From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Reply-To: iwar@yahoogroups.com
Date: Sun, 11 Nov 2001 06:41:11 -0800 (PST)
Subject: [iwar] [fc:Executive.Branch.Agencies.Flunk.Computer.Security.Tests]

Executive Branch Agencies Flunk Computer Security Tests
By Brian Krebs, Newsbytes, 11/9/2001
http://www.newsbytes.com/news/01/172052.html

The majority of executive branch agencies earned failing or barely passing grades for computer security, and most actually managed to perform more poorly than last year, according to a report released today.

Two-thirds of executive branch agencies - including the departments of Defense, Agriculture, Education, Energy, Justice, Labor, Transportation and Treasury and eight other departments - earned an "F" for computer security. Such abysmal scores helped win the government an overall "F" grade this year, down from a "D-" awarded in last year's computer security report card.

Rep. Stephen Horn, R-Calif., chairman of the House subcommittee that handed out the grades, scolded the Defense Department and Department of Energy for failing to protect the nation's most sensitive secrets at a time when it is imperative that such information be kept out of the hands of hackers and cyber-terrorists.

"In the aftermath of the terrible events of September 11th, the nation has prudently focused on its vulnerabilities," Horn said. "However, as the oversight conducted by this subcommittee during the last six years has shown, the nation cannot afford to ignore risks associated with cyber attacks."

The National Science Foundation earned the highest mark - a "B+" - and the Social Security Administration and NASA each merited a "C" grade. The Environmental Protection Agency, the Department of State, the Federal Emergency Management Agency, the Department of Housing and Urban Development, and the General Services Administration earned "D" grades.

The grades were based on the results of penetration testing and assessments of how well agencies met standard network security measures, such as limiting access to privileged data and eliminating easily-guessed passwords.
In its analysis of the penetration tests, the General Accounting Office noted that this year's grades may be lower because agencies significantly expanded the scope of their testing. Nevertheless, the GAO found all 24 agencies had weak computer-access controls for sensitive data and systems "that make it possible for an individual or group to inappropriately modify, destroy or disclose sensitive data or computer programs for purposes such as personal gain or sabotage."

The GAO also found that most agencies are doing a poor job installing readily available patches for commonly known software hacks. According to the Federal Computer Incident Response Center, such deficiencies are the root cause of some 90 percent of successful attacks on government computers.

In August, the GAO discovered that many internal systems at the Commerce Department did not require passwords, even for administrator accounts. The GAO also found widespread use of obvious passwords such as "password," and noted that password files were either unencrypted or unprotected - allowing anyone on the network to obtain the most powerful account passwords.

The grades are required under the Government Information Security Reform Act, a law passed in November 2000 that requires federal agencies to assess and test the security of their non-classified information systems. The reports issued today will be tied to each agency's budget request submitted to the Office of Management and Budget (OMB) for the coming fiscal year.

Harris Miller, president of the Information Technology Association of America, called the government's failing grades "unacceptable," and urged lawmakers to commit more funds to computer security efforts. "Federal agencies simply do not have the funding available in their current budgets," Miller said.

But Mark Forman, associate director of information technology for the OMB, said agencies have all the money they need to protect their systems.
Rather, most simply must do a better job coordinating their efforts and ensuring accountability for computer security at the highest levels on down, he said.

"We do not believe that, given the large total amount already being spent on security, that simply adding more money will solve the problems," Forman said. "Such an approach has not worked for IT in general - it shifts attention away from effective management and investment of existing resources - and it will not work for IT security."

The 24 executive branch agencies have requested a total of $2.7 billion for computer security in the coming fiscal year, and Forman promised that OMB would soon cut funding for projects that continue to flout the agency's security guidelines. "We are going to stop funding for any project that does not adequately address security requirements and neglects to document how security planning and funding is integrated into the life cycle of the project."

Horn, whose subcommittee has presided over hearings documenting many of the same computer security weaknesses at the same agencies year after year, appeared skeptical that any progress would be made. "We've been around here a long time, and it's always the same old game," Horn said. "We'll see what happens next year."

------------------
http://all.net/
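The three concrete findings the article relays from the GAO (administrator accounts that require no password, trivially weak passwords, and password files that anyone on the system can read) are the kind of thing an auditor can check mechanically. The script below is an added example, not code from the article, the GAO, or any agency; it assumes Unix-style /etc/passwd and /etc/shadow layouts, and the sample file contents it audits are constructed for the demonstration.

```python
"""Audit a passwd/shadow pair for the weakness classes named in the GAO findings:
accounts with an empty password field, extra UID-0 (administrator) accounts,
password hashes left in the world-readable passwd file, and a shadow file whose
permissions let every local user read it.  Added example; assumes Unix layouts.
"""
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Constructed sample files (not taken from the article or the GAO report).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "oper:x:0:0:backup operator:/home/oper:/bin/sh\n"      # second UID 0 account
    "alice:x:1001:1001:Alice:/home/alice:/bin/sh\n"
    "legacy:XyZ123abc:1003:1003:legacy:/home/legacy:/bin/sh\n"  # hash not shadowed
    "svc:x:1002:1002:service:/var/svc:/bin/false\n"
)
SAMPLE_SHADOW = (
    "root:$6$saltsalt$fakehashfakehashfakehash:18000:0:99999:7:::\n"
    "oper::18000:0:99999:7:::\n"          # empty field: login succeeds with no password
    "alice:$6$saltsalt$anotherfakehash:18000:0:99999:7:::\n"
    "svc:*:18000:0:99999:7:::\n"          # '*' or '!' marks a locked account
)

Finding = Tuple[str, str]  # (account or file name, description of the problem)
LOCKED_MARKERS = ("*", "!", "!!")


def parse_colon_file(text: str) -> List[List[str]]:
    """Split a passwd/shadow-style file into per-line field lists, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rows.append(line.split(":"))
    return rows


def audit_accounts(passwd_text: str, shadow_text: str) -> List[Finding]:
    """Flag no-password accounts, extra UID-0 accounts and hashes kept in passwd."""
    findings: List[Finding] = []
    shadow = {row[0]: row[1] for row in parse_colon_file(shadow_text) if len(row) >= 2}
    for row in parse_colon_file(passwd_text):
        if len(row) < 7:
            continue  # malformed line; a real audit would report it separately
        name, pw_field, uid = row[0], row[1], row[2]
        if not uid.isdigit():
            findings.append((name, "non-numeric UID"))
            continue
        if int(uid) == 0 and name != "root":
            findings.append((name, "extra UID 0 (administrator) account"))
        if pw_field == "x":  # password lives in shadow, as it should
            if name not in shadow:
                findings.append((name, "no shadow entry"))
                continue
            hash_field = shadow[name]
        else:  # anything else means the hash (or nothing) sits in world-readable passwd
            hash_field = pw_field
            if pw_field not in LOCKED_MARKERS:
                findings.append((name, "password hash stored in passwd, readable by every user"))
        if hash_field == "":
            findings.append((name, "empty password field: no password required"))
    return findings


def audit_file_mode(path: str) -> List[Finding]:
    """Flag a password file that users outside its owner and group can read."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        return [(os.path.basename(path), f"readable by all users (mode {mode:04o})")]
    return []


def demo() -> Dict[str, List[Finding]]:
    """Write the constructed files to a temp dir, mis-protect shadow, and audit both."""
    with tempfile.TemporaryDirectory() as d:
        passwd_path = os.path.join(d, "passwd")
        shadow_path = os.path.join(d, "shadow")
        with open(passwd_path, "w") as f:
            f.write(SAMPLE_PASSWD)
        with open(shadow_path, "w") as f:
            f.write(SAMPLE_SHADOW)
        os.chmod(shadow_path, 0o644)  # the "unprotected password file" case
        return {
            "accounts": audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW),
            "shadow_mode": audit_file_mode(shadow_path),
        }


if __name__ == "__main__":
    for section, items in demo().items():
        for name, issue in items:
            print(f"[{section}] {name}: {issue}")
```

Run against a live host by passing the real file contents and paths instead of the constructed samples; the empty-field and UID-0 checks are the ones that correspond to the Commerce Department finding, and the mode check to the "unprotected password files" finding. Checking for guessable passwords such as "password" additionally needs the system's crypt routine and a wordlist, which this example deliberately leaves out.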
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:59 PST