Posted on Oct 26, 2015
SGT Vehicle Operator/Dispatcher
I saw something this past drill that has me pretty concerned. Concerned enough that I went to my PSG and requested to give a class on Cyber Security / PII. What I saw was an NCOER saved on a "public" computer. When I opened it, I saw the full name and social of the NCO being evaluated. Plus, the full name and social of his 3 supervisors. If I were malicious, that would be a gold mine to me.

Now, as I was giving my class, my PLT seemed disenfranchised by what I was telling them and what I can do to them if I were to receive that information.

A couple years ago, I watched an E-9 give an E-7 his/her CAC card. I then heard the E-9 yell out his/her PIN number as E-7 walked away (along with several other soldiers I was by). That is a HUGE security breach.

OPM security hack should never have happened. Management didn't care about security therefore neither did the employees.

State Department - According to the IG, under Hillary Clinton, the security at the State Department started to decline and continued to decline with her successor.

At home, I have a full blown UTM with a managed switch. I have one port dedicated to this: all incoming and outgoing packets get dumped there into an IDS/IPS. My UTM has an IDS/IPS built in also. I also have a honey pot setup. All of this is done with recycled systems people didn't want anymore and ALL done with free software.

The only thing that cost me real money was the managed switch (don't remember the actual cost but it was over $300).

My system has had attempted breaches originating out of China, but I have been able to block them thus far. If I can do this on my own, why the HELL can't the US GOVT, with all of its resources, spend the damn money to secure its network and put together a decent IA Awareness Program?

The one the military currently has sucks. An IS program would be better suited to bring in the home networks that people have and say hey, you use these at work, you can also use them at home. And not just say this is our network and they are only attacking us. Hackers attack ANYONE. Period. Whether it's to use your system to store child pornography, pirated music/movies etc.

This is a rant. I know and I am sorry. But I'm irked about all of this and I'm also sleep deprived due to my civilian employment and trying to get stuff done. If anything doesn't make sense, let me know what it is and I will try to clarify.
Posted in these groups: Informational Security
Responses: 6
SSG Warren Swan
1. Great job recognizing a problem, and even better having a ready made solution. Lots of folks would've just walked on.
2. Kudos on your system. Most don't even know what a "honey pot" is.
3. What you are able to do successfully on your home system or even through a small enterprise system is a lot different than what's found in the civilian world. I'm blown away by some of the things DOD did that actually made sense, but in the civilian world are NOT done. I've even brought this up to my supervisor and he shook his head. I think he knew it was wrong. But trying to make a large scale enterprise work when everyone wants their system set up their way is what would bring on some serious headaches as a SA or network admin. None of them match, yet they all claim to be "secure". Also some of the best data hacks are on UNCLASS because folks want to talk about everything, and if you can get two emails that form a picture, more than likely you'll score the third which will give a complete picture that is needed. Loose lips sink ships...but no one wants to take it seriously until they are on FB with multiple profiles, their credit is jacked, or you're emailing yourself with the standard scam from Nigeria. How are you going to write yourself a million dollar check?
Don't give up. Sooner or later, YOU'LL be the one who can look back and say you made someone more aware, and if you helped one person, that's a success. You won't be able to save them all.
Sgt Aaron Kennedy, MS
"Big Sky little bullet." It's a phrase I once heard when asked about the deconfliction of Artillery and Air Assets. I'm "pretty sure" it was said in jest. Much like NASA doesn't worry about comets running into the Earth for the most part.

A lot of Cyber is like that. "If" you take reasonable > some > none > flaunting safe practices, you are fairly safe, just because "you're one sheep in a crowd of sheep." It's when you start drawing attention to your self by being a heavily armored sheep that you end up looking like a tasty morsel.

The people go after OPM, and government sites not because of the quality of the data, but because of its quantity. High pay-off targets. They went after SONY because of the quality (and quantity to a lesser extent).

Now, you used a couple examples. The E9 didn't sweat it, because it didn't matter. Just like me saying my PIN number to my bank card in front of my kid doesn't matter. Controlled card plus trusted people. You have to have multiple failures for it to become an issue. Is it a bad practice? Sure.

Now, I'm a firm believer in the vigilance concept. People should be doing the right thing every time. But sooner or later the minutia is just going to become overwhelming and stupid. I have one company website I use that doesn't allow me to use the same password as within the last 6 months, must contain cap, special character, number, and cannot contain words in the dictionary. Do you know how hard that is without writing them down? When policies like this are instituted, bureaucracies start breeding "mold pits" where OPM and "Private servers" happen.
SGT Vehicle Operator/Dispatcher, 9 y
At home I have a password policy that requires complexity; the minimum length is 16 characters and you can't use the last 24 passwords. I tell people to use passphrases. They're easy to remember. Such as My D0g !5 B3tt3R Th@n Y0ure D0g. I also use white space in passwords. I'll elaborate more on my thoughts when I get some free time today, though.
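An added example (not code from the original thread) that turns the policy stated in the reply above into a checker: minimum length 16, mixed character classes, whitespace allowed, and no reuse of the last 24 passwords. Previous passwords are kept only as salted PBKDF2 hashes; the iteration count and the 16-byte salt are my assumptions, not something the reply specifies.

```python
import hashlib
import os
from typing import List, Tuple

MIN_LENGTH = 16          # minimum length from the reply above
HISTORY_DEPTH = 24       # cannot reuse any of the last 24 passwords
PBKDF2_ROUNDS = 100_000  # assumed work factor, not from the page

# history entries are (salt, digest) pairs, newest first
History = List[Tuple[bytes, bytes]]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so stored history never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def check_policy(candidate: str, history: History) -> List[str]:
    """Return a list of violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "uppercase": any(c.isupper() for c in candidate),
        "lowercase": any(c.islower() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        # anything that is not a letter or digit counts, so spaces qualify too
        "special": any(not c.isalnum() for c in candidate),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))
    # Compare against each stored hash using that entry's own salt.
    for salt, digest in history[:HISTORY_DEPTH]:
        if hash_password(candidate, salt) == digest:
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


def record_password(password: str, history: History) -> None:
    """Push a newly accepted password onto the front of the history."""
    salt = os.urandom(16)
    history.insert(0, (salt, hash_password(password, salt)))
```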
Sgt Aaron Kennedy, MS, 9 y
SGT: "Is the juice worth the squeeze?"

I have to remember no less than 25~ passwords for work, home, and related sites like VA etc. Everyone has different policies. That said, "simplicity" takes precedence, not complexity.

Common passwords/passphrases are far more dangerous than anything else, because of the "master key" concept, and the more complex organizations make the password scheme, the more likely people will be to repeat passwords, just so we can keep them straight. The human brain isn't wired to remember dozens of phrases. It just isn't. Not an excuse, just a fact. Especially when you have lockouts after X attempts.

This will all go away in 5~ years when we have authenticators on our phones for each site, but until then "security experts" are breeding an environment where this will happen.
SSG Orders Action Officer
People don't care about things until it impacts their life directly.