Slashdot Mirror


U.S. Cybersecurity Report Available

Kaelem writes "Kevin Rose put up a copy of the report Cybersecurity for the Homeland (pdf), due to be released tomorrow. It talks about some interesting things, like expanding the US-CERT website as well as funding for colleges to develop cybersecurity curriculum."

32 of 187 comments

  1. Which department? by wcitechnologies · · Score: 5, Funny

    More like from the U.S. Department Of We're Not Going To Tell You Anything You Didn't Already Know About Security

    --
    Electrons are free; it is moving them that becomes expensive.
    1. Re:Which department? by canuck57 · · Score: 5, Insightful

      More like from the U.S. Department Of We're Not Going To Tell You Anything You Didn't Already Know About Security

      No one cares about security until they get burned. Once burned, the battle cry goes for a while and fizzles, as most don't give a rat's ass about security beyond looking politically correct. It is why so many sites and users get hacked.

      And here is a hint: most get hacked from the inside out, that is, some twit loads spyware or a malicious program and claims ignorance when it happens. More like carelessness, but management often overlooks it.

      Safe computing is like safe sex, use some precaution and don't be a slut and download everything you can click on.

    2. Re:Which department? by shufler · · Score: 2, Funny

      How would you pronounce "WNGTTYAYDAKAS"?

      "Wingtittyaydakas", obviously.

    3. Re:Which department? by neuro.slug · · Score: 2, Funny

      I thought it was pronounced "Homeland Security"...

      I guess I'd better brush up with my Hooked On Phonics tapes.

    4. Re:Which department? by Anonymous Coward · · Score: 2, Funny

      Safe computing is like safe sex - you tell everyone else to do it, but when it's your turn you do what's easy and feels good.

  2. Wide range of topics ... by ProfaneBaby · · Score: 5, Interesting
    They're definitely focusing on a wide range ... something I didn't expect to see in the report was the DDoS / zombie bot armies:

    "Just as 1920s gangsters evolved into organized crime syndicates, a sophisticated command and control network is emerging within the Internet with agreed-upon boundaries of control and "gangs" working for a "boss." These modern criminals and terrorists often don't know or meet the crews who carry out the actual cyber attacks, making it even more difficult to track and prosecute them."

    Definitely something worth investigating, just wondering what a few billion in research dollars is going to reveal - hopefully more than an "it's a problem that's difficult to fix" report.
    --
    Video Phone Blogs send video messages straight to the web.
    1. Re:Wide range of topics ... by The+Cisco+Kid · · Score: 2, Insightful

      Unfortunately, their probable solution will be to mandate hardware changes that prevent 'unauthorized' software from running. (And some large IT company such as MS will be in charge of deciding what's authorized, of course). So MS will lock out its competition, and lock everyone in to running vulnerable crap that is in itself the source of most of the zombie armies.

    2. Re:Wide range of topics ... by ProfaneBaby · · Score: 3, Interesting

      They've also identified that much of the problem comes from outside of their jurisdiction, so I'm actually optimistic that their solution won't be that stupid...

      I could see something along the lines of mandated filters on international links, though. Time for MCI and Level3 to break out the lobbying money, else their international business may get much more expensive (can you imagine the peering complications if you have to enforce content filtering at the ISP level?)

      --
      Video Phone Blogs send video messages straight to the web.
    3. Re:Wide range of topics ... by Saeger · · Score: 3, Informative
      I'm afraid you're right.

      In order for the control-freaks of the world to keep their socio-economic power, it's in their best interest to turn the open internet into a "Secure Internet" dystopia where only "Trusted Computing" devices are permitted to communicate.

      As usual, they'll spin total-accountability as a good thing necessary for combatting the evil cyber-terrahists, economic pirates, and pedophiles. But I, for one, will NEVER bow to DRM mandated by government and/or pushed by monopoly interests.

      --
      Power to the Peaceful
  3. Cyber? give it a rest by spoonyfork · · Score: 3, Insightful

    References to computer network infrastructure as "cyber" sound very amateur to me. 1995 already happened. Could we please get an adult vocabulary and start talking about serious subjects with maturity? Thank you.

    --
    Speak truth to power.
  4. Cyber security curriculum. by eeg3 · · Score: 3, Insightful

    Kind of a broad term. Don't most colleges already have courses similar to this? I know my college had something that could fit into that term. Anyone else seen "cyber security classes" at their college?

    1. Re:Cyber security curriculum. by ProfaneBaby · · Score: 2, Informative

      Many certainly don't. Seems like something where the topic would be addressed in many separate classes, but I can't see the importance of a few courses on it.

      You talk about the coding implications when you teach common coding practices (buffer overflows, etc, belong in a C/C++ theory course), you talk about the practical implications in networking style courses, and you talk about the social and realistic implementations in computing ethics courses.

      Building it into the curriculum doesn't mean making a single course and forgetting about it - it means building it into the curriculum.

      --
      Video Phone Blogs send video messages straight to the web.
    2. Re:Cyber security curriculum. by Raynach · · Score: 2, Informative
      Well, I know that Purdue has CERIAS (Center for Education and Research in Information Assurance and Security), headed by the almighty Eugene Spafford. We've got a pretty big emphasis on security classes here, including a few undergrad courses in cryptography and secure networks.

      I know that the grad program is much more extensive. If you want to do security research, Purdue is definitely the place to pursue it.

      --
      - A
  5. ...due to be released tomorrow by R.Caley · · Score: 3, Insightful
    Security advice from people who can't manage a simple press release process. I'm sure you all feel safer already.

    Actually, come to think of it, perhaps incompetence in a secret po^H^H^H^H^H^H^H^H^Hhomeland security department is not such a bad thing.

    --
    _O_
    .|<
    The named which can be named is not the true named
  6. Yes, there are programs by dexterpexter · · Score: 4, Informative

    The National Science Foundation (NSF) and the Department of Defense (DoD) already sponsor Scholarship For Service (SFS) programs like the Cyber Corps to train students in aspects of cyber security with the intention of placing them in government information assurance positions.

    And many colleges are developing Centers for Information Security (CIS), and among those, that is where you see the government encouraging these programs.

    The tag line, I believe, is "Defending America's Cyberspace."

    More information on the SFS program can be found here:
    http://www.sfs.opm.gov/ScholarshipMain.asp

    --

    *-*-*-*-*-*-*-*
    "We are Linux. Resistance is measured in Ohms."
  7. Roadmap for the future by amigoro · · Score: 3, Insightful
    1. Assistant Secretary for Cyber security
    2. Budget and Program
    3. Private Sector Outreach and Information Sharing
    4. Risk Assessment and Remediation
    5. NCSD/NCS
    6. R&D and Education

    Why do I see more bureaucracy and less action?

    --
    Nothing to see here
  8. Released by... by kataflok · · Score: 2, Funny

    the U.S. department of oxymorons...

    --
    Mod me up, mod me down, flame me, praise me -- whatever you do, you help prove I exist...
  9. Computer Science programs. by dexterpexter · · Score: 3, Interesting

    That is very true. Many colleges simply have a few security courses, and that is it.

    But there are some colleges which offer the five major security certifications and offer network security, ecommerce security, network programming, penetration testing, operational security, forensics, enterprise security management, and more courses which basically make up a secondary Computer Science program. Those students still have to learn all of the fundamentals, but also push themselves to learn the security aspects. These courses are also often taught by ex-government workers, ex-hackers, and such. I know of at least one that is also broadening their program to include electrical engineering and hardware aspects as well, so things like biometric sensors are covered in addition to programming databases.

    I was surprised at how many programs there are in the nation which gear into this stuff; unfortunately, it is probably not enough. Most CS or IS programs focus on the theory and some practical implications, but stop at the security implications.

    --

    *-*-*-*-*-*-*-*
    "We are Linux. Resistance is measured in Ohms."
  10. I doubt that. by dexterpexter · · Score: 4, Insightful

    Really? As someone who just finished studying and reading the CERT guide for System Administration and Accreditation (yes, it was torture), I find that most system administrators do not know the principles within, or recklessly choose to disregard some of the most helpful ones. Many system administrators are seat-of-the-pants, self-taught individuals who learn along the way as issues come up, and sometimes miss some of the fine points of securing a system. A lot of admins push large upgrades on production systems, or use test systems still connected to the main network (the recent 60,000 computer fiasco reported in /. is a good example), don't practice isolation, choose their products on budget or because of a last minute need (although sometimes this is unavoidable), do not configure firewalls correctly, do not lock down their systems tightly, etc. Sometimes they do everything they should, but out of order. A lot of people don't realize the importance of order in bringing systems online. Many times, these are on critical systems or systems which contain confidential information. Customer information is put at risk, simply because the administrators do not know any better.
    A lot of companies hire admins who are actually unqualified, but who can do a "good enough" job because they don't understand what to look for in an admin.
    Not all admins are this way, but a surprising number of them are.

    If admins out there honestly knew everything there was to know about security, and administered their systems to the CERT guide specs, then I would be impressed. Because my experience in observing everything from large university systems, health care systems, tag agency (all-you-need-for-identity-theft-agencies, more appropriately) systems, corporate systems (credit card information and personal information), is that this simply isn't so.
    A lot of penetration testing reveals vulnerabilities in areas that are clearly stated in that CERT guide.

    --

    *-*-*-*-*-*-*-*
    "We are Linux. Resistance is measured in Ohms."
    1. Re:I doubt that. by chris_mahan · · Score: 2, Insightful

      It all comes down to money. Really.

      Would you put a $50,000 alarm system in your $30,000 car?

      Would you pay $300,000 a year to protect your company's data?

      Answer: It depends how much the company data is worth.

      For a lot of companies, especially smaller companies, the answer is no. The data might be compromised, but unless they deal with sensitive data whose loss could cause public embarrassment, they will not spend a lot of money to protect it.

      Would you hire a top-notch guy for $130k plus 1 helper at $70k plus overhead ($100K) to protect a bunch of tractor part orders?

      --

      "Piter, too, is dead."

    2. Re:I doubt that. by dexterpexter · · Score: 3, Insightful

      Perhaps not, unless customer contact information was involved, specifically credit card information, addresses, names, etc.

      But in my examples:

      -large university systems
      -health care systems
      -tag agencies

      and such and such. Yes, the protection of that information is extremely important.
      Just think about the information that someone would have on you by compromising just your local tag agency.
      When companies collect and store information about their customers, they owe it to their customers to protect that information.

      But you are absolutely correct in stating that, in most cases, budget is the deciding factor. But it's amazing what good administration can do to counter budget issues. A lot of times, but not always, it is poor administration (again, putting things online out-of-order) and such and such that causes these compromises.

      If a company doesn't want to take extra steps to protect information, then they should consider not storing that information on a system accessible to the outside.

      --

      *-*-*-*-*-*-*-*
      "We are Linux. Resistance is measured in Ohms."
  11. cyberia by Doc+Ruby · · Score: 3, Insightful

    Does it mention why every cybersecurity "czar", starting with Richard Clarke, through this Fall, has quit in disgust? I didn't think so.

    --
    make install -not war

  12. They do not disregard the fundamentals by dexterpexter · · Score: 2, Interesting

    Actually, as I mentioned in another post, the students in these programs must basically double-up duty. They must learn the fundamentals as well as the security aspects.

    The expiration date is true of most majors. I received my bachelor's degree in Electrical Engineering and had three years of Mechanical Engineering, and beyond the basics, most of the specializations which students take on during their masters study, given technology trends, will carry an expiration date. That is why most college graduates should consider continuing education. In our program, the students learn the same fundamentals as a "regular" CS student, but then must learn in courses such as:

    Some courses offered:
    --Computer Security
    --Secure Electronic Commerce
    --Enterprise Security Management
    --Secure System Administration and Certification
    --Network Security
    --Computer and Network Forensics
    --Information System Assurance
    --Advanced Computer Security
    and I know there is also an Operational Security course being discussed, among others.

    They also earn certificates in:
    Information Security Professional (INFOSEC), Designated Approving Authority (DAA) and System Administrator (SA), Information Systems Security Officer (ISSO) and System Certifier (SC)

    They must also carry out special side research projects as well.

    Yes, burnout is initially high until the students become accustomed to having a lot asked of them, but the students make it through it and come out as highly competitive professionals (and highly paid), and the agencies they go into often pay to send them to school to keep up with technology trends. In five years, they can expect to be right back in the classroom (while working), but they will be paid for this. They are also paid to go to conferences. I would say that, after they emerge from the fire, most of them actually have a better understanding of the fundamentals because they get to apply them in a specific area, and also concentrate beyond the narrow focus of getting something to work, but to get it to work securely. They still go through the basic programming, operating systems, networking, and other courses as the other students do.
    Also, because of their constant presenting and paper-writing in addition to their regular studies, they come out of the program as personable professionals who can write and speak in a public forum, basics that are often neglected in other programs.

    The students in this specialization don't get out of the fundamentals. Call it fundamentals+.

    --

    *-*-*-*-*-*-*-*
    "We are Linux. Resistance is measured in Ohms."
  13. my 2 cents by TheLibero · · Score: 2, Insightful
    PATRIOTISM, n.
    Combustible rubbish ready to the torch of any one ambitious to illuminate his name.

    In Dr. Johnson's famous dictionary patriotism is defined as the last resort of a scoundrel. With all due respect to an enlightened but inferior lexicographer I beg to submit that it is the first. (from The Devil's Dictionary)

    --
    "Evil thrives when good men do nothing"
  14. Yes and no by dexterpexter · · Score: 3, Insightful

    That is the problem. Prior to 9/11, there had been no comparable act of terrorism. While right now, things have been mostly peachy in the realm of cyber security (and when it's not, the public is not likely to hear about it), there is a general feeling in the cyber security community that our day will come. This time, however, they are actually attempting to prepare for it; how can that be a bad thing? Even if ineffective, there is effort being applied.

    You would be surprised at who sits behind those computer screens and what their intention is. If the United States has an entity for electronic and cyber warfare, it seems that our enemies would have something similar. Now, back to the teenager thing... it is a sad truth that many compromises of confidential systems have been made by a teenager that is "just curious," but also some of these teens have developed an angsty hatred of the U.S. government and consider it a game to take it down.

    You might not see it as terrorism... until the 911 systems go down. Until the IRS systems are compromised and your entire identity is stolen and abused. Until major systems undergo a DDoS when you suddenly need them. That is why these preventative measures need to be in place, and why our youngest and brightest are being trained to take on this endeavor.

    However, I don't think that 12-year-old terrorists were the focus here. It is the damage that can be caused by even a 12-year-old in context with what can be achieved by a highly trained individual who applies it for malicious purposes.

    --

    *-*-*-*-*-*-*-*
    "We are Linux. Resistance is measured in Ohms."
    1. Re:Yes and no by dave420 · · Score: 3, Insightful
      You DO realise you're playing directly into their hands, right?

      If you think Al Qaida could wreak more havoc cracking some government system and stealing some personal info, than by blowing something big up, you're grossly mistaken.

      Fuck. You're seeing what the US is doing, and then going "Oh, well, if they're doing that, then there must be an enemy doing the same" - no. No, no, no, no, NO. That's how governments coerce the people. If the Army erected a massive cannon and pointed it at a hill, you'd assume that hill was dangerous. That's exactly what they're doing here. They're conjuring up threats to make their policies seem essential. If the Bush/Cheney administration doesn't hype up the enemy's potential, then they're out of a job. They fought the entire election over defense. It's their only perceived strength.

      Where is the evidence that any terrorist organisation around the world is targeting the US en masse? Exactly.

      Please, please, PLEASE don't buy into this. Look for some third-party information from someone not selling anything, who wants nothing in return. These guys have a vested interest in hyping danger, as more danger = more budget.

      I'm sorry if I sound like a dick about this one, but from Europe, it's so blatantly obvious what your government is trying to evoke from you that it tears me up inside to see so many Americans swallowing it hook, line and sinker. I guess WWI && WW2 didn't feature too heavily in history classes over there. Or, if they did, they obviously missed out a bunch!

  15. Everytime I read the term "Homeland"... by BrianMarshall · · Score: 2, Insightful
    it reminds me of the term "Fatherland".

    --
    "When the going gets weird, the weird turn pro" -- HST
  16. Shorten the report to 2 words (Common Sense) by mrs+clear+plastic · · Score: 2, Interesting

    Can we please shorten this report to two simple words?

    Common Sense

    My career in computing security, which consisted mainly of securing sites for small companies, taught me that much of what is going on is lack of clear policy and common sense.

    Much of what I see missing can be traced back to the lack of a clear, well thought security policy.

    This one document (often not more than a simple statement) is the root of all security related activities within an company or organization.

    I have collapsed and wet my pants while laughing at what I have seen for 'security' at some organizations.

    An example: A company with some of the greatest tools and equipment; firewalls, VPN, the whole works. But with no clear documentation on how to configure what. Everything kept between the ears of the lead sysadmins. If they quit or get laid off (which happens); all this information gets lost.

    Firewall set nice and tight (nothing in at all except VPN and port 80 to a machine on a security island). However, the VPN was configured with a shared passphrase that was 'secret' and with no restrictions on what IP can initiate a connection.

    Or VPNs that have proper certificates but with no revocation lists. Road Warrior VPN clients with the passphrase hard coded on the box and not having to be keyed in: Stolen laptop - direct access to company VPN to inside network.

    Or, nice tight firewall and VPN; but with open wireless ports inside (easily reachable from the parking lot or common building lobby or better still, the public cafe on the ground floor).

    What really keels me over laughing is how vendors are allowed free access to the company network. And how that access is not properly terminated upon conclusion of the contract.

    Couple this with no clearly written and fully agreed upon (throughout the entire enterprise) security policy. Easy path to desire.

    Luv you all

    --
    Cleara
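    The gaps this comment lists (a VPN keyed by one shared passphrase with no restriction on who may initiate, certificates with no revocation list, credentials stored on the laptop, and vendor accounts that outlive the contract) are exactly the items a written policy can turn into a mechanical check. The following is an added example, not code from the original thread or from any VPN product; it assumes a simplified, constructed model of a VPN gateway's settings and of the vendor access list (`VpnConfig`, `VendorAccess`, the finding codes and the sample records are all hypothetical), and returns one finding per weakness so the weak configuration can be compared with its corrected form.

```python
"""Policy-audit helpers for the VPN and vendor-access gaps described above.

Added example; the configuration model is constructed for illustration and
does not match any real VPN product's configuration format.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Constructed list of passphrases a reviewer would flag on sight.
WEAK_SECRETS = {"secret", "password", "vpn", "changeme"}


@dataclass
class VpnConfig:
    """Simplified (hypothetical) VPN gateway settings."""
    auth_method: str                       # "psk" (shared passphrase) or "certificate"
    psk_value: Optional[str] = None        # only meaningful when auth_method == "psk"
    allowed_peers: List[str] = field(default_factory=list)  # CIDR blocks allowed to initiate
    crl_enabled: bool = False              # is a certificate revocation list checked?
    client_saves_credential: bool = False  # passphrase/key stored on the laptop, never prompted


@dataclass
class VendorAccess:
    """One third-party account on the internal network (constructed record)."""
    vendor: str
    contract_end: date
    account_active: bool


def audit_vpn(cfg: VpnConfig) -> List[str]:
    """Return one finding code for each weakness the comment describes."""
    findings = []
    if cfg.auth_method == "psk":
        findings.append("shared-passphrase-auth")       # one secret shared by everyone
        if cfg.psk_value is not None and (
            len(cfg.psk_value) < 20 or cfg.psk_value.lower() in WEAK_SECRETS
        ):
            findings.append("weak-passphrase")
    elif cfg.auth_method == "certificate" and not cfg.crl_enabled:
        findings.append("no-revocation-list")           # a lost laptop's cert stays valid
    # No peer list, or a 0.0.0.0/0-style entry, means anyone on the Internet may try.
    if not cfg.allowed_peers or any(
        ipaddress.ip_network(p, strict=False).prefixlen == 0 for p in cfg.allowed_peers
    ):
        findings.append("unrestricted-peer-source")
    if cfg.client_saves_credential:
        findings.append("credential-stored-on-client")  # stolen laptop == direct access
    return findings


def audit_vendor_access(entries: List[VendorAccess], today: date) -> List[str]:
    """Vendors whose accounts are still active after their contract ended."""
    return [e.vendor for e in entries if e.account_active and e.contract_end < today]


# Constructed sample data so the audit can be run offline.
SAMPLE_TODAY = date(2004, 12, 1)


def sample_vendors() -> List[VendorAccess]:
    return [
        VendorAccess("acme-support", date(2004, 6, 30), True),    # contract over, still active
        VendorAccess("widget-co", date(2005, 3, 31), True),       # contract current
        VendorAccess("old-integrator", date(2004, 1, 1), False),  # properly disabled
    ]


if __name__ == "__main__":
    weak = VpnConfig(auth_method="psk", psk_value="secret",
                     allowed_peers=[], client_saves_credential=True)
    fixed = VpnConfig(auth_method="certificate",
                      allowed_peers=["203.0.113.0/24"], crl_enabled=True)
    print(audit_vpn(weak))
    print(audit_vpn(fixed))
    print(audit_vendor_access(sample_vendors(), SAMPLE_TODAY))
```

    The corrected configuration is the one the comment implies: per-user certificates with revocation checked, a bounded list of source networks, and no credential cached on the client; the vendor check is the "terminate access when the contract ends" rule expressed as a date comparison.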
  17. Are our lives really changed? by joeljones · · Score: 5, Interesting

    Am I the only person who is tired of the rhetoric "Since September 11th, each and every American's life has changed"? For those outside of the government, and particularly the military, has it really? Certainly we have mangled the Bill of Rights beyond recognition, but am I the only one whose reaction to the 2nd attack on the WTC was "well, it finally happened?" And the notion that using commercial airliners as weapons was unthought of? Given that Tom Clancy is a best selling author, the odds that no one in our security infrastructure read about that scenario is close to zero.

    1. Re:Are our lives really changed? by HeghmoH · · Score: 2

      My life has changed a lot since then, but it has nothing to do with the attacks. I don't really mind the phrase, though, as it makes for an easy filter. Anybody who says something like "everything is different post-9/11", or "security is paramount" is an idiot and should not be listened to further.

      --
      Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
    2. Re:Are our lives really changed? by dave420 · · Score: 4, Insightful
      Seeing as the pentagon was having drills for what to do should airliners be used as weapons against them, and the previous G8 meeting earlier in the year when anti-aircraft armaments were deployed, to defend against rogue aircraft, their claim they didn't know about airplanes==weapons is just pathetic lying.

      For a country that loves democracy so much, America doesn't seem to give a flying shit when their politicians lie. Unless it's about a blowjob, in which case it's TREASON, I tells ya! TREASON!

      Sort it out, America. It's time for torches and pitchforks, and a nice stroll down to Washington DC... Unless you do that, the rest of the world will simply look on and laugh at the mess you've got yourself in ;)

  18. RTFA - information density is very low in this... by syrinje · · Score: 3, Insightful
    Very Helpfully(tm), the executive summary says "September 11, 2001, changed the life of each and every American..." as the first sentence in the report. As if we needed to be reminded yet again.

    Just in case the reader forgot this fact while reading the rest of the exec summary, the next chapter, the Introduction, starts with "On a fateful day in September 2001, our lives changed forever as a handful of terrorists proved they had the means to destroy on a level equal to their hatred.".

    Having grabbed the reader's attention, the rest of the report goes on to do the following:
    a. Narrate an administrative history of the establishment of DHS and the cybersecurity divisions within it
    b. Provide volkswagen loads of justification for the existence of said departments - based on various criteria, all liberally illustrated with suitably scary numbers
    c. Lay the groundwork for greater control and monitoring by the departments, of all computing and telecommunication resources in the country, regardless of who owns/operates them.
    d. Attempt a definition of cybersecurity - which is a good thing.
    e. Provide more volkswagens full of information designed to prove that legislative and administrative machinery are acting diligently and responsibly along the road to better security. This also absolves the departments themselves from any potential blame in the event of a screw-up - "all our bases are covered"
    f. Throw in some pseudo-wise statements about educating mom-n-pop about how to protect their store computers and generously mention that it will fund education in related matters. Remains to be seen if they will just restructure existing funding, reallocate under a new head and claim a job well done there.

    Not at all the level of analysis, detail or accountability information you'd expect. Of course, John Q. Public is told that his representatives are in the loop, so don't worry, sleep tight. It's almost as if the report was specifically designed to NOT reveal any information. We'd rather not tell you any more, thank you, cuz you and your neighbors might all be security risks.

    --
    See that long UID - that's what you get for lurking too long