Wednesday, December 10, 2003

US Government Security Report Card

Yesterday Congressman Putnam of the US House Committee on Government Reform announced the federal government's computer security report card (.pdf). FCW summarized the results. For the first time two agencies scored above 90%: the Nuclear Regulatory Commission earned top honors with an A, and the National Science Foundation received an A-. The grades were based for the first time in the four-year program on the Federal Information Security Management Act (.pdf) reportedly an improvement over the Government Information Security Reform Act (GISRA) (.pdf).

I found it amusing that after the press NASA received for working with SANS to patch systems in 2001 (.pdf), NASA's score has consistently dropped. NASA scored a C- in 2001, a D+ in 2002 and now a D- in 2003. In 2001 NASA was lauded as a "poster child" for their "vulnerability-focused approach to eliminate security problems."

Apparently SANS no longer thinks addressing vulnerabilities is the answer. In their latest NewsBites, SANS reports on a new security survey of "IT professionals." The survey reports "eighty-seven percent [of respondents] said software patches for known vulnerabilities are up to date at their companies." SANS' comment on this statistic is telling: "The saddest part of this study is that it reinforces one of the greatest lies of security - that organizations that keep their systems patched but do not harden operating systems are keeping their systems safe... It's time to stop pretending, and start making sure every system administrator can prove he/she knows how to safely configure a system before being given root or administrator privileges."

My approach has always been simple: prevention fails. Period. Security staff must take steps to ensure they collect the right sorts of information to efficiently scope the extent of compromise and guide recovery. That's why network security monitoring (like implemented by Sguil) is required.