OPM Data Breach - Whitehouse Petition - Help Wanted

Joe Klein jsklein at gmail.com
Thu Jun 18 18:37:49 UTC 2015


Based on prior work in this space, the problems are as follows:

0. Political appointees don't stick around for long, therefore they can
always point to the last guy as the problem. They are also gone before
the impact of their lack of security focus affects their jobs.

1. Executives and middle managers are not compensated or recognized for
having secure systems; therefore operations and missions take priority. This
includes disabling all security if the operation requires it, and the PM
justifies it.

2. Architecture of systems seldom includes a security architect from the
beginning, with security added later at a substantial expense.

3. Test plans are inadequate and at times the wrong test plan for the
technology being audited.

4. Third-party contractors performing audits and assessments are paid by
the IT department to provide a favorable report, as quickly as possible. To
accomplish this, the testing is minimal, the qualifications of the staff
are low, and the contractor's PM has the ability to change findings to
ensure the customer looks good.

5. System and network admins - they too are not compensated for secure
systems, only for the systems operating. This forces prioritizing
operations over security.

6. Developers are not held accountable for secure code, and their
contractors ignore the issues, even in the few instances where a security
clause is included in the contract.

7. Many architectures are built around a security product, and not the risk
profile.

8. Stovepipes - Many organizations have competing political goals, and spend
time on CYA instead of making things secure by default.

9. Contractor staff training - contractors promise training to customer-facing
staff, but never budget for that training. Instead the
contract companies see this as OJT on the taxpayer dime.

From a game theory standpoint, it turns out security always loses.

Joe Klein
"Inveniam viam aut faciam"

On Thu, Jun 18, 2015 at 1:35 PM, William Herrin <bill at herrin.us> wrote:

> On Wed, Jun 17, 2015 at 8:54 PM, Ronald F. Guilmette
> <rfg at tristatelogic.com> wrote:
> > I've just started a new Whitehouse Petition, asking
> > that the director of OPM, Ms. Archueta, be fired for gross incompetence.
>
> Hi Ronald,
>
> The core problem here is that the Authority To Operate (ATO) process
> consumes essentially the entire activity of a USG computing project's
> security staff. The non-sensical compliance requirements, which if
> taken literally just about prevent you from ever connecting any
> computer to any other, get in the way of architecting systems around
> pragmatic and effective security.
>
> There's no use blaming the director for a broken system she's
> compelled to employ, one far out of her control. The next warmer of
> that seat is constrained to do no better.
>
> Regards,
> Bill Herrin
>
>
>
> --
> William Herrin ................ herrin at dirtside.com  bill at herrin.us
> Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
>
