Archive for the Government Category

U.S. needs to attract more Cybersecurity Ninjas

Posted in Government, Jobs on July 27, 2009 by Matthew Flick

I’m not sure why I continue to keep a close eye on this administration and the Federal Government, but I guess someone needs to step up to do it. Hannity & Colmes, Limbaugh, and Jon Stewart might know the government but they sure don’t know security ;) I also think being so close proximity wise to the nation’s capital I’m constantly inundated with news clips, stories, and critiques that it’s hard not to form some opinion.

A report released by Partnership for Public Service, a nonprofit organization devoted to building a better federal work force and Booz Allen Hamilton, a management consulting firm, finds the Federal Government is at risk of being unable to fight off attacks on the nation’s computer networks unless it strengthens its cyber-security work force. The report identified the four main challenges “as uncoordinated leadership of cybersecurity workers; a cumbersome hiring process that discourages people from seeking government jobs and fails to provide a career path for those who do; and hiring managers and human resource specialists who disagree on the quality of IT candidates.”

The report contained several recommendations for actions to help resolve some of the issues right now. One point that is strongly suggested is that agencies should put someone in charge of hiring cybersecurity talent now and not waiting for instruction from the White House’s new cybersecurity coordinator. The report also included a checklist for cybersecurity talent management agencies can use as a reference point.

I think its fair to say the public sector continues to lag behind in most things information security related. The lack of budget, resources, training and awareness is not too different than what we see in the private sector. However, the disparity in those areas especially with some of the “most critical” agencies can be disturbing. I hope President Obama and his cybersecurity appointed folks move fast to address the raised issues in this latest report. I totally agree each agency should move forward independently but at the same time coordinated strategic efforts and sensible guidelines/frameworks are going to be critical across our government. I hate to admit it, but I do think a major roadblock is going to be the pay scale for government positions. Security folks are at the top of the IT pay scales and right now don’t translate well on the government’s GS scale. A bit cliché but money talks.

Please President Obama, please get your cybersecurity A-team put together quickly, get advice with cybersecurity thought leaders and representatives in the private sector, and give the agencies serious security budgets to get things accomplished. We need more ninjas on our side, protecting our “cyber-borders”.


LAN Party anyone? Let’s volunteer to hack Government websites…

Posted in Application Security, Government, Penetration Testing on June 21, 2009 by Matthew Flick

Would I volunteer my time? Sure, why not. Is it really a good or realistic idea to have our Military and Government solicit an army of volunteers to test their web sites? Probably not. Jeremiah Grossman, CTO and founder of WhiteHat Security, this past week voiced his opinion on a topic that isn’t entirely new, but hasn’t been brought up by an industry pundit for a while. He estimates “fewer than ten percent of United Stats .GOV and .MIL websites are professionally tested for custom Web application vulnerabilities” and suggests getting vulnerability researchers to volunteer to test those web sites.  I honestly didn’t see his blog entry until late Thursday and up til now sort of waited to see all the comments to his thoughts. It seems feedback is back and forth with the more detailed responses are on the “not so good” idea side of the fence. Jack Mannino had a good response, which Jeremiah is planning to respond to.

Here are my thoughts: Have you ever worked directly for/with the government? Not a rhetorical question or being a smart a$$, but seriously. It’s a given that the US Federal government doesn’t spend enough money or resources on cybersecurity [see previous blogs]. I cannot imagine how difficult it would be to attempt to coordinate these “volunteer tests” with the Federal Agency, the government security teams that protect the site, the network and system folks responsible for the site, and then all the contractors involved in monitoring and supporting the site… that’s just a fraction of the folks on the government site. We’ve done contract work with the Federal Government and doing a simple scan of a small environment from a single source address took a tremendous amount of coordination and planning. It would be insanity to try to coordinate dozens of volunteers. And that is just one of a couple pre-planning obstacles I can see.

What about from a slightly tangent ethics view; is it volunteers or freebies? The Federal Government from what I’ve experienced has pushed procurement and purchasing folks through different types of ethics training to prevent inappropriate kickbacks to individuals and organizations. Could a big corporate entity like “Big Yellow” for example be allowed to volunteer a team of young staffers to “pen-test”? Wouldn’t it then be ironic if that same company down the line got a chance to bid on projects or even technologies to be implemented? You got to expect someone out there to try to take advantage of it.

The one point that Jack made mention that I’m not going to rehash too much but agree with is regarding incident response. Could you imagine being the contractor or GS-10 sitting in the SOC during “volunteer pen-test day”? If the government doesn’t have the tools to assess their own web sites, I wonder if they would have the technologies or resources in place to review the logs generated to figure out what is considered “normal” vs. “bad” traffic.

I’m not entirely sure if Jeremiah really thinks it’s a good idea or is throwing it out there for media fodder (I see SC Magazine already picked it up). It does bring up some interesting early debate but the more I think about it, it just doesn’t seem reasonable.

However one thought I did come up with and please pardon me if there is already an organization like this, is taking a page from the National Guard. It would still require some money, background checks, a tremendous amount of coordination and volunteering. How about a “Cybersecurity National Guard” unit, where people can volunteer X hours a month and have one of the core responsibilities testing government and military web sites. I’m deeply familiar with the military and intelligence community programs and teams that do this, but this “volunteer” group could be staffed with vulnerability researchers who have extra time or want to do something more valuable for ISC^2 CPEs ;)

Cyber-Security Plan: “Strategery” Part Deux

Posted in Government on June 1, 2009 by Matthew Flick

A couple months ago I wrote a quick blog on President Obama’s initial outline for protecting the nation’s homeland security… well, this past Friday he released his cybersecurity plan to the general public.  In all honesty, there aren’t any big surprises and it seems inline with the recommendations put forth by the Center for Strategic and Internal Studies (CSIS) cybersecurity commission released in December.

For the most part, the media and industry pundits find President Obama’s plan to be on-target and favorable. He is determined to have a more joint effort (Public and Private organizations) to “deter, prevent, detect and defend” against cyber attacks. He was clear he does not want the federal government to be able to regularly monitor “private-sector networks” and believes that the Internet has become the backbone of American communications. The plan is to have cybersecurity leadership to be working closely to him in the White House and it appears that the appointed cyber czar will have the coordinating authority over the Pentagon, National Security Agency, Department of Homeland Security and etc.

An interesting observation regarding President Obama’s strategy over the Bush administration is his plan to have his approach distributed to the public and to companies that are most vulnerable to cyber attack. The previous administration’s strategy/policy was entirely classified. Obviously, if it’s important and requires everyone’s help, you need to get everyone on the same page. You can only do it if there is a national plan and everyone knows about it.

Again, President Obama is making cybersecurity is a top priority and has made good on those campaign pledges… Who wouldathunkit, the President makes a promise and keeps it. If only all of our government leaders were like that ;)

Support for President Obama’s cybersecurity “strategery”

Posted in Government on February 4, 2009 by Matthew Flick

Last week, Tim shared his views on the new plotline of the popular TV show 24 and expressed his hopes for President Obama’s cybersecurity strategy.  Had he checked his email before posting his blog, he would have seen my email that the administration released an outline for protecting the nation’s homeland security. We need to work on our timing!

President Obama’s initial strategy includes a six-step approach on “Protecting Our Information Networks.” It states the administration (while working with private industry, the research community and our citizens) will:

  • Strengthen Federal Leadership on Cyber Security: Declare the cyber infrastructure a strategic asset and establish the position of national cyber advisor who will report directly to the president and will be responsible for coordinating federal agency efforts and development of national cyber policy.
  • Initiate a Safe Computing R&D Effort and Harden our Nation’s Cyber Infrastructure: Support an initiative to develop next-generation secure computers and networking for national security applications. Work with industry and academia to develop and deploy a new generation of secure hardware and software for our critical cyber infrastructure.
  • Protect the IT Infrastructure That Keeps America’s Economy Safe: Work with the private sector to establish tough new standards for cyber security and physical resilience.
  • Prevent Corporate Cyber-Espionage: Work with industry to develop the systems necessary to protect our nation’s trade secrets and our research and development. Innovations in software, engineering, pharmaceuticals and other fields are being stolen online from U.S. businesses at an alarming rate.
  • Develop a Cyber Crime Strategy to Minimize the Opportunities for Criminal Profit: Shut down the mechanisms used to transmit criminal profits by shutting down untraceable Internet payment schemes. Initiate a grant and training program to provide federal, state, and local law enforcement agencies the tools they need to detect and prosecute cyber crime.
  • Mandate Standards for Securing Personal Data and Require Companies to Disclose Personal Information Data Breaches: Partner with industry and our citizens to secure personal data stored on government and private systems. Institute a common standard for securing such data across industries and protect the rights of individuals in the information age.

Surprisingly, this plan closely resembles the recommendations suggested by a commission of computer security experts one month earlier in December, 2008. The Center for Strategic and International Studies (CSIS) Commission on Cyber Security for the 44th Presidency released a 94-page report urging the incoming administration to improve cybersecurity by changing the way the federal government operates and by building better collaboration across organizational boundaries.  One of the specific recommendations included having an executive in the White House responsible for cybercrime coordination rather than having it fall under the Department of Homeland Security. I think most folks would agree that President Obama and his administration using the Commission’s recommendations as part of his strategy is ideal, but with the struggling economy, one hopes there will be enough money and resources to see at least some of them implemented.

President Obama has continued to state cybersecurity is a top priority and so far has made good on those campaign promises from last year. We can only hope the eventual implementation more closely resembles this strategy than the ’24’ all-powerful CIP firewall.

Who needs defense in depth when you have a CIP firewall?

Posted in Government with tags , , on January 25, 2009 by Tim

For this avid 24 watcher, this season has been hard to watch. Granted, 24 has always pushed the envelope of “believability,” but this season may just force me to succumb to my wife’s Monday night addiction to John & Kate Plus 8.

For those of you who aren’t following the show, basically the US government has a “mother” firewall that protects all of its networks, including the FAA and every public utility. (The official CIP page is located here.) The bad guys have developed a hardware appliance that can bypass the firewall and give them access to any of the networks it protects. (Apparently this hardware appliance has a tendency to overheat, but don’t worry the designer figured out how to fix that! Phew!)

With the bad guys possessing such a powerful piece of technology , the US’ foreign policy is being threatened. I’ll completely ignore the fact that I know that all of these networks are not connected and believe that the clandestine services can’t determine source IP addresses. Then I’ll suspend reality even more, and believe that there is such a “mother” firewall and that the bad guys can do whatever they please to the protected networks.

So…What can we do? Do we have to yield to the demands of the bad guys? Apparently so…

So it’s obvious that I am on a rant, but what irks me the most about this year’s plot is that the President in the show actually stated a viable solution. She said something to the affect of “Isn’t it just technology? Can’t we just unplug it?”

Yes, just unplug it. That’s my recommendation. Weighing the threat of US casualties or succumbing to the demands of terrorists versus down time of the CIP firewall, I would opt with unplugging the brilliant idea known as the CIP firewall.

It’s obvious how frustrated I am with this year’s plot. But hey, if this situation mimics reality, I would hope that Obama’s new Cyber-Security czar would look for both technical and non-technical solutions to such a problem. If not, looks like there may be a lot of money to be made in educating the US government on concepts their own agencies developed.