7.6.11

DHS, the government, and "cyber" security

The White House issued their "CyberDream" last month, titled the "International Strategy for Cyberspace." The strategy is chock full of wonderful thoughts and ideas about what cyberspace should look like and even has a few really excellent threats leveled at people who may want to attack the US. The majority of the document, though, reads as a plea for other nations to share "our" vision. On one hand, it would be amazing to have multiple nations sharing information and standing against those who would seek to do harm or gain information illegally via the digital realm. On the other hand, why don't we just defend our own assets better? If I had an extra hand I might suggest a blend of the two.

Really, I doubt it will matter, since the government will want to be in charge of the whole program, including some of the highly technical aspects. This is evidenced by DHS being funded with over 40 million dollars and their attempts to continue hiring infosec personnel. What's wrong with that? I am so glad you asked: nothing would be wrong with that IF DHS is hiring new top-level decision makers along with the technical folks. If the same policy makers are in charge, nothing will change. They will hire bright and talented young technical folks, then ignore their recommendations and lose them to the private sector. Also known as "status quo." Reading the DHS (and other government) initiatives on hiring, they appear to believe that the only problem is the pay. That may be part of the problem, but the real issue I have seen is the promotion of the wrong personnel over time. The last government place I worked had dug a hole so deep and wide they didn't even know they were in a hole. Several manager-level personnel possessed zero technical skill or knowledge yet were making decisions regarding technologies they didn't understand. They were also responsible for hiring but didn't know how to hire, since this field has been overrun with certifications, "policy analysts", and general confusion.

How bad is it? That used to be difficult to quantify, but take a look at the major breaches that have happened in 2011. HBGary, RSA, and Lockheed are security-centric shops with deep technical talent that were pwned with techniques taught in any pen testing class you might want to take. The Oak Ridge National Lab was taken hostage and had to be disconnected from the Internet for weeks. Many of these intrusions were blamed on "APT," but they were not advanced techniques and they certainly didn't persist for very long. What really happened is that the age-old theory of "acceptable risk" is being put to the test. If your entire enterprise can be jacked when one person clicks a link or opens a file, something is not quite right. I have performed enough penetration tests to know that this is common, and the excuses for not implementing deep, separate layers of security are many, both valid and otherwise.

What's the fix? Get red teamed or pen tested using real techniques. Make sure the people performing the tests offer mitigations and remediations for the vulnerabilities they discover and exploit. HIRE THE RIGHT PEOPLE and GET RID OF THE WRONG PEOPLE. I cannot stress that enough, and I know hiring is difficult. If you don't know how to hire the right people, then you shouldn't be doing the hiring. I don't mean that at all in a rude or arrogant manner; simply ask for help and the infosec community will help you. I would be glad to assist your hiring, resume review, and interview process. I watched a government site two years ago replace a talented mid-level technical cyber ninja with a junior in college who knew nothing about security. Now, I am all for bringing up new folks and teaching them, but you must keep good technical people, and hearing the phrase "we just need to hire people who get along, not anymore smarty pants" was discouraging. I believe the government CAN do it right if they want to. Challenge the status quo, admit when mistakes are made, and persevere. Hire the right contractors to assist you. For some of us it isn't about money; it's about doing security right to protect assets as a higher calling. You do it right, because it's right.