Forwarded from: Jay D. Dyson <jdysonat_private>

-----BEGIN PGP SIGNED MESSAGE-----

On Wed, 14 Nov 2001, InfoSec News wrote:

> > A House panel last week gave two-thirds of all federal agencies a
> > failing grade for efforts to secure information systems, a worse
> > showing than last year attributed to greater awareness of security
> > vulnerabilities.

<snip>

> I have done direct consulting for two agencies listed above, and work
> with several people that handle a healthy amount of some aspects of
> security of a third, so my comments are based on that.

Unless I'm sorely mistaken, I believe the lower grades are also courtesy
of the Code Red and Nimda aftermath. Loads of government systems were hit
hard by those worms. Thus, what was once considered a "minor risk"
(running IIS) became weighted as a "serious risk" by the auditors. This
one factor is enough to push the grades down on an appreciable level.

> Second, several of these agencies still have too many layers of
> bureaucracy that impede network security. The big wigs of these agencies
> who hand down these oversimplified report-card-style grades are often
> the cause of problems. They want X security, with Y budget, in Z time...
> and they want to be able to remotely pop their mail from home, firewall
> be damned. The problem is, X is too high, Y is too low, and Z is often
> barely enough time to write an RFP, let alone complete the job.

There's also the problem of fiefdoms on both the intra- and inter-agency
level. To put it bluntly, too many people who know too little about
genuine security (but who have the magic letters "Ph.D" after their names)
are calling the shots in government circles. Those of us who push for
meaningful security are consistently ignored. I personally have made
proposals for counter-measures to deal with Code Red, Nimda and a host of
other plagues that visit government centers on a regular basis. In the
end, apart from my own independent projects, nothing meaningful is done.

Hell, even a most recent attempt to even ID webservers and their
operating systems across one agency was cut short because one Ph.D (whose
systems were so horribly misconfigured that they croaked under an
nmap -O scan) griped about the scans. We're supposed to secure the
systems and we can't even aggressively scan our own networks? Please.

> And to pick on a single agency above (that I do not consult for =), I
> don't have a clue how they could give NASA a C while failing some of the
> other agencies. Three NASA machines have been hacked and defaced in the
> last six days. That is three security incidents that the public is aware
> about, all happening within a week of NASA getting a 'C'.

Careful. People who point out such things are quickly labelled as having
a "bad attitude" in government circles. Sounds funny, but it's not.

- -Jay

  (    (                                                          _______
  ))   ))   .--"There's always time for a good cup of coffee"--.   >====<--.
C|~~| C|~~| (>------ Jay D. Dyson -- jdysonat_private ------<)   |    = |-'
 `--'  `--'  `-Terrorists prefer victims who don't strike back.-'   `------'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iQCVAwUBO/KdNblDRyqRQ2a9AQEYaQP/Y+ZmYXc8DZOSc3kT/lnZ4qJYKiqPA8ns
hINlDbYI/f+5xZLvPzLuHFhd3mlXgwoQLjx9VmrUyTDPdjlGfb7STdpSSJkrhP2t
JSiGp40kquko3xbEaXkVrawCL7EGuhoj4jWGRfqQ4WjSYIyth13JdEUntsG2Hkqs
X2SaFGoC9Q0=
=6BNN
-----END PGP SIGNATURE-----

- 
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Nov 15 2001 - 04:33:10 PST