Fwd: cnn.com - Homeland Security seeks cyber counterattack system (Einstein 3.0)

J. Oquendo sil at infiltrated.net
Tue Oct 7 13:23:20 CDT 2008


On Tue, 07 Oct 2008, Sean Donelan wrote:

> On Tue, 7 Oct 2008, Valdis.Kletnieks at vt.edu wrote:
> >On Tue, 07 Oct 2008 11:30:11 CDT, "J. Oquendo" said:
> >>What about exceeding the minimum requirements for a change.
> >(I think you'll find that if somebody is actually willing to *pay* for more
> >security, there's plenty of outfits who are more than happy to make it 
> >happen)
> 
> What should the US Government buy for more security?  And how can the US 
> Government make sure they actually get what they are paying for?
> 
> 

I apologize for being naive. I guess 1.5 billion allocated to one
state's Cybersecurity initiative *really* isn't enough to purchase
the necessary load balancers, firewalls and personnel to audit the
infrastructure for that one state.

Quote: "These include positions funded for Cyber Security (Public Service Account);
the federal Disaster Preparedness Program (Weapons of Mass Destruction)
through which the agency has granted over $1.5 billion in federal grant funds across
the state; "

http://www.budget.state.ny.us/budgetFP/spendingReductions/agencyPlansPDF/NYSOHS_FMP.pdf

So much so (not enough) they've not looked into ramping UP their
budget, but ramping it DOWN. My thought would be to review the
entire network as a whole, instead of the bandaid approach we've
been taking, start fresh. Look at what's currently in place,
audit, assess, re-do until they get it right.

Contractors should be held accountable for breaches in an
infrastructure. Before awarding a contract, I would do my best
to have the wording changed from "minimum requirements" to
securest implementation. Whether this securest implementation
took 5 new engineers to give a closer review, so be it.

I'd have some form of interagency strategy of tiger teams in
differing realms of government and perform war games testing
amongst each other's networks. The theory would be if the
best of the best in government can find a hole, so will an
attacker. It could be incentive based where a monthly
"DefGovCon" capture the flag like training would take place
to ensure that security issues are discovered internally and
defended against. Teams would get prizes or recognition.

Our government has so many resources at its disposal there is
no real reason I can see them not protecting themselves. What
I do see is shifting of blame and responsibility. Ye old
"Cover Your Ass" attitude.  Accountability - it goes a long
way with accounts receivable and accounts payable. 


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, CNDA, CHFI, OSCP

"Believe nothing, no matter where you read it, or
who said it, no matter if I have said it, unless it
agrees with your own reason and your own common
sense." - Buddha

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB




