Fail at Security
Chey Cobb
chey@computer.org
February 15, 2001
My Background
Whoami
Firewall certification lab
Anti-virus testing lab
Web security since 1994
DoD systems architectures
Intelligence systems security architectures
Senior technical security advisor for IC
Security program manager
Recently Retired
There's no such thing as too young to retire!
3Ds
Disillusioned
Disgusted
Disappointed
and did I mention
DISGUSTED?
War Stories
Chief of security was an English major
War Stories 2
Keyboard strings as passwords.
Too much trouble to change it.
I use it on all my accounts.
It's so obvious nobody would think I use it.
Logging off at the end of the day was
going to COTS.
Gov't can't match the wages of good security personnel.
Gov't can't afford to keep their systems updated.
Is Corporate America that much different?
Case In Point
Firewalls and Intrusion Detection are new
to many facilities
They had to choose two from the triangle
guess which two?
Sysadmins are not sent for training.
Security officers don't get their own monitoring systems.
In some circles, routers are still considered to
be firewalls.
New Technologies?
The procurement process is broken
It can take up to FIVE years for a new system
to be purchased and installed
Engineering and Acquisitions Don't Talk
In some offices, Acquisitions buys the
technology before consulting Engineering.
Engineering is stuck with creating systems out
of bargain basement clear-outs
to use them.
Policies have different interpretations on key
issues by the different agencies and organizations.
Director of Central Intelligence Directive 6/3
Protecting Sensitive Information within
Information Systems
http://www.fas.org/irp/offdocs/dcid_6-3_20manual.htm
Sidebar
John Deutch Case
In the unclassified version of his hearings he stated that
he was not aware of the computer security rules.
He did not know that sending mail on the Internet with
the name of cia_deutsch@aol.com would be a problem
He was the HEAD of the CIA (a/k/a DCI)
His office WROTE the policies and he signed off on
them.
Is it possible that in fact he did know?
and now he has been PARDONED?
Rooted systems
Launched DoS attacks
Disrupted phone systems
Read and ALTERED e-mail
Most of this was done from the Internet
report.
2000 Investigation
AIMD-00-295, Information Security: Serious and
Reported:
Computer security fraught with weaknesses
Physical and logical access controls were not
effective in preventing or detecting systems
intrusions and misuse
Installation commanders give systems security a
low priority
GAO Summary
More needs to be done including
What's It Mean?
The wrong people are allowed to make
A War Story
Reviewed proposed system architecture approx 10
News Flash
Last year a hacker connected via the
MOAs or MOUs.
MOAs and MOUs are ignored.
NSA CIO had no idea how hugely
interconnected they were until everything
died for four days last year.
CIA?
NRO?
DIA?
Keystone Kops?
years.
$$$? ( sigh )
Most are computer illiterates who can't
even change passwords without help.
Presidential Directive?
Been there Done that
PDD-63, Protecting America's Critical
Infrastructures
By 2003, a reliable, interconnected, and secure
information systems infrastructure.
Federal Government to serve as a model for
country
Umpteen dozen new offices and positions
rate
More people does not ensure better security
Solutions?
Honey Nets and Honey Pots
Training, training, training for sys admins
Corporate is Better
Take satisfaction in the fact that Corporate
Windows 2K?
Not any better or any worse than what you
have
but the Government doesn't know that!
Default installations are always a risk
Who said that letting the OS make decisions
for you would be a Good Thing?
</End Of Rant>
Questions?