1 Why Government Systems Fail at Security Chey Cobb [email protected] February 15, 2001.


1

Why Government Systems Fail at Security

Chey Cobb

[email protected]

February 15, 2001

2

My Background

Whoami
– Firewall certification lab
– Anti-virus testing lab
– Web security since 1994
– DoD systems architectures
– Intelligence systems security architectures
– Senior technical security advisor for IC
– Security program manager

3

Recently Retired

There’s no such thing as “too young” to retire!

4

Why THIS Topic?

Security needs to be discussed in the open
– What is discussed behind closed doors tends to stay behind doors.

Credibility
– No matter how you explain things to management, they tend not to believe you – until they see the same thing in the public forum.

5

Don’t Make the Same Mistakes

In many ways, the private sector is doing security much better than top secret facilities
– Keeping secrets while sharing data and systems and providing public access.

In government, people tend to think firewalls and IDS are a “cure” for security
– AIDS
• Promiscuous connections to multiple systems
• There is NO cure

6

3Ds

Disillusioned
Disgusted
Disappointed
… and did I mention DISGUSTED?

7

War Stories

Chief of security was an English major whose last job was in HR.

Software developers didn’t know what a “hardened OS” is.

NSA teams didn’t know that web servers have many vulnerabilities.

8

War Stories … 2

Keyboard strings as passwords.
– “Too much trouble to change it.”
– “I use it on all my accounts.”
– “It’s so obvious nobody would think I use it.”

Logging off at the end of the day was considered “adequate” security.

Root passwords on major systems had not been changed in 10 years.

9

What Does A Security Officer Do??

Fight... Ask your security officer what his/her last few big fights were about:
– Of the last 10 fights, 9 involved internal politics.
– The 10th fight was probably horribly mundane.

10

The Word is $$$$$

Gov’t thought they were saving money going to COTS.

Gov’t can’t match the wages of good security personnel.

Gov’t can’t afford to keep their systems updated.

Is Corporate America that much different?

11

Security Decision Maker

You can only pick two!

12

Case In Point

Firewalls and Intrusion Detection are “new” to many facilities
– They had to choose two from the triangle … guess which two?
– Sysadmins are not sent for training.
– Security officers don’t get their own monitoring systems.
– In some circles, routers are still considered to be firewalls.

13

New Technologies?

The procurement process is “broke”
– It can take up to FIVE years for a “new” system to be purchased and installed

Engineering and Acquisitions Don’t Talk
– In some offices, Acquisitions buys the technology before consulting Engineering.
– Engineering is stuck with creating systems out of bargain basement clear-outs

14

Why Haven’t All Government Systems Been Hacked?

They are well hidden
– But “Security through Obscurity” will bite them eventually.

15

Government Security Policies

Took FIVE years to get them written.
Took another year to get the agencies to all agree to use them.
Policies have different interpretations on key issues by the different agencies and organizations.
Director of Central Intelligence Directive 6/3, “Protecting Sensitive Information within Information Systems”
– http://www.fas.org/irp/offdocs/dcid_6-3_20manual.htm

16

Sidebar

John Deutch Case
– In the unclassified version of his hearings he stated that he “was not aware of the computer security rules”.
– He did not know that sending mail on the Internet with the name of [email protected] would be a problem

He was the HEAD of the CIA … (a/k/a DCI) …
– His office WROTE the policies and he signed off on them.
– Is it possible that in fact he did know?

… and now he has been PARDONED?

17

Are They Wearing Blinders?

GAO ordered exercise called “Eligible Receiver” to test the security of government systems (1997).
Found basic vulnerabilities in every single system they touched:
– Rooted systems
– Launched DoS attacks
– Disrupted phone systems
– Read and ALTERED e-mail
– Most of this was done from the Internet

People in Top Secret facilities do not believe this report.

18

1998 GAO Investigation
http://www.gao.gov/AIndexFY98/category/Inform.htm

Survey of security officers found:
– 66% stated they didn’t have enough time or training to do their jobs.
– 53% stated that security was an ancillary duty.
– 305 of 709 were totally unaware of what they should be doing (43% for those of you who have not had enough caffeine yet).
– 57% had no security training.

19

2000 Investigation

AIMD-00-295, Information Security: Serious and Widespread Weaknesses Persist at Federal Agencies
– www.gao.gov/docdblite/summary.php?accno=576618&rptno=AIMD-00-295

Reported:
– Computer security fraught with weaknesses
– Physical and logical access controls were not effective in preventing or detecting systems intrusions and misuse
– Installation commanders give systems security a low priority

20

GAO Summary

More needs to be done … including instituting routine risk management activities aimed at ensuring that risks are understood; that appropriate controls are implemented commensurate with the risk, and that these controls operate as intended.

DUH!

21

What’s It Mean?

The wrong people are allowed to make decisions about information security.

The people who are making the decisions either don’t know or don’t care.

There are no incentives to do things correctly and no repercussions for doing things wrong (Deutsch Pardoned!)

22

A War Story

Reviewed proposed system architecture approx 10 months prior to its initial testing.
Architecture included FTP.
Developers insisted that they needed 65,000+ ports open in the firewall to handle FTP.
Told them to scan the ports during testing and come back with a better answer.
Also told them to harden the OS – Solaris (What’s OS hardening?)

23

War Story … cont.

The equipment showed up for testing installation and they still wanted 65,000+ ports.
I denied them permission to install.
Developers complained it would take too long to change the code.
Project manager said it would cost too much.
Three months of fighting with them (which they could have spent fixing the code).
Over-ruled by a Director who said she would “accept the risk” – and then she retired.

24

Did You Know …

Germany requires ALL banks to use hardened, “trusted” OSs for ALL systems

25

Accepting the Risk

Fancy way for management to say “get the hell out of the way.”

NO technical expertise and they want “simple” explanations.

When you try to explain the implications of their actions, they get pissed off.

They’ll accept the risk, but they sure as hell won’t put it in writing.

26

News Flash

Last year a hacker connected via the Internet to a printer at the Navy’s Space and Naval Warfare Center and rerouted a document to a server in Russia.

The Program Manager had accepted the risk to connect sensitive systems to the Internet.

Did anything happen to the Program Manager?

27

Security is Soooooo Inconvenient

NRO didn’t allow cell phones, two-way pagers, unclassified laptops, or PDAs into the building
– Cell phone microphones can be opened remotely, even when the system is turned off
– Classified data can be sent out of the building via text-based pagers
– Unclassified laptops and PDAs can store classified material

THEN the Director got a new cell phone …

28

Security is Soooooo Inconvenient #2

A junior sysadmin was found to have installed several hacking tools on major networks.
Senior management decided NOT to have the root passwords changed because it would:
– Take too long.
– Notify the general populace that “something” had happened.
– Interfere with normal operations.

29

Let the CIO Handle It?

Each agency has its own CIO.
Agencies and offices are loath to create MOAs or MOUs.
MOAs and MOUs are ignored.
NSA CIO had no idea how hugely interconnected they were – until everything “died” for four days last year.

30

Who Handles Incident Response?

Air Force CERT? (afcert)
Navy CERT? (navcert)
NSA? (noc)
CIA? NRO? DIA?
Keystone Kops?

31

Educate the Populace?

4,000 in one office.
Average length of time at the office is two years.
$$$? (… sigh …)
Most are computer illiterates who can’t even change passwords without help.

32

Inspector General’s Office?

Nice folks … but
– Understaffed
– Inexperienced
– Far too little technical expertise

Corrections they request are ignored – or lies are told.

33

Presidential Directive?

Been there – Done that
– PDD-63, Protecting America’s Critical Infrastructures
– By 2003, a “reliable, interconnected, and secure information systems infrastructure.”
– Federal Government to serve as a “model” for country
– Umpteen dozen new offices and positions

34

Hire More People?

Military billets are the cheapest
Average tour is 2 years
Pay scale is approximately 1/3 of market rate
More people does not ensure better security

35

Solutions?

Honey Nets and Honey Pots
Training, training, training for sys admins and security officers
Vulnerability labs within agencies should create their own listserver to share findings
Cancel ALL subscriptions to PC Magazine!
Stop looking at strong fortress walls and enforce common sense security within the walls

36

Corporate is Better

Take satisfaction in the fact that Corporate America is doing better than Government

You can more quickly take advantage of new technologies and react to new threats

More educational opportunities
– You don’t have to worry about revealing secret associations with companies

37

Windows 2K?

Not any better or any worse than what you have … but the Government doesn’t know that!
Default installations are always a risk
Who said that letting the OS make decisions for you would be a Good Thing?

38

</End Of Rant>

Questions?