Slashdot Mirror


The Boom (Or Bubble) In Federal Cybersecurity

Hugh Pickens writes "The Washington Post reports that the increasing number and intensity of cyberattacks has attracted the attention of the Obama administration and Congress, which have begun steering dollars to the problem. Much of that new spending, estimated at $6 to $7 billion annually just in unclassified work, is focused on the Washington region, as the federal government consolidates many of its cybersecurity-focused agencies in the area. 'I think it is a real growth opportunity in coming years,' says David Z. Bodenheimer, a partner at law firm Crowell & Moring in Washington, who leads the firm's homeland security practice and specializes in government contracts. 'The market is still rather fragmented and in flux, but is developing with such speed that it is attracting both the major defense and homeland security contractors, who are establishing independent business units to pursue these opportunities, and it is also a real opportunity for the smaller players who have niche products.' One reason the field is attracting so many companies is that the barriers to entry are low — at least, relative to other defense industries. But as start-ups and others rush to stake claims, some wonder if a bubble of sorts is beginning to inflate and recall that many venture firms in the early 2000s chased similar prospects. 'A lot of the early people made significant money,' says Roger Novak, founder of Novak Biddle Venture Partners. 'But there were [also] a lot of "me too" companies.'"

3 of 72 comments

  1. lawyerspeak for dummies by Hognoxious · Score: 5, Insightful

    'I think it is a real growth opportunity in coming years,' says David Z. Bodenheimer, a partner at law firm Crowell & Moring in Washington, who leads the firm's homeland security practice and specializes in government contracts. 'The market is still rather fragmented and in flux, but is developing with such speed that it is attracting both the major defense and homeland security contractors, who are establishing independent business units to pursue these opportunities, and it is also a real opportunity for the smaller players who have niche products.'

    Translation follows:
    "Nobody has the faintest fuck of a clue what they're doing, but they desperately want to be seen to be doing something and so they're throwing money at anything. Get in right now and make out like a bandit while you can!"

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  2. What most of this "IT security work" really is... by brennz · Score: 4, Insightful

    Most of the work involves commodity certification & accreditation (C&A), which involves the following:

    Phase 1
    a "system owner" (Govt IT manager) has staff prepare documentation of the security controls implemented on a "system" (Logical grouping of computers). The security controls are in NIST 800-53, this is FISMA in action.
    C&A process http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf
    NIST Controls http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf
    NIST Audit process http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-53-A%20Rev.%201

    Phase 2
    A certification agent comes in, assesses the system using tools and configuration analysis. This is heavily slanted towards audit, instead of true security analysis.

    Phase 3
    A senior executive (Authorizing official) makes a decision about the risk acceptability of the system to operate, and may make the system owner do corrective action. The system then moves into continuous monitoring (phase 4).

    That is how certification and accreditation operates in theory. Now I am going to tell you how the system is gamed.

    Phase 1 implies that you actually have competent IT security professionals on hand, performing work for the system owner. This is a false assumption. Most system owners don't know security, nor do their staff.

    Phase 2 - First of all, the certification agent companies don't understand security. They can talk the talk (CISSP) but have no solid IT / IT security expertise (they are not security testers). Many certification agents will not even test systems. They play a game of bringing in cheap staff or running vulnerability scanners, then passing the results off as "penetration tests". The amount of utter garbage in the field is amazing. Even worse, the reports they write up are audit garbage. If you asked most certification agents about a security methodology, they haven't heard of the OSSTMM or similar. They use NIST 800-53A (heavily audit driven), then they write up meaningless reports, equating technical weaknesses with gaps in policy.

    Phase 3 - The vast majority of government executives are clueless when it comes to IT. They know a little bit, like the name of an operating system (Linux - buzzword - yay!) but not much else. So, they are easily led astray. Most will allow a system to operate regardless of how bad it is, based on a horrible security review performed by incompetent certification agents, on a package made by the almost as clueless system owner and his staff.

    After a system gets an authorization to operate, many staffs stop doing all security for 3 years, until the next C&A comes around.

    It is not uncommon for a federal cabinet level agency to have 300+ systems, with 300+ system owners, with 300+ completely separate, unique and underfunded security implementations that have more holes than swiss cheese.

    If you notice, what is missing from above is actually rigorous security analysis. Code is rarely audited. Configurations are rarely checked 100%. Policy is viewed as important as technical controls. Most testing is a wash. Penetration tests are vulnerability scans by nitwits.

    And you wonder why the Chinese are plundering the US govt on a daily basis?

  3. One snake-oil bubble, coming right up! by King_TJ · Score: 4, Insightful

    This cyber-security stuff is largely nonsense, IMO.

    The fact is, the Internet was designed from the ground up to support flexible and open standards, and it makes certain assumptions about the credibility and honesty of those put in charge of its routing. (I was just reading an article complaining about the lack of "action" taken after the Bush administration did a security review of the Internet back in the 2003 time-frame and determined it was, indeed, quite possible to take down the entire Internet in a matter of hours or less, thanks to weaknesses in how traffic is routed. The fact is though, all the major ISPs expressed NO interest in changing the current system -- because they realize that would still require a "central authority" someplace to determine the "correct" routes traffic should follow to get from point A to B. The current system is rather like trying to drive on a road trip from, say, Dallas to San Francisco, except you have no road map in advance. You simply start out on your journey and follow the road signs as you go, until you arrive. Except in the case of the Internet, even those "road signs" aren't controlled by any central authority. If someone accidentally or purposely changes one, traffic gets shunted in the wrong direction (possibly to a destination router that just black-holes all of it, since it wasn't expecting it).)

    As we can see though, it generally works quite well, because the people doing most of the heavy-duty routing are ISPs with a vested interest in making sure it keeps performing well. If and when something goes wrong, they tend to pick up the telephone and start making phone calls, getting people to intervene and make manual routing changes to eliminate the problem.

    As you look past this supposed "security weakness" and get more detailed about security of individual destination points on the Internet, you see a similar situation. People bitch and moan about security issues (PCI compliance, for example), and spend thousands of dollars trying to address it. Yet in the end, you still HAVE to place trust in your employees. If they're willing to let outsiders in to get information you're trying to protect? All bets are off, no matter how much you spend on the latest "next generation firewall solution" or what-not. (Remember the huge credit card breach AOL had a while back? Turned out to be an inside job.)

    Right now, as an I.T. manager, I'm seeing a large number of start-up and obscure "computer security" businesses trying to get my attention. I was just invited to listen to a presentation given by Palo Alto Networks, for example, followed by a free pre-screening of Iron Man 2. (Yep, I went.... not a bad way to get our attention, actually!) But the presentation honestly didn't tell me anything new. It was full of a bunch of well-heeled customers of theirs talking about liking the device, and their founder making a few rather arrogant comments - suggesting they were going to be huge in the future, because unlike most companies doing firewalls, they were focused on "innovation". He commented that "Checkpoint hasn't innovated in at least a decade." and "Cisco has NEVER innovated at all. They just bought a bunch of start-ups."

    I can't speak for the quality (or lack thereof) of their product, but I CAN say that it was exactly what I was expecting them to try to sell.... another "next gen firewall/traffic flow controller" device that tries to "wow" middle and upper management types by acting like they've unlocked a huge revelation, by realizing that port and IP based firewall rules aren't the complete answer for companies today.

    Funny, but I think Rapid7 was just calling, trying to get me to attend a seminar about THEIR product that was essentially the same idea, and to hear them talk, THEY thought of it all first, too.

    A lot of people see a chance to grab some money thanks to fear of the unknown out there, and they may have products that really DO address specific scenarios really well. But I'm convinced most companies would b