Forwarded from: matthew patton <pattonme@private>

> Unless DOD changes how it operates and learns to defend its cyber
> networks, many military experts say it will not be able to wage an
> effective battle in the cyberwar that is emerging as the 21st
> century's biggest challenge.

I don't go much for this bit about cyberwar this and that. Bombs, guns and boots on the ground is what ultimately matters. But if an adversary can jam and interfere with communications, then yes, it affects the delivery of the above. I do think DoD has to take a look at their comm systems and their comm demands and figure out if the equipment they have or intend to rely upon will be available when push comes to shove. Frequency hopping and line encryption is no longer the exclusive domain of tier-1 militaries. But I'm sure people far smarter than me have looked into that by now.

> The Pentagon is at a crossroads, said Air Force Lt. Gen. Charles
> Croom, the new director of the Defense Information Systems Agency
> and commander of the Joint Task Force for Global Network Operations
> (JTF-GNO). "Networks are too important to the warfighter to not have
> them when the warfight begins," he said.

So does this mean DoD/OSD firewalls are going to change to deny everything and then explicitly allow, and be VERY careful and deliberate about what they allow?

The Pentagon's primary problem is pandering - pandering to senior officers and officials. How many E3's, let alone junior officers and contractors who are theoretically following or at least trying to follow STIGs, are going to refuse to back down when the O6 or UnderSecretary is bellowing that "by god I will have my fill_in_the_blank"? Something as mindless as forcing the screen to lock out after 10/15 min of inactivity can nearly cause a revolt. Where are the senior managers who, instead of signing some lame waiver, throw the people out of their office and tell them in no uncertain terms to figure out how to do something in a secure fashion?
If the proper and secure solution is not convenient, then it's just too damn bad. Do it the right way or don't do it at all. No more of this tolerating substandard contractors and staff alike who refuse to spend any effort on doing things the secure way. It's not good enough to have a 'firewall' and then continue to be just as sloppy on the inside.

The military is used to operating in top-down mode. So how come there isn't an IAP-wide ban on telnet, cleartext ftp, RPC, NFS etc? Everything that is not designed or implemented correctly gets turned off. Period. No exceptions. Sure there will be a lot of silly screaming and temper tantrums, but the SecDEF on down need to get the message that sloppiness impacts the mission and costs lives. If a content creator can't upload to the web staging server because the "no clear ftp" rule is in effect, it's not time to browbeat or sidestep the policy, but rather time to get jumping ugly with the sysadmins who host the web content server to get their act together already. If the 'brass' won't even play by the rules and lay a heavy hand on their staff who don't want to either, then the General is wasting his breath.

(Un)fortunately this is not just a problem in the military. Plenty of Fortune 100's on down who have legal, regulatory, and business critical justifications to clean up their act are no more interested in fixing their messes either.

> Croom said DOD approaches computer network defense by emphasizing
> convenience to users, but the department's future information
> assurance strategy should tilt toward adding security.

I'd frankly settle for competence on the part of system admins instead of what we have now, which is laziness, lack of basic skills and knowledge, and an attitude of "security doesn't matter". Security is hard and inconvenient. And since it is, they don't want to do it.
Those organizations that have staffers who care routinely cut themselves off from the rest of the Pentagon and take matters into their own hands. Part of the justification is defense-in-depth. But a big reason is that Pentagon/DoD network security simply can't be relied upon. I don't care if the other 30,000 computers in the building are owned by the military; they have no business being able to see or connect to my machines, and neither do my machines have any business messing with anybody else. It is up to me to protect my users, and to protect the rest of the world *from* my users. That is my job. Few of my peers see it that way though.

> "The threat is great," Croom said. "It requires constant vigilance."

Well, how "great" does it have to get before the boot comes stamping down hard on 20 years of institutionalized carelessness? Organizations hate to change. Do we have to blow up the building a second time? Who's going to put the screws to the service CIO's and bring them to account? Who will in turn roll that snowball down the hill?

DoD had a decent rating/tracking system for patch management, and if an organization failed to keep abreast, it was plain to see. Granted it worked on the honor system and public humiliation, but why not put some real teeth in it and tie salaries to network security metrics? If say the OSD CIO was forced to take a 50% pay cut, and the rest of the managers on down the line, I think we'd find some boots firmly planted in some butts. All of a sudden, all those excuses why security couldn't be done or why NT4 can't be turned off would evaporate like the morning mist.

DITSCAP and other accreditation initiatives were a good idea. But what is useful about documenting the often glaring security deficiencies (assuming they were even recognized and identified as such) and getting somebody who won't be held accountable to sign off on them? Why aren't organizations forced to go back and FIX the problems?
> DOD turned to procurement to support these policies and develop new
> kinds of defenses for cyberattacks. First, the department chose
> Retina from eEye Digital Security to scan computers for
> vulnerabilities. Then, DOD selected Hercules from Citadel to patch
> computers. Next, the department built a new multimillion-dollar
> command center to monitor global network operations and picked
> PestPatrol, antispyware from Computer Associates International. DOD
> will soon begin testing Pest Patrol before introducing it later in
> the year.

This technology is all fine and good. But security is not a technology problem. It's a people problem. No amount of Hercules/PestPatrol/NortonAV is going to fix fundamental network engineering mistakes. The services don't necessarily have a massive patch management problem (though there are some that need motivating); they have a network architecture and mindset problem.

I've got a Nokia IPSO sitting on a rack. It's been there for 3 years. OSD tossed it at us and I guess figured we'd do something with it. Well, it's been acting as a doorstop and dust collector all this time. Nobody here knew what to do with it or had the necessary motivation (personal or organizational) to figure it out and engineer the network to make use of it. Within hours of arriving and being informed of my mission, I asked where our firewall was and discovered our all too typical state.

> "This is the equivalent of the Manhattan Project," Lentz said. "I
> will say we are at that level of seriousness of securing this
> massive network."
>
> Every four hours, he said, the equivalent of the entire Library of
> Congress' archives travels on DOD networks. To wage network-centric
> warfare, he said, the department's 4 million users must trust the
> confidentiality of the information that crosses GIG and be assured
> of its availability.

The amount of packets or the number of interconnects is not important.
Security done right all the way to the lowest levels makes a large, complex problem quite manageable. And that is where most organizations (incl. the gov't) fall flat on their face. When the department doesn't bother to practice good security, then it makes the division's job considerably more difficult. It's up to the division to cut the department off until they get their act straight. And on up the food chain. But if there are no marching orders and feet held to real fires, then nobody has incentive to put the screws hard to the people under their command. In the Army, god help the Lt. who has a member of his squad lose a case of ammo on an exercise. Is doing computer security that unimportant?

> "The risk of losing the engagement because the systems were hacked
> grows explosively," Paller said. President Bush has pledged to
> defend Taiwan if China attacks. And DOD has said the new local
> warfighting strategy of China's People's Liberation Army is to use
> computer network operations to seize the initiative and gain
> electromagnetic dominance early.

I can appreciate the vital significance of communications and data feeds in dealing with the fog of war. But we have mobile comm groups for a reason. Yes, it would be inconvenient not to be able to use the Taiwan phone system to interconnect battalions in the field with tactical HQ. But something tells me the Chinese will 'win' in Taiwan and it has nothing to do with their h4x0r skills or Taiwan's lackadaisical attitude toward infrastructure security. Then again, is it Taiwan's fault or more the telco provider itself who could care less about the security of the product (hardware and especially software) it sells?

Homeland Security has been beating their drum for a while now. Look what Cisco pulled at BlackHat. If we're all in this together, how come commercial entities continue to downplay their "social obligations"?
This latest worm knocked out what, several banks, an auto plant and probably lots of other lesser targets. I'll bet some pointed questions have been asked by now. But did anybody learn a lesson? Or are we just doomed to repeat the same idiocy the next time around?

_________________________________________
Attend ToorCon
Sept 16-18th, 2005
Convention Center
San Diego, California
www.toorcon.org
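The "deny everything, then explicitly allow" stance and the ban on telnet, cleartext ftp, RPC and NFS argued for in the message above, as an added example that is not part of the original post: a small Python policy builder that starts from a DROP default, emits allow rules only for an explicit, justified allow-list, refuses to open the banned services even when a justification is supplied, and renders the result as iptables commands. The names (BANNED, build_policy, render_iptables, PolicyViolation), the sample hosts and the sample requests are this example's own assumptions, not anything from the post.

```python
# Added example (not from the post): default-deny firewall policy builder.
# BANNED, build_policy and render_iptables are this example's own names;
# the ports are the well-known ones for the services the post wants banned.
BANNED = {
    ("tcp", 23): "telnet (cleartext logins)",
    ("tcp", 21): "ftp (cleartext credentials)",
    ("tcp", 111): "sunrpc portmapper",
    ("udp", 111): "sunrpc portmapper",
    ("tcp", 2049): "nfs",
    ("udp", 2049): "nfs",
}

class PolicyViolation(Exception):
    """Raised when an allow request would re-open a banned service."""

def build_policy(requests):
    """Turn (proto, port, source_cidr, reason) requests into allow rules.
    Anything not requested stays dropped; a banned service is refused no
    matter what justification comes with it (no waiver path on purpose)."""
    allowed = []
    for proto, port, src, reason in requests:
        if (proto, port) in BANNED:
            raise PolicyViolation(
                f"refusing {proto}/{port} from {src}: {BANNED[(proto, port)]}")
        if not reason.strip():
            raise PolicyViolation(f"{proto}/{port} from {src}: no justification")
        allowed.append((proto, port, src, reason))
    return allowed

def render_iptables(allowed):
    """Render the allow-list as iptables commands under a DROP default."""
    lines = [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for proto, port, src, reason in allowed:
        lines.append(f"# {reason}")
        lines.append(f"iptables -A INPUT -p {proto} -s {src} --dport {port} -j ACCEPT")
    lines.append("iptables -A INPUT -j LOG --log-prefix 'fw-drop: '")  # audit the drops
    return lines

# Constructed sample requests for one web staging host: sftp instead of cleartext ftp.
REQUESTS = [
    ("tcp", 22, "10.1.2.0/24", "sftp uploads from the content-creator subnet"),
    ("tcp", 443, "0.0.0.0/0", "public HTTPS"),
]
```

Running `render_iptables(build_policy(REQUESTS))` yields the rule list; a request for tcp/23 or udp/2049 raises PolicyViolation instead of producing a rule.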
This archive was generated by hypermail 2.1.3 : Wed Sep 07 2005 - 23:51:21 PDT