Edited 2 y ago
Posted 2 y ago
Responses: 6
Having worked almost my entire career in the bowels of Government/Military IT systems, I can tell you that the biggest problem is that they are usually bloated bureaucracies.
Systems that remain unpatched for a variety of 'reasons' (no money, can't take the system down, inconvenience, etc), outdated applications that aren't supported by the vendor anymore, M&M defenses (hard shell on the outside, but soft interior once you're inside), etc.
And the number one threat - user behavior. I remember a study I read back in 2014 when I was at ARCYBER - over 40% of the users on a network don't believe they should have to abide by security rules because it hampers their productivity, their work is so important it shouldn't be treated like 'everyone else', etc.
SPC Michael Duricko, Ph.D
So what are the preventative measures that must be implemented? Is anyone even trying since it keeps occurring?
COL Randall C.
Most are being implemented. The problem is that by its very nature a bureaucracy cannot change quickly except under extraordinary circumstances.
Add to that being a victim of success. Systems have been upgraded to make them more efficient over time and to give organizations capabilities that they didn't have before because more and more systems are connected and working together. However, that comes with a trade-off because a networked system introduces vulnerabilities that have to be accounted for.
Government is also schizophrenic. While they say they aren't corporate and worry about making a profit, they are concerned about fiscal constraints because their operating costs are competing with everyone else. Because of these constraints, many upgrades have to be pushed off until 'later'.
Revamping/upgrading systems also has an impact on operations. They have to be taken offline most times in order to upgrade them (most highly critical systems do have redundant networks that are swapped when they need to upgrade .. but that's costly in resources) and if you don't have multiple networks (i.e., a 'production' network that is used daily and a 'test' network to see how "what if" scenarios (like upgrades) will impact it) you often have to slowly roll out changes to ensure they don't have an unexpected adverse impact.
For example, you hear about large data breaches every couple of years. A simple (in concept) approach that would address that issue is implementing a Data At Rest (DAR) strategy (there are some opinions that differ on this, but I'm using it as an example). With DAR, the data is encrypted when it is 'at rest' (i.e., not being accessed/used). When you need the data, you unencrypt it, retrieve/update it, then store it encrypted again. If someone were to get unauthorized access to the data, it wouldn't do them any good because they won't be able to unencrypt it. .... or at least that's how the theory works.
The issue with a DAR strategy is that it adds overhead (roughly 3%-5%) to the operation because you have to decrypt, use and encrypt the data every time you access it. When you do this at scale and are talking about millions and billions of record accesses, you are talking about a LOT of overhead (assume it's 5% .. that means you could lose up to 1/20th of your productivity from DAR). Security would be a lot better, but you slow down productivity. Which is better? The security focused individual will obviously say DAR while the Operations Manager might say productivity.
The real answer comes from Risk Management, and that is a call based on objective and subjective measures.
So .. can things be done better? Yes. Will things be done better? That's a question about human nature.
Ever hear the saying that no matter what you do you'll make someone angry? That's absolutely true in this case. If you take a system down to improve security, then the people that use that system will complain loudly. To mitigate that, you work around them (weekends, after hours, etc), but then you are constraining WHEN security upgrades can be made.
Add to that regulatory roadblocks that will prevent you from doing security fixes because some 'helpful' politician got something into a law or regulation that prevents you from doing something quickly or in a cost-efficient manner.
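The DAR mechanism COL Randall C. describes (encrypt when stored, decrypt to use, write back encrypted, a copied table useless without the key), as an added Go example that is not part of this thread or anyone's production code; Store, Put, Get and Raw are names chosen here, AES-GCM is the assumed cipher, and the key is assumed to be held somewhere other than the table.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Store persists rows only as nonce||ciphertext. The key is held outside the
// table (an HSM/KMS in practice), which is what makes a stolen copy worthless.
type Store struct {
	aead cipher.AEAD
	rows map[string][]byte
}

// NewStore wraps a 16, 24 or 32 byte AES key in AES-GCM (an AEAD).
func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Store{aead: aead, rows: map[string][]byte{}}, nil
}

// Put encrypts before writing: fresh nonce per write (an update never reuses
// one) and the id bound as associated data (a row moved to another id fails).
func (s *Store) Put(id string, plaintext []byte) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.rows[id] = append(nonce, s.aead.Seal(nil, nonce, plaintext, []byte(id))...)
	return nil
}

// Get decrypts on read; tampered bytes or the wrong key fail the GCM tag
// check instead of yielding garbage the application might act on.
func (s *Store) Get(id string) ([]byte, error) {
	row := s.rows[id]
	n := s.aead.NonceSize()
	if len(row) < n {
		return nil, errors.New("no such record")
	}
	return s.aead.Open(nil, row[:n], row[n:], []byte(id))
}
func (s *Store) Raw(id string) []byte { return s.rows[id] } // what a table copy reveals
```

The overhead the post mentions is exactly the Seal on every Put and the Open on every Get; what it buys is that Raw shows no plaintext and any modification of a stored row is rejected rather than silently read.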
Lt Col Charlie Brown I thought last week I heard something about the Justice Department getting hit with ransomware, then the story disappeared. The problem is the government doesn't do anything about things like this until it's too late.
And yet to make an appointment at a medical treatment facility I have to have a 12 digit Password with at least one Lower Case, one Uppercase, and one Special Character, AND I have to change it every 3 or 6 months and cannot duplicate a previous password.
Lt Col John (Jack) Christensen
AND you have to properly respond to the verification code they send to you!
SPC Michael Duricko, Ph.D
Our government is all screwed up! You need all that, a tennis star can't enter our country and play in a tournament because he is unvaccinated and yet criminals and aliens can just walk in! Go figure.