
America is getting owned?

Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□

Comments

  • Turgon Banned Posts: 6,308 ■■■■■■■■■□
    knwminus wrote: »

    Increasing opportunities to find security type work I would have thought. However some out of the box thinking and approaches may be more effective than simply filling the world with more security type professionals which is something of a sandbag way of dealing with a flood.

    I recall watching a program on TV ten years ago where a bunch of quite young Americans were interviewed about their security work. They had been hired to advise corporations on tightening their IT security because as amateur hackers they obviously knew something about exploits. In the words of one girl 'They are so stupid' i.e. companies. I imagine a lot of hackers would look at many security certification programs with complete disdain as many of the exploits discussed in a formal way in standards and certification books have been common knowledge for a very long time.

    The security type standards and certifications evolve but the process is slow and by the time all these roles and responsibilities emerge the damage is done and the hackers are onto pastures new. We are *almost* at the point where most companies have an employee with some kind of security designation often clutching a certification or two after learning about PuTTY for the first time. The problem is people have been rooting servers for years, the same can be said for DoS attacks. We were taught about worms and trojan horses in University back in 1989 and viruses in 1986. It's not a new thing. The internet has opened up lots of opportunities though, even though wardialers were used to attack PSTN entry points to networks back in the day (and still are).
  • tpatt100 Member Posts: 2,991 ■■■■■■■■■□
    This article sums up how I feel when it comes to security:

    White House Updates Cybersecurity Orders -- Government Security -- InformationWeek
    The White House issued new cybersecurity marching orders to government agencies Wednesday, which top officials say will help redirect government efforts from wasteful paperwork compliance toward continuous monitoring and patching and more effective cybersecurity spending.
    Many observers both inside and outside government have come to the conclusion that the government's cybersecurity reporting requirements, as currently implemented, have created an environment in which expensive annual compliance reports that cut into real cybersecurity have become the norm. "These reports ended up being more secure in the cabinets they were living in than were the systems they were meant to protect," federal CIO Vivek Kundra said in a conference call with reporters and White House cybersecurity coordinator Howard Schmidt.

    Compliance is all about people with great writing skills generating logical diagrams and words and more words with almost no time to actually technically fix anything.

    For example I spent almost a month reading tons of documents for a DIACAP project at work. I spent 99 percent of that time trying to figure out HOW the FRACK the paperwork for the DIACAP package gets done and how to organize it, rather than the most important part, which is how to harden the software/hardware to be compliant and actually work.

    At my last job of five years CAT 1 vulnerabilities on DOD systems (hundreds across several states in government buildings and DOD facilities) went unpatched/unfixed for months. I was constantly extending deadlines for the Windows and Unix admins because they were trying to be compliant but still trying to actually figure out what the government wanted.

    I think a lot of security needs these logical layouts of what needs to be done at what layer because nobody wants to miss anything in the chaos that is patching and configuration, but on the other hand I feel a lot of it is non-technical people creating paperwork so they can justify billing the customer for hundreds of dollars per hour.
  • Turgon Banned Posts: 6,308 ■■■■■■■■■□
    tpatt100 wrote: »
    This article sums up how I feel when it comes to security:

    White House Updates Cybersecurity Orders -- Government Security -- InformationWeek

    Compliance is all about people with great writing skills generating logical diagrams and words and more words with almost no time to actually technically fix anything.

    For example I spent almost a month reading tons of documents for a DIACAP project at work. I spent 99 percent of that time trying to figure out HOW the FRACK the paperwork for the DIACAP package gets done and how to organize it, rather than the most important part, which is how to harden the software/hardware to be compliant and actually work.

    At my last job of five years CAT 1 vulnerabilities on DOD systems (hundreds across several states in government buildings and DOD facilities) went unpatched/unfixed for months. I was constantly extending deadlines for the Windows and Unix admins because they were trying to be compliant but still trying to actually figure out what the government wanted.

    I think a lot of security needs these logical layouts of what needs to be done at what layer because nobody wants to miss anything in the chaos that is patching and configuration, but on the other hand I feel a lot of it is non-technical people creating paperwork so they can justify billing the customer for hundreds of dollars per hour.

    Yup. My personal take is that we do need standards and methodologies and people do need to be employed full time to generate and disseminate these things. But there is always the risk of bloat and the process becoming a self-gratifying thing that just gets out of touch with reality. You find a lot of people getting into new evolving ways of working as a career option and the *system* gets so big that hardly anyone understands it anymore (or has the time to understand it), and it starts to undermine the very reason why it's there in the first place. This is a problem that can happen and has happened with anything that came along over time: total quality management, environmental health, health and safety, ITIL, data protection, security. Good implementation requires common sense and intelligence to work not only with the principles of the thing but perhaps more importantly with the actual risks, impacts and resources to deliver them in a way that is effective in a given setting. One size does not fit all.

    Yes we need security, but it has a cost and it's no good filling a vault with endless compliance audits or even turning operations into a fortress if the company is adversely affected, loses competitive advantage and ceases to function properly.
  • Devilsbane Member Posts: 4,214 ■■■■■■■■□□
    I read an article about 7 or 8 months ago that claimed that every government document has been stolen at one point. I can't vouch for the accuracy of that claim, but I don't think it can be too far off.

    Shortly afterwards the Department of Homeland Security announced it would be hiring 1,000 cybercrime professionals in the next 3 years.
    Decide what to be and go be it.
  • L0gicB0mb508 Member Posts: 538
    I think whoever wrote the article that every gov document has been stolen is a little bit out there. It sounds like someone is out to make you scared.

    The government has the same issues with stupid users, outdated equipment, and 0-day exploits that anyone has to deal with. There are tons of unclassified networks/systems out there that aren't a priority. More than likely, any time you hear about some 133t h4x0r breaking into a government system, it's some unclassified terminal that probably has nothing on it at all. Mission critical/classified stuff is heavily protected. Is it still possible that someone could hack into them? Of course.

    I'm not sure why the article freaks out about scans. This happens on any network. Your home network is probably scanned thousands of times a day. You just don't pay attention, or know about it. Why is it hard to imagine that huge targets would get millions of scans per day?

    The compliance issue is a big one. I do think that security is now taking a much more hands on approach versus the WTFOMG we need to be compliant mindset. DHS is hiring security analysts for a reason. They aren't there to check compliance, they are there to catch attacks. Federal security as a whole is under a huge revamp. It's a great time to get on as a GS or contractor if you do cyber intelligence, security analysis, or penetration testing.

    Cyber warfare, cyber terrorism, cyber espionage are real. I've seen people say this isn't an issue, that these are made up to scare you. They are not. Next time you look at some port scans on your network, look and see if they are targeted towards SCADA systems. I think if you are hunting process control systems (chemical plants, electric grids, etc.) then it's probably an act of terrorism. Joe Blow script kiddy isn't hunting SCADA systems. These are usually targeted attacks from a foreign entity. This stuff is only going to get more common in the near future.

    We aren't losing the war, we are however changing the way we fight it.
    I bring nothing useful to the table...
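The point L0gicB0mb508 makes above, that a scan aimed at SCADA ports deserves different attention from the background noise every network sees, can be turned into a simple triage check. The script below is an added example and not something posted in this thread: it parses firewall deny lines in a made-up, simplified format (the log format, the IP addresses and the thresholds are constructed for illustration), groups them by source, and separates broad port sweeps from sources that only touch well-known industrial protocol ports (Modbus/TCP 502, DNP3 20000, S7comm 102, IEC 104 2404, EtherNet/IP 44818, BACnet/IP 47808).

```python
import re
from collections import defaultdict

# Well-known TCP/UDP ports of common industrial control protocols.
ICS_PORTS = {
    102: "S7comm",
    502: "Modbus/TCP",
    2404: "IEC 60870-5-104",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Constructed firewall-deny lines in a hypothetical, simplified format
# (timestamp ACTION PROTO src:sport -> dst:dport). Not real traffic.
SAMPLE_LOG = """\
2010-05-21T10:00:01Z DENY TCP 203.0.113.7:51234 -> 192.0.2.10:22
2010-05-21T10:00:01Z DENY TCP 203.0.113.7:51235 -> 192.0.2.10:80
2010-05-21T10:00:02Z DENY TCP 203.0.113.7:51236 -> 192.0.2.10:443
2010-05-21T10:00:02Z DENY TCP 203.0.113.7:51237 -> 192.0.2.10:3389
2010-05-21T10:00:03Z DENY TCP 203.0.113.7:51238 -> 192.0.2.10:8080
2010-05-21T10:05:10Z DENY TCP 198.51.100.23:40001 -> 192.0.2.50:502
2010-05-21T10:05:11Z DENY TCP 198.51.100.23:40002 -> 192.0.2.51:502
2010-05-21T10:05:12Z DENY TCP 198.51.100.23:40003 -> 192.0.2.52:502
2010-05-21T10:05:13Z DENY TCP 198.51.100.23:40004 -> 192.0.2.50:20000
2010-05-21T10:05:14Z DENY TCP 198.51.100.23:40005 -> 192.0.2.51:20000
2010-05-21T10:07:00Z DENY TCP 192.0.2.200:33000 -> 192.0.2.10:80
this line is garbage and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse deny lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": m["ts"], "proto": m["proto"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
        })
    return events


def classify(broad, ics_hits):
    """Label a source by the two signals: breadth of the sweep and ICS contact."""
    if ics_hits and not broad:
        return "targeted ICS probe"  # few ports, all industrial: worth an analyst's eyes
    if ics_hits:
        return "broad scan touching ICS ports"
    return "generic port scan"


def profile_sources(events, min_breadth=5):
    """Group denied connections by source and flag two patterns: broad scans
    (>= min_breadth distinct ports or hosts) and any contact with ICS ports.
    Returns {src: summary} only for sources matching at least one pattern."""
    per_src = defaultdict(lambda: {"ports": set(), "hosts": set()})
    for ev in events:
        per_src[ev["src"]]["ports"].add(ev["dport"])
        per_src[ev["src"]]["hosts"].add(ev["dst"])

    findings = {}
    for src, rec in per_src.items():
        ics_hits = sorted(p for p in rec["ports"] if p in ICS_PORTS)
        broad = len(rec["ports"]) >= min_breadth or len(rec["hosts"]) >= min_breadth
        if not (broad or ics_hits):
            continue  # a single stray connection is background noise
        findings[src] = {
            "distinct_ports": len(rec["ports"]),
            "distinct_hosts": len(rec["hosts"]),
            "broad_scan": broad,
            "ics_ports": ics_hits,
            "ics_protocols": [ICS_PORTS[p] for p in ics_hits],
            "verdict": classify(broad, ics_hits),
        }
    return findings


def analyze(text, min_breadth=5):
    """Convenience wrapper: raw log text in, per-source findings out."""
    return profile_sources(parse_log(text), min_breadth)


if __name__ == "__main__":
    for src, f in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{src:15} {f['verdict']:32} ports={f['distinct_ports']} "
              f"hosts={f['distinct_hosts']} ics={f['ics_protocols']}")
```

On the constructed sample, 203.0.113.7 is reported as a generic five-port sweep, 198.51.100.23 as a targeted ICS probe (only Modbus and DNP3, across three hosts), and the single connection from 192.0.2.200 is dropped as noise. The breadth threshold and the port table are the two knobs to tune for a real environment; a source that is quiet in port count but consistent in protocol choice is exactly the case a pure "many ports" scan detector misses.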
  • KGhaleon Member Posts: 1,346 ■■■■□□□□□□
    And here I thought this would be about being able to play Pacman on google. Everyone in my office is getting pac-rolled today.
    Present goals: MCAS, MCSA, 70-680
  • Devilsbane Member Posts: 4,214 ■■■■■■■■□□
    KGhaleon wrote: »
    And here I thought this would be about being able to play Pacman on google. Everyone in my office is getting pac-rolled today.

    LOL that is hilarious.
    Decide what to be and go be it.