Another Golden Moment for the Department of Homeland Security

http://www.wtnh.com/Global/story.asp?S=4727203&nav=menu29_2

http://www.newsday.com/news/nationworld/nation/orl-polksex0506apr05,0,5024728.story?coll=ny-leadnationalnews-headlines

http://www.usatoday.com/news/washington/2006-04-04-homeland-official-arrest_x.htm?POE=NEWISVA

http://www.tampabays10.com/printfullstory.aspx?storyid=28229

The deputy press secretary for the Department of Homeland Security is accused by cops of being an online child molester. Okay, I'm not the kind of security commentator who goes around shrieking KIDPORN KIDPORN KIDPORN, because hotbutton sexual demagoguery muddies the waters and always makes bad policy but, well...

This thumbfingered mash-up of a security agency is just SO LOUSY! It's AMAZING how bad they are!

Not only are they NOT leading other, lesser agencies into the sunlit uplands of improved security – they're blowing THEIR OWN computer security! And now their #2 press guy is a Net predator who gets nabbed by local law enforcement in a sting? Really.... what can one say? Other than: where is their accountability? Where is the sense of honor, where is the public service? Why do they go to work in the morning? Why don't they go home and let SOME OTHER government protect American citizens? Canada, maybe.

–DHS Scores F on Cyber Security Report Card

(15 March 2006)

The US Department of Homeland Security (DHS) has received a failing grade for its cyber security from the House Government Reform Committee. The federal government is expected to receive an overall grade of D-plus. The grades are based on the federal agencies' compliance with requirements set out in the Federal Information Security Management Act (FISMA). Some believe that money spent documenting compliance would be better spent securing systems.

http://www.washingtonpost.com/wp-dyn/content/article/2006/03/15/AR2006031501589_pf.html

http://www.infoworld.com/article/06/03/15/76516_HNfedsecurityfailures_1.html

[Editor's Note (Ranum): Money spent toward producing documentation and checking checkboxes ultimately does little more than create a priesthood of box-checkers. One thing that is clear: using budgetary controls to enforce standard compliance does not work.

(Schultz): The push for compliance within the US government arena has been tremendously blown out of proportion. I'd like to conduct a study in which standards frequently used for compliance such as NIST 800-026 and NIST 800-053 are followed to the "T" in a test environment, then launch a barrage of attacks against the computing systems in that environment. I'd wager a lot of money that many if not most of such attacks would succeed.

(Paller): DHS isn't perfect, but the agencies that got high grades are no better secured than the agencies that got low grades. (((!))) Gene Schultz and Marcus Ranum are exactly right. If the agencies are to be held to a standard for security (as well they should be), let it be one that measures the readiness of the systems and people to withstand attacks and recover from them.]

TOP OF THE NEWS

–FISMA's Effectiveness Questioned

(15 March 2006)

Former federal CISO Bruce Brody has questioned the efficacy of the Federal Information Security Management Act (FISMA). Because of the way the FISMA grading system is structured, agencies have an incentive to conduct certification and accreditation (C&A) system-by-system rather than take an overall approach to cyber security. This means that FISMA grades are not necessarily an accurate measure of the agency's level of cyber security. FISMA requires a significant amount of paperwork and encourages rote hole plugging but ignores the need for real-time monitoring.

http://www.govexec.com/story_page.cfm?articleid=33605&printerfriendlyVers=1&

[Editor's Note (Weatherford): Maybe if this gets enough attention something will be done about this waste of time and effort involved with FISMA. Mr. Brody's comments are on-target.

(Honan): If US Government agencies are not seen to be taking information security seriously, then we should not be surprised at a lack of concern for information security in many private organizations.

(Schultz): Mr. Brody is once again entirely correct. Having "accredited systems" and the like is better than nothing, but it does not take into account network environments in the same way that MIL-STD 5200 ("The Orange Book") did not. One would think that after all this time the US government would wake up to this reality.

(Ranum): I can't believe it's taken so long for government IT execs to figure this out. Substituting box-checking for actually understanding what you are doing will never work. Security based on paperwork simply creates a "priesthood" to push paper; when what is really needed is knowledgeable security-oriented IT management.]

(((You know what's really awesome? Not only are they not DOING computer security, the Feds are even stalling on the attempt to TALK ABOUT computer security with any consistent bureaucratic vocabulary.)))

http://www.gcn.com/online/vol1_no1/38150-1.html?CMP=OTC-RSS

Effort to create architecture lexicon on hold, Burk says

By Jason Miller, GCN Staff

The Chief Architects Forum has put on hold its attempt to establish a common glossary for the Federal Enterprise Architecture after coming up with four or five definitions for each of 120 terms.

Richard Burk, the Office of Management and Budget's chief architect, said last week that the effort to harmonize terms and build consensus among agencies is on hiatus until the group can decide on the context of the terms.

"The term 'transition plan' may mean one thing for current-state architecture and another thing for to-be architecture," Burk said during a luncheon sponsored by the Industry Advisory Council in Washington. "There is a fair amount of loosey-goosey terminology floating around. This is the problem we are trying to solve."