Re: Cyber bill gets boost

[InfoSec News <isn () c4i org>]

Forwarded from: matthew patton <pattonme () yahoo com>

The Senator makes an excellent and accurate point. But how do we go
about replacing the people we have in gov't NOW who continue to make
bad decisions, and also go after the contractors who are implementing
really bad security without a second thought?

I work on the FBI's new Trilogy program (replacement for their
ineffectual case mangement system - nee 9/11) and at every turn all I
get are really lame excuses why security isn't important - the chief
one being "we're all good guys, everyone has a gun, and we all have TS
security clearances, we use KG84's to encrypt our trunk lines, etc."  
Like I'm supposed to be impressed. Proving to me or any auditor that
the network is demonstrably secure is impossible. As the very FBI
repeatedly asserts, 80+% of the threat is internal. Are they under the
delusion that the same figure doesn't apply to them? No less after all
the moles and traitors they've unearthed in the not too distant past?

Am I nuts to object strongly to the notion that Windows(tm) can be
explicitly and fully trusted to provide authentication and prove
identity of the person on the other end of the keyboard, especially
when the desktop's security is very much in question and the FBI wants
to have non-repudiatable logging of user activity? (not to mention the
rather sensitive nature of case contents and that they want to access
it via handhelds at some point too) Am I crazy to demand that the most
trivial basics of secure web-programming guidelines (eg. input
validation, separation of function, protection of servers/processes
from each other, and requiring re-authorization/re-authentication when
using and dropping elevated privileges etc.) must be followed
regardless of claims of a supposedly secure network and that everybody
and I mean EVERYBODY is on the up and up? What about those legions of
contractors who have their very fingers on the network infrastructure
or the maint/janitorial staff, or the security guards who have access
to the cable plant at the very least? It's as if the FBI thinks they
are immune to all of those simplistic human failures. "Oh, but we have
a policy for that." Yeah, and like anybody actually lives by
policies...

What's worse is that the FBI *HAS* appropriate security infrastructure
in place to do things better/correctly (small-time PKI rollout and
SecureID etc). "This is only a stop-gap solution" is another favorite.
As is passing the buck to the "customer" who is, well, your typical
information systems customer (let alone a gov't one): buzzwords from a
menu, requirements all over the map and no real idea what they want.

Can anyone put me in touch with some heavy-hitting clued-in people
over at the FBI that can not only help their own people "get it", but
demand some real accountability from the contractors involved? The FBI
should have told us to stuff that solution and come up with something
that made sense, but they don't know enough to even comment on a bad
idea let alone tear it apart. As a 2-bit journeyman I can't seem to
get anyone to pay the slightest attention nor do they apparently (want
to) understand just how flawed the whole design is from the get go.
I'd go a few steps up the food chain on my side but I'm not convinced
I wouldn't be seen as a yipping dog best removed from the organization
let alone the contract. I couldn't believe my ears when the boss said,
that if the customer is happy with the security as presented then I
should shut up and sit down, that it was none of my concern. And that
"you just don't understand, we're not on the Internet."

A year+ from now the FBI will have fielded a MAJOR
national-security/law-enforcement impacting system at an incredibly
high price tag (I've personally done systems of roughly comparable
complexity with a staff of eight, not 200 persons) with but a figleaf
for security (and an entertaining disaster recovery plan to boot).
Shouldn't somebody care? Or has "Clinton-esque Accountability"
permeated every hall of government? If "trained experts" are not
allowed to pull the emergency brake and force a reality check, what
chance is there EVER of changing the appalling security in the gov't
IT landscape regardless of how many millions get thrown at the
problem?

Senator, how do you respond to that?


Maybe I should quit and become a used-car salesman or something...

> --- InfoSec News <isn () c4i org> wrote:
>
> > http://www.fcw.com/fcw/articles/2002/1021/news-cyber-10-21-02.asp
> >
> > By Diane Frank 
> > Oct. 21, 2002
> >
> > The Senate passed a bill Oct. 16 that will provide more than $900
> > million over five years for cybersecurity research and development.
>
> [...]
>
> > "In the long run, all government and private-sector cybersecurity
> > efforts depend on people — trained experts with the knowledge and
> > skills to develop innovative solutions and respond creatively and
> > proactively to evolving threats,"



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.