Sunday, June 14, 2015

Hard to Sprint When You Have Two Broken Legs

Today I saw this article: White House Tells Agencies to Tighten Up Cyber Defenses Immediately.

By Valsmith

Now as a disclaimer, I don't work for the government so there is a lot I don't know but I have friends who do or who have in the past and you hear things. I also pay attention and listen to questions I get in my training classes and conference talks.

This directive from the White House is laughable for a number of reasons and demonstrates just how out of touch decision makers in the Government are on these issues.

1.) Technically skilled people have been BEGGING to improve cyber security in the government for well over 15 years. I don't think this is any kind of secret, just Google for a bit or talk to anyone who works in government in the trenches. They have been asking for staff, tools, budget, authority, support and getting little of it. In a way, this directive is insulting to them: after years of asking, trying and failing, suddenly someone says: "oh hey I have an idea, why don't you go and secure stuff!". Right. Unless you are going to supply those things they need RIGHT NOW, they will fail. And government procurement and hiring organizations are notoriously slow so the chances of that happening are slim.

2.) IT Operations. The first thing that has to be in place for there to be any real chance is solid IT operations. Organizations have to be able to push out images and patches quickly, orderly, and with assurance. Backup recovery, knowledge of inventory, well managed systems, etc. are all paramount. Do you know how most government IT operations are managed? By contractors, aka the lowest bidder. These are the Raytheons, Booz Allens, Boeings, Lockheeds, etc. who bid on large omnibus support contracts, win them, and THEN try to fill the staffing requirements. How do you win the lowest bid in services / support contracts? By keeping staffing costs down, aka paying the lowest possible salaries. This results in some of the most piss-poor IT operations in the world. You want to know why Hillary Clinton, former Secretaries of Defense, and numerous other government staff run their own private mail servers? Most likely it's because their work-provided email DOESN'T work. Slow systems, tiny inbox quotas, inability to handle attachments, downtime, no crypto or crypto incompatible with anyone else, these are just a few of the issues out there. And it's not just email. I have personally seen a government conference room system take 15-20 minutes to log in at the Windows login prompt, due to poor IT practices. I was told that most of the time people resorted to paper handouts or overhead projectors. Yeah, like the ones you had in high school in the 90s with the light bulbs and transparencies.

Essentially what this directive is saying: "Hey you low end IT staff, winners of the lowest bid, who can barely keep a network up or run a mail server, make sure you become infosec experts and shore up our defenses, and you have 30 days to do it." Right. I have heard horror stories from acquaintances in the government of waiting 6 months for an initial account setup ticket to get performed. Weeks to get a new desktop deployed. It is idiotic to think that current IT operations can support this kind of request. But that is who typically manages servers, network and desktops, and who would have to deploy whatever security tools would be needed to do this in support of pitifully small infosec teams.

3.) Infosec staff and hiring. There are none available. If they are good and employable they are employed at a better job making more money. And if there are, you (the government) can't engage them. The pay scales for well trained infosec professionals in industry are off the charts, regardless of degree or "clearability". Why would anyone in their right mind join a government agency (or worse a government contractor) and make 70k a year, be subject to clearance requirements (how many hackers do you know who smoke weed?), and live in a place like Washington DC? Patriotism might draw some but that only goes so far.

Many agencies have strict requirements for education standards, sometimes certifications, and years of experience. There are a lot of truly talented and skilled people who might be willing to fill these jobs but would never meet the outdated requirements that are designed for classic engineers and scientists. The government HR departments have not and maybe will never catch up to this fact. HR staff are not typically technically skilled, are not paid that great, and are trying to make decisions on things they don't understand or know much about. The deck is stacked against them being successful at recruiting and retaining the crack infosec staff that would be needed to achieve this directive. It also often takes 9 months on average to hire someone.

There exist a number of highly skilled and trustable boutiques so maybe the government would engage them to do this work right? OH, sorry, these things have to be bid out. To the lowest bidder. Who has a war chest to wait through the 18 month, highly costly, contracting process. Who can meet all the government requirements for accredited accounting systems, policies and procedures for asset management, the FARs (10000000000000s of pages of regulations governing these sorts of contracts), and who can defeat an incumbent like a Lockheed or Bechtel with all their lobbying power, war chests, and former insiders now working as federal service sales staff. Commercial contracts take 2 weeks and have an NDA / MSA, maybe some insurance. That's about it, so from a business decision standpoint would you put your time into bidding on a government contract or pursuing commercial ones as a small infosec company?

4.) Legacy systems. The government has everything you can imagine somewhere running something. I would not at all be surprised by OS/2 Warp being in place somewhere. I have heard of VAXes running payroll systems. SPARC 10s as critical gateway servers for database applications. There is all this old stuff lying around, that few people understand anymore, that doesn't have great support or security guidelines, and often can't be updated. All a hacker has to do is compromise a Windows workstation and wait for the victim to SSH, zmodem, telnet, or whatever ancient protocol they use to communicate to legacy systems and just take screenshots in order to get viably useful information. They don't even need to really know how to use the legacy systems to steal their data. Just hack someone who does and watch. To be fair this exists in industry as well, it's not exclusive to the government, but it does greatly impact one's ability to fix security in 30 days.

5.) The wrong decision makers. Senior management in government agencies as well as politicians are often woefully inexperienced with cyber technology and security in general. A series of tubes, nuff said. But they don't always have or listen to advisers who are. I have heard of cases where in emergency knee jerk situations physicists are put in charge of designing cyber-security systems while the infosec staff are standing around holding their well thought out plans for addressing the issues wondering what just happened. Maybe we should have the IDS guy design the next missile system?

And I'm not just picking on the federal government. Most states are in even worse shape. Few companies in the private sector could pull this off either. Especially any the size of a government agency.

I could go on for pages describing reasons this directive is silly, but you get the idea. Maybe what is really needed here is a new Manhattan Project. When we built the bomb we went and found all the best people we could, incentivized them, removed most of the shackles, funded the hell out of them and LET them do what they are good at with smart guardrails in place to protect national security. Feynman was 24 when he was put in charge of a theoretical division group helping to work on the bomb. Put the right people in charge of the right components. It's a hard problem and we need a lot of smart people to figure out what to do, but here are some starting ideas:

1.) Follow in Mudge's laudable attempt with the DARPA Cyber-Fast Track program and make it easier and quicker to engage small infosec firms.

2.) Change the contracting guidelines for pricing on infosec services. We are not making bullets or other process based widgets where going with the lowest bid makes sense.

3.) Change the hiring guidelines and either allow managers to make hiring decisions or train HR staff to understand the requirements better. Remove education requirements. PAY people competitive rates. (Government pensions are not what they used to be and neither is the stability of the job so stop acting like that is enough to make up for it). Allow managers to fire incompetent infosec staff with a minimum of red tape.

4.) Fix your IT operations! Get rid of the lowest bid contractor carousel and implement some real, performance based, competition! (When a new contractor wins they often just end up hiring the same people away from the old contractor and sucking just as bad).

5.) Change clearance requirements (this would need proper compartmentalization to prevent problems) for infosec staff so that you can get some of those talented but unclearable people helping you somehow.

6.) Figure out remote work. Nobody wants to live in DC.

7.) Bring in smart infosec industry people, educate them on some of the problems and realities, and have them brainstorm to see what they might come up with. And I don't mean a bunch of Mitre and Booz consultants. I mean people with a proven track record in private industry. Partner them with your few strong government infosec staff and see what happens.

8.) Stop talking about how you are going to "hire 1000 infosec professionals this year" or "fix security in 30 days" while the perfectly good private sector national resources who could actually help are languishing out in the world wishing they could while the big contractors rake in taxpayer money and provide little value. You know where they are, go get them. Don't make them try to figure out the BAA process, it's not worth it to them.

In the meantime, good luck sprinting on two broken legs.




dre said...

The bar to hiring should be set stringently to two things:

1) Individual contributors should have a CISSP, a Security+, a CCNA:Security, or even just a CCNA in that preferred order. No high-school diploma or otherwise is necessary.
2) Managers should have an Open Group FAIR certification. Forget ISACA and ISC2 for these types. Make them understand risk with a formula or go back to their other business-management job using old technologies and old ways of doing projects. Take the FAIR guy or gal over the diploma every time, but make sure managers have business experience and acumen that relate to Millennials. Make sure that some are Millennials.

Two more things should happen once people get hired and start working:

1) People should work on value chains as their primary priority. They should improve the way that they do things ALL OF THE TIME. Old processes must go. Look to PASTA, i.e., the book "Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis", for new ideas, RACI matrixes, etc.
2) People you hire get to use whatever tools they want, as long as they pick a primary tool that maps to each value chain -- and it must be highly-automated. For incident response, try Google Rapid Response. For network and app penetration testing and vulnerability assessment, try sixdub-Minions and Arachni, plus metasploitHelper. DLP, use OpenDLP. Firewall and IPS, try Untangle firewall or Suricata IPS. SIEM, use OSSIM. Log management with file integrity monitoring -- easy peasy with OSSEC. Access controls needed, then U2F is a must-have. smicallef-spiderfoot or the Collective Intelligence Framework for threat intelligence information and Soltra Edge to share it with your industry ISAC. Do not bother with commercial tools -- those days are long gone. Give up any commercial stuff you already have. Shut it off and write it off. Call Gartner and tell them that you are listening to the beat of the open-source movement from now on, and that you're breaking up with them. It's time to move on.

Anonymous said...

Unfortunately I work for the Gov at the moment and have as active duty, a contractor for one of those big turd companies Val mentions and I'm currently a Gov Civilian working at the Director of a CNDSP. I only write this to back up 100% what Val says. Val's uber legit, those of us in the know in the industry all know that. Once again he's just preaching the Gospel truth here, there is no opinion really, the shit is just as he says. We are totally ass up and yet we scratch our heads with China 'hacks' OPM?! They supposedly used an 0-day, which is really silly as they could have just sent a macro embedded in Excel to get in, but we give them shitloads of $ so they can afford to buy that stuff on the open market I guess. Point is if they did use an 0-day how hilarious is it that all the basic sysad stuff they mandated we do in the next 30 days won't do shit all vs an 0-day, WTF is the point. I've said for years I don't believe we'll see any real change in the industry for a couple generations. As in we need the decision makers currently in the driver seat to retire or die off so folks that come up in the know on 'Cyber' can start to make a difference. Bah! I could ramble for days on my soap box. BTW writing anonymously as somebody will likely try and get in my shit for being a naysayer in a public forum. I do however take every opportunity I can to piss in all the false reality folks' Cheerios in official forums like the DoD CND working group and such.

Anonymous said...

I have worked in both private and public sector and I can attest to the statements made in this post. A lot of things need to change internally for InfoSec in the public sector in order to step up their game. I've been out of that arena now for two years and while the transition was intense in the change from military mind-set to start up mind-set; the technology, pay scale, and benefits are worth the transition.

Anonymous said...

I definitely agree! Hell, I'm still trying to convince the program office that our system is actually part of the DoDIN and subject to lawful orders. I've watched as people legitimately said that the mission system we run isn't part of the DoD network, without proof, for no reason other than they say so. And we're still using DOS 6, because the program office can't find its head from a hole in the ground. Our ISSM, who's been in this job for 10 years no less, actually got the definition of virus, worm, and trojan wrong in the base incident response plan, and NEVER ACTUALLY WROTE ONE for our mission system. This system has been around since the 70s, (although continuously modernized) and we're just now writing the incident response plan. In 10 years we've had at least 15 inspections, each telling us we failed, and guess what was fixed? Nothing. Why? Because "we're a standalone network, we can't possibly be hacked." There's so much bullshit with this that the ISSM should be sitting in jail for criminal negligence.

Anonymous said...

I feel like this article significantly understates the difficulty the government has hiring infosec staff. There is zero unemployment in the industry, and lots of us have significant issues with the US government's behavior (NSA spying, Wassenaar, overzealous prosecution of "hackers"). Even if the government offered equivalent salaries, lots of folks would rather work in industry.

Adam said...

Even better, a former CISSP that was smart enough to let their cert expire because such a person has demonstrated the wisdom necessary to recognize that the ISC2 is useless.

Anonymous said...

To Anonymous in the DoD CNDSP: I used to work in one & I RAN from that place. FAST. The incompetence is unbelievable in the DoD. You talk about systems being outdated? It's not the systems, it's the systems and the PEOPLE. I know a CDNSPM who allowed a malicious IP even though it was generating massive traffic against our IDS systems and I told him it would make sense to block it to save system resources but did not do so because the IP hosted an often-used search engine throughout the agency.
Inept is a nice way of putting it. Unfortunately, even some private industry is like that. But Gov't is far worse. They deserve it with their heads stuck up their @sses. Apparently now, the OPM hack is believed to be 4x worse than originally thought. I used to be a contractor, but now I'm done. They can keep their clearance and all their secret crap. The C.I.A. security principle huh? Availability above all else... this article is the truest I ever read.

Anonymous said...

Having worked in federal IT I can state there is a whole lot here that is wrong.

Where I worked everything - and I mean everything - was done by contractors. We had to have a civil servant in every meeting, on every call, on every trip, but contractors did all the work. We were well paid (well in to six figures a decade ago), the firms that hired us sought out the very best, and our budgets were pretty generous.

And apart from one time at hiring, we weren't drug tested. The civil servants at our agency weren't either.

The civil servants we reported to loved to find an excuse to launch a project, add to the next year's budget, or generally acquire new toys. If we told them all of the laptops had to be replaced with some new gee whiz expensive version with some special tech, they'd be all over it, regardless of the fact that they had zero understanding of the tech involved.

Unknown said...

@Dre... A CISSP or Sec+ as base requirements, are you kidding me? Those certs as highlighted requirements in the industry are a big part of the problem. I'm not saying the info is useless, both are very good survey of cyber sec style courses at different levels...but... Neither comes CLOSE to certifying someone can get the job done. They are like online college degrees, you get what you put into it, but exist mostly to make a profit (boot camp courses, re-cert fees, etc.) and literally ANYONE can get one if you stick around long enough and do some college style cramming.

For starters how about hiring people who can actually understand the languages computers speak. People who can code, script, read machine instructions, understand the guts of operating systems at an intimate level, understand electronic theory, understand the guts of networking equipment... and even *gasp* ACTUALLY understand the mathematics behind crypto *gasp* (you know that thing that gets like two questions on the CISSP). Maybe if we had people that actually understood these subjects you would have far fewer snake oil salesmen pushing ridiculous products based on their "patented algorithms" while all the CISSPs in the room nod their heads like they understand the actual science (or lack thereof) behind the product.

It truly baffles me how many CISSPs I have met who have been doing one track thought projects, like managing patches for years, think they are cyber experts but can't write a line of code... or worse don't know their way around the command line. When I see "John Doe CISSP, CEH, SEC+" on a card or resume the first thing I think is they don't really know their way around a computer system and are using the cert as a crutch. Then you have the hiring managers that haven't a clue what they are looking for and will pick that guy/gal who has the CISSP over the one that spent their time actually researching exploits and defenses to exploits because you can't sum that up with a cert.

Anonymous said...

Recently came across this point, and wanted to throw in my 2 cents. My career has been split: private industry & government. Based on my experience, Valsmith got more right than wrong. I can see cyber security changes coming in government; mostly based out of fear (i.e. "Oh ****, OPM got breached, maybe we should do something!" or more commonly from management, "Oh ****, I could lose my job if we get hacked!")

Maybe the breaches in recent years are finally bringing much-needed attention to cyber security (private & public sector). Where logic and reason haven't worked, management's fear of a breach seems to be helping the cause.

Sean said...

Raytheon wins big cyber contract
Yay, lowest bidder FTW!