Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

Chey Cobb - Black Hat

advertisement 
Why Government Systems
Fail at Security
Chey Cobb
chey@computer.org
February 15, 2001
1
My Background
 Whoami
– Firewall certification lab
– Anti-virus testing lab
– Web security since 1994
– DoD systems architectures
– Intelligence systems security architectures
– Senior technical security advisor for IC
– Security program manager
2
Recently Retired
 There’s no such thing as “too young” to
retire!
3
Why THIS Topic?
 Security needs to be discussed in the open
– What is discussed behind closed doors tends to
stay behind doors.
 Credibility
– No matter how you explain things to
management, they tend not to believe you –
until they see the same thing in the public
forum.
4
Don’t Make the Same Mistakes
 In many ways, the private sector is doing security
much better than top secret facilities
– Keeping secrets while sharing data and systems and
providing public access.
 In government, people tend to think firewalls and
IDS are a “cure” for security
– AIDS
• Promiscuous connections to multiple systems
• There is NO cure
5
3Ds
Disillusioned
Disgusted
Disappointed
… and did I mention
DISGUSTED?
6
War Stories
 Chief of security was an English major
whose last job was in HR.
 Software developers didn’t know what a
“hardened OS” is.
 NSA teams didn’t know that web servers
have many vulnerabilities.
7
War Stories … 2
 Keyboard strings as passwords.
– “Too much trouble to change it.”
– “I use it on all my accounts.”
– “It’s so obvious nobody would think I use it.”
 Logging-off off at the end of the day was
considered “adequate” security.
 Root passwords on major systems had not
been changed in 10 years.
8
What Does A Security Officer
Do??
 Fight...
 Ask your security officer what his/her last
few big fights were about:
– Of the last 10 fights, 9 involved internal
politics.
– The 10th fight was probably horribly mundane.
9
The Word is $$$$$
 Gov’t thought they were saving money
going to COTS.
 Gov’t can’t match the wages of good
security personnel.
 Gov’t can’t afford to keep their systems
updated.
 Is Corporate America that much different?
10
Security Decision Maker
You can only pick two!
11
Case In Point
 Firewalls and Intrusion Detection are “new”
to many facilities
– They had to chose two from the triangle …
guess which two?
– Sysadmins are not sent for training.
– Security officers don’t get their own monitoring
systems.
– In some circles, routers are still considered to
be firewalls.
12
New Technologies?
 The procurement process is “broke”
– It can take up to FIVE years for a “new” system
to be purchased and installed
 Engineering and Acquisitions Don’t Talk
– In some offices, Acquistions buys the
technology before consulting Engineering.
– Engineering is stuck with creating systems out
of bargain basement clear-outs
13
Why Haven’t All Government
Systems Been Hacked?
They are well hidden
–But “Security through Obscurity”
will bite them eventually.
14
Government Security Policies
 Took FIVE years to get them written.
 Took another year to get the agencies to all agree
to use them.
 Policies have different interpretations on key
issues by the different agencies and organizations.
 Director of Central Intelligence Directive 6/3
“Protecting Sensitive Information within
Information Systems
– http://www.fas.org/irp/offdocs/dcid_6-3_20manual.htm
15
Sidebar
 John Deutsch Case
– In the unclassified version of his hearings he stated that
he “was not aware of the computer security rules”.
– He did not know that sending mail on the Internet with
the name of cia_deutsch@aol.com would be a problem
 He was the HEAD of the CIA … (a/k/a DCI) …
– His office WROTE the policies and he signed off on
them.
– Is it possible that in fact he did know?
 … and now he has been PARDONED?
16
Are They Wearing Blinders?
 GAO ordered exercise called “Eligible Receiver”
to test the security of government systems (1997).
 Found basic vulnerabilities in every single system
they touched:
–
–
–
–
–
Rooted systems
Launched DoS attacks
Disrupted phone systems
Read and ALTERED e-mail
Most of this was done from the Internet
 People in Top Secret facilities do not believe this
report.
17
1998 GAO Investigation
 http://www.gao.gov/AIndexFY98/category/Inform.htm
 Survey of security officers found:
– 66% stated didn’t have enough time or training
to do their jobs.
– 53% stated that security was an ancillary duty.
– 305 of 709 were totally unaware of what they
should be doing (43% for those of you who
have not had enough caffeine yet).
– 57% had no security training.
18
2000 Investigation
 AIMD-00-295, Information Security: Serious and
Widespread Weaknesses Persist at Federal
Agencies
– www.gao.gov/docdblite/summary.php?accno=576618&
rptno=AIMD-00-295
 Reported:
– Computer security fraught with weaknesses
– Physical and logical access controls were not
effective in preventing or detecting systems
intrusions and misuse
– Installation commanders give systems security a
low priority
19
GAO Summary
 More needs to be done … including
instituting routine risk management
activities aimed at ensuring that risks
are understood; that appropriate
controls are implemented
commensurate with the risk, and that
these controls operate as intended.
 DUH!
20
What’s It Mean?
 The wrong people are allowed to make
decisions about information security.
 The people who are making the decisions
either don’t know or don’t care.
 There are no incentives to do things
correctly and no repercussions for doing
things wrong (Deutsch Pardoned!)
21
A War Story
 Reviewed proposed system architecture approx 10
months prior to its initial testing.
 Architecture included FTP.
 Developers insisted that they needed 65,000+
ports open in the firewall to handle FTP.
 Told them to scan the ports during testing and
come back with a better answer.
 Also told them to harden the OS – Solaris (What’s
OS hardening?)
22
War Story … cont.
 The equipment showed up for testing installation
and they still wanted 65,000+ ports.
 I denied them permission to install.
 Developers complained it would take too long to
change the code.
 Project manager said it would cost too much.
 Three months of fighting with them (which they
could have spent fixing the code).
 Over-ruled by a Director who said she would
“accept the risk” – and then she retired.
23
Did You Know …
Germany requires ALL banks to
use hardened, “trusted” OS’s for
ALL systems
24
Accepting the Risk
 Fancy way for management to say “get the
hell out of the way.”
 NO technical expertise and they want
“simple” explanations.
 When you try to explain the implications of
their actions, they get pissed off.
 They’ll accept the risk, but they sure as hell
won’t put it in writing.
25
News Flash
 Last year a hacker connected via the
Internet to a printer at the Navy’s Space and
Naval Warfare Center and rerouted a
document to a server in Russia.
 The Program Manager had accepted the risk
to connect sensitive systems to the Internet.
 Did anything happen to the Program
Manager?
26
Security is Soooooo Inconvenient
 NRO didn’t allow cell phones, two-way pagers,
unclassified laptops, or PDAs into the building
– Cell phone microphones can be opened remotely, even
when the system is turned off
– Classified data can be sent out of the building via textbased pagers
– Unclassified laptops and PDAs can store classified
material
 THEN the Director got a new cell phone …
27
Security is Soooooo Inconvenient
#2
 A junior sysadmin was found to installed
several hacking tools on major networks.
 Senior management decided NOT to have
the root passwords changed because it
would:
– Take too long.
– Would notify the general populace that
“something” had happened.
– Would interfere with normal operations.
28
Let the CIO Handle It?
 Each agency has its own CIO.
 Agencies and offices are loath to create
MOAs or MOUs.
 MOAs and MOUs are ignored.
 NSA CIO had no idea how hugely
interconnected they were – until everything
“died” for four days last year.
29
Who Handles Incident Response?
 Air Force CERT? (afcert)
 Navy CERT? (navcert)
 NSA? (noc)
 CIA?
 NRO?
 DIA?
 Keystone Kops?
30
Educate the Populace?
 4,000 in one office.
 Average length of time at the office is two
years.
 $$$? (… sigh …)
 Most are computer illiterates who can’t
even change passwords without help.
31
Inspector General’s Office?
 Nice folks … but
– Understaffed
– Inexperienced
– Far too little technical expertise
 Corrections they request are ignored – or
lies are told.
32
Presidential Directive?
 Been there – Done that
– PDD-63, Protecting America’s Critical
Infrastructures
– By 2003, a “reliable, interconnected, and secure
information systems infrastructure.”
– Federal Government to serve as a “model” for
country
– Umpteen dozen new offices and positions
33
Hire More People?
 Military billets are the cheapest
 Average tour is 2 years
 Pay scale is approximately 1/3 of market
rate
 More people does not ensure better security
34
Solutions?
 Honey Nets and Honey Pots
 Training, training, training for sys admins
and security officers
 Vulnerability labs within agencies should
create their own listserver to share findings
 Cancel ALL subscriptions to PC Magazine!
 Stop looking at strong fortress walls and
enforce common sense security within the
walls
35
Corporate is Better
 Take satisfaction in the fact that Corporate
America is doing better than Government
 You can more quickly take advantage of
new technologies and react to new threats
 More educational opportunities
– You don’t have to worry about revealing secret
associations with companies
36
Windows 2K?
 Not any better or any worse than what you
have
 … but the Government doesn’t know that!
 Default installations are always a risk
 Who said that letting the OS make decisions
for you would be a Good Thing?
37
</End Of Rant>
 Questions?
38
Related documents
EDS spectrum of α-monoclinic selenium nanowires
EDS spectrum of α-monoclinic selenium nanowires
Purdue University - Department of Computer Science and Engineering
Purdue University - Department of Computer Science and Engineering
Schedule - AGA Washington, DC Chapter
Schedule - AGA Washington, DC Chapter
Map & Directions to the DC Workshops at GAO - Mid
Map & Directions to the DC Workshops at GAO - Mid
Audio Script Here
Audio Script Here
tip sheet - Investigate Midwest
tip sheet - Investigate Midwest
Homework 3 Solutions
Homework 3 Solutions
preliminary
preliminary
6300-4 July 15, 2009
6300-4 July 15, 2009
GAO High-Risk Program: Highlighting the Need for
GAO High-Risk Program: Highlighting the Need for
July 7, 2003 The Honorable Tom Davis Chairman, Committee on Government Reform
July 7, 2003 The Honorable Tom Davis Chairman, Committee on Government Reform
Document11275646 11275646
Document11275646 11275646
GAO Testimony
GAO Testimony
Document11056056 11056056
Document11056056 11056056
GAO COMPUTER SECURITY Pervasive, Serious
GAO COMPUTER SECURITY Pervasive, Serious
August 19, 2005 The Honorable George V. Voinovich
August 19, 2005 The Honorable George V. Voinovich
June 14, 2006 The Honorable George V. Voinovich Chairman
June 14, 2006 The Honorable George V. Voinovich Chairman
GAO Testimony
GAO Testimony
august 4, 2012 luncheon slide presentation by gene l. dorado
august 4, 2012 luncheon slide presentation by gene l. dorado
Department of Homeland Security Daily Open Source Infrastructure Report for 30 July 2007
Department of Homeland Security Daily Open Source Infrastructure Report for 30 July 2007
GAO SECURE BORDER INITIATIVE DHS Needs to Address
GAO SECURE BORDER INITIATIVE DHS Needs to Address
June 30, 2009 The Honorable Diane Watson Chairwoman
June 30, 2009 The Honorable Diane Watson Chairwoman
Download
advertisement