We’ll be hosting an informal reception at the Hofbräuhaus Las Vegas on Thursday, July 30 to celebrate Tony and Matt’s Black Hat and DEFCON presentations. Please RSVP to rsvp[shift+2]fyrmassociates.com or talk to one of the guys wearing the FYRM Associates shirts at Black Hat. The beer will start flowing at 6 PM and we’ll be around until at least 8 PM.
Archive for June, 2009
Would I volunteer my time? Sure, why not. Is it really a good or realistic idea to have our Military and Government solicit an army of volunteers to test their web sites? Probably not. Jeremiah Grossman, CTO and founder of WhiteHat Security, this past week voiced his opinion on a topic that isn’t entirely new, but hasn’t been brought up by an industry pundit for a while. He estimates “fewer than ten percent of United States .GOV and .MIL websites are professionally tested for custom Web application vulnerabilities” and suggests getting vulnerability researchers to volunteer to test those web sites. I honestly didn’t see his blog entry until late Thursday and up until now sort of waited to see all the comments on his thoughts. It seems feedback has gone back and forth, with the more detailed responses falling on the “not so good idea” side of the fence. Jack Mannino had a good response, which Jeremiah is planning to respond to.
Here are my thoughts: Have you ever worked directly for/with the government? Not a rhetorical question or being a smart a$$, but seriously. It’s a given that the US Federal government doesn’t spend enough money or resources on cybersecurity [see previous blogs]. I cannot imagine how difficult it would be to attempt to coordinate these “volunteer tests” with the Federal Agency, the government security teams that protect the site, the network and system folks responsible for the site, and then all the contractors involved in monitoring and supporting the site… and that’s just a fraction of the folks on the government side. We’ve done contract work with the Federal Government, and doing a simple scan of a small environment from a single source address took a tremendous amount of coordination and planning. It would be insanity to try to coordinate dozens of volunteers. And that is just one of a couple of pre-planning obstacles I can see.
What about from a slightly tangential ethics view; is it volunteers or freebies? The Federal Government, from what I’ve experienced, has pushed procurement and purchasing folks through different types of ethics training to prevent inappropriate kickbacks to individuals and organizations. Could a big corporate entity like “Big Yellow”, for example, be allowed to volunteer a team of young staffers to “pen-test”? Wouldn’t it then be ironic if that same company down the line got a chance to bid on projects, or even technologies to be implemented? You have to expect someone out there to try to take advantage of it.
The one point Jack made that I’m not going to rehash too much, but agree with, is regarding incident response. Could you imagine being the contractor or GS-10 sitting in the SOC during “volunteer pen-test day”? If the government doesn’t have the tools to assess their own web sites, I wonder if they would have the technologies or resources in place to review the logs generated and figure out what is considered “normal” vs. “bad” traffic.
I’m not entirely sure if Jeremiah really thinks it’s a good idea or is throwing it out there for media fodder (I see SC Magazine already picked it up). It does bring up some interesting early debate but the more I think about it, it just doesn’t seem reasonable.
However, one thought I did come up with, and please pardon me if there is already an organization like this, is taking a page from the National Guard. It would still require some money, background checks, a tremendous amount of coordination and volunteering. How about a “Cybersecurity National Guard” unit, where people can volunteer X hours a month and have, as one of their core responsibilities, testing government and military web sites? I’m deeply familiar with the military and intelligence community programs and teams that do this, but this “volunteer” group could be staffed with vulnerability researchers who have extra time or want to do something more valuable for ISC^2 CPEs ;)
A couple of months ago I wrote a quick blog on President Obama’s initial outline for protecting the nation’s homeland security… well, this past Friday he released his cybersecurity plan to the general public. In all honesty, there aren’t any big surprises, and it seems in line with the recommendations put forth by the Center for Strategic and International Studies (CSIS) cybersecurity commission, released in December.
For the most part, the media and industry pundits find President Obama’s plan to be on-target and favorable. He is determined to have a more joint public and private effort to “deter, prevent, detect and defend” against cyber attacks. He was clear he does not want the federal government to be able to regularly monitor “private-sector networks” and believes that the Internet has become the backbone of American communications. The plan is to have cybersecurity leadership working closely with him in the White House, and it appears that the appointed cyber czar will have coordinating authority over the Pentagon, the National Security Agency, the Department of Homeland Security, etc.
An interesting difference between President Obama’s strategy and the Bush administration’s is his plan to distribute his approach to the public and to the companies most vulnerable to cyber attack. The previous administration’s strategy/policy was entirely classified. Obviously, if it’s important and requires everyone’s help, you need to get everyone on the same page. You can only do that if there is a national plan and everyone knows about it.
Again, President Obama is making cybersecurity a top priority and has made good on those campaign pledges… Who wouldathunkit, the President makes a promise and keeps it. If only all of our government leaders were like that ;)