Slashdot Mirror


U.S. Cybersecurity Not So Secure?

freaktheclown writes "According to CNet, 'government auditors have been saying that Homeland Security has failed to live up to its cybersecurity responsibilities and may be 'unprepared' for emergencies.'" The article discusses FEMA's handling of relief efforts for Hurricane Katrina and how a very similar situation exists with electronic security measures in the U.S. In addition to a conjecture the department of cybersecurity has been "plagued by a series of damning reports, accusations of bureaucratic bungling, and a rapid exodus of senior staff that's worrying experts and industry groups."

4 of 162 comments

  1. Re:That's what happens when unqualified people.. by Anonymous Coward · · Score: 0, Interesting

    And I am sure that is based on your intimate knowledge of the issue? The problem is not one of qualified people but crisis management. The unsuspecting public we all know and love pitted against the just because I can "download" enemy is the problem. Sitting on the sidelines and condescendingly joking what losers Windows AOL'ers is really helping now, isn't it?

  2. Authority grab is the problem by keraneuology · · Score: 2, Interesting
    The problem isn't political appointments, inept federal chiefs or any political leanings or biases. The problem is that the federal government has no business in being in charge of domestic response. Response to a local emergency or disaster is, and must remain the domain of the local authorities who can be held accountable for their preparation and performance - or lack thereof.

    FEMA can do nothing but react to an event and throw more debt at the problem. Unfortunately this leads to problems down the road - not only does it push the federal government closer to insolvency - but it leads to all kinds of expectations on the part of locals who develop the "we'll just sit back and wait for the cavalry" mentality. Not only this, but you end up with gross inequity in the response: federal dollars to New Orleans for Katrina are already about 5 times the aid sent to Florida for four hurricanes combined. FEMA has given out some $600,000,000 in "emergency cash disbursements" so far, with many people upset that only the first 10,000 or so were given $2,000 cash cards. New Hampshire recently saw a few hundred people flooded out and it wouldn't shock me in the slightest if some of them file lawsuit under the equal protection clause asking for $2,000 cash cards, FEMA-paid apartments around the country and the like.

    Local emergencies should be handled by city, the county, the state and then the federal. In that order. And the federal should not be allowed to call any of the shots: they should provide resources only but all decisions should be made by the local leaders.

    --
    If the g'vt kept the data on you that google does you'd better believe you'd be calling it "doing evil"
  3. Checklist for fixing ALL cybersecurity problems by jd · · Score: 2, Interesting
    All the Federal Government needs to do is print out the following checklist and go through it. The same for every corporation. If you can get all of these things accomplished, I can pretty much guarantee you'll be immune to any existing attack method short of physical compromise.


    • Ban .rhosts files. Totally. Sack and/or excommunicate those who use them. There are much more secure ways to have zero-password logins for automatic connections. If using an unencrypted network, ban RSH, RLOGIN and Telnet - use SSH instead. If using IPSec with host authentication by certificates, then you've already got the authentication and encryption covered, so unsecure protocols can be used there.
    • Different channels should get different access rights. Unsecure channels should NEVER have access to secure data. Unsecure channels should NEVER be used to create secure channels, as that is a common point of attack.
    • All servers with confidential data (credit card info, corporate data, missile plans, etc) should have some form of Mandatory Access Control at an absolute minimum, with such data unreachable from ANY combination of program and user other than those combinations specifically designated as having access. For Linux, you're wanting to look at SELinux or GRSecurity. Ideally, you want a B1-compliant OS at a minimum for commercially sensitive data and a B3-certified OS for Government work. Such servers should NOT be directly reachable, they should be accessed ONLY by intermediate servers. As such, we don't care about holes so much (as nobody should be able to reach them) - rather, we care about operations we're specifically allowing users to perform and making sure THOSE are bullet-proof.
    • All intermediate servers should be damn-near 100% free of security holes. We don't care about access controls for these, as they don't have any data. They're merely front-ends. However, because they're first in line for any cyber-attack, they need to be as close to immune from such attacks as possible. THIS is an ideal place for OpenBSD or MirBSD systems.
    • You should have two firewalls in series, pointing in opposite directions, at the entranceway. You want to control what comes into the network, but you ALSO want to control what comes out. That part is often forgotten, and THAT is why many network security strategies fail.
    • Active NIDS systems and authentication systems should live in parallel to the two firewalls. You want them to be able to shut down BOTH firewalls, should EITHER firewall be compromised, which means you have to have direct connections to both. Otherwise, the compromised firewall can simply block your instructions.
    • Servers that should NOT be reachable from the outside should NOT be on a LAN that is visible to the outside. If they need to connect to each other, use a private LAN.
    • If using a centralized authentication system, use Kerberos V. DO NOT use NT domains, NIS+, or any other such method.
    • Since the internal network is likely on private addresses, it would be better to use IPv6 and then have proxies map communication onto IPv4 for the outside world. The reason? It'll seriously bugger up those attack scripts that assume IPv4. It'll also make zombies that do reach the inside ineffective, as many of those will assume IPv4 as well. If IPv4 is not being carried, such software will break.
    • We've defined three types of LAN so far - one LAN inside the firewall connecting to proxy servers, one LAN for secure servers, and bridging LANs linking secure servers to proxies. We need one further network, this time for users. This LAN ONLY connects to the proxy servers. As those can see the outside world, we can use them as proxies to see the outside as much as those on the outside can use them to see the inside.


    If the Department of Homeland Paranoia were to implement such a system, I feel confident they'd score an A on their next evaluation, and would be as close to invulnerable as you can be using a computational system. People may disagree - and probably will - but I'd like to know where they think they'd be able to break in.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
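
An added example, not part of jd's comment or of the original page: a POSIX shell audit for the first checklist item above. It lists .rhosts files, flags "+" wildcard trust entries, and reports rsh, rlogin and telnet services enabled in a classic inetd.conf. The function names, the assumption that legacy services are started from inetd.conf, and the sample tree are constructed here for illustration.

```shell
#!/bin/sh
# Added example: audit for .rhosts files and inetd-launched rsh/rlogin/telnet.

# List every .rhosts file under a home-directory root.
find_rhosts() {
    find "$1" -type f -name .rhosts 2>/dev/null
}

# Print .rhosts lines with a "+" wildcard in the host or user field.
rhosts_wildcards() {
    [ "$#" -gt 0 ] || return 0
    awk '!/^[ \t]*(#|$)/ && ($1 == "+" || $2 == "+")' "$@"
}

# Print enabled inetd.conf services: shell = rsh, login = rlogin, telnet.
# Commented-out entries ("#shell ...") are not reported.
legacy_inetd_services() {
    [ -r "$1" ] || return 0
    awk '$1 ~ /^(shell|login|telnet)$/ { print $1 }' "$1"
}

# audit HOME_ROOT INETD_CONF: report findings, return 1 if any exist.
# Paths containing whitespace are not handled by the loops below.
audit() {
    rc=0
    for f in $(find_rhosts "$1"); do
        rc=1
        echo "FOUND .rhosts: $f"
        rhosts_wildcards "$f" | sed 's/^/  wildcard trust: /'
    done
    for s in $(legacy_inetd_services "$2"); do
        rc=1
        echo "ENABLED in inetd: $s"
    done
    return "$rc"
}

# Constructed sample tree (not real data) so the audit runs offline.
make_sample() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/home/alice" "$root/home/bob"
    printf '# trust everything\n+ +\nbuildhost alice\n' > "$root/home/alice/.rhosts"
    printf 'buildhost bob\n' > "$root/home/bob/.rhosts"
    printf '#shell stream tcp nowait root /usr/sbin/in.rshd in.rshd\n' > "$root/inetd.conf"
    printf 'telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd\n' >> "$root/inetd.conf"
    echo "$root"
}

sample=$(make_sample)
audit "$sample/home" "$sample/inetd.conf" || echo "audit: findings above need remediation"
rm -rf "$sample"
```

On a real host the same functions would be pointed at the home-directory root and /etc/inetd.conf; systems that start services another way need their own check.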
  4. I'm not the CyricZ from GameFAQs. by CyricZ · · Score: 2, Interesting

    I'm not the CyricZ from GameFAQs. My name is Cyric Zndovzny. I think his name is Scott Zdankiewicz. We're different people. I am, however, a vocal opponent of the forums at their site. I found out about that site after somebody pointed out that he was also using the username I'm using here.

    In any case, the mainstream media puts up token opposition. But it's not true opposition in any way. I mean, does NBC really want to point out his flaws? Probably not, considering they're owned by General Electric. And General Electric is in the war industry. And Bush has perhaps been the greatest thing going for such industrialists, considering his interest in starting numerous wars.

    The media is neither conservative nor liberal. It's corporatist. And as such it won't act as the media should, truly questioning the government all of the time.

    --
    Cyric Zndovzny at your service.