cnn.com - Homeland Security seeks cyber counterattack system (Einstein 3.0)
I presume this CNN article falls within the "Internet operational and technical issues" (especially security) criteria of the NANOG AUP, in terms of "operat[ing] an Internet connected network", especially where Chertoff refers to " like an anti-aircraft weapon, shoot down an [Internet] attack before it hits its target".
http://www.cnn.com/2008/TECH/10/04/chertoff.cyber.security/index.html
Homeland Security seeks cyber counterattack system
WASHINGTON (CNN) -- First, there was "Einstein," the federal government's effort to protect itself from cyber attacks by limiting the number of portals to government computer systems and searching for signs of cyber tampering.
Then Einstein 2.0, a system now being tested to detect computer intrusions as they happen.
And in the future? Perhaps Einstein 3.0, which would give the government the ability to fight back.
Homeland Security Secretary Michael Chertoff on Friday said he'd like to see a government computer infrastructure that could look for early indications of computer skullduggery and stop it before it happens.
The system "would literally, like an anti-aircraft weapon, shoot down an attack before it hits its target," he said. "And that's what we call Einstein 3.0."
At a meeting with reporters to highlight National Cyber Security Month, Chertoff reiterated his belief that the government should aggressively defend its computer systems, saying that terrorists, if they gain expertise already available to others, would "cause potentially very serious havoc" to government systems.
"Let's make the investment now rather than wait until there's a huge catastrophe," he said.
But despite his emphasis on the risks posed, Chertoff said the government is moving slowly to avoid stepping on the toes of the private sector as it addresses calls to reorganize the governance of cyberspace to provide accountability and authority.
"I think the question of what is the government's role in cyberspace in general needs to be discussed among all the stakeholders, because there is a culture of cyberspace that is an open architecture," he said. "And I think if we just came in and said we want to take it over, there'd be, understandably, a considerable amount of discomfort with that."
"We are deliberately going slowly because we recognize that the issue of government involvement in the Internet is fraught with all kinds of potential concerns and potential anxieties about not having the government have a big-foot impact on an area of communication and commerce that has traditionally been viewed as really independent and free."
Chertoff said the government is "feeling our way to what is the right mix of government involvement with protecting the Internet in the private domain while preserving everybody's comfort level that we're not going to be in their business in a way that would be inappropriate."
Asked if he envisioned a world with two cyberspaces, he said he envisions a world with "a lot of different levels of security and trust, depending upon the nature of what it is that you're doing."
"We already have that now, in the sense that we have classified systems which are walled off from unclassified systems," he said.
The Bush administration released its National Cyber Security Initiative in January. The "most immediate component" of it from the Department of Homeland Security's perspective, Chertoff said, is to increase security for federal government computer systems.
But another priority is to work with the private sector to address threats to businesses. This includes not only protection from hackers, but also from counterfeit parts, which an individual or another nation could use to create vulnerabilities in the United States, he said.
Tony Patti
CIO
S. Walter Packaging Corp.
Tony Patti wrote:
I presume this CNN article falls within the "Internet operational and technical issues" (especially security) criteria of the NANOG AUP, in terms of "operat[ing] an Internet connected network", especially where Chertoff refers to " like an anti-aircraft weapon, shoot down an [Internet] attack before it hits its target".
<snip>
The system "would literally, like an anti-aircraft weapon, shoot down an attack before it hits its target," he said. "And that's what we call Einstein 3.0."
I'm not sure that this may not be veering into political OT, but, to the extent that proactive and automated reaction tools are being considered, even as benign as internal blackhole route generation, it may be worth discussing cases where, for various reasons, an automated defense system did not operate and people died.
From a technical perspective, the Iran Air shootdown probably would not have happened, rather like Chernobyl, if there hadn't been humans in the loop overriding safeguards and making determinations of threats. In particular, if one wanted to look at a technical parallel that actually might be useful in network operations, part of the Iran Air disaster was that the decisions were all being made at one point, the ship that actually fired the missiles. Think centralized routing. Now, there's a military technique called Cooperative Engagement Capability that I liken to link state routing; it's a distributed computation model where each participating ship, radar aircraft, etc., gets the sensor information from the others, and the decision-making can become much more precise. In the Iran Air incident, at least one other U.S. ship had radar tracking on the airliner and was trying to warn that it was not a valid target. I'm saying this technically and from a standpoint of fault analysis avoidance, not politics.
Just as the USS Vincennes' captain caused a disaster by deciding to fire on a very questionable target, the USS Stark took missile hits because the captain had not turned on the missile defenses. The one SCUD hit in the Gulf War that caused major casualties was not engaged at all, apparently from a mixture of one radar being down for maintenance while the backup had not received a software patch to deal with a clock synchronization bug; the bug caused the radar to decide the incoming missile was an artifact and it was removed from the target list.
Less seriously, my first reaction to Chertoff's statement is that the antiaircraft barrage already exists, is called Windows XP Pro Service Pack 3, which is sufficiently fanatical on my machine that its uninstaller committed suicide.
-----Original Message-----
From: Joel Jaeggli [mailto:joelja@bogus.com]
Sent: Sunday, October 05, 2008 12:47 PM
To: Tony Patti
Cc: nanog@nanog.org
Subject: Re: cnn.com - Homeland Security seeks cyber counterattack system(Einstein 3.0)
Tony Patti wrote:
I presume this CNN article falls within the "Internet operational and technical issues" (especially security) criteria of the NANOG AUP, in terms of "operat[ing] an Internet connected network", especially where Chertoff refers to " like an anti-aircraft weapon, shoot down an [Internet] attack before it hits its target".
<snip>
The system "would literally, like an anti-aircraft weapon, shoot down an attack before it hits its target," he said. "And that's what we call Einstein 3.0."
Bad idea,
The rogue government would use hospitals and power stations, to "cyber human shield" against the counter attack.
You guys are living in cloud cuckoo land. The rogue government wouldn't have their bot nets in home computers that you could shut down easily.
Read my rant about it all with the link below that I typed in May 2008 to stop the "Afcyber" idea going through.
http://lists.grok.org.uk/pipermail/full-disclosure/2008-May/062517.html
All the best,
n3td3v
---------- Forwarded message ----------
From: Tony Patti <tony@swalter.com>
Date: Sun, Oct 5, 2008 at 5:20 PM
Subject: cnn.com - Homeland Security seeks cyber counterattack system (Einstein 3.0)
To: "nanog@nanog.org" <nanog@nanog.org>
I presume this CNN article falls within the "Internet operational and technical issues" (especially security) criteria of the NANOG AUP, in terms of "operat[ing] an Internet connected network", especially where Chertoff refers to " like an anti-aircraft weapon, shoot down an [Internet] attack before it hits its target".
http://www.cnn.com/2008/TECH/10/04/chertoff.cyber.security/index.html
Homeland Security seeks cyber counterattack system
There is no need to attack the attacking computers... this would be a mostly useless process and you'd always miss some. If the 'attacks' could not be filtered, the 'external' links to that nation would be 'cut', the internet would be segmented, and we could all go back to our regularly planned days.
On Sun, Oct 5, 2008 at 2:30 PM, n3td3v <xploitable@gmail.com> wrote:
Bad idea,
The rogue government would use hospitals and power stations, to "cyber human shield" against the counter attack.
You guys are living in cloud cuckoo land. The rogue government wouldn't have their bot nets in home computers that you could shut down easily.
Read my rant about it all with the link below that I typed in May 2008 to stop the "Afcyber" idea going through.
http://lists.grok.org.uk/pipermail/full-disclosure/2008-May/062517.html
All the best,
n3td3v
---------- Forwarded message ---------- From: Tony Patti <tony@swalter.com> Date: Sun, Oct 5, 2008 at 5:20 PM Subject: cnn.com - Homeland Security seeks cyber counterattack system (Einstein 3.0) To: "nanog@nanog.org" <nanog@nanog.org>
I presume this CNN article falls within the "Internet operational and technical issues" (especially security) criteria of the NANOG AUP, in terms of "operat[ing] an Internet connected network", especially where Chertoff refers to " like an anti-aircraft weapon, shoot down an [Internet] attack before it hits its target".
http://www.cnn.com/2008/TECH/10/04/chertoff.cyber.security/index.html
Homeland Security seeks cyber counterattack system
I have a big problem with politicians making technical decisions that may look good at the political level but make no sense at the technical level. "fighting back" implies that your own facilities will be busy pinging thousands of bots to death around the world. Yeah, smart. Looks good during a politician's speech, but in reality, what good does "fighting back" do when the remote computers won't be hurt by it? I think the speech would have far more credibility if the politician had used terms such as "dynamic protection against attacks" where the network would reconfigure itself dynamically to block attacks etc etc.
Jean-François Mezei wrote:
I have a big problem with politicians making technical decisions that may look good at the politicial level but make no sense at the technical level.
Works in the financial world, doesn't it.
--
Eppure si rinfresca
ICBM Targeting Information: http://tinyurl.com/4sqczs
On Sun, 05 Oct 2008 18:30:11 BST, n3td3v said:
You guys are living in cloud cuckoo land. The rogue government wouldn't have their bot nets in home computers that you could shut down easily.
Which is easier to shut down, an attack coming from a relatively small number of /16s that belong to the government, or one coming from the same number of source nodes scattered *all* over Comcast and Verizon and BT and a few other major providers?
Hint 1: Consider the number of entry points into your network for the two cases, especially if you are heavily peered with one or more of the source ISPs. Consider also the "shoot self in foot" outcome if you decide to block *all* of Comcast, Verizon, BT and the others....
Hint 2: If botnets in home computers were so easy to shut down, why are there so many miscreants still using them for nefarious purposes?
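As an added example (not code from anyone on this thread), the following Python runs the two cases Valdis contrasts through a simple collateral-damage estimate: the same number of attacking hosts either inside a few /16s or scattered across large consumer-ISP aggregates, blocked per host, per /16, or by taking out the whole owner. The prefixes and source addresses are constructed sample data, not real allocations.

```python
"""Collateral-damage estimate for blocking an attack by source prefix.

Added example for the thread's "/16s vs. scattered bots" argument; this is
not code from any poster.  Every prefix and address below is constructed
sample data, not a real allocation.
"""
import ipaddress
from collections import Counter

# Constructed sample aggregates.  Three /16s stand in for a government
# network; three large aggregates stand in for consumer ISPs.
GOV_PREFIXES = ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"]
ISP_PREFIXES = ["172.16.0.0/12", "100.64.0.0/10", "10.128.0.0/9"]


def sample_sources(prefixes, count, stride_16s=7):
    """Constructed attack sources: spread `count` addresses round-robin over
    `prefixes`, jumping `stride_16s` /16s between consecutive picks from the
    same aggregate.  Inside a /16 this collapses to consecutive hosts; inside
    a large aggregate it lands the sources in many different /16s, the way
    bots scattered across a consumer ISP would."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    sources = []
    for i in range(count):
        net = nets[i % len(nets)]
        k = i // len(nets)
        offset = (k * stride_16s * 65536 + 1 + k) % net.num_addresses
        sources.append(net.network_address + offset)
    return sources


def block_plan(sources, prefixlen):
    """Summarise the sources into block entries at one prefix length.
    Returns (entries, addresses_blocked, addresses_blocked_per_attacker).
    The last figure is the collateral: how many addresses you take down for
    each attacking host you actually stop."""
    entries = Counter(
        ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        for addr in sources
    )
    blocked = sum(net.num_addresses for net in entries)
    return len(entries), blocked, blocked / len(sources)


def owner_plan(sources, prefixes):
    """Block every owner aggregate that contains at least one source: the
    "block all of Comcast, Verizon and BT" option.  Same return shape."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    hit = [net for net in nets if any(addr in net for addr in sources)]
    blocked = sum(net.num_addresses for net in hit)
    return len(hit), blocked, blocked / len(sources)


def compare(count=300):
    """Run the concentrated and scattered scenarios side by side."""
    concentrated = sample_sources(GOV_PREFIXES, count)
    scattered = sample_sources(ISP_PREFIXES, count)
    return {
        "concentrated": {
            "/32 entries": block_plan(concentrated, 32),
            "/16 entries": block_plan(concentrated, 16),
            "whole owners": owner_plan(concentrated, GOV_PREFIXES),
        },
        "scattered": {
            "/32 entries": block_plan(scattered, 32),
            "/16 entries": block_plan(scattered, 16),
            "whole owners": owner_plan(scattered, ISP_PREFIXES),
        },
    }


if __name__ == "__main__":
    for scenario, plans in compare().items():
        print(scenario)
        for name, (entries, blocked, per_attacker) in plans.items():
            print(f"  {name:13s} entries={entries:4d} "
                  f"blocked={blocked:10d} collateral/attacker={per_attacker:9.1f}")
```

With 300 sources the concentrated case needs three /16 entries and takes down 196,608 addresses; the scattered case needs 180 /16 entries (or three whole-owner entries covering over 13 million addresses) to stop the same 300 hosts.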
Which is easier to shut down, an attack coming from a relatively small number of /16s that belong to the government, or one coming from the same number of source nodes scattered *all* over Comcast and Verizon and BT and a few other major providers?
Hint 1: Consider the number of entry points into your network for the two cases, especially if you are heavily peered with one or more of the source ISPs.
The Federal Government (through its "Trusted Internet Connection" initiative) is trying to limit the number of entry points into the US Government networks. (As I recall from 4000 interconnects to around 50, where both numbers have a high percentage of politics in the error bar.)
On Mon, 6 Oct 2008, Buhrmaster, Gary wrote:
The Federal Government (through its "Trusted Internet Connection" initiative) is trying to limit the number of entry points into the US Government networks. (As I recall from 4000 interconnects to around 50, where both numbers have a high percentage of politics in the error bar.)
Assuming you were on an advisory panel, what advice would you give the US Government how to protect and defend its networks and ability to maintain service? Most government networks and services depend on private network operators at some level.
On Tue, 07 Oct 2008, Sean Donelan wrote:
On Mon, 6 Oct 2008, Buhrmaster, Gary wrote:
The Federal Government (through its "Trusted Internet Connection" initiative) is trying to limit the number of entry points into the US Government networks. (As I recall from 4000 interconnects to around 50, where both numbers have a high percentage of politics in the error bar.)
Assuming you were on an advisory panel, what advice would you give the US Government how to protect and defend its networks and ability to maintain service?
Most government networks and services depend on private network operators at some level.
Here is my take on this, recycling something I answered in similar context earlier today.
Too many companies and individuals rely far too heavily on a false and outdated concept of the definition of "minimum requirements" when it comes to security. They tend to think they need to implement the minimum requirements and all will be fine. This is evident in almost all security management material I read where the goal is to offer a "minimum" set of requirements to meet guidelines and regulatory controls. What about exceeding the minimum requirements for a change. I associate "minimum requirements" with laziness especially when it comes to security.
If companies structured their business a little better, it could be more beneficial for them to speak out and capitalize on security costs instead of worrying about the ROI on implementing security technologies and practices. This whole consensus about security not "making money" is flawed and the more people stick with their confirmation and status quo biases, the more businesses will NOT dish out for security causing headaches and financial misery along the way, it's self-induced.
Can't wholly blame managers, a lot has to be weighed on the organizations around the world whose wordings have been taken out of context: e.g. "Under the proposal being considered, an independent audit would ensure that their networks are secure," he explained. "This audit process would work across business sectors, and would require companies to meet a minimum standard of security competency." (http://www.net-security.org/secworld.php?id=1731)
Many have taken the attitude to implement enough to meet MINIMUM standards and this seems to be enough for them. Then some wonder why systems get compromised. Concepts are taken out of context. Just because an organization makes a recommendation on what should be a "minimum", shouldn't mean companies or governments should put in solely enough to meet compliance and guidelines.
Businesses and governments in this day and age should be going above and beyond to protect not only themselves, but their clients, infrastructure, investors, etc. Until then, we'll see the same, putting out *just* enough to flaunt a piece of paper: "Minimum requirements met" and nothing more. How is this security again? How is minimizing the connection points going to really stop someone from launching exploit A against a machine that hasn't been properly patched? Might stop someone from somewhere in China or so, but once an alternative entry point is found, that vulnerability is still ripe for the "hacking".
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, CNDA, CHFI, OSCP
"A good district attorney can indict a ham sandwich if he wants to ... The accusations harm as much as the convictions ... they're obviously harmful or it wouldn't be news.." - John Carter
wget -qO - www.infiltrated.net/sig|perl
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB
On Tue, 07 Oct 2008 11:30:11 CDT, "J. Oquendo" said:
What about exceeding the minimum requirements for a change.
It's like any other field - the customer wants more than the minimum, they'll have to pay more. Almost all contractors will at least act like they're trying to meet the local building codes, because that's a minimum requirement. It's the rare contractor indeed who will throw in the upgraded appliance package and real marble flooring for free... (I think you'll find that if somebody is actually willing to *pay* for more security, there's plenty of outfits who are more than happy to make it happen)
On Tue, 7 Oct 2008, Valdis.Kletnieks@vt.edu wrote:
On Tue, 07 Oct 2008 11:30:11 CDT, "J. Oquendo" said:
What about exceeding the minimum requirements for a change. (I think you'll find that if somebody is actually willing to *pay* for more security, there's plenty of outfits who are more than happy to make it happen)
What should the US Government buy for more security? And how can the US Government make sure they actually get what they are paying?
On Tue, 7 Oct 2008 14:07:04 -0400 (EDT) Sean Donelan <sean@donelan.com> wrote:
On Tue, 7 Oct 2008, Valdis.Kletnieks@vt.edu wrote:
On Tue, 07 Oct 2008 11:30:11 CDT, "J. Oquendo" said:
What about exceeding the minimum requirements for a change. (I think you'll find that if somebody is actually willing to *pay* for more security, there's plenty of outfits who are more than happy to make it happen)
What should the US Government buy for more security? And how can the US Government make sure they actually get what they are paying?
Right. The US government is a *huge* operation. Suppose you were the CIO or the CSO for the US government (excluding the classified stuff) -- what is the proper cybersecurity strategy?
--Steve Bellovin, http://www.cs.columbia.edu/~smb
On Tue, 07 Oct 2008 14:13:08 EDT, "Steven M. Bellovin" said:
Right. The US government is a *huge* operation. Suppose you were the CIO or the CSO for the US government (excluding the classified stuff) -- what is the proper cybersecurity strategy?
Step 1: Figure out what I actually *have* already.
On Tue, Oct 7, 2008 at 11:55 AM, <Valdis.Kletnieks@vt.edu> wrote:
On Tue, 07 Oct 2008 14:13:08 EDT, "Steven M. Bellovin" said:
Right. The US government is a *huge* operation. Suppose you were the CIO or the CSO for the US government (excluding the classified stuff) -- what is the proper cybersecurity strategy?
Step 1: Figure out what I actually *have* already.
Step 2: Baseline your traffic patterns/usage.
- - ferg
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
On Oct 7, 2008, at 3:01 PM, Paul Ferguson wrote:
On Tue, Oct 7, 2008 at 11:55 AM, <Valdis.Kletnieks@vt.edu> wrote:
On Tue, 07 Oct 2008 14:13:08 EDT, "Steven M. Bellovin" said:
Right. The US government is a *huge* operation. Suppose you were the CIO or the CSO for the US government (excluding the classified stuff) -- what is the proper cybersecurity strategy?
Step 0. DON'T PANIC.
Step 1: Figure out what I actually *have* already.
Step 2: Baseline your traffic patterns/usage.
- - ferg
On Tue, Oct 7, 2008 at 12:05 PM, Marshall Eubanks <tme@multicasttech.com> wrote:
Step 0. DON"T PANIC.
Good point.
Along the same line, I would like to point out this Ira Winkler article on the topic:
"Not Much Genius in DHS's Einstein 3.0 Plan"
http://www.internetevolution.com/author.asp?section_id=515&doc_id=165249
Especially the closing paragraph:
"For everyone's protection, there should be requirements on the appropriate parties to remove offending systems from the Internet. Nobody has the right to endanger others. However, until Chertoff decides to push for this necessary measure, I recommend he pick up a few books on basic firewall security in the meantime."
- - ferg
On Tue, 7 Oct 2008, Steven M. Bellovin wrote:
On Tue, 7 Oct 2008 14:07:04 -0400 (EDT) Sean Donelan <sean@donelan.com> wrote:
On Tue, 7 Oct 2008, Valdis.Kletnieks@vt.edu wrote:
On Tue, 07 Oct 2008 11:30:11 CDT, "J. Oquendo" said:
What about exceeding the minimum requirements for a change. (I think you'll find that if somebody is actually willing to *pay* for more security, there's plenty of outfits who are more than happy to make it happen)
What should the US Government buy for more security? And how can the US Government make sure they actually get what they are paying?
Right. The US government is a *huge* operation. Suppose you were the CIO or the CSO for the US government (excluding the classified stuff) -- what is the proper cybersecurity strategy?
Quit.
More seriously though, you are far more likely to be in charge of certifying products for acquisition, and run after the different offices, agencies and organizations for cooperation. So a first step would be to try and make yourself useful to them, and develop personal relationships with those who do want to work with you, in order to start facilitating information sharing and incident response.
I'd also try and get as many logs, flows, etc. I can get and build a main monitoring system.
Being in "charge" is simply not possible or practical. Following the networks is indeed the first step.
Gadi.
On Tue, 07 Oct 2008, Sean Donelan wrote:
On Tue, 7 Oct 2008, Valdis.Kletnieks@vt.edu wrote:
On Tue, 07 Oct 2008 11:30:11 CDT, "J. Oquendo" said:
What about exceeding the minimum requirements for a change. (I think you'll find that if somebody is actually willing to *pay* for more security, there's plenty of outfits who are more than happy to make it happen)
What should the US Government buy for more security? And how can the US Government make sure they actually get what they are paying?
I apologize for being naive. I guess 1.5 billion allocated to one state's Cybersecurity initiative *really* isn't enough to purchase the necessary load balancers, firewalls and personnel to audit the infrastructure for that one state.
Quote: "These include positions funded for Cyber Security (Public Service Account); the federal Disaster Preparedness Program (Weapons of Mass Destruction) through which the agency has granted over $1.5 billion in federal grant funds across the state; "
http://www.budget.state.ny.us/budgetFP/spendingReductions/agencyPlansPDF/NYS...
So much so (not enough) they've not looked into ramping UP their budget, but ramping it DOWN.
My thought would be to review the entire network as a whole, instead of the bandaid approach we've been taking, start fresh. Look at what's currently in place, audit, assess, re-do until they get it right. Contractors should be held accountable for breaches in an infrastructure. Before awarding a contract, I would do my best to have the wording changed from "minimum requirements" to securest implementation. Whether this securest implementation took 5 new engineers to give a closer review, so be it.
I'd have some form of interagency strategy of tiger teams in differing realms of government and perform war games testing amongst each other's networks. The theory would be if the best of the best in government can find a hole, so will an attacker. It could be incentive based where a monthly "DefGovCon" capture the flag like training would take place to ensure that security issues are discovered internally and defended against. Teams would get prizes or recognition.
Our government has so many resources at its disposal there is no real reason I can see them not protecting themselves. What I do see is shifting of blame and responsibility. Ye old "Cover Your Ass" attitude. Accountability - it goes a long way with accounts receivable and accounts payable.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, CNDA, CHFI, OSCP
"Believe nothing, no matter where you read it, or who said it, no matter if I have said it, unless it agrees with your own reason and your own common sense." - Buddha
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB
On Tue, 07 Oct 2008 13:23:20 CDT, "J. Oquendo" said:
Contractors should be held accountable for breaches in an infrastructure. Before awarding a contract, I would do my best to have the wording changed from "minimum requirements" to securest implementation. Whether this securest implementation took 5 new engineers to give a closer review, so be it.
You don't want "the securest implementation". You want one that's "secure enough" while still allowing the job to get done. You also don't want to be *paying* for more security than you actually need. Note that the higher price paid to the vendor isn't the only added cost of too much security. (Consider - the *securest* firewall is a true airgap, where files are dropped on one side, and then must be manually vetted, copied to media, and physically transferred to the other side. Feel free to try to deploy a webserver in that environment - on *either* side of the airgap....)
On Tue, 7 Oct 2008, Valdis.Kletnieks@vt.edu wrote:
You don't want "the securest implementation". You want one that's "secure enough" while still allowing the job to get done. You also don't want to be *paying* for more security than you actually need. Note that the higher price paid to the vendor isn't the only added cost of too much security.
The most recent (September 15 2008) US Government DNI directive about IT systems security includes the concept of appropriate risk management.
http://www.dni.gov/electronic_reading_room/ICD_503.pdf

D. POLICY
1. Risk Management
a. The principal goal of an IC element's information technology risk management process shall be to protect the element's ability to perform its mission, not just its information assets.
[...]
b. [...] For example, a very high level of security may reduce risk to a very low level, but can be extremely expensive, and may unacceptably impede essential operations.

In practice, it often turns out a "secure" system that is unusable for its mission is both insecure and unused because people start using other ways that bypass the "secure" system just to get the job done.

So back to my original questions, what advice would you give to the US Government about protecting and defending its networks to maintain its capability to perform? And how can it be sure it's getting what it paid for?
I think I may have found a spin for the political statements: With the USA government so focused on blaming "axis of evil" countries for all its woes, perhaps the statement was really meant to say that should <evil country> set up some botnet attack against our systems, the USA would retaliate by setting up a botnet attack against the <evil country> own systems.

Basically, if Canada were to send 6 billion mosquitoes to the USA to annoy the hell out of Americans, the USA wouldn't bother attacking the mosquitoes, but would attack something valuable to Canadians (like DDOS attack against the Tim Horton's web site).

In other words, once they have concocted evidence that <evil country> is behind a botnet attack against www.house.gov, then the USA would "attack" www.government.<evil country> instead of attacking the individual computers that attack the USA.
People, and manage them appropriately.
-----Original Message-----
From: Sean Donelan [mailto:sean@donelan.com]
Sent: Tuesday, October 07, 2008 11:07 AM
To: Valdis.Kletnieks@vt.edu
Cc: nanog@nanog.org
Subject: Re: Fwd: cnn.com - Homeland Security seeks cyber counterattacksystem(Einstein 3.0)
On Tue, 7 Oct 2008, Valdis.Kletnieks@vt.edu wrote:
On Tue, 07 Oct 2008 11:30:11 CDT, "J. Oquendo" said:
What about exceeding the minimum requirements for a change. (I think you'll find that if somebody is actually willing to *pay* for more security, there's plenty of outfits who are more than happy to make it happen)
What should the US Government buy for more security? And how can the US Government make sure they actually get what they are paying?
Superficially, one difference between government and business security programs is that government has intelligence agencies that they can draw upon for threat assessment. It is a separate question if intelligence agencies accurately determine certain threats, or if politicians pay attention to accurate assessments if the assessment conflicts with ideology or generic preconceptions.

Seriously, one of the major problems in convincing businesses about a need for security is that many managers, sensitive to cost, do not see a real threat. If one broadens that to continuity of operations in general, those managers whose firms have survived major disasters tend to be far more in favor of disaster recovery planning. Unfortunately, many security technologists are in the unfortunate position of the parent trying to convince a child not to touch a hot stove, when they have never been burned. In my case, that is convincing a dearly beloved cat that the stovetop is not on the feasible route from point A to point B.

While some use the analogy of herding cats, that is more appropriate with technical people than top managers. In the case of the latter, the analogy may be more akin to the lion, who woke one day, and strode through his domain. Encountering an antelope, he roared, "WHO IS KING OF THE JUNGLE?" The antelope quivered and said "you, mighty lion." He next encountered a gnu (no, it's not Gnu). Again, even the tougher beast said "You are the great one." The lion walked further, and met an elephant. As he started to say "WHO IS...", the elephant wrapped his trunk around him, whopped him into several trees, juggled him on his tusks, and then threw him into a mud wallow. Scrambling to avoid an indignant hippopotamus, the lion looked at the elephant and said "Gee, your Majesty, could you chill out a little?"

-----Original Message-----
From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]
Sent: Tuesday, October 07, 2008 1:40 PM
To: J. Oquendo
Cc: nanog@nanog.org
Subject: Re: Fwd: cnn.com - Homeland Security seeks cyber counterattacksystem(Einstein 3.0)

On Tue, 07 Oct 2008 11:30:11 CDT, "J. Oquendo" said:
What about exceeding the minimum requirements for a change.
It's like any other field - the customer wants more than the minimum, they'll have to pay more. Almost all contractors will at least act like they're trying to meet the local building codes, because that's a minimum requirement. It's the rare contractor indeed who will throw in the upgraded appliance package and real marble flooring for free... (I think you'll find that if somebody is actually willing to *pay* for more security, there's plenty of outfits who are more than happy to make it happen)
J. Oquendo wrote:
Too many companies and individuals rely far too heavily on a false and outdated concept of the definition of "minimum requirements" when it comes to security. They tend to think they need to implement the minimum requirements and all will be fine. This is evident in almost all security management material I read where the goal is to offer a "minimum" set of requirements to meet guidelines and regulatory controls.
What about exceeding the minimum requirements for a change.
What about an entirely different concept?

I see a lot of network router/firewall admins make the mistake of closing certain known bad ports off. This mostly happens in a University-type situation, where it is necessary--or at least traditional--to have an open network. A network able to handle myriad new and changing protocols and services. This is the black-list approach. It is a fundamental approach to security that ends up with "minimum requirements" either met or exceeded, without any real effectiveness no matter what certain experts may claim.

The acknowledged better path is using a white-list instead. Turn everything off by default. Turn off all ports on the router/firewall. Turn the ones back on that can be trusted, with as much control as you can throw in there--specifying endpoints and ports, using content inspection and ensuring protocols using higher layer proxy-type protocols. Modern firewalls can do all of this. This would lead to "maximum possible" security, regulated only by realities. Layer 9 and 10 being the biggies, although layer 1 and 2 are also important (money and politics).

This would not work in an open environment with 30,000 new laptops coming in at the start of every summer, each running a different brand of Doom (pun intended). But if we are talking about a smaller number of stable networks that are meant primarily to interface with one another and only network outside of themselves... (wait for it, not secondarily, not tertiarily, not even quaternarily but instead) perhaps as the least important function, then we have something we can work with. These networks would be of Working machines. Primary purpose: work. Stability, functionality, security of data and communications....

Here you go, my incredibly naive take on it:

0. white list as the fundamental principle. maximum security.
1. you are starting with a mess. turn off all internetworking on a network, until it is compliant with the below.
2. separate the networks into discrete logical units (via function would be best, if realities such as location/bandwidth permit).
3. separate the workstations.
4. harden the workstations. turn off extra services. only install certain programs. make an image. shoot that image down every now and then to ensure compliance.
5. harden the networks. allow communication between networks only for certain services. specify endpoints and ports, use content inspection ensure protocol regulation. check logs for unregulated attempts to communicate between networks.
6. make sure you have adequate pc/networking/security admins to do this--and maintain it. Keeping it all up to date will be a big part of making sure it stays functional.
7. probably this should be #1 instead of #7--start with clear documentation for each of the above points, including assignation of responsibilities with job titles.

--Patrick Darden
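An added example, not part of Patrick Darden's post or any reply in this thread, showing the default-deny, explicit-allow policy the post describes for a small set of stable "work" networks. It keeps a constructed allowlist between hypothetical networks (all addresses, names and flows are made up), evaluates individual flows against it, reports the unregulated attempts a log review would surface (the post's step 5), and renders the same policy as an nftables forward chain with a drop policy. The nftables syntax is standard; the table and chain names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: hypothetical "work" networks. Nothing here comes from the thread.
@dataclass(frozen=True)
class AllowRule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str   # "tcp" or "udp"
    dport: int   # destination port; source ports are left free

def net(s):
    return ipaddress.ip_network(s)

# The white list: the only inter-network flows permitted. Everything else is dropped.
ALLOW = [
    AllowRule(net("10.1.0.0/24"), net("10.2.0.10/32"), "tcp", 443),  # workstations -> intranet web
    AllowRule(net("10.1.0.0/24"), net("10.2.0.53/32"), "udp", 53),   # workstations -> resolver
    AllowRule(net("10.3.0.5/32"), net("10.2.0.10/32"), "tcp", 22),   # admin host -> web server mgmt
]

def evaluate(src, dst, proto, dport):
    """Default deny: a flow is accepted only when an explicit rule matches endpoints, protocol and port."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in ALLOW:
        if s in r.src and d in r.dst and proto == r.proto and dport == r.dport:
            return "accept"
    return "drop"

def unregulated(flows):
    """Step 5 of the post: the flows a log review should flag, i.e. attempts no rule permits."""
    return [f for f in flows if evaluate(*f) == "drop"]

def render_nftables(rules=ALLOW):
    """Render the same policy as an nftables forward chain: drop by default, log what is dropped."""
    lines = [
        "table inet workfw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in rules:
        lines.append(
            f"    ip saddr {r.src} ip daddr {r.dst} {r.proto} dport {r.dport} ct state new accept"
        )
    lines.append('    log prefix "unregulated: " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)

# Constructed flow log (src, dst, proto, dport), as a collector might export it.
SAMPLE_FLOWS = [
    ("10.1.0.7", "10.2.0.10", "tcp", 443),
    ("10.1.0.7", "10.2.0.53", "udp", 53),
    ("10.1.0.7", "10.2.0.10", "tcp", 22),    # workstation reaching for ssh on the web server
    ("10.1.0.9", "10.2.0.20", "tcp", 445),   # SMB to a host no rule mentions at all
]

if __name__ == "__main__":
    for f in unregulated(SAMPLE_FLOWS):
        print("review:", f)
    print(render_nftables())
```

The point of keeping the allowlist as data is that the firewall ruleset and the log-review check are generated from the same source, so the documented policy (the post's step 7) and what is actually enforced cannot drift apart.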
The system "would literally, like an anti-aircraft weapon, shoot down an attack before it hits its target," he said. "And that's what we call Einstein 3.0."
Oh dear. I cringe whenever I read such a massacre of correct English as this. If it's going to "literally" shoot down an attack like an AA weapon, are they planning on physically launching projectiles at compromised machines across the world and destroying them? That really *would* be something worth seeing.

B
I'm surprised that no one has made a Skynet reference yet, perhaps because such a reference would be trite and predictable. I'm feeling trite and predictable this morning, so allow me to be the first. Homeland Security is planning to launch Skynet. I hope you guys have your nuclear bunkers stocked with Ensure. We on this list might be all that's left after Judgement Day.
If it's going to "literally" shoot down an attack like an AA weapon, are they planning on physically launching projectiles at compromised machines across the world and destroying them?
Bill, they're probably planning on physically launching explosive projectiles at compromised users.

/me dons his tinfoil hat

Steve
-----Original Message-----
From: Steve Church [mailto:nanog@headcandy.org]
Sent: Monday, October 06, 2008 8:24 AM
To: nanog@nanog.org
Subject: Re: cnn.com - Homeland Security seeks cyber counterattack system(Einstein 3.0)
If it's going to "literally" shoot down an attack like an AA weapon, are they planning on physically launching projectiles at compromised machines across the world and destroying them?
Bill, they're probably planning on physically launching explosive projectiles at compromised users.

/me dons his tinfoil hat

Steve

[Howard C. Berkowitz] Not being able to resist, they may be thinking of physically launching compromised users at the assumed servers. As the circus owner pleaded with the Man Shot Out of the Cannon not to leave the show, he pointed out "It's very difficult to find a man of your caliber." (While that's Pythonesque rather than canonical Python, is there an equivalent to Godwin's Law for pythonisms? Alas, would it be applicable if the pythonism were issued by a government official?)

Seriously, see U.S. Joint Publication 3-13, "Information Operations", p. 33 of the PDF at http://www.dtic.mil/doctrine/jel/new_pubs/jp3_13.pdf

That is intended, of course, for an actual war situation. The more open literature on electronic warfare is also relevant to understand the less silly military views -- and I emphasize a warfare situation, not a persistent spammer, may the fleas of ten thousand camels infest his armpits.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Oct 6, 2008 at 5:24 AM, Steve Church <nanog@headcandy.org> wrote:
I'm surprised that no one has made a Skynet reference yet, perhaps because such a reference would be trite and predictable. I'm feeling trite and predictable this morning, so allow me to be the first. Homeland Security is planning to launch Skynet. I hope you guys have your nuclear bunkers stocked with Ensure. We on this list might be all that's left after Judgement Day.
I guess you haven't heard about the "Server in the Sky":
http://www.technovelgy.com/ct/Science-Fiction-News.asp?NewsNum=1405

:-)

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFI6kgoq1pz9mNUZTMRAs/3AKD02p1Mt+UL8SSEKnl0H/3Lx0lpYwCg06GM
zZnHo2DydtR8ho/ZgcA41Js=
=zpoo
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
William Hamilton wrote:
If it's going to "literally" shoot down an attack like an AA weapon, are they planning on physically launching projectiles at compromised machines across the world and destroying them?
The politician saw the episode of Star Trek where "7 of 9" typed in a few computer commands which caused some massive electrical jolt to be emitted by the bad dude's keyboard a few light years away, knocking him out. So they immediately think that they can do the same to incapacitate those making attacks on USA govt systems :-)

Of course, this means the USA government will require all the world's keyboards to be equipped with the 50,000 volt "this will shock you" devices that only the USA government can trigger :-)

In other words, the politician's words should be included in some comic book, but shouldn't be discussed seriously.
"The system "would literally, like an anti-aircraft weapon, shoot down an attack before it hits its target," he said. "And that's what we call Einstein 3.0."

Correct me if I'm wrong, but doesn't even a basic firewall or ACL provide the same functionality? Drop the packet, drop the attack?

I'm in the wrong business if implementing a firewall can net me $millions$ by using appropriate buzzwords.....

Ken Matlock
Network Analyst
(303) 467-4671
matlockk@exempla.org
Matlock, Kenneth L wrote:
"The system "would literally, like an anti-aircraft weapon, shoot down an attack before it hits its target," he said. "And that's what we call Einstein 3.0."
Correct me if I'm wrong, but doesn't even a basic firewall or ACL provide the same functionality? Drop the packet, drop the attack? I'm in the wrong business if implementing a firewall can net me $millions$ by using appropriate buzzwords.....
It sounds like the first step for such a firewall vendor would be to pay the appropriate license fees for the Einstein name and likeness... Then a little IP address geo-location coupled to the launch system and you're set. Any collateral damage would be no worse than the sort that's been caused by real anti-aircraft weapons.

Matthew Kaufman
matthew@eeph.com
http://www.matthew.at