNED MESSAGE-----
    
    On Wed, 14 Nov 2001, InfoSec News wrote:
    
    > > A House panel last week gave two-thirds of all federal agencies a
    > > failing grade for efforts to secure information systems, a worse
    > > showing than last year, attributed to greater awareness of security
    > > vulnerabilities.
    <snip>
    
    > I have done direct consulting for two agencies listed above, and work
    > with several people that handle a healthy amount of some aspects of
    > security of a third, so my comments are based on that. 
    
    	Unless I'm sorely mistaken, I believe the lower grades are also
    courtesy of the Code Red and Nimda aftermath.  Loads of government systems
    were hit hard by those worms.  Thus, what was once considered a "minor
    risk" (running IIS) became weighted as a "serious risk" by the auditors.
    This one factor is enough to push the grades down on an appreciable level.
    
    > Second, several of these agencies still have too many layers of
    > bureaucracy that impede network security. The big wigs of these agencies
    > who hand down these oversimplified report-card-style grades are often
    > the cause of problems. They want X security, with Y budget, in Z time...
    > and they want to be able to remotely pop their mail from home, firewall
    > be damned. The problem is, X is too high, Y is too low, and Z is often
    > barely enough time to write an RFP, let alone complete the job.
    
    	There's also the problem of fiefdoms on both the intra- and
    inter-agency level.  To put it bluntly, too many people who know too
    little about genuine security (but who have the magic letters "Ph.D" after
    their names) are calling the shots in government circles.  Those of us who
    push for meaningful security are consistently ignored.  I personally have
    made proposals for counter-measures to deal with Code Red, Nimda and a
    host of other plagues that visit government centers on a regular basis. 
    In the end, apart from my own independent projects, nothing meaningful is
    done.  Hell, even a most recent attempt to even ID webservers and their
    operating systems across one agency was cut short because one Ph.D (whose
    systems were so horribly misconfigured that they croaked under an nmap -O
    scan) griped about the scans. 
    
    	We're supposed to secure the systems and we can't even
    aggressively scan our own networks?  Please. 
    
    > And to pick on a single agency above (that I do not consult for =), I
    > don't have a clue how they could give NASA a C while failing some of the
    > other agencies. Three NASA machines have been hacked and defaced in the
    > last six days. That is three security incidents that the public is aware
    > of, all happening within a week of NASA getting a 'C'.
    
    	Careful.  People who point out such things are quickly labelled as
    having a "bad attitude" in government circles.
    
    	Sounds funny, but it's not.
    
    - -Jay
    
      (    (                                                        _______
      ))   ))  .--"There's always time for a good cup of coffee"--.  >====<--.
    C|~~|C|~~|(>------ Jay D. Dyson -- jdysonat_private ------<)|    = |-'
     `--' `--' `-Terrorists prefer victims who don't strike back.-' `------'
    
    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.2
    Comment: See http://www.treachery.net/~jdyson/ for current keys.
    
    iQCVAwUBO/KdNblDRyqRQ2a9AQEYaQP/Y+ZmYXc8DZOSc3kT/lnZ4qJYKiqPA8ns
    hINlDbYI/f+5xZLvPzLuHFhd3mlXgwoQLjx9VmrUyTDPdjlGfb7STdpSSJkrhP2t
    JSiGp40kquko3xbEaXkVrawCL7EGuhoj4jWGRfqQ4WjSYIyth13JdEUntsG2Hkqs
    X2SaFGoC9Q0=
    =6BNN
    -----END PGP SIGNATURE-----
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    



    This archive was generated by hypermail 2b30 : Thu Nov 15 2001 - 04:33:10 PST