Dailydave mailing list archives
Re: Myth: The US is more vulnerable to information warfare because it is more reliant on information technology
From: "Jeffrey Denton" <dentonj () gmail com>
Date: Wed, 22 Aug 2007 02:11:13 +0200
Every time someone within the DoD goes public and starts rattling sabres, it's because a shortcoming has been identified and resources are needed to fix the problem. Resources can be in the form of money, personnel, training/skill set, authority, etc.

The DoD has long suffered from personnel rotations. This causes problems in training people, retaining trained/experienced people, and stable leadership. People get trained up and become halfway proficient at what they do, rotate to another duty station, leave the service, move up in rank, take on other responsibilities, etc. New leadership comes in with a different set of priorities and focuses on different tasks. It's not uncommon for an unfinished task to be scrapped when someone new takes charge.

Government civilians provide some continuity. Some are good, others are looking to retire. Overall, the pay isn't good enough to retain quality throughout the work force. Defense contractors have been filling the gaps with training and experience. But this smooths over the problem until a contract goes up for rebid and gets lost to another company that underbids.

Point 1: Not sure what to say here other than government agencies have publicly claimed that their critical infrastructure is using equipment that is so old, no one would know what to do with it, let alone know how to break into it. Just because 10 organized hackers are better than one lone hacker doesn't mean you can ignore the ankle biters. The ankle biters are the ones triggering all of the alarms which in turn consumes most of your time. You can't ignore them because that ankle biter may be an inexperienced team member of the other 9 that own your network (other people suffer from personnel rotation problems too...).

Point 2: "The US is a hard system to model." That is true of any complex system. The components are easy to model. Yes, a MIG is easy to model. Even an F22 would be easy to model. Try modeling the Air Force of a country. Little more complex. Model a network switch or an OS. Little easier.

Point 3: "Complexity breeds resilience." In relation to security, complexity is inherently insecure. This horse has been beaten to death many times. Add the rotation of people in and out of a complex environment as I stated above and complexity can become very difficult to comprehend for those trying to protect the infrastructure.

Point 4: "Technology is adopted quickly in the US, making it a fast-moving target." Rapidly changing technology makes it difficult for people defending the infrastructure to keep up. Policy is slow to adapt. Training on new technology doesn't happen overnight. By the time some organization has formally conducted an evaluation of a new technology and released a security technical implementation guide, you already have half a dozen of those devices on your network that some hacker found holes in the day after it was released. Some enterprising individual on the defense side may have already bothered to read the manual, but that seems to be the exception and not the rule.

Point 5: "Having a "target rich environment" overwhelms an attacker's analytical capability." I have a hard time believing this is one of your arguments. A target rich environment is also known as easy pickings. Anyone who's done a penetration test will tell you they only need to find one hole. That one hole will lead to many more. Those defending have to protect against every possibility. In a complex environment as you pointed out in point 3, defending that environment against attack becomes complex as well.

There is a big push for standardization to get rid of complexity and get rid of the "target rich environment". Everyone will use this AV product, this OS configured with this baseline, managed with these tools, scanned for vulnerabilities and compliance with a different set of spelled out tools, only use this vendor for network devices, etc.

Standardization tends to create tunnel vision. Standardization forgets about the other "legacy" stuff on the network. Standardization doesn't see the details inside big solutions. Buy a big SAN solution to do virtualization. The associated network equipment will probably not be from the only vendor that is authorized when purchasing networking equipment. Contract out a big solution, don't be surprised when what gets developed doesn't meet your standardization. What? Tell them to fix it? Was it spelled out in the contract? "No, then give us more money...." But those standardized tools don't monitor that other stuff. Don't worry, tunnel vision will make sure everyone forgets about that other stuff.

Add a complex environment, new technologies, personnel rotation problems, standardization, and you soon have a network full of holes.

For points 3, 4, and 5, "You don't know what you don't know."

Point 6: "Everyone repeats this Myth yet no one has any data to back it up." The DoD is the one making the most noise. They are going to keep any evidence that they are getting their asses handed to them classified. About the only evidence you may see is sabre rattling. Dave, you cannot have evidence, not yours.

"Myth: The US is more vulnerable to information warfare because it is more reliant on information technology. Some people like to say the US is "uniquely vulnerable"." That can be debated either way.