From: InfoSec News (isn_at_c4i.org)
Date: Thu Oct 24 2002 - 01:38:49 CDT


    Forwarded from: matthew patton <pattonme@yahoo.com>

    The Senator makes an excellent and accurate point. But how do we go
    about replacing the people we have in gov't NOW who continue to make
    bad decisions, and also go after the contractors who are implementing
    really bad security without a second thought?

    I work on the FBI's new Trilogy program (replacement for their
    ineffectual case management system - nee 9/11) and at every turn all I
    get are really lame excuses why security isn't important - the chief
    one being "we're all good guys, everyone has a gun, and we all have TS
    security clearances, we use KG-84s to encrypt our trunk lines, etc."
    Like I'm supposed to be impressed. Proving to me or any auditor that
    the network is demonstrably secure is impossible. As the very FBI
    repeatedly asserts, 80+% of the threat is internal. Are they under the
    delusion that the same figure doesn't apply to them? No less after all
    the moles and traitors they've unearthed in the not too distant past?

    Am I nuts to object strongly to the notion that Windows(tm) can be
    explicitly and fully trusted to provide authentication and prove
    identity of the person on the other end of the keyboard, especially
    when the desktop's security is very much in question and the FBI wants
    to have non-repudiatable logging of user activity? (not to mention the
    rather sensitive nature of case contents and that they want to access
    it via handhelds at some point too) Am I crazy to demand that the most
    trivial basics of secure web-programming guidelines (e.g. input
    validation, separation of function, protection of servers/processes
    from each other, and requiring re-authorization/re-authentication when
    using and dropping elevated privileges etc.) must be followed
    regardless of claims of a supposedly secure network and that everybody
    and I mean EVERYBODY is on the up and up? What about those legions of
    contractors who have their very fingers on the network infrastructure
    or the maint/janitorial staff, or the security guards who have access
    to the cable plant at the very least? It's as if the FBI thinks they
    are immune to all of those simplistic human failures. "Oh, but we have
    a policy for that." Yeah, and like anybody actually lives by
    policies...

    What's worse is that the FBI *HAS* appropriate security infrastructure
    in place to do things better/correctly (small-time PKI rollout and
    SecurID, etc.). "This is only a stop-gap solution" is another favorite.
    As is passing the buck to the "customer" who is, well, your typical
    information systems customer (let alone a gov't one): buzzwords from a
    menu, requirements all over the map and no real idea what they want.

    Can anyone put me in touch with some heavy-hitting clued-in people
    over at the FBI that can not only help their own people "get it", but
    demand some real accountability from the contractors involved? The FBI
    should have told us to stuff that solution and come up with something
    that made sense, but they don't know enough to even comment on a bad
    idea let alone tear it apart. As a 2-bit journeyman I can't seem to
    get anyone to pay the slightest attention nor do they apparently (want
    to) understand just how flawed the whole design is from the get go.
    I'd go a few steps up the food chain on my side but I'm not convinced
    I wouldn't be seen as a yipping dog best removed from the organization
    let alone the contract. I couldn't believe my ears when the boss said
    that if the customer is happy with the security as presented then I
    should shut up and sit down, that it was none of my concern. And that
    "you just don't understand, we're not on the Internet."

    A year+ from now the FBI will have fielded a MAJOR
    national-security/law-enforcement impacting system at an incredibly
    high price tag (I've personally done systems of roughly comparable
    complexity with a staff of eight, not 200 persons) with but a figleaf
    for security (and an entertaining disaster recovery plan to boot).
    Shouldn't somebody care? Or has "Clinton-esque Accountability"
    permeated every hall of government? If "trained experts" are not
    allowed to pull the emergency brake and force a reality check, what
    chance is there EVER of changing the appalling security in the gov't
    IT landscape regardless of how many millions get thrown at the
    problem?

    Senator, how do you respond to that?

    Maybe I should quit and become a used-car salesman or something...

    > --- InfoSec News <isn@c4i.org> wrote:
    >
    > > http://www.fcw.com/fcw/articles/2002/1021/news-cyber-10-21-02.asp
    > >
    > > By Diane Frank
    > > Oct. 21, 2002
    > >
    > > The Senate passed a bill Oct. 16 that will provide more than $900
    > > million over five years for cybersecurity research and development.
    >
    > [...]
    >
    > > "In the long run, all government and private-sector cybersecurity
    > > efforts depend on people: trained experts with the knowledge and
    > > skills to develop innovative solutions and respond creatively and
    > > proactively to evolving threats,"

    -
    ISN is currently hosted by Attrition.org

    To unsubscribe email majordomo@attrition.org with 'unsubscribe isn'
    in the BODY of the mail.