DHS Offering Free Vulnerability Scans, Penetration Tests

tsu doh nimh writes: The U.S. Department of Homeland Security (DHS) has been quietly launching stealthy cyber attacks against a range of private U.S. companies -- mostly banks and energy firms. These digital intrusion attempts, commissioned in advance by the private sector targets themselves, are part of a little-known program at DHS designed to help 'critical infrastructure' companies shore up their computer and network defenses against real-world adversaries. And it's all free of charge (well, on the U.S. taxpayer's dime). Brian Krebs examines some of the pros and cons, and the story has some interesting feedback from some banks and others who have apparently taken DHS up on its offer.

The TSA does this every day

[mveloso]

Most people don't enjoy the TSA scans and penetration tests, but I guess different strokes for different folks.

Re:The TSA does this every day

[rtb61]

Nothing funny, legally it is a very bad idea as under law the DHS is allowed to lie to you, so the penetration tests have, under law, zero value. They are far more likely to not declare any holes they have found in case they can use them for investigatory purposes or put holes in place they can use for investigatory purposes. Basically under law you can not trust US investigatory agencies unless any those claims and declarations are made in a court of law, the only place they are legally required to tell the truth. Stupid people routinely write stupid laws and routinely allowing them to lie is as stupid as it gets.

It's a trap!

[Nidi62]

The newest scam call: (cue heavy Russian accent)"Hello, my name is Steven. I am calling from the Department of your Homeland Security and am definitely not former KGB agent. For limited time only we are offering free computer vulnerability scans and identity theft testing. Please give us your computer login credentials and bank information that we may begin our testing."(end heavy Russian accent)

Re:It's a trap!

[DoofusOfDeath]

(end heavy Russian accent)

Glad you remembered closing tag. Otherwise rest of comments would also have Russian accent.

Re:It's a trap!

[alexhs]

Now you closed it a second time ! Let's match opening and closing tags !

(cue heavy Russian accent)

Voilà ! Much better now.

A physicist, a biologist and a mathematician are sitting in a street café watching people entering and leaving the house on the other side of the street. First they see two people entering the house. Time passes. After a while they notice three people leaving the house. The physicist says, "The measurement wasn't accurate." The biologist says, "They must have reproduced." The mathematician says, "If one more person enters the house then it will be empty.

Sounds easy enough.

[NMBob]

...and all you have to do is install this one little piece of code. It will delete itself when the test is over. Really! Honest! ...What are you looking like that for!?

OPM only had to do it once...

[Defenestrar]

I'm sure they're very thorough. You can have your system vetted and as secure as OPM.

Re:OPM only had to do it once...

[Fire_Wraith]

One of the problems that the US-CERT/ICS-CERT/etc folks at DHS had (aside from the fact that they were/are forced to be part of DHS) was that while they could tell various Federal agencies that their systems had more holes than swiss cheese, what they didn't have was the authority to tell other federal agencies that they had to fix it, or else. I believe there's been a push to try and fix that problem, though I'm not aware of how far it's come, and it certainly wasn't in time for OPM.

I used to work there, in fact (at least until I found something in the private sector that was better for my sanity/soul/salary*). While I'm not familiar with anything to do with OPM in specific, that sort of scenario popped up all the time. It works much the same in the private sector, in that you can be the best pentester in the world, but if the customer you ran it for doesn't intend to spend the money fixing the holes you pointed out, or drags their feet in doing so, they're still going to get owned despite your best efforts.

As to whether DHS is competent - I knew a lot of really good people (and some less so) when I was there. I know many that went on to work at better jobs doing more interesting things in the private sector, for better pay, so the best of the best aren't going to stick around, but that doesn't mean there aren't competent people there. ICS-CERT (the group focused on critical infrastructure/control systems/etc) in particular always seemed pretty competent to me, and are probably about as different from the usual impression of DHS as you'd expect. To give an example, they showed up at Defcon this past year with an awesome hands-on setup, including an entire mock plant setup with all the controllers that people were free to plug in to and go nuts. (Granted, they never mentioned the fact that they were DHS, but then, would you?)

So certainly I wouldn't expect DHS to be outdoing the best of the best when it comes to penetration testing, but for that municipal water plant in West Nowhere, Texas, that doesn't have the money to hire the best, it's a much better solution than just not doing anything.

Get out of jail free.

[xxxJonBoyxxx]

>> The problem is that it measures only a very limited subset of of the vulnerability space but comes with a gold plated get out of jail free card: ‘The US government came and checked us.’

This.

>> They say they are doing it only for organizations that cannot afford commercial assessments, but they often go to organizations that have deep enough pockets.

Simple solution: put in a regulation that says if you get breached, you agree to take down your online services for two weeks to get your house in order. Something like that would free up money for preventative solutions in a hurry. Furthermore, we KNOW the inspected organizations have some security personnel (which aren't cheap) because the permission form asks for specific contacts who might be smart enough to interpret any results.

Re:Get out of jail free.

[schwit1]

What is the punishment for government agencies? OPM knew they had been hacked for a long time but CHOSE to remain online so OPM business was not interrupted.

Why is this free of charge?

[rsborg]

Another example of corporate welfare... pen-testing costs time and money, why should I as a taxpayer be out this money?

Weird use of Government resources

[avandesande]

How about publishing a set of standards and tests that critical infrastructure companies must utilize?

Re:Weird use of Government resources

[Culture20]

it's really just a way for them to legitimize their own hacking and data collection habits.

It's like the local fire department asking if there are any fields farmers would like to burn or houses they can burn for practice stopping fires.

'DHS' and 'penetrate' . . .

[mmell]

Are these even words we ever want used in the same sentence?

Re:The Government is better because why?

[s.petry]

As a veteran and a person who has worked in IT for Government, Medical,Insurance, Automotive, DOD, and Telecom, I say you are simply wrong. Medical care in the US is not a private market, it's a government controlled monopoly. Having the direct authority for care, like the VA, is simply putting the biggest turd on the top of the pile.