Contractors Pose Cyber Risk To Government Agencies (betanews.com)
Ian Barker, writing for BetaNews: While US government agencies are continuing to improve their security performance over time, the contractors they employ are failing to meet the same standards according to a new report. The study by security rankings specialist BitSight sampled over 1,200 federal contractors and finds that the security rating for federal agencies was 15 or more points higher than the mean of any contractor sector. It finds more than eight percent of healthcare and wellness contractors have disclosed a data breach since January 2016. Aerospace and defense firms have the next highest breach disclosure rate at 5.6 percent. While government has made a concerted effort to fight botnets in recent months, botnet infections are still prevalent among the government contractor base, particularly for healthcare and manufacturing contractors. The study also shows many contractors are not following best practices for network encryption and email security.
No fucking shit.
The Feds' Office of Personnel Management 2015 data breach wins (or loses) hands down. Not only an employee's personal info but family members and others included in "security" background checks. So, yeah, about those negligent contractors...
In light of trying to dodge obligations and shortchanging the people doing the work, perhaps they might want to actually hire directly or have contract firms provide better conditions/terms.
"Forget the engineers." -Carly Fiorina, briber of MIT Technology Review.
Don't trust it
Stop forcing them to install backdoors and you solve half of all internet security problems.
Manning, Snowden, and Winters were not H1B.
It little behooves the best of us to comment on the rest of us.
"I don’t want to paint with a broad brush here, but every single contractor in the world is a miserable, incompetent thief."
Just tie the security clearances of the company's executives to the company's security. If the company's security is compromised, the executives lose their security clearances, leaving the corporation with two options: replace all the executives or forfeit its government contracts.
Anons need not reply. Questions end with a question mark.
They worked for lowest-bidders who squeeze as much profit out of the contracts as they can while still paying bonuses to executives and lobbyists, and kickbacks to government officials and lawmakers who gave them the gigs in the first place.
The reason the gov relies on contractors so much is that its self-imposed bureaucracy inhibits adding manpower any other way. To add a military member or federal civilian into the manpower pool can require years' worth of paperwork, whereas contracting can be done in weeks or months. On the flip side, to remove a federal civilian takes an act of God if they have tenure, but a contractor can be removed near instantly. In general, most of the problems the government faces are due to its own self-imposed red tape and backroom deals done by entrenched officials that face no such hurdles.
Vault 7, WannaCry, Intel AMT breach, CISCO lawful intercept.
None of these were breaches caused by government mandated backdoors.
Too bad nobody cares. Especially NY and CA, lots of abuses there. But it's about grabbing the cash and using cheap labor, not about delivering a product.
A... *gasp* CYBER risk!
All I can think of, is: Cyber Cyber Cyber Cyber.
In Germany, we have a word for people who use that word: Internetausdrucker. People who print out the Internet.
AIA, a trade group, said 700,000 jobs were in the clearance process. This hurts national security, not helping. Robert Oppenheimer losing his clearance was obviously politically motivated. Junk it.
The clearance system sounds logical. It is not. It is completely arbitrary. -- John Bolton
Did you read all the NDA?
You mean Cisco and Intel and Microsoft installed backdoors without government pressure?
That's even worse.
And that is exactly the problem. The "proper" employees are not a risk, because they cannot even get the work done. The second problem is that the process to get a clearance is based on a completely broken perception of the world. You cannot evaluate whether somebody has honor, loyalty and integrity, and their history, friends, family, etc. do not indicate so either. At the same time, even somebody deeply loyal may suddenly find they are more loyal to their species than to some scummy government agency trying to screw everybody over.
The only way to prevent loyalty problems with contractors is to a) pay them well, b) treat them well and c) not do evil crap that they may rightfully object to. Of course, all three are beyond what a dysfunctional government agency can do, so leaks (and sabotage) will continue to happen.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Looking at why India is so fucked up, it's easy to see: they do the minimum amount of work to pass the blame to someone else.
It's cultural.
It's a ticking time bomb in most software from Apple, Microsoft, VMware, etc.
It would also help to require that they not have been proven to have been doing unethical work during the past, say, five years. (I didn't say illegal, I said unethical. Unfortunately, that makes the term "proven" a bit difficult to define. Also the term unethical. So you'd need to set down certain minimum requirements that would substitute.)
I think we've pushed this "anyone can grow up to be president" thing too far.
Point?
Doesn't contract
The government loves contractors because (a) it absolves the gov of responsibility when things go wrong - "bad contractor", and (b) contractors can be hired and fired "at will" - something that the good ol' conservatives have always salivated over.
The idea is to walk the persons history. Their teachers, college, friends, family, extended family. Who they grew up with. What they read. Their politics, faith, role in a wider community. Bank account, cost of rent, home loan, other spending, hobbies, a criminal deviant lifestyle.
The experts at the FBI have some idea if a person is going to go full split loyalty at work and support another nation, cult, faith, political system over the USA.
Can a person be open to black mail? Need to seek funds from another nation to cover their hobby, addiction, need for luxury beyond their gov/mil wage?
Was the person political at university? Spend time with friends who are all criminals? Know lots of journalists who write about whistleblowing? Know a lot of activist human rights lawyers? Show an interest in faiths and cults that are incompatible with US mil/gov security?
Spend time being an activist online?
Most of that can be discovered when looking to work for the US gov/mil with a few interviews and by looking back over a person's education, their friends, their spending patterns, internet usage, family and teachers.
The US gov kept all real time use of early social media and web sites, later social media.
Every face, party picture, holiday, political slogan, direct support for the actions of a faith and cult.
The security services do not have a "completely broken perception of the world". They know exactly who they want and who can keep all secrets for decades.
Contractors break that security the US once had in place by demanding to bring over their now staff who "once" had a clearance, who just need a clearance "updated". Failed staff keep getting gov/mil work by using their contractor as cover.
All kinds of people can then get let in, who never faced better security investigations.
The ability of a contractor to demand they get to bid on work with their self cleared workforce is the problem.
The party political demands that the US gov and mil start to accept criminals and other very bad people of faith due to political correctness.
Domestic spying is now "Benign Information Gathering"
Complete bullshit. The idea is to intimidate the candidates and identify those openly not intimidated. These then fail. With all others, they hope they stay intimidated.
You are just regurgitating propaganda. Look at what screenings high-level defectors and leakers went through to get an idea about how well that screening actually works.
Since they apply for classified government work, "unethical" is pretty much part of the job description.
And yet nothing you listed has anything to do with the issues listed in the summary: "botnet infections", "network security", and "email security". The current problems have very little to do with your list, unless you're claiming that very "unethical contractors" are the ones running the botnets and purposely compromising network security.
The absolutely most loyal network admin will have a difficult time stopping end users from clicking on phishing emails. Stupidity doesn't stop because of "patriotism".
The REAL problem is the contractors are not forced to follow already existing security publications. My current position deals directly with this; I'm working on finishing up NIST 800-171 compliance for a DoD contractor. My ability to hit the various requirements, implement the STIGs, has ZERO to do with my extended family, faith, or feelings on human rights. The correct "separation of powers" in our IT means that even if I wanted to somehow compromise our network, other people working there would notice pretty quickly. I may implement a GPO, but my boss gets a report on what GPOs have been modified and by whom, for example. I'm not the only person running STIG audits, I'm not the only person at our company doing "security related stuff".
What REALLY needs to happen is the feds need to step up on their compliance audits; first going over EVERY department on a 800-171 or 800-53 (for the actual DoD) level...and work their way out down the contractor tree. IMHO, our "election system" should be at least 171 compliant but "STATES RIGHTS!" get in the way.
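The "which GPOs were modified and by whom" report described in the comment above is a small detection task: filter Windows Security Event ID 5136 ("A directory service object was modified") down to objects of class groupPolicyContainer and flag edits by accounts outside the approved GPO-editor set. The code below is an added example, not the commenter's own tooling; the key=value export format, the account names, the GPO GUIDs and the approved-editor set are all constructed for illustration.

```python
"""Who-changed-which-GPO report from Windows Security event records.

Added example (not from the original thread). Assumes events have been
exported one per line as Key=Value fields (constructed format; a real
deployment would pull them from Get-WinEvent or a SIEM).
"""
import re
from collections import defaultdict

FIELD_RE = re.compile(r"(\w+)=(\S+)")
# GPOs live under CN=Policies,CN=System; the GUID is the GPO's identity.
GPO_DN_RE = re.compile(r"^CN=(\{[0-9A-Fa-f-]+\}),CN=Policies,", re.IGNORECASE)

# Constructed sample records: two GPO edits by jdoe, one user-object edit,
# one GPO edit by a contractor account, and one unrelated logon (4624).
SAMPLE_EVENTS = """\
EventID=5136 Time=2017-11-14T09:12:03Z Subject=CORP\\jdoe ObjectClass=groupPolicyContainer ObjectDN=CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=corp,DC=example Attribute=versionNumber
EventID=5136 Time=2017-11-14T09:12:04Z Subject=CORP\\jdoe ObjectClass=groupPolicyContainer ObjectDN=CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=corp,DC=example Attribute=gPCMachineExtensionNames
EventID=5136 Time=2017-11-14T11:40:51Z Subject=CORP\\svc_deploy ObjectClass=user ObjectDN=CN=Alice,CN=Users,DC=corp,DC=example Attribute=description
EventID=5136 Time=2017-11-14T17:55:10Z Subject=CORP\\contractor7 ObjectClass=groupPolicyContainer ObjectDN=CN={AAAAAAAA-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=corp,DC=example Attribute=versionNumber
EventID=4624 Time=2017-11-14T17:56:00Z Subject=CORP\\contractor7 ObjectClass=- ObjectDN=- Attribute=-
"""


def parse_events(text):
    """Turn each non-empty line into a dict of its Key=Value fields."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def gpo_modifications(events):
    """Keep only 5136 events that touched a GPO container.

    Returns {gpo_guid: {account: sorted list of changed attributes}}.
    """
    changes = defaultdict(lambda: defaultdict(set))
    for ev in events:
        if ev.get("EventID") != "5136" or ev.get("ObjectClass") != "groupPolicyContainer":
            continue
        m = GPO_DN_RE.match(ev.get("ObjectDN", ""))
        if not m:
            continue
        changes[m.group(1).upper()][ev["Subject"]].add(ev.get("Attribute", "?"))
    return {g: {a: sorted(attrs) for a, attrs in accts.items()} for g, accts in changes.items()}


def build_report(events, authorized_editors):
    """Report lines plus the accounts that edited GPOs without being approved.

    The approval check is the separation-of-duties control: an admin can
    push a GPO, but a second person sees who did it and whether they should have.
    """
    lines, unexpected = [], []
    for gpo, accts in sorted(gpo_modifications(events).items()):
        for acct, attrs in sorted(accts.items()):
            flag = "" if acct in authorized_editors else "  <-- not an approved GPO editor"
            lines.append(f"{gpo} modified by {acct}: {', '.join(attrs)}{flag}")
            if flag:
                unexpected.append(acct)
    return lines, unexpected


if __name__ == "__main__":
    # Constructed approved-editor set; contractor7 is deliberately absent.
    for line in build_report(parse_events(SAMPLE_EVENTS), {"CORP\\jdoe"})[0]:
        print(line)
```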
Don't click on his homepage link! creimer is trying to get you to subscribe automatically to his youtube channel and make money off you!
CREIMER' SUBMISSIONS UPDATE: /. so make sure to go to:
Note also that creimer is trying to regain karma by getting his submissions published as articles on
https://slashdot.org/~cdreimer
https://slashdot.org/~criss69
https://slashdot.org/~Anonymou...
https://slashdot.org/~FatCashe...
https://slashdot.org/~ILoveFat...
https://slashdot.org/~IHateFat...
https://slashdot.org/~IAteFatC...
https://slashdot.org/~ITapeFat...
https://slashdot.org/~IApeFatC...
https://slashdot.org/~IPrayFat...
https://slashdot.org/~FatCashe...
and mod down his submissions as well. The great thing is that you don't even need mod points to mod down a submission, just click on the "minus" icon!
Yes, believe it or not, creimer owns all the above sock puppet accounts. It is a mystery why Slashdot management tolerates it!
creimer wrote:
I don't bother with mod points. I'm doing something much more sinister. It took ten story submissions (I'll have to double check the number) to move cdreimer's karma from neutral to excellent without ever being exposed to the capricious mods. Mmmmmwwwwahahahahahahaha!
https://slashdot.org/comments....
Danger, Will Robinson, Danger! Creimy is posting more than 2 posts a day. Hurry! mod down otherwise /. will go to hell again!
Note: you can mod down even if already at -1 to lower karma and to prevent lost /. users to accidentally mod up.
creimer wrote:
All you need to do is find a website with a permissive TOS, say, Slashdot, create a Python script to scrape your own comments, sprinkle Amazon affiliate links in various posts, and then re-post past links whenever possible. Won't be long before you start making "coffee money" each month.
https://slashdot.org/comments....
C.D. Reimer is a renowned Slashdot collaborator, as he puts it himself: "Because of the quality of my posts and my article submissions, I'm a highly rated commentator and moderator."
But has anybody ever wondered what "C.D." stands for? Well, it stands for Creimy Dumpty of course!
Creimy Dumpty sat on the wall,
Creimy Dumpty had a great fall.
All the king's horses
And all the king's men
Couldn't put Creimy Dumpty
Together again.
Creimy's siblings video and theme song, very realistic, especially the pants, just like Creimy's:
https://www.youtube.com/watch?...
With "Vice President Pence Vowing US Astronauts Will Return To the Moon", we are sure they will need miracle workers up there, here is what it would look like. Note that Creimy takes care of bringing a lot of food to the moon as depicted below:
https://www.youtube.com/watch?...
Creimy's real pictures:
Before the sex change:
https://ibb.co/cc7Ddw
After the sex change:
https://ibb.co/gVad65
Creimy's "enterprise-level" chair, he talks about it all the time on slashdot:
Indeed, let's go Team creimer let's GO
Never give up on your dreams Team Creimer!
Never mind those hump-leg noob creimertard trolls!
Team Creimer dreams:
https://www.youtube.com/watch?...
I have just closed my eyes again
Climbed aboard the Team Creimer train
Driver take away my worries of today
And leave tomorrow behind
Team Creimer, I believe you can get me through the night
Team Creimer, I believe we can reach the morning light
Fly me high through the starry skies
Or maybe to an astral plane
Cross the highways of fantasy
Help me to forget today's pain
Team Creimer, I believe you can get me through the night
Team Creimer, I believe we can reach the morning light
Though the dawn may be coming soon
There still may be some time
Fly me away to the bright side of the moon
And meet me on the other side
Team Creimer, I believe you can get me through the night
Team Creimer, I believe we can reach the morning light
You must follow the instructions so that we may exchange keys and have encrypted conversations right in front of TEAM CREIMER!
After you have completed this task I will reveal the location of 1tb of multiethnic tranny porn. If your exposure to creimer has made you too slow to execute this task without special assistance then please post any questions as AC and I will answer them!
This link contains directions for FatCashewsLovesMe (and not creimer) to get into the NO CREIMER CLUB. A place exactly like slashdot except with unicode support and creimer can't see it!
Now remember DO NOT CLICK the link if you are creimer! Not even a peek! I mean it now!
https://pastebin.com/jzYrfipr
And fail. (Not your fault, it is easy to fall for this.) Compliance does not create security. In actual reality, it _decreases_ it, because it reduces mental capabilities available to understanding.
The only thing that creates security in people that must have "access" is understanding of what they do. Hence a) make sure all people with access to sensitive data really have a clue how things work and b) make sure they have personal integrity. No, a regular "screening" will not accomplish this. Also c) don't do evil things that will rub people with personal integrity the wrong way. Especially c) is often infeasible for government agencies, because they often are evil by design, not only by policy. Item a) makes people expensive and item b) very often makes them not want to work for the government in the first place.
So, no, I do not think this can be fixed. Just the same as "laws" do not fix "crime". In many cases they create it and without good reason.
Well, this article isn't about working "for the government" really; most contractors (especially the mentioned health care and aerospace) have multiple clients. My workplace has a 30% DoD involvement level. We don't deal in CUI (Controlled Unclassified Information), but Transactional Information. Both of these are several steps below anything like what Snowden revealed. Thus why we fall under 800-171 instead of 800-53.
I'm assuming you're not intimately familiar with these NIST publications, the related STIGs, and so forth. I can guarantee the contractors who have had breaches did not implement items such as "Microsoft Windows 10 STIG - Ver 1, Rel 12", "Database SRG - Ver 2, Rel 8", etc. The Win10 STIG itself has almost 300 very precise requirements; to the point of "if Registry Key XYZ is not found this is a finding".
Compliance with these does create one part of the security model. There is no real way of testing for "personal integrity" outside of a clinical setting; intelligent people with no "personal integrity" can fake it for a long time even hiding it from close friends and family. Low-order sociopaths are quite common in the business world, especially as one moves up the management ladder. They would claim to have "personal integrity"...BUT their definition would be more along the lines of "keeping my person ahead of everyone else and my social standing integrity intact".
Compliance to the publications like 800-171 and 800-53 _increases_ "mental capabilities available to understanding" because to implement them properly you have to have a deep holistic understanding of various underlying technologies, people's psychological reactions (to make effective training), foreign relations (to know which APT are out there and just what vector they might be using), etc.
Case in point, stopping "email phishing" requires both a technical AND personnel approach. You need to implement various safeguards to stop the bulk of the attacks, AND need proper training for end-users to correctly deal with anything that gets past those safeguards. Neither one by itself will be effective due to the constantly evolving nature of threats. Technologies like Mimecast can stop 90%-95% of attacks getting through, properly configured GPOs can help stop other issues that slip past that; but attackers will craft some way that will eventually slip past. That's the whole reason for "risk management"; you have to accept that something bad will eventually happen and have procedures in place to quickly return to a stable operational state. Off-site encrypted backups, disaster recovery contracts, keeping up vendor warranties...
This whole conversation (not yours in particular, but TFA in general) seems to have taken a pear-shaped turn into the "evils of TLA agencies". While that is a worthwhile (and VERY critical) conversation to have for a functioning democracy, the original summary was about the failings of contractors to follow basic security guidelines. Not some "hard to define" ideals like "personal integrity", but very specific guidelines that have existed for years and are (mostly) freely available to the public at large. If every government agency would just "do their job" in regards to ITSec and follow the REQUIRED published guidelines, many of these breaches would have been stopped.
I don't have technical knowledge on things like the OPM hack, but I am willing to bet that that breach (in the way it actually happened) could have been avoided if they had bothered to properly implement 800-171. Personally, I feel that ALL companies that deal with any financial data (looking at you EQUIFAX), health information, or other "personal sensitive data" should be required to follow NIST guidelines. It should be part of regulatory requirements; unfortunately our current administration is moving towards "less burdensome regulations" rather than towards compliance, so we should expect to see breaches like this happening far more often in the future.