USG Network Insecurity

Some of my colleagues froth at the mouth about going into IT security. I told them I'd rather be a meteorologist than in IT security, because one's trustworthy part of the time and the other's an overpaid joke waiting to be a victim. "Go read a log file, your shit's already been stolen via a dozen attack vectors you know nothing about."
 
And then there are the PSOs (POSs) who refuse to authorize anything at all because no one can blame them if something goes wrong. :wall::wall::wall:
 
Can you compare it to performance enhancing drugs in sports? That is, as soon as one is detected another undetectable one--or a new undetectable version of the first one--is engineered. Then the science has to catch up with it. And by that time yet another undetectable chemical emerges.

Isn't that what IT security is about? Reactionary? Developing safeguards against potential threats...while new threats are being constantly developed? Just when we learn to counter one another one crops up that we have to figure out?
 
Yes and no. Yes they can get in where there is a door/window/wire to get in. In the case of national security there are other safeguards in place. I'm not saying closed networks are impenetrable but they are much more secure. Which is why what HRC and her staff did is so horrifically bad. Taking information from a secure environment and moving it to one that WILL get hacked is, in all ways, criminal. It doesn't help that not only was it ON her private server, she SENT it via unsecured private e-mail to other unsecured networks and the dumb-asses who received it replied and sent it back the other way again. Incidentally, said dumb-asses are equally culpable for exposing national secrets to hackers.

ETA: The IRS uses the interwebz for filing tax returns. Ergo, hackable.
 
Instead of giving performance bonuses to VA and GSA folks, why not give massive "atta boy" via $$$$ to Info Assurance techs who really do assure info is secure?

Garbage in, garbage out...or info to hackers, either way, still valid.

Oh, keep in mind these are the same idiots telling the sheeple that your medical info is secure so it's required by Federal law to digitize your health info.
 
Along with @Dame's post, "yes and no." Yes, as soon as one is detected they look for other means to defeat the system's security. "No" in that security researchers and hackers are constantly looking for new attack vectors in operating systems, applications, plug-ins, breaking encryption, etc. (zero-day exploits). Really obscure stuff like CPU temperature and fan speeds was researched and conditionally exploited (though this was more a proof of concept). Guys (script kiddies) use pre-written programs to scan for vulnerabilities while others break apart the code in a lab and look for cracks and holes.

On the user/administrator side it is reactionary. Developing best practices, patching against known vulnerabilities, firewall rules, intrusion detection software, etc. This is where security breaks down. Either no one's found a vulnerability (or knows about it) or they are lazy and don't patch, poor security (writing down a password), social engineering, phishing/whaling, all sorts of methods.

To expound upon my earlier post, the majority of security professionals are guys with a certification and maybe some experience. Their lives are reading log files (not bloody likely if they are swamped), patching systems, paperwork, IDS if their organization has it, and audits. They are very reactionary and tend to worry more about the admin side. When they have technical knowledge it tends to be useless in the day-to-day because it sounds impressive. Oh, you know about encryption? Awesome, what are your firewall rules and logs telling you?

(Blank stare, eyes blink) "Well, our policies in place...."

Their policies are bullshit and totally dependent upon outside sources telling them what to do. The human component fails us. A zero-day exploit is almost impossible to defend against, but most hacking methods are preventable....if the users are willing to do their jobs and if the security guy/SysAdmin is doing his.

Many do not and the end users are lazy. Those components will almost never change.

A few years old, but some numbers:
Hacking, Malware, and Social Engineering Threats | IRMI.com

Hacking methods: global data breaches within Hacking 2011 | Statistic
 
The prob here, @Freefalling, is the US isn't really invested/interested in network security. Every element of the IC has teams focused on penetrating terrorist cells to collect info about groups, leaders, and TTPs. Imagine trying to do "CT" only AFTER an attack.

Do the various Fed and military units have equal (or more robust) teams conducting similar counter-hacking ops, with the aim to ID the groups, individuals, or TTPs?

Where is our similar COIC for hackers? Which Tier one element is geared towards kill/capture of hacker networks or their machines?

We've had our "9-11" hack at OPM but the US didn't give a shit.
 
I'm not going to get too deep into this one because I've been too close to it. I will say though that much of the fault lies with the leadership. The IA guy can "recommend" that the leader's groundbreaking idea probably is going to open holes in the security that shouldn't be opened. The IA folks are nearly always overruled by the leader because A) the good idea fairy told him he would be smarter than everyone else if he did this or B) he can cover his ass by simply making another person write up a risk analysis.

Obamacare is a perfect example of this. It has a requirement for centralized storage of data with multiple integrations to other units/departments. Every time that integration is set up it's done as a separate piece, usually by different working groups (thanks to the aggressive schedule). Ultimately what you get is a series of holes opened in the perimeter security. Think of it as a castle with a moat and 25 bridges over the moat each manned by a single guard. What's the value of the moat at that point?

The easiest way to keep hackers from exploiting your systems is to keep them from being able to get to the systems. If you can do that, then you can funnel any truly necessary traffic to a single point that can control access. Every time you create a new access point, whether it is a publicly exposed web site or a connection to allow some other group to work with your data, you make it easier for the hackers to get inside. Once inside there is a ton of damage that can be done, including creating other access points that you don't know about (trojans/rootkits/backdoors).

Computer security is much like physical security. You need defense in depth all the way from the perimeter (firewall) to the individual information and applications on each system. It also has to be meticulously planned and executed to perfection. When has the USG ever planned and executed anything to perfection?

Here's a somewhat outdated look at Obamacare so you can see all of the holes they created. It's worse now. This is what happens when the good idea fairy comes to play in IT. Bear in mind that, while this is a relationship diagram for the program, each line represents a minimum of one IT integration and often more than one.
[Image: Obamacare.jpg]
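The "one bridge, 25 guards" point above is easy to state and easy to lose in practice, so here is an added illustration (not code from any poster in this thread) of what it looks like as policy-as-code: a default-deny ingress policy with a single public entry point, the "25 bridges" sprawl beside it, both evaluated against a handful of constructed connection records, and a count of how many rules actually face the internet. Every name, address, port and flow record below is made up for the example; the nftables rendering at the end is a plain-text ruleset for review, not something this script installs.

```python
"""Default-deny ingress policy with one chokepoint vs. per-integration sprawl.

Added example for the 'castle with 25 bridges' discussion. Networks, rule
names, ports and flow records are all constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Allow:
    name: str
    src: str          # CIDR the rule accepts from; 0.0.0.0/0 = whole internet
    dport: int
    proto: str = "tcp"


# The single bridge: everything public goes through the reverse proxy on 443,
# and admin SSH is reachable only from the (assumed) bastion host 10.0.0.5.
CHOKEPOINT_POLICY = [
    Allow("public-https-via-proxy", "0.0.0.0/0", 443),
    Allow("admin-ssh-from-bastion", "10.0.0.5/32", 22),
]

# The sprawl anti-pattern: each integration working group opened its own hole.
SPRAWL_POLICY = CHOKEPOINT_POLICY + [
    Allow("partner-db-direct", "0.0.0.0/0", 5432),
    Allow("legacy-rdp", "0.0.0.0/0", 3389),
    Allow("vendor-api-any", "0.0.0.0/0", 8080),
]

# Constructed inbound flow records: (src_ip, dport, proto).
FLOWS = [
    ("203.0.113.7", 443, "tcp"),
    ("203.0.113.7", 5432, "tcp"),
    ("198.51.100.23", 3389, "tcp"),
    ("10.0.0.5", 22, "tcp"),        # admin from the bastion
    ("10.0.0.9", 22, "tcp"),        # SSH from an internal host that is NOT the bastion
    ("198.51.100.23", 8080, "tcp"),
    ("198.51.100.23", 22, "tcp"),
]


def decide(policy, src_ip, dport, proto="tcp"):
    """Return the name of the first matching allow rule, or None (default deny)."""
    ip = ip_address(src_ip)
    for rule in policy:
        if rule.proto == proto and rule.dport == dport and ip in ip_network(rule.src):
            return rule.name
    return None


def evaluate(policy, flows):
    """Apply the policy to every flow; returns (allowed, denied) lists of (flow, rule)."""
    allowed, denied = [], []
    for flow in flows:
        rule = decide(policy, *flow)
        (allowed if rule else denied).append((flow, rule))
    return allowed, denied


def top_denied_sources(denied, n=3):
    """Which sources keep hitting the wall: the thing the firewall log should tell you."""
    return Counter(flow[0] for flow, _ in denied).most_common(n)


def internet_exposed(policy):
    """Count the 'bridges' that face the whole internet (src 0.0.0.0/0)."""
    return sum(1 for r in policy if ip_network(r.src).prefixlen == 0)


def to_nft(policy, table="filter", chain="input"):
    """Render the policy as a default-drop nftables input chain (text only)."""
    lines = [
        f"table inet {table} {{",
        f"  chain {chain} {{",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
    ]
    for r in policy:
        src = "" if ip_network(r.src).prefixlen == 0 else f"ip saddr {r.src} "
        lines.append(f'    {src}{r.proto} dport {r.dport} accept comment "{r.name}"')
    lines.append('    log prefix "DENY " drop')   # log what the default policy drops
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for label, policy in (("chokepoint", CHOKEPOINT_POLICY), ("sprawl", SPRAWL_POLICY)):
        allowed, denied = evaluate(policy, FLOWS)
        print(f"{label}: {len(allowed)} allowed, {len(denied)} denied, "
              f"{internet_exposed(policy)} internet-facing rule(s)")
        print("  top denied sources:", top_denied_sources(denied))
    print(to_nft(CHOKEPOINT_POLICY))
```

The useful number is `internet_exposed`: the chokepoint policy has one internet-facing rule, the sprawl has four, and the same flow records that the chokepoint drops sail through the sprawl. Note that a denied SSH attempt from 10.0.0.9 is still a finding even though it is internal; a single bastion means any other source on 22 is either a misconfiguration or someone already inside.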
 
@compforce, these are the same people who believe ID theft can be mitigated by keeping OS and virus software updated.

The USG can advise me of network security but if I pass on legal or medical advice...

The best defense is a STRONG offense.
 
What a great explanation! I fully plan to use this at an unknown date in the future.
 
Thanks. The other half of the explanation (analogy) is that it would be better use of resources to have a single big bridge with the same 25 guards all controlling access.
 
I disagree... If that's the case, then everyone should completely disregard their own system and focus on counterattacking the hackers. It has to be appropriately balanced because there are too many actors to completely shut it down.

Why do we have bases in Afghanistan with guards? By the same analogy you used, we should just carpet bomb or nuke the country and be done with it. Would it work? Definitely. Would we accomplish our actual objectives? Nope. The idea about the best defense being a strong offense only works on an athletic field with inviolate boundaries, a limited time frame and rules for each player and team. In the open ended world of global society, it doesn't hold water. To make that theory work in the real world you'd have to engage in an activity called genocide.

To be clear, I'd say a solid offense is important, but only when there was a reasonably strong defense in place.
 
Just because it's true in the sense of cyber security doesn't mean that it would be absolutely relatable in physical security. Two entirely different things.

And I didn't take from his statements that we are to completely forget about cyber defense. It should be an automatic process within the IT realm.

Offense is not IT's job.
 
@compforce, I'm not saying completely do away with defense in depth but advocating for an aggressive national counter-hacking strategy IN ADDITION TO defense.

We absolutely should guard the castle while we have guys out running source networks, collecting intel, etc. in order to facilitate DA raids.

I'd wager that hacking has cost the US population way more $$$$ than terrorism has.

This is a national problem and not just a consumer problem. It seems we're back to the late '20s when the (then) Secretary of War said we don't read each other's mail.
 
To piggyback on my earlier posts, I am now a Cybersecurity Liaison/Information Assurance guy. That tells us my application to become a meteorologist was denied.

FML

My earlier points still stand because I'm now the guy left with mostly admin work. This is driven by an inept system that literally makes up the rules on the fly, violates SLAs, and..."other stuff". To steal from a video game, the cake is a lie.
 