http://carnal0wnage.attackresearch.com/2015/06/hard-to-sprint-when-you-have-two-broken.html
By Valsmith
June 14, 2015
Now as a disclaimer, I don't work for the government so there is a lot I don't
know but I have friends who do or who have in the past and you hear things. I
also pay attention and listen to questions I get in my training classes and
conference talks.
This directive from the White House is laughable for a number of reasons and
demonstrates just how out of touch decision makers in the Government are on
these issues.
1.) Technically skilled people have been BEGGING to improve cyber security in
the government for well over 15 years. I don't think this is any kind of
secret, just google for a bit or talk to anyone who works in government in the
trenches. Asking for staff, tools, budget, authority, support and getting
little of it. In a way, this directive is insulting to them: after years of
asking, trying and failing, suddenly someone says, "oh hey, I have an idea, why
don't you go and secure stuff!" Right. Unless you are going to supply those
things they need RIGHT NOW, they will fail. And government procurement and
hiring organizations are notoriously slow so the chances of that happening are
slim.
2.) IT Operations. The first thing that has to be in place for there to be any
real chance is solid IT operations. Organizations have to be able to push out
images and patches quickly, orderly, and with assurance. Backup recovery,
knowledge of inventory, well managed systems, etc. are all paramount. Do you
know how most government IT operations are managed? By contractors, aka the
lowest bidder. These are the Raytheons, Booz Allens, Boeings, Lockheeds, etc.
who bid on large omnibus support contracts, win them, and THEN try to fill the
staffing requirements. How do you win the lowest bid in services / support
contracts? By keeping staffing costs down, aka paying the lowest possible
salaries. This results in some of the most piss-poor IT operations in the
world. You want to know why Hillary Clinton, former Secretaries of Defense, and
numerous other government staff run their own private mail servers? Most likely
it's because their work-provided email DOESN'T work. Slow systems, tiny inbox
quotas, inability to handle attachments, downtime, no crypto or crypto
incompatible with anyone else; these are just a few of the issues out there.
And it's not just email. I have personally seen a government conference room
system take 15-20 minutes to log in at the Windows login prompt, due to poor
IT practices. I was told that most of the time people resorted to paper
handouts or overhead projectors. Yeah, like the ones you had in high school in
the 90s with the light bulbs and transparencies.
Essentially what this directive is saying: "Hey you low end IT staff, winners
of the lowest bid, who can barely keep a network up or run a mail server, make
sure you become infosec experts and shore up our defenses, and you have 30 days
to do it." Right. I have heard horror stories from acquaintances in the
government of waiting 6 months for an initial account setup ticket to get
performed. Weeks to get a new desktop deployed. It is idiotic to think that
current IT operations can support this kind of request. But that is who
typically manages servers, network and desktops, and who would have to deploy
whatever security tools would be needed to do this in support of pitifully
small infosec teams.
[...]