1 Why Government Systems Fail at Security Chey Cobb chey@ February 15, 2001


Slide 1: Why Government Systems Fail at Security
Chey Cobb, chey@computer.org, February 15, 2001

Slide 2: My Background
  • Whoami
  • Firewall certification lab
  • Anti-virus testing lab
  • Web security since 1994
  • DoD systems architectures
  • Intelligence systems security architectures
  • Senior technical security advisor for IC
  • Security program manager

Slide 3: Recently Retired
  • There's no such thing as too young to retire!

Slide 4: Why THIS Topic?
  • Security needs to be discussed in the open. What is discussed behind closed doors tends to stay behind doors.
  • Credibility. No matter how you explain things to management, they tend not to believe you until they see the same thing in the public forum.

Slide 5: Don't Make the Same Mistakes
  • In many ways, the private sector is doing security much better than top secret facilities: keeping secrets while sharing data and systems and providing public access.
  • In government, people tend to think firewalls and IDS are a cure for security AIDS.
  • Promiscuous connections to multiple systems.
  • There is NO cure.

Slide 6: 3Ds
  • Disillusioned
  • Disgusted
  • Disappointed
  • ...and did I mention DISGUSTED?

Slide 7: War Stories
  • Chief of security was an English major whose last job was in HR.
  • Software developers didn't know what a hardened OS is.
  • NSA teams didn't know that web servers have many vulnerabilities.

Slide 8: War Stories 2
  • Keyboard strings as passwords. "Too much trouble to change it." "I use it on all my accounts." "It's so obvious nobody would think I use it."
  • Logging off at the end of the day was considered adequate security.
  • Root passwords on major systems had not been changed in 10 years.

Slide 9: What Does A Security Officer Do??
  • Fight... Ask your security officer what his/her last few big fights were about: of the last 10 fights, 9 involved internal politics. The 10th fight was probably horribly mundane.

Slide 10: The Word is $$$$$
  • Gov't thought they were saving money going to COTS.
  • Gov't can't match the wages of good security personnel.
  • Gov't can't afford to keep their systems updated.
  • Is Corporate America that much different?

Slide 11: Security Decision Maker
  • You can only pick two!

Slide 12: Case In Point
  • Firewalls and Intrusion Detection are new to many facilities.
  • They had to choose two from the triangle. Guess which two?
  • Sysadmins are not sent for training.
  • Security officers don't get their own monitoring systems.
  • In some circles, routers are still considered to be firewalls.

Slide 13: New Technologies?
  • The procurement process is broken. It can take up to FIVE years for a new system to be purchased and installed.
  • Engineering and Acquisitions don't talk. In some offices, Acquisitions buys the technology before consulting Engineering. Engineering is stuck with creating systems out of bargain basement clear-outs.

Slide 14: Why Haven't All Government Systems Been Hacked?
  • They are well hidden. But Security through Obscurity will bite them eventually.

Slide 15: Government Security Policies
  • Took FIVE years to get them written.
  • Took another year to get the agencies to all agree to use them.
  • Policies have different interpretations on key issues by the different agencies and organizations.
  • Director of Central Intelligence Directive 6/3, Protecting Sensitive Information within Information Systems: http://www.fas.org/irp/offdocs/dcid_6-3_20manual.htm

Slide 16: Sidebar: John Deutsch Case
  • In the unclassified version of his hearings he stated that he was not aware of the computer security rules.
  • He did not know that sending mail on the Internet with the name of cia_deutsch@aol.com would be a problem.
  • He was the HEAD of the CIA (a/k/a DCI). His office WROTE the policies and he signed off on them.
  • Is it possible that in fact he did know? And now he has been PARDONED?

Slide 17: Are They Wearing Blinders?
  • GAO ordered an exercise called Eligible Receiver to test the security of government systems (1997).
  • Found basic vulnerabilities in every single system they touched: rooted systems, launched DoS attacks, disrupted phone systems, read and ALTERED e-mail.
  • Most of this was done from the Internet.
  • People in Top Secret facilities do not believe this report.

Slide 18: 1998 GAO Investigation
  • http://www.gao.gov/AIndexFY98/category/Inform.htm
  • Survey of security officers found:
  • 66% stated they didn't have enough time or training to do their jobs.
  • 53% stated that security was an ancillary duty.
  • 305 of 709 were totally unaware of what they should be doing (43% for those of you who have not had enough caffeine yet).
  • 57% had no security training.

Slide 19: 2000 Investigation
  • AIMD-00-295, Information Security: Serious and Widespread Weaknesses Persist at Federal Agencies, www.gao.gov/docdblite/summary.php?accno=576618&rptno=AIMD-00-295
  • Reported: computer security fraught with weaknesses; physical and logical access controls were not effective in preventing or detecting systems intrusions and misuse; installation commanders give systems security a low priority.

Slide 20: GAO Summary
  • "More needs to be done including instituting routine risk management activities aimed at ensuring that risks are understood; that appropriate controls are implemented commensurate with the risk, and that these controls operate as intended."
  • DUH!

Slide 21: What's It Mean?
  • The wrong people are allowed to make decisions about information security.
  • The people who are making the decisions either don't know or don't care.
  • There are no incentives to do things correctly and no repercussions for doing things wrong (Deutsch pardoned!).

Slide 22: A War Story
  • Reviewed proposed system architecture approx. 10 months prior to its initial testing.
  • Architecture included FTP. Developers insisted that they needed 65,000+ ports open in the firewall to handle FTP.
  • Told them to scan the ports during testing and come back with a better answer.
  • Also told them to harden the OS, Solaris. ("What's OS hardening?")

Slide 23: War Story cont.
  • The equipment showed up for testing installation and they still wanted 65,000+ ports. I denied them permission to install.
  • Developers complained it would take too long to change the code. Project manager said it would cost too much.
  • Three months of fighting with them (which they could have spent fixing the code).
  • Over-ruled by a Director who said she would accept the risk, and then she retired.

Slide 24: Did You Know
  • Germany requires ALL banks to use hardened, trusted OSs for ALL systems.

Slide 25: Accepting the Risk
  • Fancy way for management to say "get the hell out of the way."
  • NO technical expertise, and they want simple explanations.
  • When you try to explain the implications of their actions, they get pissed off.
  • They'll accept the risk, but they sure as hell won't put it in writing.

Slide 26: News Flash
  • Last year a hacker connected via the Internet to a printer at the Navy's Space and Naval Warfare Center and rerouted a document to a server in Russia.
  • The Program Manager had accepted the risk to connect sensitive systems to the Internet.
  • Did anything happen to the Program Manager?

Slide 27: Security is Soooooo Inconvenient
  • NRO didn't allow cell phones, two-way pagers, unclassified laptops, or PDAs into the building:
  • Cell phone microphones can be opened remotely, even when the system is turned off.
  • Classified data can be sent out of the building via text-based pagers.
  • Unclassified laptops and PDAs can store classified material.
  • THEN the Director got a new cell phone.

Slide 28: Security is Soooooo Inconvenient #2
  • A junior sysadmin was found to have installed several hacking tools on major networks.
  • Senior management decided NOT to have the root passwords changed because it would: take too long; notify the general populace that something had happened; interfere with normal operations.

Slide 29: Let the CIO Handle It?
  • Each agency has its own CIO.
  • Agencies and offices are loath to create MOAs or MOUs.
  • MOAs and MOUs are ignored.
  • NSA CIO had no idea how hugely interconnected they were until everything died for four days last year.

Slide 30: Who Handles Incident Response?
  • Air Force CERT? (afcert)
  • Navy CERT? (navcert)
  • NSA? (noc)
  • CIA? NRO? DIA?
  • Keystone Kops?

Slide 31: Educate the Populace?
  • 4,000 in one office.
  • Average length of time at the office is two years.
  • $$$? (sigh)
  • Most are computer illiterates who can't even change passwords without help.

Slide 32: Inspector General's Office?
  • Nice folks, but: understaffed, inexperienced, far too little technical expertise.
  • Corrections they request are ignored or lies are told.

Slide 33: Presidential Directive?
  • Been there, done that.
  • PDD-63, Protecting America's Critical Infrastructures: "By 2003, a reliable, interconnected, and secure information systems infrastructure." Federal Government to serve as a model for the country.
  • Umpteen dozen new offices and positions.

Slide 34: Hire More People?
  • Military billets are the cheapest.
  • Average tour is 2 years.
  • Pay scale is approximately 1/3 of market rate.
  • More people does not ensure better security.

Slide 35: Solutions?
  • Honey Nets and Honey Pots.
  • Training, training, training for sysadmins and security officers.
  • Vulnerability labs within agencies should create their own listserver to share findings.
  • Cancel ALL subscriptions to PC Magazine!
  • Stop looking at strong fortress walls and enforce common sense security within the walls.

Slide 36: Corporate is Better
  • Take satisfaction in the fact that Corporate America is doing better than Government.
  • You can more quickly take advantage of new technologies and react to new threats.
  • More educational opportunities.
  • You don't have to worry about revealing secret associations with companies.

Slide 37: Windows 2K?
  • Not any better or any worse than what you have, but the Government doesn't know that!
  • Default installations are always a risk.
  • Who said that letting the OS make decisions for you would be a Good Thing?

Slide 38: Questions?
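The FTP war story on slides 22 and 23 (a request to open 65,000+ firewall ports, answered with "scan the ports during testing and come back with a better answer") has a concrete check behind it. The script below is an added example and is not part of the original talk: it audits a firewall policy for allow-rules that open an excessive port range and derives tighter rules from the ports actually observed during testing. The rule syntax, the host names, the 64-port threshold, the sample policy and the observed-port list are all constructed for the illustration and do not correspond to any real firewall's configuration language.

```python
"""Audit firewall allow-rules for overly broad port ranges and derive
tighter rules from the ports actually observed during testing.

Added example, not from the talk. The rule format, host names and sample
data below are constructed for illustration only.
"""
import re
from dataclasses import dataclass

# Constructed rule format: "<action> <proto> <src> -> <dst> ports <lo>[-<hi>]"
RULE_RE = re.compile(
    r"^(?P<action>allow|deny)\s+(?P<proto>tcp|udp)\s+(?P<src>\S+)\s*->\s*(?P<dst>\S+)"
    r"\s+ports\s+(?P<lo>\d+)(?:-(?P<hi>\d+))?$"
)


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    lo: int
    hi: int

    @property
    def width(self) -> int:
        """Number of ports this rule opens."""
        return self.hi - self.lo + 1


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    lo = int(m["lo"])
    hi = int(m["hi"]) if m["hi"] else lo
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range in rule: {line!r}")
    return Rule(m["action"], m["proto"], m["src"], m["dst"], lo, hi)


def broad_rules(rules, max_ports=64):
    """Return allow-rules that open more than max_ports ports at once."""
    return [r for r in rules if r.action == "allow" and r.width > max_ports]


def collapse_ports(ports):
    """Collapse observed ports into minimal contiguous (lo, hi) ranges."""
    ranges = []
    for p in sorted(set(ports)):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


def tightened_rules(rule, observed_ports):
    """Replace one broad rule with rules covering only ports seen in testing."""
    inside = [p for p in observed_ports if rule.lo <= p <= rule.hi]
    return [Rule(rule.action, rule.proto, rule.src, rule.dst, lo, hi)
            for lo, hi in collapse_ports(inside)]


def format_rule(r):
    span = f"{r.lo}" if r.lo == r.hi else f"{r.lo}-{r.hi}"
    return f"{r.action} {r.proto} {r.src} -> {r.dst} ports {span}"


# Constructed sample policy: the "65,000+ ports for FTP" request from the
# talk, next to ordinary single-port rules.
SAMPLE_POLICY = [
    "allow tcp any -> ftp-server ports 21",
    "allow tcp any -> ftp-server ports 1024-65535",
    "allow tcp any -> web-server ports 80",
]
# Constructed result of the port scan the talk recommends: the ports the FTP
# server was actually seen using during testing (control port plus a small
# passive-mode data range).
OBSERVED_DURING_TESTING = [21] + list(range(50000, 50010))


def audit(policy=SAMPLE_POLICY, observed=OBSERVED_DURING_TESTING, max_ports=64):
    """Return (original rule, ports opened, suggested replacement rules)
    for every allow-rule that is wider than max_ports."""
    rules = [parse_rule(line) for line in policy]
    findings = []
    for r in broad_rules(rules, max_ports):
        replacement = tightened_rules(r, observed)
        findings.append((format_rule(r), r.width,
                         [format_rule(x) for x in replacement]))
    return findings


if __name__ == "__main__":
    for original, width, replacement in audit():
        print(f"BROAD ({width} ports): {original}")
        for line in replacement:
            print(f"  suggest: {line}")
```

Run as-is, the audit flags the 1024-65535 rule as opening 64512 ports and proposes a single rule covering the ten passive-mode ports that testing actually exercised; feeding it a real policy and a real scan result means replacing the two constructed lists.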