Dailydave mailing list archives

Re: Myth: The US is more vulnerable to information warfare because it is more reliant on information technology


From: "Jeffrey Denton" <dentonj () gmail com>
Date: Wed, 22 Aug 2007 02:11:13 +0200

Every time someone within the DoD goes public and starts rattling sabres,
it's because a shortcoming has been identified and resources are
needed to fix the problem.  Resources can be in the form of money,
personnel, training/skill set, authority, etc.

The DoD has long suffered from personnel rotations.  This causes
problems in training people, retaining trained/experienced people, and
stable leadership.  People get trained up and become halfway
proficient at what they do, rotate to another duty station, leave the
service, move up in rank and take on other responsibilities, etc.  New
leadership comes in with a different set of priorities and focuses on
different tasks.  It's not uncommon for an unfinished task to be
scrapped when someone new takes charge.  Government civilians provide
some continuity.  Some are good, others are looking to retire.
Overall, the pay isn't good enough to retain quality throughout the
work force.  Defense contractors have been filling the gaps with
training and experience.  But this smooths over the problem until a
contract goes up for rebid and gets lost to another company that
underbids.

Point 1:  Not sure what to say here other than government agencies
have publicly claimed that their critical infrastructure is using
equipment that is so old, no one would know what to do with it, let
alone know how to break into it.  Just because 10 organized hackers
are better than one lone hacker doesn't mean you can ignore the ankle
biters.  The ankle biters are the ones triggering all of the alarms
which in turn consumes most of your time.  You can't ignore them
because that ankle biter may be an inexperienced team member of the
other 9 that own your network (other people suffer from personnel
rotation problems too...)

Point 2:  "The US is a hard system to model."  That is true of any
complex system.  The components are easy to model.  Yes, a MiG is easy
to model.  Even an F22 would be easy to model.  Try modeling the Air
Force of a country.  Little more complex.  Model a network switch or
an OS.  Little easier.

Point 3:  "Complexity breeds resilience."  In relation to security,
complexity is inherently insecure.  This horse has been beaten to
death many times.  Add the rotation of people in and out of a complex
environment as I stated above and complexity can become very difficult
to comprehend for those trying to protect the infrastructure.

Point 4:  "Technology is adopted quickly in the US, making it a fast-moving
target."  Rapidly changing technology makes it difficult for people
defending the infrastructure to keep up.  Policy is slow to adapt.
Training on new technology doesn't happen overnight.  By the time some
organization has formally conducted an evaluation of a new technology
and released a security technical implementation guide, you already
have half a dozen of those devices on your network that some hacker
found holes in the day after it was released.  Some enterprising
individual on the defense side may have already bothered to read the
manual, but that seems to be the exception and not the rule.

Point 5:  "Having a "target rich environment" overwhelms an attacker's
analytical capability."  I have a hard time believing this is one of
your arguments.  A target rich environment is also known as easy
pickings.  Anyone who's done a penetration test will tell you they
only need to find one hole.  That one hole will lead to many more.
Those defending have to protect against every possibility.  In a
complex environment as you pointed out in point 3, defending that
environment against attack becomes complex as well.

There is a big push for standardization to get rid of complexity and
get rid of the "target rich environment".  Everyone will use this AV
product, this OS configured with this baseline, managed with these
tools, scanned for vulnerabilities and compliance with a different set
of spelled out tools, only use this vendor for network devices, etc.
Standardization tends to create tunnel vision.  Standardization
forgets about the other "legacy" stuff on the network.
Standardization doesn't see the details inside big solutions.  Buy a
big SAN solution to do virtualization.  The associated network
equipment will probably not be from the only vendor that is authorized
when purchasing networking equipment.  Contract out a big solution,
don't be surprised when what gets developed doesn't meet your
standardization.  What?  Tell them to fix it?  Was it spelled out in
the contract?  "No, then give us more money...."  But those
standardized tools don't monitor that other stuff.  Don't worry,
tunnel vision will make sure everyone forgets about that other stuff.
Add a complex environment, new technologies, personnel rotation
problems, standardization, and you soon have a network full of holes.

For points 3, 4, and 5, "You don't know what you don't know."

Point 6:  "Everyone repeats this Myth yet no one has any data to back
it up."  The DoD is the one making the most noise.  They are going to
keep any evidence that they are getting their asses handed to them
classified.  About the only evidence you may see is sabre rattling.

Dave, you cannot have evidence, not yours.

"Myth: The US is more vulnerable to information warfare because it is
more reliant on information technology. Some people like to say the US
is "uniquely vulnerable"."

That can be debated either way.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
