Forwarded from: matthew patton <pattonmeat_private>

The Senator makes an excellent and accurate point. But how do we go about replacing the people we have in gov't NOW who continue to make bad decisions, and also go after the contractors who are implementing really bad security without a second thought?

I work on the FBI's new Trilogy program (replacement for their ineffectual case management system - nee 9/11) and at every turn all I get are really lame excuses why security isn't important - the chief one being "we're all good guys, everyone has a gun, and we all have TS security clearances, we use KG-84s to encrypt our trunk lines, etc." Like I'm supposed to be impressed. Proving to me or any auditor that the network is demonstrably secure is impossible. As the very FBI repeatedly asserts, 80+% of the threat is internal. Are they under the delusion that the same figure doesn't apply to them? No less after all the moles and traitors they've unearthed in the not too distant past?

Am I nuts to object strongly to the notion that Windows(tm) can be explicitly and fully trusted to provide authentication and prove the identity of the person on the other end of the keyboard, especially when the desktop's security is very much in question and the FBI wants to have non-repudiable logging of user activity? (Not to mention the rather sensitive nature of case contents and that they want to access it via handhelds at some point too.) Am I crazy to demand that the most trivial basics of secure web-programming guidelines (e.g. input validation, separation of function, protection of servers/processes from each other, and requiring re-authorization/re-authentication when using and dropping elevated privileges, etc.) must be followed regardless of claims of a supposedly secure network and that everybody, and I mean EVERYBODY, is on the up and up?
What about those legions of contractors who have their very fingers on the network infrastructure, or the maint/janitorial staff, or the security guards who have access to the cable plant at the very least? It's as if the FBI thinks they are immune to all of those simplistic human failures. "Oh, but we have a policy for that." Yeah, and like anybody actually lives by policies... What's worse is that the FBI *HAS* appropriate security infrastructure in place to do things better/correctly (small-time PKI rollout and SecurID etc.). "This is only a stop-gap solution" is another favorite. As is passing the buck to the "customer" who is, well, your typical information systems customer (let alone a gov't one): buzzwords from a menu, requirements all over the map and no real idea what they want.

Can anyone put me in touch with some heavy-hitting clued-in people over at the FBI who can not only help their own people "get it", but demand some real accountability from the contractors involved? The FBI should have told us to stuff that solution and come up with something that made sense, but they don't know enough to even comment on a bad idea, let alone tear it apart. As a 2-bit journeyman I can't seem to get anyone to pay the slightest attention, nor do they apparently (want to) understand just how flawed the whole design is from the get-go. I'd go a few steps up the food chain on my side, but I'm not convinced I wouldn't be seen as a yipping dog best removed from the organization, let alone the contract. I couldn't believe my ears when the boss said that if the customer is happy with the security as presented then I should shut up and sit down, that it was none of my concern. And that "you just don't understand, we're not on the Internet."
A year+ from now the FBI will have fielded a MAJOR national-security/law-enforcement impacting system at an incredibly high price tag (I've personally done systems of roughly comparable complexity with a staff of eight, not 200 persons) with but a figleaf for security (and an entertaining disaster recovery plan to boot). Shouldn't somebody care? Or has "Clinton-esque Accountability" permeated every hall of government? If "trained experts" are not allowed to pull the emergency brake and force a reality check, what chance is there EVER of changing the appalling security in the gov't IT landscape regardless of how many millions get thrown at the problem? Senator, how do you respond to that?

Maybe I should quit and become a used-car salesman or something...

> --- InfoSec News <isnat_private> wrote:
> > http://www.fcw.com/fcw/articles/2002/1021/news-cyber-10-21-02.asp
> >
> > By Diane Frank
> > Oct. 21, 2002
> >
> > The Senate passed a bill Oct. 16 that will provide more than $900
> > million over five years for cybersecurity research and development.
> > [...]
> >
> > "In the long run, all government and private-sector cybersecurity
> > efforts depend on people — trained experts with the knowledge and
> > skills to develop innovative solutions and respond creatively and
> > proactively to evolving threats,"

-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Oct 24 2002 - 02:24:21 PDT