Hard to Sprint When You Have Two Broken Legs

[InfoSec News <alerts () infosecnews org>]

http://carnal0wnage.attackresearch.com/2015/06/hard-to-sprint-when-you-have-two-broken.html

By Valsmith
June 14, 2015

Now as a disclaimer, I don't work for the government so there is a lot I don't 
know but I have friends who do or who have in the past and you hear things. I 
also pay attention and listen to questions I get in my training classes and 
conference talks.

This directive from the White House is laughable for a number of reasons and 
demonstrates just how out of touch decision makers in the Government are on 
these issues.

1.) Technically skilled people have been BEGGING to improve cyber security in 
the government for well over 15 years. I don't think this is any kind of 
secret, just google for a bit or talk to anyone who works in government in the 
trenches. Asking for staff, tools, budget, authority, support and getting 
little of it. In a way, this directive is insulting to them after years of 
asking, trying and failing suddenly someone says: "oh hey I have an idea, why 
don't you go and secure stuff!". Right.  Unless you are going to supply those 
things they need RIGHT NOW, they will fail. And government procurement and 
hiring organizations are notoriously slow so the chances of that happening are 
slim.

2.) IT Operations. The first thing that has to be in place for there to be any 
real chance is solid IT operations. Organizations have to be able to push out 
images and patches quickly, orderly, and with assurance. Backup recovery, 
knowledge of inventory, well managed systems, etc. are all paramount. Do you 
know how most government IT operations are managed? By contractors, aka the 
lowest bidder. These are the Raytheons, Booz Allens, Boeings, Lockheeds, etc. 
who bid on large omnibus support contracts, win them, and THEN try to fill the 
staffing requirements. How do you win the lowest bid in services / support 
contracts? By keeping staffing costs down, aka paying the lowest possible 
salaries. This results in some of the most piss-poor IT operations in the 
world. You want to know why Hilary Clinton, former Secretaries of Defense, and 
numerous other government staff run their own private mail servers? Most likely 
its because their work provided email DOESN'T work. Slow systems, tiny inbox 
quotas, inability to handle attachments, downtime, no crypto or crypto 
incompatible with anyone else, these are just a few of the issues out there. 
And its not just email.  I have personally seen a government conference room 
system take 15-20 minutes to log in at the windows login prompt, due too poor 
IT practices. I was told that most of the time people resorted to paper hand 
outs or overhead projectors. Yeh like the ones you had in highschool in the 90s 
with the light bulbs and transparencies.

Essentially what this directive is saying: "Hey you low end IT staff, winners 
of the lowest bid, who can barely keep a network up or run a mail server, make 
sure you become infosec experts and shore up our defenses, and you have 30 days 
to do it." Right. I have heard horror stories from acquaintances in the 
government of waiting 6 months for an initial account setup ticket to get 
performed. Weeks to get a new desktop deployed. It is idiotic to think that 
current IT operations can support this kind of request. But that is who 
typically manages servers, network and desktops, and who would have to deploy 
whatever security tools would be needed to do this in support of pitifully 
small infosec teams.

[...]



--
Evident.io - Continuous Cloud Security for AWS.
Identify and mitigate risks in 5 minutes or less.
Sign up for a free trial @ https://evident.io/