web application security lab

U.S. Government Testing Cybersecurity

I’ve been asking about this for years now, but I finally got my answer: yes, the US government is going to test the state of cyber-security in the event of a cyber war. The goal is to identify weaknesses and come up with solutions to a large-scale network attack. I was bitching about this when I was a member of the IT-ISAC - there was no one working on this at the time, and it was scaring the crap out of me. Apparently someone was listening!

I have no idea how the test is going to play out, but to anyone who is involved, let me reiterate this issue - the attacks often come from within. It’s not only outside threats we are going to have to contend with (and furthermore, once something is inside a network it’s hard to get out). So is the case with viruses, XSS worms, botnets, etc. You may be able to kill the command and control but that relies on one critical assumption - that there is one. Anyway, I’ll be very interested to see the results of these tests if they are ever published.

4 Responses to “U.S. Government Testing Cybersecurity”

  1. ntp Says:

    Insider threats are grossly over-rated. Everyone has been blogging about them lately way too much.

    Basically, in the right environments - insider threats are not quite what you think they are. This isn’t an information security problem - it’s a human problem.

    Read this:
    http://en.wikipedia.org/wiki/Pogo#.22We_have_met_the_enemy…..22

    In most organizations, insider threats are an HR problem - not a physical security problem, and certainly not an information security problem. It’s high-time we start accepting them as such.

    E.g. guy takes out network with over 2k systems because he wasn’t paid enough? You and others made this mistake here:
    http://www.darkreading.com/document.asp?doc_id=117323&print=true

    Maybe the problem is that you didn’t pay him enough! Either way, as a security professional there is no way to know behind the scenes what is really going on. In human resources, the study of organizational behavior and human interaction is usually the primary focus. Also, HR hires/fires. That’s their job, so insider threats are clearly their responsibility alone.

    My least favorite line from the DarkReading article is, “Since that time, the UBS PaineWebber incident has become a case study in how unauthorized “insider” activity — both malicious and accidental — can lead to corporate disaster”.

    Malicious insider threats and pilot-error both can lead to corporate disaster, yes. Accidental disaster is an IT problem. Malicious insider threats are an HR problem. Both can be fixed through awareness/education and process. But let’s keep them in the right business units.

    What you are talking about is risk assessment, which can take in the human factor - but is usually done by a NEUTRAL third-party (IOW the opposite of an insider).

    Also - the 80/20 rule of Internal vs. External threats is also a blatant lie among security professionals. See:
    http://taosecurity.blogspot.com/2006/07/of-course-insiders-cause-fewer.html

    The technical problem we are facing is not insider threats from a people perspective. It’s weak, chewy insides that are the result of trust in firewalls (see my last rant on WAFs for more information). Enterprise applications and Intranets have too long been unpatched, unmonitored, and unauthenticated. Even worse, they haven’t been assessed properly.

    Also see: Jeremiah Grossman, “Hacking Intranets from the Outside” and Tom Ptacek, “Do Enterprise Management Systems Dream of Electric Sheep?”.

    Insider threats are not popular in the field of information security because of the human factor. They are popular because we caused them ourselves in our own industry. We are our own insider threat, so to speak.

    Also - this post says nothing about Cyber-security / Cyber-War. I’m sure the DHS people involved already understand all my points about human problems vs. technical problems when it comes to insider threats. I’m also sure that much of their technical solutions will be third-party risk-assessments. At least, I have that much faith in such a process. If they screw it up then I guess we all won’t be here to blog about it.

  2. RSnake Says:

    Hmm… I actually tend to agree with most of your comments. But for the record in that Dark Reading article I only focused on tracking the users, not on the social aspects of how to avoid the problem. But also you said that maybe the problem is that you aren’t paying them enough - be careful there, the PROBLEM is that they are stealing data - the solution may be to pay them more, not the other way around. ;)

    Also, I think you took the term “internal” and misunderstood what I was getting at. I’m not talking about inside the government, I am talking about inside national boundaries. So yes, I actually agree with everything you said.

  3. Awesome AnDrEw Says:

    There’s been a recent trend of the U.S. government overseeing online activity (more so than the past decade it would appear). They’ve become increasingly interested in this social networking bullshit as users are more than willing to provide all personal information to the entire internet, and there’s also been a surge in these cyber-bullying policies taking place in various areas of the country. In another decade they’ll have us locked down just like in the outside world. All that’ll be left is consumerism.

    “1-2-3-4-5-6-7-8. You are just a number, and I ain’t got a name.”

  4. Chris_B Says:

    Once again I think ntp is barking in the right direction but up the wrong tree. It’s a bit disjointed to pass the buck to HR but then place the blame on poorly secured internal systems. The fact is that even the “most secure” networks and systems remain vulnerable to the trusted insider problem. This problem can’t be solved by paying people more money, giving them fancier titles, etc. There may well be no “solution” but raising the difficulty by technical and non-technical means helps reduce the risk. In any case the article clearly states that there is tacit acceptance of insider risk with the closing statement.