On Tue, 07 Oct 2008, Sean Donelan wrote:
On Tue, 7 Oct 2008, Valdis.Kletnieks@vt.edu wrote:
On Tue, 07 Oct 2008 11:30:11 CDT, "J. Oquendo" said:
What about exceeding the minimum requirements for a change. (I think you'll find that if somebody is actually willing to *pay* for more security, there's plenty of outfits who are more than happy to make it happen)
What should the US Government buy for more security? And how can the US Government make sure they actually get what they are paying for?
I apologize for being naive. I guess 1.5 billion allocated to one state's Cybersecurity initiative *really* isn't enough to purchase the necessary load balancers, firewalls and personnel to audit the infrastructure for that one state.

Quote: "These include positions funded for Cyber Security (Public Service Account); the federal Disaster Preparedness Program (Weapons of Mass Destruction) through which the agency has granted over $1.5 billion in federal grant funds across the state; "

http://www.budget.state.ny.us/budgetFP/spendingReductions/agencyPlansPDF/NYS...

So much so (not enough) they've not looked into ramping UP their budget, but ramping it DOWN.

My thought would be to review the entire network as a whole, instead of the band-aid approach we've been taking, start fresh. Look at what's currently in place, audit, assess, re-do until they get it right. Contractors should be held accountable for breaches in an infrastructure. Before awarding a contract, I would do my best to have the wording changed from "minimum requirements" to securest implementation. Whether this securest implementation took 5 new engineers to give a closer review, so be it.

I'd have some form of interagency strategy of tiger teams in differing realms of government and perform war games testing amongst each others' networks. The theory would be if the best of the best in government can find a hole, so will an attacker. It could be incentive based where a monthly "DefGovCon" capture-the-flag-like training would take place to ensure that security issues are discovered internally and defended against. Teams would get prizes or recognition.

Our government has so many resources at its disposal there is no real reason I can see them not protecting themselves. What I do see is shifting of blame and responsibility. Ye old "Cover Your Ass" attitude. Accountability - it goes a long way with accounts receivable and accounts payable.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, CNDA, CHFI, OSCP

"Believe nothing, no matter where you read it, or who said it, no matter if I have said it, unless it agrees with your own reason and your own common sense." - Buddha

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB