[ISN] U.S. Government Flunks Computer Security Tests

From: InfoSec News (isnat_private)
Date: Tue Nov 19 2002 - 23:59:12 PST

    Forwarded from: Elyn Wollensky <elynat_private>
    
    http://www.washingtonpost.com/wp-dyn/articles/A9496-2002Nov19.html
    
    By Brian Krebs
    washingtonpost.com Staff Writer
    Tuesday, November 19, 2002
    
    The U.S. government has earned failing marks for computer security for
    the second year in a row, according to a report released today by a
    congressional oversight committee.
    
    Nearly two-thirds of the federal government's 24 major agencies
    flunked the General Accounting Office's (GAO) latest "computer
    security report card," according to a House Government Reform
    subcommittee. The Departments of Justice, Defense, Energy and Treasury
    earned flunking grades, with the Department of Transportation earning
    the lowest score.
    
    The Social Security Administration won the highest mark, with a 
    "B minus."
    
    The report comes at a time when the Bush administration worries that
    international terrorist groups like Al Qaeda not only are planning
    attacks against U.S. citizens, but intend to disrupt or disable the
    Internet and other global communications networks.
    
    Former Sen. Gary Hart (D), now co-chairman of the U.S. Commission on
    National Security/21st Century, has said that the government has not
    paid as much attention to "cyber-threats" as it should.
    
    Rep. Stephen Horn (R-Calif.), who commissioned the GAO report, said he
    was "disappointed" in its results.
    
    "Sept. 11 taught us that we must be prepared for attack. We cannot
    allow government operations to be compromised or crippled because we
    failed to heed that lesson," said Horn, who chairs the House
    Government Reform subcommittee on government efficiency, financial
    management and intergovernmental relations.
    
    The grades were based on data the agencies gave to the White House
    Office of Management and Budget as required under a law passed two
    years ago.
    
    Congressional investigators from the GAO used the information to
    determine whether agencies met network security standards, such as
    limiting access to privileged data and eliminating easily-guessed
    passwords.
    
    The GAO noted marginal improvement in computer security at a few
    agencies, but said all 24 agencies continue to have "significant
    information security weaknesses that place a broad array of federal
    operations and assets at risk of fraud, misuse, and disruption."
    
    The GAO based its assessment on the results of penetration testing and
    assessments of how well agencies met standard network security
    measures, such as limiting access to privileged data and eliminating
    easily-guessed passwords.
    
    In February, the GAO reported that the Internal Revenue Service (IRS)
    failed to restrict access to sensitive computers on its network and
    exposed confidential taxpayer information to the public.
    
    GAO Information Security Director Robert Dacey said the finding of
    additional areas of weakness at some agencies does not necessarily
    mean that information security at federal agencies is getting worse,
    but may instead reflect a growing awareness of security holes.
    
    Nevertheless, "the results leave no doubt that serious, pervasive
    weaknesses persist," Dacey said in the GAO report.
    
    Alan Paller, research director for the SANS Institute, a nonprofit
    security consortium based in Bethesda, Md., said the GAO's annual
    review process reinforces the wrong behavior.
    
    "There is a huge amount of money being spent on consultants for these
    thick, agency-specific reports. But the fact that these scores aren't
    getting better shows that while the law has impacted the reporting
    process, it hasn't really affected security," Paller said. "This
    simply measures how well agencies write reports - not the actual
    security of their systems."
    
    Here is a list of what grades the GAO assigned to the agencies:
    
    B minus: Social Security Administration
    
    C plus: Labor Dept.
    
    C: Nuclear Regulatory Commission
    
    D plus: Commerce Dept., NASA
    
    D: Education Dept., General Services Administration
    
    D minus: Environmental Protection Agency, National Science Foundation,
             Dept. of Health and Human Services
    
    F: Justice Dept., State Dept., U.S. Agency for International
       Development, Office of Personnel Management, Veterans' 
       Administration, Dept. of Housing and Urban Development, the Small 
       Business Administration, the Treasury Dept., Energy Dept., Defense 
       Dept., Interior Dept., Agriculture Dept., the Federal Emergency 
       Management Agency, Transportation Dept.
    
    
    