# USG Network Insecurity



## Brill (Feb 26, 2016)

Congress needs to put a stop to this shit and exercise some fucking oversight by holding IT leaders accountable. I wish a watchdog would document how much this shit is costing taxpayers.

Why is my home network more secure than OPM, IRS, DOJ, etc?

The IRS Hack Was Twice as Bad as We Thought


----------



## AWP (Feb 26, 2016)

Some of my colleagues froth at the mouth about going into IT security. I told them I'd rather be a meteorologist than in IT security, because one's trustworthy part of the time and the other's an overpaid joke waiting to be a victim. "Go read a log file, your shit's already been stolen via a dozen attack vectors you know nothing about."


----------



## Kraut783 (Feb 26, 2016)

I'm on my fourth "official" release of my personal information from the federal government...in the past 6 years...:whatever:


----------



## Dame (Feb 26, 2016)

And then there are the PSOs (POSs) who refuse to authorize anything at all because no one can blame them if something goes wrong. :wall::wall::wall:


----------



## Gunz (Feb 26, 2016)

Can you compare it to performance enhancing drugs in sports? That is, as soon as one is detected another undetectable one--or a new undetectable version of the first one--is engineered. Then the science has to catch up with it. And by that time yet another undetectable chemical emerges. 

Isn't that what IT security is about? Reactionary?  Developing safeguards against potential threats...while new threats are being constantly developed? Just when we learn to counter one another one crops up that we have to figure out?


----------



## Dame (Feb 26, 2016)

Ocoka One said:


> Can you compare it to performance enhancing drugs in sports? That is, as soon as one is detected another undetectable one--or a new undetectable version of the first one--is engineered. Then the science has to catch up with it. And by that time yet another undetectable chemical emerges.
> 
> Isn't that what IT security is about? Reactionary?  Developing safeguards against potential threats...while new threats are being constantly developed? Just when we learn to counter one another one crops up that we have to figure out?



Yes and no. Yes they can get in where there is a door/window/wire to get in. In the case of national security there are other safeguards in place. I'm not saying closed networks are impenetrable but they are much more secure. Which is why what HRC and her staff did is so horrifically bad. Taking information from a secure environment and moving it to one that WILL get hacked is, in all ways, criminal. It doesn't help that not only was it ON her private server, she SENT it via unsecured private e-mail to other unsecured networks and the dumb-asses who received it replied and sent it back the other way again. Incidentally, said dumb-asses are equally culpable for exposing national secrets to hackers.

ETA: The IRS uses the interwebz for filing tax returns. Ergo, hackable.


----------



## Brill (Feb 27, 2016)

Instead of giving performance bonuses to VA and GSA folks, why not give massive "atta boy" via $$$$ to Info Assurance techs who really do assure info is secure?

Garbage in, garbage out...or info to hackers, either way, still valid.

Oh, keep in mind these are the same idiots telling the sheeple that your medical info is secure so it's required by Federal law to digitize your health info.


----------



## AWP (Feb 27, 2016)

Ocoka One said:


> Can you compare it to performance enhancing drugs in sports? That is, as soon as one is detected another undetectable one--or a new undetectable version of the first one--is engineered. Then the science has to catch up with it. And by that time yet another undetectable chemical emerges.
> 
> Isn't that what IT security is about? Reactionary?  Developing safeguards against potential threats...while new threats are being constantly developed? Just when we learn to counter one another one crops up that we have to figure out?



Along with @Dame's post, "yes and no." Yes, as soon as one is detected they look for other means to defeat the system's security. "No" in that security researchers and hackers are constantly looking for new attack vectors in operating systems, applications, plug-ins, breaking encryption, etc. (zero-day exploits). Really obscure stuff like CPU temperature and fan speeds were researched and conditionally exploited (though this was more a proof of concept). Guys (script kiddies) use pre-written programs to scan for vulnerabilities while others break apart the code in a lab and look for cracks and holes.

On the user/ administrator side it is reactionary. Developing best practices, patching against known vulnerabilities, firewall rules, intrusion detection software, etc. This is where security breaks down. Either no one's found a vulnerability (or knows about it) or they are lazy and don't patch, poor security (writing down a password), social engineering, phishing/ whaling, all sorts of methods.

To expound upon my earlier post, the majority of security professionals are guys with a certification and maybe some experience. Their lives are reading log files (not bloody likely if they are swamped), patching systems, paperwork, IDS if their organization has it, and audits. They are very reactionary and tend to worry more about the admin side. When they have technical knowledge it tends to be useless in the day-to-day because it sounds impressive. Oh, you know about encryption? Awesome, what are your firewall rules and logs telling you?

(Blank stare, eyes blink) "Well, our policies in place...."

Their policies are bullshit and totally dependent upon outside sources telling them what to do. The human component fails us. A zero-day exploit is almost impossible to defend against, but most hacking methods are preventable... if the users are willing to do their jobs and if the security guy/ SysAdmin are doing theirs.

Many do not and the end users are lazy. Those components will almost never change.

A few years old, but some numbers:
Hacking, Malware, and Social Engineering Threats | IRMI.com

Hacking methods: global data breaches within Hacking 2011 | Statistic


----------



## Brill (Feb 27, 2016)

The prob here @Freefalling, is the US isn't really invested/interested in network security. Every element of the IC has teams focused on penetrating terrorist cells to collect info about groups, leaders, and TTPs.  Imagine trying to do "CT" only AFTER an attack.

Do the various Fed and military units have equal (or more robust) teams conducting similar counter-hacking ops, with the aim to ID the groups, individuals, or TTPs?

Where is our similar COIC for hackers?  Which Tier one element is geared towards kill/capture of hacker networks or their machines?

We've had our "9-11" hack at OPM but the US didn't give a shit.


----------



## AWP (Feb 27, 2016)

Agree 1 billion percent.


----------



## compforce (Feb 27, 2016)

I'm not going to get too deep into this one because I've been too close to it.  I will say though that much of the fault lies with the leadership.  The IA guy can "recommend" that the leader's groundbreaking idea probably is going to open holes in the security that shouldn't be opened.  The IA folks are nearly always overruled by the leader because A) the good idea fairy told him he would be smarter than everyone else if he did this or B) he can cover his ass by simply making another person write up a risk analysis.

Obamacare is a perfect example of this.  It has a requirement for centralized storage of data with multiple integrations to other units/departments.  Every time that integration is set up it's done as a separate piece, usually by different working groups (thanks to the aggressive schedule).  Ultimately what you get is a series of holes opened in the perimeter security.  Think of it as a castle with a moat and 25 bridges over the moat each manned by a single guard.  What's the value of the moat at that point?

The easiest way to keep hackers from exploiting your systems is to keep them from being able to get to the systems.  If you can do that, then you can funnel any truly necessary traffic to a single point that can control access. Every time you create a new access point, whether it is a publicly exposed web site or a connection to allow some other group to work with your data, you make it easier for the hackers to get inside.  Once inside there is a ton of damage that can be done, including creating other access points that you don't know about (trojans/rootkits/backdoors).

Computer security is much like physical security.  You need defense in depth all the way from the perimeter (firewall) to the individual information and applications on each system.  It also has to be meticulously planned and executed to perfection.  When has the USG _ever_ planned and executed anything to perfection?

Here's a somewhat outdated look at Obamacare so you can see all of the holes they created.  It's worse now.  This is what happens when the good idea fairy comes to play in IT.  Bear in mind that, while this is a relationship diagram for the program, each line represents a minimum of one IT integration and often more than one.
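The "25 bridges over the moat" point above can be made concrete with a small perimeter audit. This is an added example, not code from the post or from any real program: it takes a constructed list of ingress rules (the partner integrations are invented, the address ranges are documentation ranges) and counts how many distinct externally reachable host/port pairs the perimeter has to guard, how many of those accept connections from anywhere, and what the same set of partners looks like once they are funnelled through a single gateway host with allow-listed sources.

```python
from dataclasses import dataclass
from ipaddress import ip_network

INTERNET = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class IngressRule:
    """One hole in the perimeter: who may connect, to what."""
    name: str
    source_cidr: str   # address range allowed to initiate the connection
    dest_host: str     # internal host that answers
    dest_port: int


def entry_points(rules):
    """Distinct (host, port) pairs reachable from outside: the bridges over the moat."""
    return {(r.dest_host, r.dest_port) for r in rules}


def world_open(rules):
    """Names of rules that accept connections from any source address at all."""
    return [r.name for r in rules if ip_network(r.source_cidr) == INTERNET]


def audit(rules):
    """Summarise how many guards the perimeter needs and where it is weakest."""
    return {
        "entry_points": len(entry_points(rules)),
        "exposed_hosts": len({r.dest_host for r in rules}),
        "world_open": world_open(rules),
    }


# Constructed rulesets (hypothetical, not taken from any real deployment).
# Sprawl: each partner integration was wired straight to its own back-end host,
# by a different working group, with whatever source restriction that group chose.
SPRAWL = [
    IngressRule("public-portal", "0.0.0.0/0", "web01", 443),
    IngressRule("state-a-feed", "0.0.0.0/0", "sftp01", 22),
    IngressRule("state-b-feed", "198.51.100.0/24", "sftp02", 22),
    IngressRule("insurer-api", "0.0.0.0/0", "api01", 8443),
    IngressRule("vendor-db-sync", "203.0.113.10/32", "db01", 1433),
]

# Consolidated: the same five partners, all funnelled through one gateway host
# that authenticates and routes them; every non-public partner range is allow-listed.
CONSOLIDATED = [
    IngressRule("public-portal", "0.0.0.0/0", "gw01", 443),
    IngressRule("state-a-feed", "192.0.2.0/24", "gw01", 443),
    IngressRule("state-b-feed", "198.51.100.0/24", "gw01", 443),
    IngressRule("insurer-api", "203.0.113.0/24", "gw01", 443),
    IngressRule("vendor-db-sync", "203.0.113.10/32", "gw01", 443),
]

if __name__ == "__main__":
    for label, rules in (("sprawl", SPRAWL), ("consolidated", CONSOLIDATED)):
        print(label, audit(rules))
```

Run stand-alone, the script reports five entry points on five hosts with three of them open to the whole Internet for the sprawl ruleset, against one entry point on one host for the consolidated one. The single gateway is the "one big bridge with the same 25 guards": the inner layers (host hardening, application authentication, data access controls) still have to exist, but every guard now watches the same crossing.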


----------



## Brill (Feb 27, 2016)

@compforce, these are the same people who believe ID theft can be mitigated by keeping OS and virus software updated.

The USG can advise me of network security but if I pass on legal or medical advice...

The best defense is a STRONG offense.


----------



## Ooh-Rah (Feb 27, 2016)

compforce said:


> Ultimately what you get is a series of holes opened in the perimeter security. Think of it as a castle with a moat and 25 bridges over the moat each manned by a single guard. What's the value of the moat at that point?



What a great explanation!  I fully plan to use this at an unknown date in the future.


----------



## compforce (Feb 27, 2016)

Ooh-Rah said:


> What a great explanation!  I fully plan to use this at an unknown date in the future.



Thanks.  The other half of the explanation (analogy) is that it would be better use of resources to have a single big bridge with the same 25 guards all controlling access.


----------



## compforce (Feb 27, 2016)

lindy said:


> The best defense is a STRONG offense.



I disagree...   If that's the case, then everyone should completely disregard their own system and focus on counterattacking the hackers.  It has to be appropriately balanced because there are too many actors to completely shut it down.

Why do we have bases in Afghanistan with guards?  By the same analogy you used, we should just carpet bomb or nuke the country and be done with it.  Would it work?  Definitely.  Would we accomplish our actual objectives?  Nope.  The idea about the best defense being a strong offense only works on an athletic field with inviolate boundaries, a limited time frame and rules for each player and team.  In the open ended world of global society, it doesn't hold water.  To make that theory work in the real world you'd have to engage in an activity called genocide.

To be clear, I'd say a solid offense is important, but only when there was a reasonably strong defense in place.


----------



## Florida173 (Feb 27, 2016)

Just because it's true in the sense of cyber security doesn't mean that it would be absolutely relatable in physical security. Two entirely different things.

And I didn't take from his statements that we are to completely forget about cyber defense. It should be an automatic process within the IT realm.

Offense is not an IT's job.


----------



## Brill (Feb 27, 2016)

@compforce, I'm not saying completely do away with defense in depth but advocating for an aggressive national counter-hacking strategy IN ADDITION TO defense.

We absolutely should guard the castle while we have guys out running source networks, collecting Intel, etc in order to facilitate DA raids.

I'd wager that hacking has cost the US population way more $$$$ than terrorism has.

This is a national problem and not just a consumer problem. It seems we're back to the late 20's when (then) Secretary of War said we don't read each other's mail.


----------



## Brill (Sep 7, 2016)

These idiots should be fired and fined for incompetence.  Guess we know who will be Hillary's Cyber-security Czar.

Congressional report: OPM cyberattack had missed opportunities | Fox News


----------



## AWP (Sep 7, 2016)

To piggyback on my earlier posts I am now a Cybersecurity Liaison/ Information Assurance guy. That tells us my application to become a meteorologist was denied.

FML

My earlier points still stand because I'm now the guy left with mostly admin work. This is driven by an inept system that literally makes up the rules on the fly, violates SLAs, and..."other stuff". To steal from a video game, the cake is a lie.


----------



## Brill (Sep 8, 2016)

Nothing to see here. Move along.

Officials dismiss possibility of US election hacking - CNNPolitics.com

I love narrow minded people who say our ballot count cannot be hacked. Great...what about voter registration lists?

What happens if a shit ton of registered Democrats in state X suddenly show up at the polling place as unregistered?

Would the election be free and fair?


----------



## CDG (Mar 13, 2017)

Jesus. Christ.  How much of a mental midget do you have to be to not password protect the drive?

US military leak exposes 'holy grail' of security clearance files


----------



## Grunt (Mar 13, 2017)

Unfortunately, people are lazy and the protection of "your" PII isn't "their" problem apparently. 

And, if it is...they don't take their jobs seriously and the one whose information is released is the one who suffers and has to clean up the expensive mess created by another's laziness and incompetence.


----------



## compforce (Mar 13, 2017)

Agoge said:


> Unfortunately, people are lazy and the protection of "your" PII isn't "their" problem apparently.
> 
> And, if it is...they don't take their jobs seriously and the one whose information is released is the one who suffers and has to clean up the expensive mess created by another's laziness and incompetence.



To date I've received no less than 4 notices that someone has lost my PII/SF-86...  OPM, contractor couriering our info from Mississippi to Texas, two backup copies lost when laptops or drives were stolen from their cars.  The people protecting our personal info are idiots.


----------



## compforce (Mar 13, 2017)

lindy said:


> I'd wager that hacking has cost the US population way more $$$$ than terrorism has.



Interesting related factoid for you.  The guy who invented the concept of a NULL (an unknown value in programming and data) back in the '60s had an interview with CIO magazine in 2008.  In that article he stated (paraphrased) that the null had cost businesses more money than the sum of all of the savings that they had realized from the use of automation since.  He's probably right too...


----------



## Grunt (Mar 13, 2017)

compforce said:


> To date I've received no less than 4 notices that someone has lost my PII/SF-86...  OPM, contractor couriering our info from Mississippi to Texas, two backup copies lost when laptops or drives were stolen from their cars.  The people protecting our personal info are idiots.



Yep...they lost one of mine. I asked them what happened and they simply responded, "It was lost somewhere between our office and the field office." That was truly comforting and the worst part of it all was that they didn't seem to care one bit about it.


----------

