Fwd: cnn.com - Homeland Security seeks cyber counterattack system(Einstein 3.0)

J. Oquendo sil at infiltrated.net
Tue Oct 7 16:30:11 UTC 2008

On Tue, 07 Oct 2008, Sean Donelan wrote:

> On Mon, 6 Oct 2008, Buhrmaster, Gary wrote:
> >The Federal Government (through its "Trusted Internet
> >Connection" initiative) is trying to limit the number
> >of entry points into the US Government networks.
> >(As I recall from 4000 interconnects to around 50,
> >where both numbers have a high percentage of politics
> >in the error bar.)
> Assuming you were on an advisory panel, what advice would you give
> the US Government how to protect and defend its networks and ability
> to maintain service?
> Most government networks and services depend on private network operators
> at some level.

Here is my take on this, recycling something I answered in similar
context earlier today. Too many companies and individuals rely far
too heavily on a false and outdated concept of the definition of
"minimum requirements" when it comes to security. They tend to
think they need to implement the minimum requirements and all will
be fine. This is evident in almost all security management material
I read where the goal is to offer a "mininum" set of requirements
to meet guidelines and regulatory controls.

What about exceeding the minimum requirements for a change. I
associate "minimum requirements" with laziness especially when it
comes to security. If companies structured their business a little
better, it could be more beneficial for them to speak out and
capitalize on security costs instead of worrying about the ROI on
implementing security technologies and practices.

This whole consensus about security not "making money" is flawed
and the more people stick with their confirmation and status quo
biases, the more businesses will NOT dish out for security causing
headaches and financial misery along the way, it's self-induced.

Can't wholly blame managers, a lot has to be weighed on the
organizations around the world whose wordings have been taken out
of context: e.g. "Under the proposal being considered, an
independent audit would ensure that their networks are secure,"
he explained. "This audit process would work across business
sectors, and would require companies to meet a minimum standard
of security competency."

Many have taken the attitude to implement enough to meet MINIMUM
standards and this seems to be enough for them. Then some wonder
why systems get compromised. Concepts are taken out of context.
Just because an organization makes a recommendation on what
should be a "minimum", shouldn't mean companies or governments
should put in solely enough to meet compliance and guidelines.

Businesses and governments in this day and age should be going
above and beyond to protect not only themselves, but their clients,
infrastructure, investors, etc. Until then, we'll see the same,
putting out *just* enough to flaunt a piece of paper: "Minimum
requirements met" and nothing more. How is this security again?
How is minimizing the connection points going to really stop
someone from launching exploit A against a machine that hasn't
been properly patched? Might stop someone from somewhere in
China or so, but once an alternative entry point is found, that
vulnerability is still ripe for the "hacking".

J. Oquendo

"A good district attorney can indict a ham sandwich
if he wants to ... The accusations harm as much as
the convictions ... they're obviously harmful or it
wouldn't be news.." - John Carter

wget -qO - www.infiltrated.net/sig|perl


More information about the NANOG mailing list