
Why Government Systems Fail at Security
Chey Cobb
chey@computer.org
February 15, 2001

My Background
Whoami
Firewall certification lab
Anti-virus testing lab
Web security since 1994
DoD systems architectures
Intelligence systems security architectures
Senior technical security advisor for IC
Security program manager

Recently Retired
There's no such thing as too young to retire!

Why THIS Topic?


Security needs to be discussed in the open
What is discussed behind closed doors tends to
stay behind doors.
Credibility
No matter how you explain things to
management, they tend not to believe you
until they see the same thing in the public
forum.

Don't Make the Same Mistakes
In many ways, the private sector is doing security much better than top secret facilities:
Keeping secrets while sharing data and systems and providing public access.
In government, people tend to think firewalls and IDS are a cure for security.
AIDS
Promiscuous connections to multiple systems
There is NO cure

3Ds
Disillusioned
Disgusted
Disappointed
and did I mention

DISGUSTED?

War Stories
Chief of security was an English major whose last job was in HR.
Software developers didn't know what a hardened OS is.
NSA teams didn't know that web servers have many vulnerabilities.

War Stories 2
Keyboard strings as passwords.
"Too much trouble to change it."
"I use it on all my accounts."
"It's so obvious nobody would think I use it."
Logging off at the end of the day was considered adequate security.
Root passwords on major systems had not been changed in 10 years.
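The "keyboard strings as passwords" item above is the kind of thing a password-quality check can refuse at the moment a user picks it, before it ends up on every account. The following Python is an added example, not from this talk: it flags any password containing a run along a QWERTY keyboard row, forwards or backwards. The sample password list is constructed for the example.

```python
# Rows of a US QWERTY keyboard. A "keyboard string" password is a run along
# one of these in either direction (qwerty, 123456, poiuyt, and so on).
KEYBOARD_ROWS = ("`1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./")


def keyboard_run(password, min_len=4):
    """Return the longest run of at least min_len characters that walks along
    one keyboard row (either direction); '' if the password contains none."""
    p = password.lower()
    best = ""
    for row in KEYBOARD_ROWS:
        for sequence in (row, row[::-1]):
            for start in range(len(p)):
                # Try the longest chunk first, so the first hit is the longest.
                for end in range(len(p), start + min_len - 1, -1):
                    chunk = p[start:end]
                    if chunk in sequence:
                        if len(chunk) > len(best):
                            best = chunk
                        break
    return best


def audit_passwords(passwords, min_len=4):
    """Map each offending password to the keyboard run that disqualifies it."""
    findings = {}
    for pw in passwords:
        run = keyboard_run(pw, min_len)
        if run:
            findings[pw] = run
    return findings


# Constructed sample (invented for this example, not real credentials).
SAMPLE = ["qwerty123", "Poiuyt!", "asdfgh", "Tr0ub4dor&3", "1234567890",
          "correct horse"]

if __name__ == "__main__":
    for pw, run in audit_passwords(SAMPLE).items():
        print(f"rejected {pw!r}: keyboard run {run!r}")
```

The check only looks along rows; column walks such as `1qaz` and the numeric row typed with Shift held down are not covered, and a production checker would add those plus a dictionary test. The point of the example is that this class of password is mechanically detectable, so "it's so obvious nobody would think I use it" is not a defence.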

What Does A Security Officer Do??
Fight...
Ask your security officer what his/her last few big fights were about:
Of the last 10 fights, 9 involved internal politics.
The 10th fight was probably horribly mundane.

The Word is $$$$$
Gov't thought they were saving money going to COTS.
Gov't can't match the wages of good security personnel.
Gov't can't afford to keep their systems updated.
Is Corporate America that much different?

Security Decision Maker
You can only pick two!

Case In Point
Firewalls and Intrusion Detection are new to many facilities.
They had to choose two from the triangle; guess which two?
Sysadmins are not sent for training.
Security officers don't get their own monitoring systems.
In some circles, routers are still considered to be firewalls.

New Technologies?
The procurement process is broken.
It can take up to FIVE years for a new system to be purchased and installed.
Engineering and Acquisitions Don't Talk
In some offices, Acquisitions buys the technology before consulting Engineering.
Engineering is stuck with creating systems out of bargain basement clear-outs.

Why Haven't All Government Systems Been Hacked?
They are well hidden.
But Security through Obscurity will bite them eventually.

Government Security Policies
Took FIVE years to get them written.
Took another year to get the agencies to all agree to use them.
Policies have different interpretations on key issues by the different agencies and organizations.
Director of Central Intelligence Directive 6/3, Protecting Sensitive Information within Information Systems
http://www.fas.org/irp/offdocs/dcid_6-3_20manual.htm

Sidebar
John Deutsch Case
In the unclassified version of his hearings he stated that he was not aware of the computer security rules.
He did not know that sending mail on the Internet with the name of cia_deutsch@aol.com would be a problem.
He was the HEAD of the CIA (a/k/a DCI).
His office WROTE the policies and he signed off on them.
Is it possible that in fact he did know?
And now he has been PARDONED?

Are They Wearing Blinders?
GAO ordered exercise called Eligible Receiver to test the security of government systems (1997).
Found basic vulnerabilities in every single system they touched:
Rooted systems
Launched DoS attacks
Disrupted phone systems
Read and ALTERED e-mail
Most of this was done from the Internet.
People in Top Secret facilities do not believe this report.

1998 GAO Investigation
http://www.gao.gov/AIndexFY98/category/Inform.htm
Survey of security officers found:
66% stated they didn't have enough time or training to do their jobs.
53% stated that security was an ancillary duty.
305 of 709 were totally unaware of what they should be doing (43% for those of you who have not had enough caffeine yet).
57% had no security training.

2000 Investigation
AIMD-00-295, Information Security: Serious and Widespread Weaknesses Persist at Federal Agencies
www.gao.gov/docdblite/summary.php?accno=576618&rptno=AIMD-00-295
Reported:
Computer security fraught with weaknesses
Physical and logical access controls were not effective in preventing or detecting systems intrusions and misuse
Installation commanders give systems security a low priority

GAO Summary
"More needs to be done including instituting routine risk management activities aimed at ensuring that risks are understood; that appropriate controls are implemented commensurate with the risk, and that these controls operate as intended."
DUH!

What's It Mean?
The wrong people are allowed to make decisions about information security.
The people who are making the decisions either don't know or don't care.
There are no incentives to do things correctly and no repercussions for doing things wrong (Deutsch Pardoned!).

A War Story
Reviewed proposed system architecture approx 10 months prior to its initial testing.
Architecture included FTP.
Developers insisted that they needed 65,000+ ports open in the firewall to handle FTP.
Told them to scan the ports during testing and come back with a better answer.
Also told them to harden the OS, Solaris ("What's OS hardening?").

War Story cont.
The equipment showed up for testing installation and they still wanted 65,000+ ports.
I denied them permission to install.
Developers complained it would take too long to change the code.
Project manager said it would cost too much.
Three months of fighting with them (which they could have spent fixing the code).
Over-ruled by a Director who said she would accept the risk, and then she retired.
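The 65,000-port request in the war story above, and the instruction to scan the ports during testing, can be turned into a concrete review step that puts the cost of "accepting the risk" on paper. The following Python is an added example, not from this talk or from any project: it parses a constructed nmap-style scan of the FTP host and reports what each candidate firewall rule would expose to the Internet. The wide rule is what the developers asked for; the narrow rule assumes a passive-mode FTP server whose data port range (50000-50050) is an assumed, explicitly configured value.

```python
import re

# Constructed nmap-style scan of the FTP host taken during testing (invented
# for this example; none of these services are from the talk).
SCAN_OUTPUT = """\
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
1433/tcp  open  ms-sql-s
3306/tcp  open  mysql
5900/tcp  open  vnc
6000/tcp  open  X11
8080/tcp  open  http-proxy
50010/tcp open  ftp-data
"""

SCAN_LINE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)", re.MULTILINE)


def parse_scan(text):
    """Map each open TCP port in the scan to its reported service name."""
    return {int(port): service for port, service in SCAN_LINE.findall(text)}


# A rule is (name, [(low, high), ...]): inbound TCP ranges admitted from the
# Internet. The first is what the developers asked for, "for FTP".
WIDE_OPEN = ("all ephemeral ports", [(1024, 65535)])
# What a passive-mode FTP server actually needs: the control port plus the
# passive data range it is configured to use (50000-50050 is assumed here).
PASSIVE_FTP = ("FTP control + passive data range", [(21, 21), (50000, 50050)])


def allows(rule, port):
    """True if the rule admits inbound connections to this port."""
    return any(low <= port <= high for low, high in rule[1])


def rule_width(rule):
    """Number of TCP ports the rule exposes, whether or not anything listens."""
    return sum(high - low + 1 for low, high in rule[1])


def collateral_exposure(rule, scan):
    """Open, non-FTP services the rule would make reachable from the Internet."""
    return sorted((port, service) for port, service in scan.items()
                  if allows(rule, port) and not service.startswith("ftp"))


def compare_rules(scan_text=SCAN_OUTPUT, rules=(WIDE_OPEN, PASSIVE_FTP)):
    """Summarise each rule's footprint against what the scan found listening."""
    scan = parse_scan(scan_text)
    return {name: {"ports_opened": rule_width((name, ranges)),
                   "collateral": collateral_exposure((name, ranges), scan)}
            for name, ranges in rules}


if __name__ == "__main__":
    for name, summary in compare_rules().items():
        print(f"{name}: opens {summary['ports_opened']} ports; "
              f"collateral exposure: {summary['collateral'] or 'none'}")
```

The number a reviewer wants in the risk-acceptance memo is the collateral list: on this host the wide rule reaches every other listener above port 1023 (database, VNC, X11, a proxy), none of which FTP needed, while the pinned passive range exposes 52 ports and nothing but FTP itself. Rerunning the comparison against a fresh scan at each test installation is cheap, which is what "scan the ports and come back with a better answer" amounts to.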

Did You Know
Germany requires ALL banks to use hardened, trusted OSs for ALL systems.

Accepting the Risk
Fancy way for management to say "get the hell out of the way."
NO technical expertise and they want simple explanations.
When you try to explain the implications of their actions, they get pissed off.
They'll accept the risk, but they sure as hell won't put it in writing.

News Flash
Last year a hacker connected via the Internet to a printer at the Navy's Space and Naval Warfare Center and rerouted a document to a server in Russia.
The Program Manager had accepted the risk to connect sensitive systems to the Internet.
Did anything happen to the Program Manager?

Security is Soooooo Inconvenient
NRO didn't allow cell phones, two-way pagers, unclassified laptops, or PDAs into the building:
Cell phone microphones can be opened remotely, even when the system is turned off.
Classified data can be sent out of the building via text-based pagers.
Unclassified laptops and PDAs can store classified material.
THEN the Director got a new cell phone.

Security is Soooooo Inconvenient #2
A junior sysadmin was found to have installed several hacking tools on major networks.
Senior management decided NOT to have the root passwords changed because it would:
Take too long.
Notify the general populace that something had happened.
Interfere with normal operations.

Let the CIO Handle It?
Each agency has its own CIO.
Agencies and offices are loath to create MOAs or MOUs.
MOAs and MOUs are ignored.
NSA CIO had no idea how hugely interconnected they were until everything died for four days last year.

Who Handles Incident Response?
Air Force CERT? (afcert)
Navy CERT? (navcert)
NSA? (noc)
CIA?
NRO?
DIA?
Keystone Kops?

Educate the Populace?
4,000 in one office.
Average length of time at the office is two years.
$$$? (sigh)
Most are computer illiterates who can't even change passwords without help.

Inspector General's Office?
Nice folks, but:
Understaffed
Inexperienced
Far too little technical expertise
Corrections they request are ignored or lies are told.

Presidential Directive?
Been there, done that.
PDD-63, Protecting America's Critical Infrastructures
By 2003, a reliable, interconnected, and secure information systems infrastructure.
Federal Government to serve as a model for country.
Umpteen dozen new offices and positions.

Hire More People?
Military billets are the cheapest.
Average tour is 2 years.
Pay scale is approximately 1/3 of market rate.
More people does not ensure better security.

Solutions?
Honey Nets and Honey Pots
Training, training, training for sysadmins and security officers
Vulnerability labs within agencies should create their own listserver to share findings.
Cancel ALL subscriptions to PC Magazine!
Stop looking at strong fortress walls and enforce common sense security within the walls.

Corporate is Better
Take satisfaction in the fact that Corporate America is doing better than Government.
You can more quickly take advantage of new technologies and react to new threats.
More educational opportunities.
You don't have to worry about revealing secret associations with companies.

Windows 2K?
Not any better or any worse than what you have, but the Government doesn't know that!
Default installations are always a risk.
Who said that letting the OS make decisions for you would be a Good Thing?

</End Of Rant>
Questions?
