Slashdot Mirror

← Back to Stories (view on slashdot.org)

DHS Offering Free Vulnerability Scans, Penetration Tests (krebsonsecurity.com)

Posted by timothy on from the from-government-here-to-help dept.

tsu doh nimh writes: The U.S. Department of Homeland Security (DHS) has been quietly launching stealthy cyber attacks against a range of private U.S. companies -- mostly banks and energy firms. These digital intrusion attempts, commissioned in advance by the private sector targets themselves, are part of a little-known program at DHS designed to help 'critical infrastructure' companies shore up their computer and network defenses against real-world adversaries. And it's all free of charge (well, on the U.S. taxpayer's dime). Brian Krebs examines some of the pros and cons, and the story has some interesting feedback from some banks and others who have apparently taken DHS up on its offer.

1 of 79 comments (clear)

  1. Re:OPM only had to do it once... by Fire_Wraith · · Score: 5, Interesting

    One of the problems that the US-CERT/ICS-CERT/etc folks at DHS had (aside from the fact that they were/are forced to be part of DHS) was that while they could tell various Federal agencies that their systems had more holes than swiss cheese, what they didn't have was the authority to tell other federal agencies that they had to fix it, or else. I believe there's been a push to try and fix that problem, though I'm not aware of how far it's come, and it certainly wasn't in time for OPM.

    I used to work there, in fact (at least until I found something in the private sector that was better for my sanity/soul/salary*). While I'm not familiar with anything to do with OPM in specific, that sort of scenario popped up all the time. It works much the same in the private sector, in that you can be the best pentester in the world, but if the customer you ran it for doesn't intend to spend the money fixing the holes you pointed out, or drags their feet in doing so, they're still going to get owned despite your best efforts.

    As to whether DHS is competent - I knew a lot of really good people (and some less so) when I was there. I know many that went on to work at better jobs doing more interesting things in the private sector, for better pay, so the best of the best aren't going to stick around, but that doesn't mean there aren't competent people there. ICS-CERT (the group focused on critical infrastructure/control systems/etc) in particular always seemed pretty competent to me, and are probably about as different from the usual impression of DHS as you'd expect. To give an example, they showed up at Defcon this past year with an awesome hands-on setup, including an entire mock plant setup with all the controllers that people were free to plug in to and go nuts. (Granted, they never mentioned the fact that they were DHS, but then, would you?)

    So certainly I wouldn't expect DHS to be outdoing the best of the best when it comes to penetration testing, but for that municipal water plant in West Nowhere, Texas, that doesn't have the money to hire the best, it's a much better solution than just not doing anything.