CSIS Report: Securing Cyberspace

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • CSIS Report: Securing Cyberspace

    This may appear political at first, but hopefully everyone can keep their partisan views to the side for the discussion.

    I am finally reading the Report "Securing Cyberspace for the 44th Presidency" and was curious if other people had views on it and what they were?


    http://www.csis.org/component/option...d,5157/type,1/

    http://www.csis.org/media/csis/pubs/...erspace_44.pdf

    If anything is unclear in the report, perhaps you can go over to Slashdot now and ask the question for clarification.

    http://interviews.slashdot.org/artic...8/12/12/135207


    I am truly interested to hear what others here have to say about it.
    And I heard a voice in the midst of the four beasts, And I looked and behold: a pale horse. And his name, that sat on him, was Death. And Hell followed with him.

  • #2
    Re: CSIS Report: Securing Cyberspace

    While Cyber Security is an increasing threat to the US National Security, I feel as though it's being approached completely wrong. The term is often thrown around as a buzz word to attract attention and scare people. Someone needs to clarify some of the goals rather than throwing out big sweeping statements like "we will secure the internet." Some ideas are: securing emergency telecom, isolating military networks to prevent access, enforcing and updating in-place security standards, etc. I mean, for instance, let's take a look back at DC16 and we see discussions on securing SCADA systems. This isn't a new topic either. It's been raised several times before. Aren't basic utilities sort of vital to the national infrastructure?

    I think we'd be a lot better off if they just started small. Review current security standards to make sure they are not only adequate but also practical. I'd say a lot of times people circumvent these standards simply because they are lazy and don't feel like dealing with them. Also: why should the FAA's new air traffic control system be told that DOD standards forbid them from having USB ports on their systems, yet we just saw an issue where the US Army had an incident with USB thumb drives? People will always go after your weakest link in any security situation. I have a companion who said that following their post-9/11 analysis, the FAA reported their biggest security hole was, ironically, the link back to the Pentagon. Let's set these standards and enforce them across agencies.

    If you want to help boost the economy and also help secure the national infrastructure then let's start some public works projects. Take a bunch of the best penetration testers you can and split them up. Have them just attack without warning and see how far they can get. Take their report, fix it, shift the groups and start over. Let's get some people who actually know what they're doing in there working on these projects. I can just see the recruitment posters now...

    Bottom line, if they want this to work, they need to actually set some realistic goals. Too often the phrases are used in a general sense and bad connotations get attached. For instance, DRM and trusted computing would be great if they were being used to protect the users instead of protecting the producers from the users. Let's set these goals to actually secure the national infrastructure and stop trying to worry about the Comcast user who is torrenting in his mother's back yard. It's also ironic that they're trying to control and centralize something that was originally designed to be decentralized and resilient to physical attack...
    afterburn



    • #3
      Re: CSIS Report: Securing Cyberspace

      I mean for instance let's take a look back at DC16 and we see discussions on securing SCADA systems. This isn't a new topic either. It's been raised several times before. Aren't basic utilities sort of vital to the national infrastructure?
      It would be great if there were communication methods that have decent bandwidth and were cost affordable that did not have a direct connection to the internet. I investigated having an MPLS network built to link 40 sites all within the same area, the fastest they could give me was 56K and it would have cost me $9000/month.

      As long as it's cheaper to just drop in a cable/DSL modem and set up VPN routers, utilities are going to continue to do so. Hopefully they've taken good steps to securing those connections.
      Last edited by streaker69; December 12, 2008, 13:16.
      A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.



      • #4
        Re: CSIS Report: Securing Cyberspace

        Originally posted by streaker69
        It would be great if there were communication methods that have decent bandwidth and were cost affordable that did not have a direct connection to the internet. I investigated having an MPLS network built to link 40 sites all within the same area, the fastest they could give me was 56K and it would have cost me $9000/month.

        As long as it's cheaper to just drop in a cable/DSL modem and set up VPN routers, utilities are going to continue to do so. Hopefully they've taken good steps to securing those connections.
        I understand and have experienced a very similar situation myself. My point is that time and time again we hear about systems having not just lax security but no security. I think a VPN would be better than nothing. What I've done is grabbed a few routers, loaded OpenWrt and OpenVPN on them, and established a complete layer 2 connection between all sites. It may not be the best thing, but it's better than some things I've seen. My belief is that no system is 100% secure; however, it's all about raising the security level to a point that breaking in isn't really worth the effort. Then again, I'm mostly a hardware guy but know enough about IT/software to know there are problems. Maybe my approach isn't the best, but at least it's something at this point.
        afterburn
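        A hardened OpenVPN layer 2 (tap) site-to-site configuration of the kind afterburn describes, added here as an illustration and not the poster's own setup; file paths, the hub hostname and the addressing are assumed:

```conf
# Hub (server) side: /etc/openvpn/hub.conf  (assumed path)
# Layer 2 (tap) tunnel bridged into the router's LAN bridge, so remote
# sites land on the same broadcast domain as the hub.
dev tap0
proto udp
port 1194
# tap0 is bridged into br-lan; the hub hands remote sites addresses from
# the pool below (assumed example addressing).
server-bridge 10.0.0.1 255.255.255.0 10.0.0.200 10.0.0.250
client-to-client
# One certificate per site from a private CA: a stolen or lost router is
# revoked via the CRL instead of forcing every site to rekey.
ca /etc/openvpn/ca.crt
cert /etc/openvpn/hub.crt
key /etc/openvpn/hub.key
dh /etc/openvpn/dh.pem
crl-verify /etc/openvpn/crl.pem
# Pre-shared HMAC key: packets without a valid HMAC are dropped before the
# TLS handshake, so the port does not answer scanners or flood attempts.
tls-auth /etc/openvpn/ta.key 0
# Only accept peers whose certificate is marked for client use.
remote-cert-tls client
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2
keepalive 10 60
persist-key
persist-tun
# Drop root after the tunnel and bridge are up.
user nobody
group nogroup
verb 3

# Remote site (client) side: /etc/openvpn/site.conf  (assumed path)
client
dev tap0
proto udp
remote hub.example.net 1194   # assumed hub hostname
nobind
ca /etc/openvpn/ca.crt
cert /etc/openvpn/site01.crt
key /etc/openvpn/site01.key
tls-auth /etc/openvpn/ta.key 1
# Refuse to talk to anything that does not present a server certificate
# from our CA, which blocks a rogue "hub" on the path.
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2
persist-key
persist-tun
verb 3
```

        Bridging at layer 2 means every site's broadcast traffic crosses the tunnel and every site's LAN is directly adjacent to the others; a routed (tun) setup with explicit per-site routes limits both the noise and the blast radius if one site's router is compromised.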



        • #5
          Re: CSIS Report: Securing Cyberspace

          Originally posted by afterburn188
          I understand and have experienced a very similar situation myself. My point is that time and time again we hear about systems having not just lax security but no security. I think a VPN would be better than nothing. What I've done is grabbed a few routers, loaded OpenWrt and OpenVPN on them, and established a complete layer 2 connection between all sites. It may not be the best thing, but it's better than some things I've seen. My belief is that no system is 100% secure; however, it's all about raising the security level to a point that breaking in isn't really worth the effort. Then again, I'm mostly a hardware guy but know enough about IT/software to know there are problems. Maybe my approach isn't the best, but at least it's something at this point.
          Many utilities are a little slow on the catch up because for years they based their security on obscurity which we all know is a bad idea. SCADA security is coming to the forefront finally. So far, most of the breaches on SCADA systems were done by people with inside/intimate knowledge of the system they hacked. So in reality, it wasn't really hacking, they built backdoors into the system. There isn't much that can be done about that. Employers want to trust their employees, but at the same time they don't.
          A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.



          • #6
            Re: CSIS Report: Securing Cyberspace

            They made Obama give up his Blackberry, so that's a start. Reason: too much of a security risk. Perhaps his BB will end up on eBay.

            xor
            Last edited by xor; December 12, 2008, 18:52.
            Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.



            • #7
              The Future of Cyber Security: Overhyped or Underestimated?

              I saw a few people in another thread discussing how Obama plans to overhaul the security industry in the States and make sure everyone becomes aware of the dangers the internet poses. I had mixed feelings when I heard this, as I'm glad the top dogs are taking notice after all this time, but I also sniff another "war on terror" around the bend.

              Then this morning I read this.

              Korea (I'm not sure whether it's North or South, I'll do a quick Google search after) are taking it upon themselves to do the same thing, only taking it a few steps further by inviting ethical hackers to come along, prove themselves, and get a well-paid job out of it.

              Perhaps I'm just so accustomed to the etiquette of Western Civilisation, but I think it wonderful that it can be reported that "The government is planning to host the country's first international hacking competition next year, which is part of efforts to train about 1,000 hackers who will lead research into the vulnerabilities of security systems."

              Can you imagine the American government doing the same thing? Or the British? Not a chance.

              Anyway, I went off on a tangent there.

              My question is: is the general public (government and citizens) underestimating the threat of the internet that is to come, or is it being overhyped?

              And just to make that clear, by general public I do not mean your average IT consultant, or anyone subscribed to Bugtraq. I mean those that use their computers to check Facebook or do a little online banking from time to time, or maybe to buy something on eBay.
              This is a horrible font



              • #8
                Re: The Future of Cyber Security: Overhyped or Underestimated?

                I think this thread should probably be merged with this one:

                https://forum.defcon.org/showthread.php?t=10024
                A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.



                • #9
                  Re: The Future of Cyber Security: Overhyped or Underestimated?

                  Originally posted by artoir
                  I saw a few people in another thread discussing how Obama plans to overhaul the security industry in the States and make sure everyone becomes aware of the dangers the internet poses.
                  So you created a new thread, to talk about generally the same topic?

                  Further, it's not what the President Elect plans to do, it's a report with recommendations for him... There is quite a difference.

                  Originally posted by artoir
                  Then this morning I read this.

                  Korea (I'm not sure whether it's North or South, I'll do a quick Google search after) are taking it upon themselves to do the same thing, only taking it a few steps further by inviting ethical hackers to come along, prove themselves, and get a well-paid job out of it.
                  You had a chance to read the other thread, did you have a chance to read the report? It covers some of the things specifically mentioned in the article, from a US Administration perspective. And the Korea Times is South Korea.

                  Originally posted by artoir
                  Perhaps I'm just so accustomed to the etiquette of Western Civilisation, but I think it wonderful that it can be reported that "The government is planning to host the country's first international hacking competition next year, which is part of efforts to train about 1,000 hackers who will lead research into the vulnerabilities of security systems."

                  Can you imagine the American government doing the same thing? Or the British? Not a chance.
                  Of course I can, and they have... Seriously, get your facts straight. I've been trying to be very neutral in my tone of postings, but that past statement seems like you're just trolling to bash on the US Government.

                  Departments of the US Government routinely sponsor programs of that nature.

                  Originally posted by artoir
                  Anyway, I went off on a tangent there.

                  My question is: is the general public (government and citizens) underestimating the threat of the internet that is to come, or is it being overhyped?

                  And just to make that clear, by general public I do not mean your average IT consultant, or anyone subscribed to Bugtraq. I mean those that use their computers to check Facebook or do a little online banking from time to time, or maybe to buy something on eBay.
                  Maybe you should ask that of someone else? Honestly, you're asking for an opinion about the 'General Public' from people that aren't the 'General Public'; all they can do is infer what they believe about the General Public, be it good or bad. Also, "The Government" is not the General Public. Also, what Government are we talking about here?

                  Furthermore The Internet cannot be a threat since The Internet is not alive. People who use The Internet can be a threat, but not The Internet itself. It's much akin to people who say that Firearms are a threat... If a firearm is not interacted with, it doesn't pose a threat.

                  If your question was: Do you believe the US Government (or Gov of your choice) and its Citizenry are underestimating the threat posed by certain entities that utilize the internet for their malicious intents, or is it being overhyped? - Then I think people could answer it better.
                  And I heard a voice in the midst of the four beasts, And I looked and behold: a pale horse. And his name, that sat on him, was Death. And Hell followed with him.



                  • #10
                    Re: The Future of Cyber Security: Overhyped or Underestimated?

                    Threads merged.

                    Originally posted by artoir
                    Can you imagine the American government doing the same thing? Or the British? Not a chance.
                    You might want to check your facts. Many governments do that, including several US government agencies. While I have no direct knowledge of the UK government having such competitions, I would be rather surprised if they did not sponsor such things. Actually, my take on this story is that South Korea may be playing catch-up in this area.

                    Originally posted by HighWiz
                    I've been trying to be very neutral in my tone of postings, but that past statement seems like you're just trolling to bash on the US Government.
                    Agreed.

                    artoir, we maintain a "no politics" rule here. While politics is often the flip side of discussions such as this, it is one thing to discuss the impact on computer security of a national policy; it is quite another to openly criticize a government, political entity, or political leader.

                    Instead of saying what you did above, it would have been acceptable to ask "Are any other governments undertaking similar programs?" or to state "I am not aware of other governments conducting such programs, and it seems unlikely in my opinion."

                    If that isn't clear, please re-read the DefCon Forum Rules.
                    Thorn
                    "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird



                    • #11
                      Re: CSIS Report: Securing Cyberspace

                      Just my opinion, so take it for what it's worth, but any official government document that uses the term 'cyberspace' just seems like a bunch of malarkey.
                      A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.



                      • #12
                        Re: CSIS Report: Securing Cyberspace

                        Originally posted by streaker69
                        Just my opinion, so take it for what it's worth, but any official government document that uses the term 'cyberspace' just seems like a bunch of malarkey.
                        Or, in fact, anything that uses "cyber" as a prefix. Oh, the stories...
                        "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";



                        • #13
                          Re: CSIS Report: Securing Cyberspace

                          Originally posted by theprez98
                          Or, in fact, anything that uses "cyber" as a prefix. Oh, the stories...
                          cybernetics?
                          A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.



                          • #14
                            Re: CSIS Report: Securing Cyberspace

                            Originally posted by streaker69
                            Just my opinion, so take it for what it's worth, but any official government document that uses the term 'cyberspace' just seems like a bunch of malarkey.
                            Originally posted by theprez98
                            Or, in fact, anything that uses "cyber" as a prefix. Oh, the stories...
                            Yeah, yeah. We know you guys are old school and prefer the term "Information Superhighway."

                            <ducking>
                            Thorn
                            "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird



                            • #15
                              Re: CSIS Report: Securing Cyberspace

                              Originally posted by theprez98
                              Or, in fact, anything that uses "cyber" as a prefix. Oh, the stories...
                              I disagree, Cyberdyne is still acceptable...

                              Originally posted by Thorn
                              Yeah, yeah. We know you guys are old school and prefer the term "Information Superhighway."

                              <ducking>
                              When you were a kid back during World War One, what was the equivalent?
                              And I heard a voice in the midst of the four beasts, And I looked and behold: a pale horse. And his name, that sat on him, was Death. And Hell followed with him.
